Part A vs Part B AML/CTF Program: What Every Law Firm Needs to Know

Published 30 April 2026

by Tranche Compliance Team, AML/CTF Compliance Specialists


Key takeaways

  • Part A covers internal governance — risk methodology, AMLRO appointment, staff training, and annual review obligations.
  • Part B covers client-facing procedures — identity verification, enhanced due diligence, ongoing monitoring, and record-keeping.
  • AUSTRAC auditors review both parts independently; a deficiency in either is a separate contravention.
  • The two parts must be internally consistent — risks identified in Part A must be addressed by procedures in Part B.
  • Civil penalties for incomplete documentation reach $23 million per contravention for corporate entities.

The Two-Part Structure of an AML/CTF Program

When AUSTRAC auditors review a reporting entity's compliance posture, one of the first things they check is whether the firm's AML/CTF program — which is now a legal requirement for lawyers, conveyancers, and real estate agents under the Part A and Part B AML/CTF program framework — is properly bifurcated into its two distinct components. These are not formatting conventions; they reflect genuinely different regulatory functions, and the AML/CTF Act treats them differently.

Part A governs internal governance and risk management. It answers the question: how does your firm, as an organisation, manage its AML/CTF obligations? Part B governs customer due diligence. It answers a different question: how do you, as a firm, assess and verify each individual client you engage?

The distinction matters because AUSTRAC can find a deficiency in one part without finding a deficiency in the other. A firm might have excellent customer verification procedures (strong Part B) but inadequate internal governance — no annual review, no meaningful AMLRO oversight (weak Part A). That is still a contravention. Similarly, a firm with a well-documented governance framework that fails to apply appropriate due diligence to individual high-risk clients will have a Part B deficiency even if Part A is pristine.

Part A: What It Must Document

Part A is your firm's enterprise-level compliance framework. The AML/CTF Rules prescribe the minimum content, and every element must be present and substantive — not merely referenced.

The program must document the risk assessment methodology your firm uses to evaluate its exposure to money laundering and terrorism financing risk. This is not a static risk matrix; it is a methodology — an explanation of how your firm identifies, weighs, and responds to different risk factors across your client base, services, and operating environment. The actual risk assessment output — your conclusions about your firm's risk level — flows from applying this methodology.

Part A must also document your employee due diligence procedures. Before engaging or promoting a staff member into a role with AML/CTF responsibilities, you must verify their fitness and propriety. This does not require a formal criminal history check in all cases, but it does require a documented, consistently applied screening process.

The AMLRO appointment must be documented in Part A. The AMLRO — Anti-Money Laundering Reporting Officer — must be a senior person within the firm, with sufficient authority to receive internal reports, make filing decisions, and escalate concerns to management. A junior accounts clerk cannot meaningfully hold this role, regardless of their job title.

Your staff training program must also be documented: what training is delivered, at what frequency, who must complete it, and how completion is recorded. AUSTRAC has penalised firms that had a nominal training policy but no records of training actually being delivered. Annual training is the minimum standard for staff in AML/CTF-sensitive roles.

Finally, Part A must document your independent review arrangement. At least annually, an independent reviewer — internal or external, but genuinely independent of the day-to-day compliance function — must assess whether your program remains fit for purpose. The review findings must be documented and considered by senior management.

Part B: What It Must Document

Part B is your client-facing due diligence framework. It must be specific enough that any staff member, presented with a new client engagement, can follow it and arrive at a compliant outcome.

Customer identification and verification is the centrepiece of Part B. The program must specify which customers require identification, what information must be collected (for individuals: full name, date of birth, residential address; for companies: ACN or equivalent, registered address, beneficial ownership structure), what documents or data sources are acceptable for verification, and when verification must be completed relative to the commencement of service.

For most law firms and conveyancers, identification must occur before the commencement of the designated service — not midway through a matter, and certainly not at settlement. The Part B program should make this timing requirement explicit, because staff who are under time pressure will default to whatever the document says unless it is unambiguous.

Enhanced due diligence procedures must also be documented. Not every client represents the same risk. Politically exposed persons — individuals who hold or recently held prominent public positions — require additional scrutiny. Clients with complex or opaque ownership structures (trusts within trusts, offshore entities) require additional scrutiny. Clients from high-risk jurisdictions as designated by AUSTRAC require additional scrutiny. Part B must explain what "additional scrutiny" means in practice: what additional information is collected, who approves the engagement, and how the decision is documented.

Ongoing transaction monitoring procedures must be documented: how frequently you review existing client relationships for changes in risk profile or unusual activity, and what triggers a re-verification of identity. For a conveyancing firm handling one-off transactions, this is relatively straightforward. For a law firm with long-term client relationships, the ongoing monitoring obligation requires more deliberate design.

Record-keeping requirements must be explicit: what records are created, in what format, where they are stored, and for how long (the minimum is seven years from the end of the customer relationship or the transaction date, whichever is later).

Generate your Part A and Part B program with Tranche

Generate your compliant AML/CTF program manual in under 30 minutes — no compliance lawyer required.

Get started with Tranche

How Part A and Part B Interact

Part A and Part B are not independent documents that sit in separate folders. They are designed to interact. Part A establishes the risk environment within which Part B procedures operate; Part B puts into practice the risk appetite and control philosophy articulated in Part A.

For example, if your Part A risk assessment concludes that your firm has a high proportion of clients with complex beneficial ownership structures, your Part B enhanced due diligence procedures should directly reflect that — specifying how beneficial ownership is verified and documented, who approves complex-ownership engagements, and what records are retained. If Part A says the firm is high-risk in a particular area but Part B has no procedures that address that area, the program is internally inconsistent and will be treated as deficient.

AUSTRAC auditors are trained to read both parts together. An inconsistency between them — where Part A acknowledges a risk that Part B ignores — is as problematic as a gap in either part in isolation. The program must present a coherent, end-to-end picture of how your firm identifies risk and then manages it at the client level.

This interconnection also applies to updates. When your annual Part A review identifies a new or elevated risk — say, an increase in foreign national clients — your Part B must be updated to address it. An annual review that produces findings but no consequent changes to Part B procedures does not demonstrate genuine compliance improvement.

Consequences of Incomplete Documentation

AUSTRAC's civil penalty regime is calibrated to deter non-compliance, not merely punish it after the fact. For corporations, civil penalties can reach $23 million per contravention. For individuals — which can include individual solicitors, conveyancers, or real estate agents operating under their own licence — penalties are lower but still material, and the reputational consequences are severe.

An incomplete or deficient AML/CTF program is not treated as a minor administrative failing. AUSTRAC has demonstrated in its enforcement actions that it treats documentation deficiencies as evidence of systemic governance failure, not paperwork oversight. The December 2025 civil actions against Castra and Princeton — both of which involved allegations of inadequate AML/CTF frameworks — illustrate that AUSTRAC is actively using its expanded enforcement powers.

Beyond civil penalties, a finding of non-compliance can trigger a formal remediation direction, requiring the firm to engage an AUSTRAC-approved independent auditor at its own expense. Persistent non-compliance can result in the suspension or cancellation of the firm's AUSTRAC enrolment — which effectively prohibits it from providing designated services.

For law firms, there is an additional layer of risk: the relevant state Legal Services Commissioner or Law Society can use an AUSTRAC finding as the basis for a conduct investigation, potentially affecting a solicitor's practising certificate.

How Tranche Generates Both Parts

Tranche's wizard is structured to capture the specific inputs needed for both Part A and Part B simultaneously, without requiring the user to understand the regulatory architecture in advance. The wizard's risk assessment step feeds directly into Part A's documented methodology. The policies step populates Part B's procedures. The AMLRO appointment step completes the governance documentation Part A requires.

The output is a single PDF manual that contains both parts, clearly delineated, with all required elements present. The document references the AML/CTF Act and Rules with appropriate specificity, so it reads as a genuine compliance document rather than a generic policy template. AUSTRAC enrolment details, AMLRO name and authority, and firm-specific risk conclusions are incorporated throughout.

Because the generation process is guided and structured, it is also auditable. Tranche stores the inputs that produced the document, so if AUSTRAC asks when a particular policy decision was made or what information it was based on, that record exists. The manual includes a generation timestamp and version number, supporting the firm's obligation to demonstrate that its program has been maintained over time.
