If your accounting firm, legal practice, or other reporting entity is preparing for AML/CTF obligations, you’re probably wondering where to actually start. AUSTRAC recognises this, which is why they’ve published the AUSTRAC program starter kit, a collection of templates and resources designed to help small businesses build a compliant AML/CTF program from scratch.
The starter kit covers the essentials: risk assessments, customer identification procedures, ongoing due diligence, and reporting obligations. It’s free, it’s practical, and it gives you a structured framework rather than leaving you to interpret legislation on your own. For sectors like accounting and legal services that are coming under AUSTRAC’s regulatory umbrella, these resources are a critical first step toward compliance readiness.
This guide breaks down what’s included in the starter kit, how to use each component, and where the templates fit into your broader compliance workflow. We’ll also cover how tools like StackGo’s IdentityCheck can help you operationalise the identity verification requirements directly within your existing CRM, so you’re not just ticking boxes on paper, but running KYC checks as part of your actual onboarding process.
What the AUSTRAC program starter kits cover
The AUSTRAC program starter kit is a set of free resources published by AUSTRAC to help small reporting entities build and document their AML/CTF programs. Rather than handing you a blank page, the starter kit provides templates, examples, and explanations you can adapt to your specific business type, whether that is an accounting firm, legal practice, or jewellery dealer.
The starter kit does not replace legal advice, but it gives you a working structure that directly reflects AUSTRAC’s own compliance expectations.
The core documents included
AUSTRAC’s starter kit includes a risk assessment template, a customer due diligence (CDD) procedure guide, an AML/CTF program template, and a staff training checklist. Each document works as a standalone resource or as part of a complete program, so you can start with what is most urgent and build out from there.
The templates come with explanatory notes and worked examples that tell you what information to include in each section and why it matters from a regulatory standpoint. This means you are not guessing at what AUSTRAC expects to see during a compliance review.
How the templates are structured
Each template follows a logical compliance workflow: identify your business profile, assess your risks, document your controls, and assign responsibility for ongoing monitoring. The structure mirrors the four pillars of an AML/CTF program: risk assessment, customer identification and verification, ongoing due diligence, and reporting and record-keeping.
Working through the templates in order also helps you spot gaps in your current processes early, before you attempt to finalise and lodge your program with AUSTRAC.
Step 1. Confirm you provide a designated service
Before you open the AUSTRAC program starter kit and start filling in templates, you need to confirm that your business actually provides a designated service under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. This sounds obvious, but many firms skip this step and build programs around the wrong scope, which creates compliance gaps from the start.
Common designated services for accountants and lawyers
AUSTRAC’s expanded reforms bring legal practitioners and accounting firms into scope when they provide specific services. Check whether your firm provides any of the following:
- Trust and company formation or management services
- Client account management, including receiving or holding money on behalf of clients
- Buying or selling real property on behalf of a client
- Providing tax agent services involving financial transactions
- Financial services provided through a managed investment scheme
If your firm provides even one of these services, you are a reporting entity and must enrol with AUSTRAC and build a compliant AML/CTF program.
Step 2. Set up enrolment, roles, and basic governance
Once you’ve confirmed your designated services, your next task is to enrol with AUSTRAC and establish who inside your firm is responsible for AML/CTF compliance. The AUSTRAC program starter kit includes a governance template that helps you document these roles before you start drafting your full program.
Enrol through the AUSTRAC Online portal
You must enrol your business through the AUSTRAC Online portal before your compliance obligations take effect. Enrolment requires your ABN, business details, and a description of the designated services you provide. Once enrolled, you receive a reporting entity ID that you will reference throughout your program documentation.
Assign your AML/CTF compliance officer
Every reporting entity must appoint a designated compliance officer who holds formal accountability for the AML/CTF program.
Documenting this role before you finalise your program is something AUSTRAC looks for during any compliance review.
This person does not need a legal background, but they must understand your reporting obligations and have their name, role, and contact details recorded in your governance template so oversight is clearly established.
Step 3. Tailor your risk assessment to your real work
The risk assessment template in the AUSTRAC program starter kit is not a one-size-fits-all document. You must adapt it to reflect the actual services your firm provides, the clients you work with, and the jurisdictions involved. A generic risk profile will not satisfy AUSTRAC during a compliance review.
Focus on your highest-risk client types
Start by identifying which client segments carry the most exposure. For an accounting firm, this typically means clients who are politically exposed persons (PEPs), operate in high-risk industries, or transact across multiple jurisdictions. Document your reasoning for each risk rating so the logic is clear and auditable.
Your risk assessment must be a living document, so set a formal review schedule of at least annually and record it in the template itself.
Once you assign risk ratings, map them directly to the controls you plan to apply, such as enhanced due diligence for high-risk clients. This mapping ensures your program shows a clear, defensible link between the risks you identified and the responses you have put in place.
Step 4. Build CDD, screening, and EDD into onboarding
The AUSTRAC program starter kit includes a CDD procedure guide that tells you exactly what information to collect from each customer before you provide a designated service. You must verify identity before the relationship begins, not after. Document your standard CDD steps in a simple checklist so every staff member follows the same process and your compliance records stay consistent.
Know when to apply Enhanced Due Diligence
Enhanced Due Diligence (EDD) applies whenever a client falls into a high-risk category based on your Step 3 risk assessment. This means collecting additional information, such as source of funds, the purpose of the relationship, and any PEP declarations, before onboarding proceeds. Record the outcome and the staff member who approved it.
EDD is not optional for high-risk clients. It is a mandatory control that must be documented in your program and applied consistently.
| Risk Level | CDD Requirement |
|---|---|
| Low | Standard ID verification and name check |
| Medium | Standard CDD plus source of funds |
| High | Full EDD including PEP check and senior sign-off |
Step 5. Make reporting, training, and records workable
The AUSTRAC program starter kit includes a staff training checklist and a record-keeping guide that remove the guesswork from your ongoing compliance obligations. These are not administrative extras; they are mandatory program components that AUSTRAC will check during any review of your firm.
Suspicious Matter Reporting and Threshold Transactions
You must submit Suspicious Matter Reports (SMRs) to AUSTRAC whenever you form a suspicion about a transaction or client, and Threshold Transaction Reports (TTRs) for any cash transaction of $10,000 or more. Log each report in your compliance register immediately, noting the date, the staff member who filed it, and the outcome.
Keep a complete register of all reports submitted, as this demonstrates to AUSTRAC that your program is active and functioning.
Training and Record-Keeping Schedules
Set a formal annual training schedule for all staff who handle designated services, covering your CDD procedures, red flags, and reporting obligations. Store training records, customer verification files, and transaction documents for at least seven years so you can produce them quickly if AUSTRAC requests an audit. Your record-keeping register should include:
- Staff training dates and topics covered
- Customer identity verification records
- SMR and TTR submission logs
- Risk assessment review dates
Wrap up and take action
The AUSTRAC program starter kit gives your firm a real foundation to work from, covering risk assessment, CDD procedures, governance roles, reporting obligations, and staff training in a format you can adapt and submit. Working through the five steps in this guide means you are building your program in the right order, not retrofitting compliance controls after the fact.
Documenting your program is only half the job. You also need to run identity verification consistently every time you onboard a new client, and that process needs to be fast, auditable, and embedded in the tools your team already uses every day. Manual checks create gaps; integrated checks create records.
If you want to see how automated KYC verification fits inside your existing CRM or practice management software, explore IdentityCheck for AUSTRAC Tranche 2 compliance and test whether it suits your firm’s onboarding workflow.
