AML and CTF Program

What Is an AML and CTF Program?

An AML and CTF program is a formal document that outlines how a reporting entity complies with its obligations under the AML/CTF Act. It explains how your business identifies, manages, and mitigates risks related to money laundering and terrorism financing. AUSTRAC references AML CTF Act 2006 section 83 for this term.

In practice, this is not just a policy. It is your compliance operating system. It should be written so that a manager can run it, staff can follow it, and an auditor can test it.

Part A vs Part B: What Each Part Covers

An AML/CTF program is typically divided into two key parts:

Part A – Risk-Based Systems and Controls

Part A focuses on how your business identifies and manages risk. It includes:

• Risk assessments
• Internal controls
• Governance frameworks
• Transaction monitoring processes
• Reporting procedures

Part B – Customer Identification Procedures

Part B focuses on customer due diligence. It includes:

• Customer identity verification (KYC)
• Beneficial ownership checks
• Procedures for identifying high-risk customers
• Ongoing customer monitoring

Both parts must work together. Part A defines the system, while Part B ensures you know who you are dealing with.

What to include in an AML and CTF program

The exact structure varies, but the content needs to be complete and usable.

Governance and oversight

• Appointment of accountable owners for AML CTF compliance
• Senior management oversight and reporting cadence
• Risk appetite statements in plain language
• Escalation pathways for suspicious matters
• Risk assessment and risk based approach
• Customer risk factors and scoring logic
• Product or service risks
• Delivery channel risks, including remote onboarding
• Geographic risks and cross border exposure

Customer due diligence and beneficial ownership

• Identification and verification processes
• Beneficial ownership identification approach where the customer is not an individual
• Enhanced due diligence triggers for higher risk relationships
• Ongoing due diligence, including refresh triggers

Monitoring and reporting

• How you detect unusual behaviours relevant to your services
• How you investigate concerns
• How you decide whether suspicion exists
• How you maintain reporting records and supporting material

Training and capability

• Induction training for new staff
• Role based training for higher risk roles
• Scenario based training relevant to your sector
• Competency checks and refresh cycles

Independent review and continuous improvement

• Independent evaluation schedule
• File testing approach and quality assurance
• Management of findings and remediation
• Change management for new services or channels

Why an AML/CTF Program Matters

The AML CTF Amendment Act 2024 expands the regime to certain high risk services provided by lawyers, accountants, trust and company service providers, real estate professionals, and dealers in precious metals and stones.

This is why Tranche 2 businesses must treat the AML and CTF program as a priority deliverable, not a final paperwork step.

AUSTRAC has also published clear transition messaging and dates for reform implementation, including enrolment opening for newly regulated sectors and obligations commencing for Tranche 2 entities in 2026.

This means preparation should start early, especially where your business model is decentralised across offices, partners, or contractors.

AML/CTF Rules and How They Support Your Program

While the AML/CTF Act sets out the legal framework, the AML/CTF Rules provide the detailed requirements that businesses must follow in practice.

Your AML/CTF program should align with these Rules, as they define:

• How customer identification must be performed
• What reporting obligations apply
• How risk-based systems should operate
• Record-keeping requirements

In simple terms, the Act tells you what to do, while the Rules explain how to do it. A compliant AML/CTF program must reflect both.

What an AML and CTF program is designed to do

A strong AML and CTF program answers four practical questions.

Examples of How this Looks in Tranche 2 Sectors

Best practice tips that stand up to AUSTRAC scrutiny

• Keep the program aligned to how work is actually done, including who collects documents and who approves risk ratings.
• Use plain language procedures, then back them with templates and checklists.
• Evidence implementation through training logs, file reviews, monitoring outcomes, and management reporting.
• Prepare an implementation plan if transitional gaps are likely, noting AUSTRAC’s expectations around managing risk during transition periods.

Common Challenges

• Template based documents that do not reflect the firm’s actual services
• Overly legal writing that staff cannot apply
• Lack of evidence that controls are used consistently
• Weak beneficial ownership handling, especially for companies and trusts

AML/CTF Program vs AML Policy: What’s the Difference?

Many businesses confuse an AML/CTF program with a simple policy document. In reality, an AML/CTF program is much broader.

• A policy outlines rules and principles
• A program defines how those rules are implemented in practice

Your AML/CTF program should include policies, procedures, controls, and evidence of implementation, not just written statements.

Final Thought on AML and CTF Program

An AML and CTF program is not a compliance checkbox. It is the system that protects your business, your clients, and the integrity of the market. Under the AML CTF Amendment Act 2024 and the reform transition, businesses that invest early in a practical program will reduce regulatory risk and operational disruption.