Program & Operations FAQ

What should an AML/CTF program include at a high level?

AUSTRAC's guidance structure shows that an AML/CTF program should cover governance, risk assessment, AML/CTF policies to manage and mitigate risk, review and update processes, independent evaluation, and record keeping. AUSTRAC also says reporting entities must make and keep records relating to their AML/CTF program, customer due diligence and designated-service transactions.

Can we use AUSTRAC templates or starter kits instead of building everything from scratch?

Yes. AUSTRAC says newly regulated entities can have an AML/CTF program either by using an AUSTRAC starter program/starter kit or by developing their own. AUSTRAC has sector starter kits for accountants, conveyancers, legal professionals, jewellers and real estate businesses.

At what point do AML/CTF obligations begin for a client?

Obligations generally begin when you start acting on instructions in relation to a transaction, not just at settlement or completion. This means compliance processes should be considered early in the engagement.

What is customer due diligence, and is it risk-based?

AUSTRAC says customer due diligence is split into initial CDD and ongoing CDD. The amount of information you collect and verify depends on the customer's money laundering and terrorism financing risk profile. AUSTRAC also says you must apply enhanced CDD in high-risk scenarios, and you may be able to apply simplified CDD in low-risk scenarios.

Do we need to identify beneficial owners?

Yes, where relevant. AUSTRAC's ownership and control guidance says determining ownership and control structures helps firms identify who the beneficial owners of their customers are for initial customer due diligence.

Who in our business needs AML/CTF training?

Anyone involved in AML/CTF-related activities must be trained. This can include employees, contractors, consultants, and even third-party service providers where relevant.

Do we need to check staff before they start AML/CTF roles?

Yes. You must conduct personnel due diligence before engagement and continue to assess suitability on an ongoing basis. This includes reviewing a person's skills, knowledge, and integrity.

Can we rely only on AUSTRAC's online training modules?

No. AUSTRAC training materials can support your program, but they cannot be relied on alone. Training must be tailored to your business, roles, and risks.

Do I need to hire a full-time compliance officer?

No. The AML/CTF Compliance Officer must be at a management level, but it can be an existing executive or owner acting in a dual capacity. What matters is that they have enough authority to oversee the program and make final compliance decisions.

What are reporting groups, and do they matter for multi-entity businesses?

AUSTRAC says reporting groups replace designated business groups from 31 March 2026. If a business currently operates in a group structure, it may need to consider whether it automatically becomes a reporting group or whether it can choose to form one.

What reports might we need to submit to AUSTRAC?

AUSTRAC says reporting entities may need to submit suspicious matter reports, threshold transaction reports, international funds transfer reports, cross-border movement reports, and annual compliance reports. Which ones apply will depend on the designated services you provide and the activity you undertake.

When do suspicious matter reports need to be lodged?

AUSTRAC says an SMR must be submitted within 24 hours of forming the suspicion if it relates to terrorism financing, or within 3 business days for other suspicions. AUSTRAC also expects your AML/CTF policies to support timely identification, review, decision-making and submission.

When is a threshold transaction report required?

AUSTRAC says a TTR is required if you provide a designated service involving the transfer of $10,000 or more in physical currency, including receiving or paying physical cash. The threshold also applies to foreign currency of the same value.

Does AUSTRAC provide examples of suspicious activity?

Yes. AUSTRAC publishes risk indicators and suspicious activity examples, particularly for sectors like real estate. These help businesses identify red flags and support reporting decisions.

Can we outsource AML/CTF work to a third party or vendor?

Yes, you can outsource tasks such as KYC, monitoring, or reporting support. However, your business remains legally responsible for compliance with AML/CTF obligations.

How long do we need to keep AML/CTF records?

AUSTRAC says proper record keeping includes creating accurate and complete records and keeping them for a specified period, usually 7 years. The records include AML/CTF program records, CDD records and transaction records related to designated services.