If you’re a reporting entity under AUSTRAC, or about to become one, you need a documented AML/CTF program template that actually holds up to regulatory scrutiny. Not a vague policy saved in a shared drive somewhere. A structured, operational program that reflects how your business identifies, mitigates, and manages money laundering and terrorism financing risks.
The problem? Most businesses don’t know where to start. AUSTRAC’s rules are detailed, the obligations are specific, and getting it wrong carries real consequences, from enforceable undertakings to civil penalties. For accounting firms preparing for the upcoming AML/CTF regime expansion, this is no longer a "nice to have."
This guide walks you through how to build a compliant AML/CTF program from scratch, covering the two mandatory parts, risk assessments, customer due diligence procedures, and ongoing obligations. We’ve also built it with practical implementation in mind, because once your program is documented, you still need to execute it efficiently. That’s where tools like StackGo’s IdentityCheck come in, letting you run identity verification and KYC checks directly inside your existing CRM without bolting on yet another platform. But first, let’s get the foundations right.
What AUSTRAC expects from an AML/CTF program
AUSTRAC requires every reporting entity to develop and maintain a written AML/CTF program tailored to the nature, size, and complexity of its business. This is not optional paperwork. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, failing to have a compliant program in place is itself a breach, regardless of whether any financial crime actually occurs. If your business provides designated services as defined by AUSTRAC, you need to get this right from day one.
The two-part structure AUSTRAC mandates
Every AML/CTF program template must address two distinct parts set out by AUSTRAC. Part A covers your business-wide risk management approach: how you identify ML/TF risks, assess customer risk, apply customer due diligence (CDD), monitor transactions, and report suspicious matters. Part B is narrower but equally mandatory: it covers employee due diligence, meaning how you screen and manage staff who could be exposed to ML/TF risks.

AUSTRAC can request a copy of your program at any time. If your program does not exist in written form, or does not reflect how your business actually operates, that is a compliance failure in itself.
Your Part A program must be approved by your board (or equivalent senior body) and must name a designated AML/CTF Compliance Officer. This person oversees program implementation and your reporting obligations. In smaller firms, this is typically the principal, practice manager, or a senior partner.
Core obligations your program must cover
Beyond the two-part structure, your program must document a specific set of obligations that match your risk exposure. These are not broad principles. They are written procedures your staff can follow consistently, and that an AUSTRAC auditor can verify against your actual operations.
Your AML/CTF program template must address each of the following areas:
| Obligation | What it covers |
|---|---|
| Customer identification and verification | KYC checks at onboarding, document verification |
| Ongoing customer due diligence | Transaction monitoring, risk re-assessment over time |
| Suspicious matter reporting (SMRs) | When and how to report to AUSTRAC |
| Threshold transaction reporting (TTRs) | Cash transactions at or above $10,000 AUD |
| Record keeping | Retention of records for a minimum of seven years |
| Staff training | Initial and ongoing AML/CTF awareness training |
| Independent review | Regular testing and audit of the program’s effectiveness |
Each area needs enough procedural detail that a new staff member, or an AUSTRAC examiner, could pick it up and understand exactly what your business does and why.
Step 1. Map your designated services and risks
Before you write a single policy, you need to know exactly which services trigger your AML/CTF obligations and what risks those services carry. Skipping this step and jumping straight into drafting procedures is the most common mistake businesses make. Your risk assessment is the foundation that every other part of your AML/CTF program template sits on, so it needs to be thorough and specific to how your business actually operates.
Confirm which designated services you provide
Your first task is to identify which of your services fall under Schedule 1 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. For accounting firms, this typically includes services like bookkeeping, payroll, and tax agent services depending on what the expanded regime covers, but you need to check your specific service list against AUSTRAC’s guidance. Document each designated service by name, describe how it is delivered, and record which clients or client types receive it.
If you are unsure whether a specific service is designated, seek legal advice before proceeding. Incorrectly classifying your services is a compliance risk in itself.
Score your ML/TF risk exposure
Once you have your service list, assess the money laundering and terrorism financing risk each one carries. Consider four factors: customer type, delivery channel, product or service complexity, and geography. Use a simple scoring matrix to record your findings.
| Risk factor | Low | Medium | High |
|---|---|---|---|
| Customer type | Domestic individuals | Businesses | PEPs or high-risk jurisdictions |
| Delivery channel | Face to face | Online | Third-party intermediaries |
| Transaction volume | Low frequency, small amounts | Mixed | High frequency or large amounts |
| Geography | Australia only | Mixed | FATF-listed countries |
Rate each service across all four factors and assign an overall inherent risk rating. This rating drives how much due diligence you apply at onboarding and throughout the client relationship.
Step 2. Build your AML/CTF program template
With your risk assessment complete, you can now draft the actual document. Your AML/CTF program template should follow the two-part structure AUSTRAC mandates, but treat it as a working operational manual rather than a policy document no one consults. Write it in plain language, reference your specific services and systems, and make sure every procedure reflects what your business actually does day to day.
Your program must describe real procedures, not aspirational ones. If your written program says staff will verify identity on day one of onboarding but your actual process happens a week later, you have a compliance gap.
Structure Part A: Business-wide risk management
Part A is the core of your program and should follow a logical order that mirrors your client lifecycle. Use the structure below as your working template:
| Section | What to document |
|---|---|
| 1. Business overview | Entity name, ABN, designated services, compliance officer details |
| 2. ML/TF risk assessment | Risk ratings per service from Step 1 |
| 3. Customer identification | KYC procedures, acceptable documents, verification steps |
| 4. Ongoing CDD | Triggers for re-verification, transaction monitoring approach |
| 5. Reporting | SMR and TTR procedures, who is responsible |
| 6. Record keeping | What is retained, where, and for how long |
| 7. Training | Frequency, delivery method, attendance records |
Structure Part B: Employee due diligence
Part B documents how you screen the people who deliver your designated services. For each role with AML/CTF exposure, record the checks you run at hiring and throughout employment, including criminal history checks and reference verification.
Also document what happens if a staff member fails screening or behaves in a way that raises concern. Include a short escalation procedure covering who is notified, what is recorded, and whether the matter triggers an SMR to AUSTRAC.
Step 3. Set up CDD, monitoring and reporting
Your customer due diligence (CDD) procedures and reporting obligations are where your AML/CTF program template becomes operational. This step turns your risk ratings from Step 1 into specific actions your team takes at onboarding and throughout the client relationship. Document each procedure in enough detail that any staff member can follow it without guessing.
Customer due diligence procedures
CDD is not a single check at onboarding. It is a continuous process that adjusts based on your client’s risk rating. For standard-risk clients, you verify identity at the start and review if circumstances change. For high-risk clients, including politically exposed persons (PEPs) or clients from high-risk jurisdictions, you apply enhanced due diligence, which means additional verification, senior sign-off, and more frequent re-assessment.

Document your enhanced CDD triggers explicitly so staff apply them consistently, not just when they happen to notice a flag.
Use this table to structure your CDD procedures by risk tier:
| Risk tier | ID verification | Ongoing review | Senior approval required |
|---|---|---|---|
| Low | Standard documents | Annually or on change | No |
| Medium | Standard documents | Six-monthly | No |
| High | Enhanced documents and source of funds | Quarterly | Yes |
Transaction monitoring and reporting
Your program must set out how you monitor client activity for unusual patterns and what happens when something triggers a concern. Define your monitoring frequency, assign responsibility to a named role, and document your escalation path clearly.
For suspicious matter reports (SMRs), your procedure should specify who makes the final decision, the timeframe for lodging with AUSTRAC, and how you record the outcome internally alongside the reasoning behind it.
Step 4. Approve, train, test and review the program
Once your AML/CTF program template is drafted, it does not become live until your board or equivalent senior body formally approves it in writing. Record the approval date, the names of approvers, and the version number. Store this sign-off alongside the program document itself so you can produce both instantly if AUSTRAC requests them.
Get board sign-off and assign ownership
Your compliance officer must present the program to your board and walk through each obligation. The board is not just rubber-stamping the document. They are accepting accountability for it. Document the outcome in your board minutes, and confirm your named compliance officer accepts responsibility for day-to-day implementation.
Train your staff before going live
Training is a mandatory obligation, not an optional follow-up task. Every staff member with exposure to designated services must complete AML/CTF training before they interact with clients under your program. Record who completed training, on what date, and what the training covered.
A staff member who has not been trained is a compliance gap, even if your written procedures are perfect.
Use a simple log to track completion:
| Staff member | Role | Training date | Next review due |
|---|---|---|---|
| Example: Jane Smith | Client manager | 01/07/2026 | 01/07/2027 |
Test and audit the program independently
AUSTRAC expects you to conduct independent reviews of your program at regular intervals, typically annually or after a significant business change. The reviewer must be independent from the compliance officer role. Your audit should test whether staff are following written procedures and whether those procedures still match your actual risk exposure. Document all findings and update the program accordingly.

Keep your program current
An AML/CTF program is not a one-time document. Your business, client base, and regulatory environment will all change, and your program must change with them. AUSTRAC expects you to review and update your AML/CTF program template whenever your risk exposure shifts, whether that is a new service, a new client segment, or an update to AUSTRAC’s guidance or rules.
Set a formal review schedule in writing, typically annual at minimum, and assign a named person to own that process. When a review identifies gaps or outdated procedures, update the document, get board sign-off on the revised version, and retrain any affected staff before the changes take effect. Keep a version history so you can show AUSTRAC exactly what changed and when.
If you are ready to put efficient, integrated identity verification behind your program, explore how IdentityCheck supports AUSTRAC Tranche 2 compliance directly inside your existing software.







