From 1 July 2026, every Australian accounting practice providing designated services must have a written AML/CTF program in place. This is not optional — and it must be approved by a senior manager before you provide your first designated service.
The good news is that for most small practices this does not need to be complex or expensive. This guide explains exactly what your program must cover, how to structure it, and how to get it done before the deadline.
An AML/CTF program is a set of written documents covering how your firm identifies, assesses, and manages money laundering and terrorism financing risks. It consists of Part A (your internal controls and governance) and Part B (your client due diligence procedures). It must be completed and approved by a senior manager before 1 July 2026. Free templates are available at simpleaml.com.au/templates.html.
What Is an AML/CTF Program?
Your AML/CTF program is your firm's documented framework for managing the risk that your services could be misused for financial crime. It is the central document of your compliance obligations — everything else flows from it.
Under the AML/CTF Act, your program must be:
- Written and formally documented — verbal policies do not satisfy the requirement
- Approved by a senior manager before you provide any designated service
- Kept up to date and reviewed regularly — at minimum annually
- Available to AUSTRAC if requested — this is your primary evidence of compliance
"Your AML/CTF program is what an AUSTRAC auditor will ask to see first. It is your proof that you take these obligations seriously."
Part A and Part B — What's the Difference?
The program is structured in two parts. Both are required.
Part A (internal controls and governance)
- Your firm's ML/TF/PF risk assessment
- Governance structure and responsibilities
- AMLCO appointment and fit & proper assessment
- Staff training policy and register
- Staff vetting procedures
- Record keeping obligations
- Program review and independent evaluation
- Suspicious matter and threshold transaction reporting
Part B (client due diligence procedures)
- Client identification and verification procedures
- Standard CDD requirements
- Enhanced CDD for high-risk clients
- Simplified CDD in low-risk circumstances
- Beneficial owner identification
- PEP and sanctions screening procedures
- Ongoing monitoring of client relationships
- Correspondent relationships (if applicable)
Step-by-Step: How to Create Your Program
What Must Be in Your Program
1. Firm Risk Assessment
A documented assessment of your firm's exposure to ML/TF/PF risk across your designated services, client types, geographic exposure, and delivery channels. Each dimension must be rated Low, Medium or High with a written narrative. See our guide: How to complete your AML/CTF firm risk assessment.
2. Appoint an AMLCO
Your program must identify your AML/CTF Compliance Officer — the person responsible for day-to-day oversight of your compliance obligations, including filing Suspicious Matter Reports. For sole practitioners this will typically be yourself. The AMLCO must meet AUSTRAC's fit and proper person requirements.
3. Client Due Diligence Procedures
Written procedures for how you will identify and verify clients before providing designated services. This includes standard CDD for most clients, enhanced CDD for high-risk clients (such as PEPs, clients from high-risk jurisdictions, or clients with complex structures), and your criteria for when simplified CDD applies.
4. Ongoing Monitoring
How often will you review each client's risk rating? What will trigger an out-of-cycle review? Your program must document your monitoring approach — and your client risk reviews must be completed and recorded.
5. Staff Training
Your program must include a training policy covering who must be trained, how often, and on what topics. All staff with AML/CTF responsibilities must complete training before commencing those duties. Training completions must be logged and records kept for seven years.
6. Staff Vetting
Before appointing anyone to an AML/CTF role, you must conduct personnel due diligence — verifying their identity, checking for relevant criminal history, and assessing their fitness for the role. This applies to your AMLCO, reporting officer, and any staff conducting client CDD.
7. Suspicious Matter Reporting
Your program must include clear procedures for identifying and reporting suspicious matters to AUSTRAC. An SMR must be filed within 24 hours for suspected terrorism financing, or within three business days for other suspicious matters. Tipping off a client that an SMR has been filed is a criminal offence.
8. Record Keeping
All AML/CTF records — CDD documentation, training logs, risk assessments, program documents — must be retained for a minimum of seven years. Your program must document how and where these records are stored.
Senior Manager Approval — What This Means
AUSTRAC requires your program to be approved by a senior manager — defined as someone with authority to make decisions about how the firm operates. For most small practices, this is the principal or managing partner.
Approval must be:
- In writing — a signed declaration or signature block in the document itself
- Dated — the date of approval must be recorded
- Completed before 1 July 2026 — not after you start providing designated services
- Recorded in your compliance evidence — SimpleAML stores this as part of your audit trail
Don't leave this until June. Allow at least 2–4 weeks to work through the templates, complete your risk assessment, conduct staff vetting, log training, and get senior manager sign-off. If you are a sole practitioner, you still need to work through each section genuinely — a blank template with a signature does not satisfy the requirement.
Keeping Your Program Up to Date
Your AML/CTF program is not a one-time exercise. AUSTRAC expects it to be a living document reviewed regularly. You must update it when:
- You start offering a new designated service
- Your client base changes significantly
- There is a change in your AMLCO or other key compliance roles
- AUSTRAC publishes updated guidance or sector risk assessments
- A suspicious matter arises suggesting your controls need strengthening
At minimum, review and re-approve your program annually. Every 3 years you must also commission an independent evaluation of your program under s.159 of the AML/CTF Act — your first evaluation will be due around 2029.
Generate your Compliance Report after enrolment. Once your program is approved and you have enrolled with AUSTRAC, generate your SimpleAML Compliance Report and save it as a PDF. This is your baseline evidence record — proving your program was in place from 1 July 2026 with your AUSTRAC Entity ID included.
Free Templates
SimpleAML provides five free templates for Australian accounting practices, covering everything your program needs:
- AML/CTF Program — Part A (Internal Controls & Governance)
- AML/CTF Program — Part B (Customer Due Diligence)
- Firm Risk Assessment
- Staff Training Policy
- SMR & TTR Procedure
Download all five templates free at simpleaml.com.au/templates.html.