Australia’s AML/CTF regime is expanding, and if you’re in a designated service sector, having a robust AML compliance checklist isn’t optional, it’s mandatory. With AUSTRAC extending obligations to accountants, lawyers, and other professional services from 2026, thousands of businesses now face the task of building compliant programs from scratch. The penalties for getting it wrong? Up to $27.5 million for serious contraventions.
The challenge isn’t just understanding the rules; it’s implementing them in a way that actually works within your existing operations. Many firms scramble between spreadsheets, disconnected software, and manual verification processes, creating gaps that regulators (and criminals) can exploit. A proper compliance framework needs to be systematic, documented, and integrated into how your team already works, not bolted on as an afterthought.
This guide breaks down exactly what your AML compliance program needs to include, from initial risk assessments through to ongoing monitoring and reporting. We’ve structured it as a practical, step-by-step checklist you can use to audit your current setup or build one from the ground up. And because compliance workflows are only as strong as their weakest link, we’ll also show you how StackGo’s IdentityCheck integration lets you run KYC verification directly from your CRM, eliminating manual data entry, reducing errors, and keeping sensitive client information secure through our privacy layer.
What AML compliance means in Australia in 2026
AML compliance in Australia means following the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), which AUSTRAC enforces. You need to identify, mitigate, and report suspicious financial activity that could involve money laundering or terrorism financing. The regime originally covered banks, casinos, and remittance providers, but as of March 2026, it extends to accountants, lawyers, real estate agents, and dealers in precious metals and stones. If you provide designated services, you’re now a reporting entity with legal obligations to maintain a compliant programme.
The 2026 expansion: who’s now caught
Before 2026, Australia had a compliance gap that made it one of the few developed nations without AML obligations for professional service providers. The expansion brings approximately 90,000 new businesses into the regime, meaning your accounting practice, law firm, or real estate agency now faces the same compliance requirements as financial institutions. You must register with AUSTRAC within 28 days of providing your first designated service, and failing to do so constitutes an offence under section 75 of the Act.
The designated services for professional firms include preparing or lodging tax returns, forming companies or trusts, buying or selling real property, and managing client funds. If you handle these activities, you’re in scope regardless of business size. There’s no small business exemption, no grace period beyond the initial 28 days, and no option to simply refuse high-risk clients without documenting why.
"Reporting entities must adopt a risk-based approach to identify, mitigate and manage their money laundering and terrorism financing risks." AUSTRAC Guidance
Core obligations you can’t skip
Your AML compliance checklist starts with five non-negotiable requirements. First, you must enrol with AUSTRAC and keep your registration current. Second, you need a board-approved AML/CTF programme that documents your risk assessment methodology, customer due diligence procedures, and reporting processes. Third, you must conduct ongoing customer due diligence, which means verifying identities before providing services and monitoring transactions for suspicious activity.

Fourth, you’re required to submit Suspicious Matter Reports (SMRs) within three business days of forming a suspicion, and threshold transaction reports where applicable. The Act protects you from liability when reporting in good faith, but failing to report carries significant penalties. Finally, you must retain records of customer identification, transactions, and your compliance programme for seven years. These aren’t suggestions; they’re legislative requirements with strict timelines.
Penalties that actually bite
AUSTRAC enforces these obligations through civil penalties, criminal charges, and enforceable undertakings. Civil penalties reach $27.5 million for corporations or three times the benefit obtained from the contravention, whichever is greater. For individuals, the maximum is $5.5 million. These aren’t theoretical figures. In 2024, AUSTRAC secured a $3.35 million penalty against a casino for AML/CTF breaches, and Westpac paid $1.3 billion in 2020 for systemic failures.
Criminal penalties apply to serious contraventions, including operating without registration or intentionally obstructing AUSTRAC investigations. You can face up to 10 years imprisonment for deliberately facilitating money laundering through non-compliance. Beyond financial penalties, enforcement actions damage your reputation, trigger client audits, and often result in external compliance monitoring at your expense. The regulator publishes enforcement outcomes publicly, which means your breach becomes permanently searchable.
What "fit for purpose" actually requires
AUSTRAC expects your compliance programme to be proportionate to your risk profile, not a copy-paste template. If you operate in high-risk sectors or geographic areas, you need enhanced due diligence procedures and more frequent monitoring. Your risk assessment must be specific to your business model, client base, service offerings, and delivery channels. Generic programmes that don’t reflect your actual operations fail regulatory scrutiny and leave you exposed to both breaches and penalties.
The regulator conducts random compliance assessments and responds to intelligence about potential breaches. You can’t assume you’ll stay under the radar by being small or newly registered. AUSTRAC’s approach focuses on systemic compliance culture, meaning they examine whether your senior management actually understands and enforces the obligations, or whether your programme exists only on paper.
Step 1. Confirm if you are a reporting entity
Your first item on any AML compliance checklist is determining whether the law actually applies to you. The AML/CTF Act doesn’t cover every business; it only captures those providing designated services as defined in section 6. You need to assess whether your activities fall within the scope, because operating as a reporting entity without registering carries penalties, while incorrectly assuming you’re captured wastes resources on unnecessary compliance programmes.
The 2026 expansion specifically targets professional service providers who were previously exempt. Your business becomes a reporting entity the moment you provide a designated service to a customer, not when you think you might provide one in the future. This trigger point determines your 28-day registration deadline with AUSTRAC, so you can’t afford to guess or delay this assessment.
The designated services test
You’re caught by the regime if you provide services listed in section 6 of the AML/CTF Act. For professional firms entering scope in 2026, the designated services include:
- Preparing or lodging tax returns, Business Activity Statements, or related documents with the ATO
- Forming, operating, or managing companies, partnerships, or trusts on behalf of clients
- Buying or selling real property as an agent, representative, or nominee
- Managing client funds in trust accounts or similar arrangements
- Dealing in precious metals, stones, or jewellery where transactions exceed $10,000
Check your service agreements, engagement letters, and invoicing records to identify which activities you actually perform. If you only provide advice without preparing or lodging documents, you may not be caught. For example, tax advice alone doesn’t trigger obligations, but preparing the return does.
"A reporting entity is a person who provides a designated service at or through a permanent establishment in Australia." AML/CTF Act, Section 5
What triggers registration
Your obligation activates when you provide your first designated service after 31 March 2026. You must enrol with AUSTRAC within 28 days of that initial service, not when you open for business or sign a client. The clock starts when you actually perform the activity, whether that’s lodging a tax return, registering a company, or settling a property transaction.
Document the exact date you provided your first designated service, because AUSTRAC may request evidence during compliance reviews. If you operated before the expansion but continue providing the same services after March 2026, you need to register based on your first post-expansion service. Missing the 28-day window constitutes a strict liability offence under section 75, meaning AUSTRAC doesn’t need to prove intent to prosecute.
Accounting firms should audit their service mix immediately to determine which clients and engagements fall within scope. If you outsource compliance preparation to third parties but maintain client relationships and lodge documents yourself, you’re still the reporting entity responsible for the AML/CTF programme.
Step 2. Set governance and accountability
Your AML compliance checklist requires clear ownership at the board level before you build any programme. Section 84 of the AML/CTF Act mandates that your board or equivalent governing body must adopt and approve your AML/CTF programme in writing. You can’t delegate this responsibility to middle management or outsource it to consultants. The board must understand the obligations, review your compliance framework, and formally accept accountability for its implementation.
This isn’t a box-ticking exercise. AUSTRAC expects your senior management to demonstrate active engagement with compliance, not simply sign off on documents they haven’t read. During enforcement actions, regulators examine board meeting minutes, risk committee papers, and executive correspondence to verify whether governance was genuine or cosmetic. Your directors face personal liability under the Act if they fail to take reasonable steps to prevent contraventions.
Who owns compliance at the top
Your board or partners must appoint a senior manager with authority to oversee the entire AML/CTF programme. This person typically holds a title like Chief Compliance Officer, Risk Manager, or Practice Manager, depending on your firm size. They need direct access to the board, budget control for compliance resources, and the power to escalate issues without interference from business development teams.
Document this appointment in writing with a clear position description that specifies their responsibilities under the AML/CTF Act. The appointment should include authority to halt client onboarding, reject transactions, and submit suspicious matter reports without requiring approval from client relationship managers. Your governance structure must prevent commercial considerations from overriding compliance decisions.
"The board of a reporting entity must ensure that the entity has and complies with an AML/CTF programme." AML/CTF Act, Section 84
Your AML/CTF compliance officer role
You must formally appoint an AML/CTF compliance officer under section 84(2) of the Act. This person may be the same senior manager mentioned above, or a dedicated role in larger organisations. Their core duties include maintaining your compliance programme, monitoring its effectiveness, investigating suspicious matters, submitting reports to AUSTRAC, and training staff on their obligations.
The compliance officer needs practical authority, not just a title. They must have sufficient seniority to challenge business decisions, access to all client files and transaction records, and protection from retaliation when raising compliance concerns. Your appointment letter should specify their reporting line to the board, their access rights to systems and data, and their obligation to report directly to AUSTRAC when required.
Document authority and reporting lines
Create an organisational chart that shows your compliance structure, from the board down through the compliance officer to staff handling customer due diligence. Include names, titles, reporting relationships, and key responsibilities for each role. This documentation proves to AUSTRAC that you’ve established genuine oversight, not just assigned compliance as an additional duty to someone already overloaded.

Your governance documentation should include:
- Board resolution adopting the AML/CTF programme with meeting date and signatories
- Position descriptions for compliance officer and other key roles
- Delegation of authority matrix showing who can approve high-risk clients, transaction monitoring thresholds, and SMR submissions
- Escalation procedures for suspicious matters, compliance breaches, and system failures
- Reporting schedule to the board (quarterly minimum) on compliance metrics, SMRs lodged, and risk assessment updates
Keep these documents version-controlled and accessible to AUSTRAC auditors. Your governance records form the foundation of your entire programme, and gaps here undermine everything else you build.
Step 3. Run a documented ML and TF risk assessment
Your AML compliance checklist requires a formal risk assessment before you build your programme, not after. Section 84 of the AML/CTF Act mandates that you identify, assess, and document the money laundering and terrorism financing risks your business faces based on your specific circumstances. You can’t copy a template from the internet and call it done. AUSTRAC expects your risk assessment to reflect your actual client base, services, delivery channels, and geographic exposure.
Your risk assessment determines how robust your customer due diligence procedures need to be, which transactions require enhanced monitoring, and where you should allocate compliance resources. You must complete this assessment before providing your first designated service after registration, and review it at least annually or when your business model changes materially. Documenting your methodology matters as much as the conclusions, because regulators audit your thinking process during compliance reviews.
What your risk assessment must cover
Your assessment must evaluate risk across the eight mandatory factors that AUSTRAC specifies, including your customers, the services you provide, delivery channels, geographic locations, your business structure, and emerging risks. You need to analyse each factor systematically and assign a risk rating based on evidence, not guesswork.

For customers, assess their ownership structures, source of wealth, transaction patterns, whether they operate in high-risk industries such as cash-intensive businesses, and whether they are politically exposed persons. Service risk depends on whether you handle large cash transactions, form complex trust structures, or facilitate international transfers. Delivery channels matter because non-face-to-face onboarding carries higher identity fraud risk than in-person verification.
"A reporting entity must carry out an assessment of the risk of its services being misused for money laundering or terrorism financing." AUSTRAC Guidance Note
Document your findings in a risk assessment matrix that shows each factor, identified risks, likelihood ratings, consequence ratings, and your overall risk score. Here’s a basic structure:
| Risk Factor | Specific Risk | Likelihood | Consequence | Overall Rating |
|---|---|---|---|---|
| Customer type | High-net-worth individuals with complex structures | Medium | High | High |
| Service delivery | Remote onboarding without face-to-face verification | High | Medium | High |
| Geographic location | Clients with business interests in high-risk jurisdictions | Low | High | Medium |
Document your methodology and findings
Your risk assessment must explain how you determined each risk rating, not just state conclusions. Describe the data sources you used, such as client demographics from your CRM, transaction volumes from accounting systems, and external intelligence from AUSTRAC typologies or FATF country assessments. Include references to specific AUSTRAC guidance notes or industry reports that informed your analysis.
Keep your assessment document version-controlled and board-approved with signatures and dates. Your compliance officer should present the findings to the board with recommendations for control measures needed to mitigate identified risks. Update your assessment whenever you expand into new service lines, enter new geographic markets, or observe emerging threats from AUSTRAC alerts.
Risk ratings and mitigation strategies
Assign each risk factor a rating on a scale such as low, medium, high, or extreme, based on both likelihood and potential impact. Your ratings drive your customer due diligence approach. High-risk factors require enhanced due diligence procedures like source of wealth verification, adverse media screening, and senior management approval before onboarding.
Document specific mitigation controls for each identified risk. If you rated remote onboarding as high risk, your mitigation might include biometric identity verification, electronic document authentication, and video confirmation calls. Your assessment should map each risk to corresponding controls in your AML/CTF programme, creating a clear link between what you identified and how you respond.
Step 4. Build your AML and CTF programme
Your AML/CTF programme is the written document that describes how you meet your obligations under the Act. Section 84 requires you to create a programme that’s specific to your business, addresses the risks you identified in Step 3, and sets out your procedures for customer due diligence, ongoing monitoring, reporting, and record-keeping. This isn’t a policy statement or general guideline document. Your programme must contain detailed, operational procedures that staff can follow when onboarding clients, verifying identities, and identifying suspicious activity.
Your programme becomes legally binding once your board adopts it, and you must provide a copy to AUSTRAC within 28 days of their request. The document needs enough detail that an AUSTRAC auditor could assess whether you’re complying with your own procedures, but practical enough that your team actually uses it daily instead of ignoring it as bureaucratic paperwork.
What your programme document must include
Your programme must contain two mandatory parts under section 84(3) of the Act. Part A covers your customer identification procedures, including when and how you verify identities, what documents you accept, and your processes for beneficial owner identification. Part B covers everything else: your risk assessment methodology, ongoing customer due diligence procedures, correspondent banking relationships (if applicable), employee screening and training, AML/CTF compliance officer appointment, and independent review arrangements.
Each section needs to specify who does what, when, and how. Your customer identification procedures should state which staff members can approve identity documents, what verification methods you’ll use (document verification, biometric checks, electronic data sources), and your escalation process when standard verification fails. Document your thresholds for enhanced due diligence, such as clients from high-risk jurisdictions or transactions above certain values.
"The AML/CTF programme must be appropriate to the size and nature of the reporting entity’s business." AUSTRAC Guidance Note
Include templates and checklists as appendices to your programme to ensure consistency across your team. Your AML compliance checklist for customer onboarding might include:
- Identity document collection and verification steps
- Beneficial ownership identification procedures
- Risk rating decision tree
- Enhanced due diligence triggers and procedures
- Record-keeping requirements for each client type
Board approval and version control
Your board must formally adopt your programme through a written resolution that you attach to the document. The resolution should include the date of adoption, list of directors who approved it, and confirmation that the board reviewed the programme’s contents. You can’t implement your programme until the board approves it, and any material changes require fresh board approval before taking effect.
Maintain strict version control with clear dating, version numbers, and change logs. When you update procedures based on new AUSTRAC guidance or internal audits, document what changed, why, and when the board approved the revision. Keep superseded versions archived for seven years, because regulators may need to review your historical procedures during investigations.
Step 5. Operate controls: CDD, screening, SMRs, records
Your programme document means nothing if you don’t actually operate the controls you designed. This step requires you to implement daily procedures for customer due diligence, screen clients against sanctions lists, submit suspicious matter reports when required, and maintain compliant records. Your AML compliance checklist becomes operational here, transforming from board-approved policies into the actual work your team performs every time you onboard a client or process a transaction.
Your controls must function consistently across all staff members and service lines. You can’t have some team members following proper verification procedures while others skip steps because clients are urgent or lucrative. AUSTRAC audits operational practice, not just your written procedures, which means your actual client files must demonstrate compliance every time.
Customer due diligence at onboarding
You must verify every client’s identity before providing a designated service, not after. Your CDD procedures should collect full name, date of birth, residential address, and verify these details against reliable and independent documents like passports, driver licences, or government-issued identity cards. You need to verify beneficial owners who hold 25% or more ownership or control of corporate entities or trusts.
Your CDD checklist for each new client should include:
- Identity document collection (passport, driver licence, or equivalent)
- Document verification through electronic sources or certified copies
- Beneficial ownership identification for companies, trusts, and partnerships
- Risk rating assignment based on your risk assessment criteria
- Enhanced due diligence triggers for high-risk clients (PEPs, high-risk jurisdictions, complex structures)
StackGo’s IdentityCheck integration lets you run this verification directly from your CRM, pulling contact details automatically, verifying documents against global databases, and writing outcomes back into your system without manual data entry or spreadsheet management.
"Reporting entities must verify customer identity using reliable and independent documentation, data or information." AUSTRAC Guidance
Ongoing monitoring and screening
Your obligations don’t end at onboarding. You must conduct ongoing customer due diligence throughout the relationship, screening clients against DFAT sanctions lists, monitoring transaction patterns for unusual activity, and updating client information when circumstances change. Screen your entire client base at least quarterly against updated sanctions lists and adverse media databases.
Document your monitoring procedures with specific triggers for enhanced review, such as transactions exceeding normal patterns, sudden changes in client behaviour, or services involving high-risk jurisdictions. Your monitoring checklist should specify review frequency, who conducts reviews, and escalation thresholds for suspicious matters.
Suspicious matter reports and record retention
Submit SMRs to AUSTRAC within three business days of forming a suspicion about money laundering or terrorism financing. Your suspicion must be based on reasonable grounds, not speculation, and you must document what triggered your concern. Keep complete records of all customer identification documents, transaction records, and correspondence for seven years minimum from the end of the relationship or transaction.
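The onboarding and ongoing-monitoring checklists above read as policy, but each item is also a check you can automate and audit. The script below is an added illustration, not code from this page, from StackGo or from IdentityCheck, showing how the controls in Step 5 could be expressed as plain functions: beneficial-owner identification at the 25% threshold the page states, a name screen against a sanctions list, transaction flags for the monitoring triggers the page names (activity exceeding the client’s normal pattern, high-risk jurisdictions), and the three-business-day SMR deadline. The multiplier used for "exceeds normal pattern", the jurisdiction codes, the sanctions entries and the client data are all constructed assumptions for the demo; a real deployment would screen against DFAT’s consolidated list and account for public holidays.

```python
"""Worked CDD and monitoring checks for the Step 5 controls.

Added example only; not part of the original article or the StackGo
IdentityCheck product. Values marked 'assumption' are not from the page.
"""
from datetime import date, timedelta
from statistics import mean

# Facts stated on the page
BENEFICIAL_OWNER_THRESHOLD = 0.25   # owners holding 25% or more must be verified
SMR_BUSINESS_DAYS = 3               # SMR due within three business days of suspicion

# Assumptions for the demo (not from the page)
ENHANCED_REVIEW_MULTIPLIER = 3.0    # flag amounts above 3x the client's average
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}  # placeholder codes, constructed
SANCTIONS_NAMES = {"ACME SHELL HOLDINGS LTD"}  # constructed stand-in list


def beneficial_owners(owners: dict[str, float]) -> list[str]:
    """Return owners at or above the 25% threshold, largest share first."""
    ranked = sorted(owners.items(), key=lambda kv: -kv[1])
    return [name for name, share in ranked if share >= BENEFICIAL_OWNER_THRESHOLD]


def normalise(name: str) -> str:
    """Upper-case and collapse whitespace so list matching is not defeated by formatting."""
    return " ".join(name.upper().split())


def sanctions_hits(names: list[str]) -> list[str]:
    """Return the supplied names (as given) that match the sanctions list."""
    return [n for n in names if normalise(n) in SANCTIONS_NAMES]


def flag_transactions(history: list[float], new_txns: list[dict]) -> list[dict]:
    """Flag new transactions that exceed the client's baseline or touch a high-risk jurisdiction.

    history: prior transaction amounts for this client, used as the 'normal pattern'.
    new_txns: dicts with at least 'id' and 'amount'; 'jurisdiction' is optional.
    """
    baseline = mean(history) if history else 0.0
    flagged = []
    for txn in new_txns:
        reasons = []
        if baseline and txn["amount"] > ENHANCED_REVIEW_MULTIPLIER * baseline:
            reasons.append("exceeds normal pattern")
        if txn.get("jurisdiction") in HIGH_RISK_JURISDICTIONS:
            reasons.append("high-risk jurisdiction")
        if reasons:
            flagged.append({**txn, "reasons": reasons})
    return flagged


def smr_deadline(suspicion_formed_iso: str) -> str:
    """Return the ISO date three business days after suspicion was formed.

    Weekends are skipped; public holidays are ignored (assumption for the demo).
    """
    d = date.fromisoformat(suspicion_formed_iso)
    remaining = SMR_BUSINESS_DAYS
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return d.isoformat()


if __name__ == "__main__":
    # Constructed client record for the demo
    owners = {"Alice Example": 0.40, "Bob Example": 0.35, "Carol Example": 0.25}
    print("Beneficial owners to verify:", beneficial_owners(owners))
    print("Sanctions hits:", sanctions_hits(list(owners) + ["Acme  Shell Holdings Ltd"]))
    history = [1000.0, 1200.0, 800.0]
    new_txns = [
        {"id": "t1", "amount": 1100.0, "jurisdiction": "AU"},
        {"id": "t2", "amount": 5000.0, "jurisdiction": "AU"},
        {"id": "t3", "amount": 900.0, "jurisdiction": "XX"},
    ]
    for f in flag_transactions(history, new_txns):
        print("Review:", f["id"], f["reasons"])
    print("SMR due by:", smr_deadline("2026-04-02"))
```

Each function returns a result rather than only printing it, so the same checks can be wired into a CRM workflow and their outcomes written back to the client file as the record-keeping obligation requires.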

Keep your programme working year-round
Your AML compliance checklist doesn’t finish once you’ve onboarded clients and submitted your first reports. You need to treat compliance as an ongoing operational function, not a project with an end date. Schedule quarterly board reports on compliance metrics, SMR volumes, and risk assessment updates. Run annual independent audits of your programme’s effectiveness and update procedures when AUSTRAC releases new guidance.
Your team needs regular training refreshers every 12 months minimum to maintain their understanding of obligations and identification procedures. Test your systems quarterly to verify that screening lists update correctly, monitoring rules capture unusual activity, and record retention processes archive documents properly. AUSTRAC expects continuous improvement, tracking failures and implementing fixes rather than repeating mistakes.
If you’re building your programme and need AML/CTF verification inside your existing CRM, StackGo’s IdentityCheck handles identity verification, screening, and record-keeping requirements without forcing your team to learn new software.