What Is an AML/CTF Program — and How Do You Write One?
Published 28 April 2026
by Tranche Compliance Team, AML/CTF Compliance Specialists
Key takeaways
- Every Australian law firm, conveyancer, and real estate agent must have a documented AML/CTF program from 1 July 2026 — regardless of firm size.
- Programs must be genuinely tailored to your firm — generic templates do not satisfy AUSTRAC.
- Two mandatory parts: Part A (internal governance and risk methodology) and Part B (customer due diligence procedures).
- The program must be reviewed and updated at least annually, or whenever a material change occurs in your business.
- AUSTRAC can request your program at any time without prior notice — it must be immediately producible.
What Is an AML/CTF Program?
An AML/CTF program is a documented compliance framework that every reporting entity must establish, implement, and maintain under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). For firms searching for an Australian AML/CTF program template, the critical starting point is understanding that a template alone is insufficient: the program must be tailored to your firm's specific business activities, risk profile, and client base.
The program serves two interlinked purposes. First, it demonstrates to AUSTRAC that your firm has assessed the money laundering and terrorism financing risks inherent in your practice. Second, it establishes the internal controls and procedures your staff must follow to detect, prevent, and report suspicious activity. A program that exists only on paper — never reviewed, never trained on, never tested — will not satisfy AUSTRAC in an audit.
The obligation to maintain an AML/CTF program is not new for providers of designated services such as financial institutions and gambling operators. What is new, effective 1 July 2026, is that lawyers, conveyancers, and real estate agents are now included. For most small-to-medium professional services firms, this is the first time they have faced a mandatory, regulator-auditable compliance framework of this scale.
Who Must Have an AML/CTF Program?
Under the Tranche 2 reforms, any firm that provides a "designated service" as defined by the amended AML/CTF Act must enrol with AUSTRAC and maintain a compliant program. For the legal and property sectors, this captures a broad range of activities.
Law firms and barristers' chambers must comply if they provide services relating to property transactions, managing client funds, company formation, or trust and estate administration. Conveyancers are captured directly, as property settlement is explicitly a designated service. Real estate agents must comply when they facilitate the purchase or sale of real property — which is, of course, their core business.
The threshold is not based on firm size or revenue. A sole-practitioner conveyancer conducting five settlements a year has the same obligation as a 200-partner national law firm. The only meaningful distinction is that larger firms face higher maximum penalties, because the civil penalty framework scales with firm size and the nature of the contravention.
Enrolment with AUSTRAC is a prerequisite, and failure to enrol is itself a separate offence. Firms that have not yet enrolled should treat that as the most urgent first step, before focusing on the program documentation itself.
What Must an AML/CTF Program Contain? Part A and Part B
The AML/CTF Act requires that the program consist of two distinct parts: Part A and Part B. These are not interchangeable or combinable — they serve different functions, and AUSTRAC auditors review them separately.
Part A is the overarching governance framework. It must document your firm's risk assessment methodology, the structure of your internal compliance function (including the appointment of an Anti-Money Laundering Reporting Officer, or AMLRO), your employee due diligence procedures, your ongoing training program, your independent review schedule, and how senior management is accountable for AML/CTF compliance. Part A is, in essence, the "how we run our compliance function" document.
Part B is the customer-facing operational framework. It must document your customer identification and verification procedures — commonly called Know Your Customer (KYC) — your enhanced due diligence procedures for high-risk clients such as politically exposed persons (PEPs) and complex trust structures, your ongoing customer monitoring procedures, and your record-keeping policies. Part B is the "how we deal with each client" document.
Both parts must be reviewed and updated at least annually, or whenever there is a material change to your business activities, risk environment, or the regulatory framework. A program written in 2026 that has never been touched by 2028 will be treated sceptically by AUSTRAC and taken as evidence of inadequate governance.
How to Write an AML/CTF Program
Writing a compliant AML/CTF program begins with a risk assessment. Before you can document what controls you will apply, you must assess the inherent risk levels in your practice: What types of clients do you serve? What jurisdictions are involved? What transaction structures do you facilitate? What delivery channels do you use — in-person, remote, or both?
The risk assessment is not a bureaucratic formality. It is the analytical foundation on which every subsequent control decision rests. A firm that primarily assists elderly clients with straightforward residential conveyances in metropolitan Australia has a materially different risk profile from a firm that advises high-net-worth foreign nationals on commercial property acquisitions via discretionary trusts. The controls in each firm's program should reflect those differences.
Once the risk assessment is complete, you translate its findings into policies and procedures for both Part A and Part B. Each policy must be specific enough to guide staff behaviour in practice. Phrases like "we will verify client identity as required by law" are insufficient — the program must specify which documents are accepted, in what circumstances enhanced due diligence is triggered, who authorises exceptions, and what records must be retained and for how long.
The program must then be approved by senior management or the board, all relevant staff must be trained on it, and it must be stored where it can be produced in response to an AUSTRAC information request. AUSTRAC can request your program at any time, including without formal notice of an audit.
Common Mistakes Firms Make
The most pervasive mistake is using a generic template without customisation. AUSTRAC has made clear in its published guidance and enforcement actions that boilerplate programs, where the firm name has been substituted into a document that is otherwise identical to those of dozens of other firms, do not satisfy the requirement for a program that reflects the firm's own risk assessment. The program must be genuinely tailored.
The second most common mistake is treating the program as a one-off exercise. Firms draft something in year one, file it away, and never return to it. Without annual reviews, the program becomes stale — it may reference staff who have left, procedures that have changed, or risks that have evolved. Annual review is not optional; it is explicitly required by the Act.
A third mistake is failing to appoint a qualified AMLRO. The role carries real responsibilities: receiving and reviewing internal suspicious matter reports, making determinations on whether to file with AUSTRAC, and maintaining oversight of the firm's overall AML/CTF posture. Appointing a junior staff member with no authority or resources to carry out those functions does not satisfy the requirement.
Finally, many firms underestimate the record-keeping obligations. Every customer identification record, every transaction monitoring decision, and every suspicious matter report — filed or not filed — must be retained for seven years. That means structured, retrievable records, not ad hoc notes in a matter file.
How Tranche Automates Program Generation
Tranche's compliance wizard guides your firm through a structured five-step process that captures all information needed to generate both Part A and Part B of your AML/CTF program. Each step is built around the specific regulatory requirements — not a generic policy framework — so the output is a document that speaks directly to AUSTRAC's expectations for Tranche 2 entities.
Step one collects your firm's details: name, ABN, AUSTRAC Reporting Entity ID, and licence type. Step two walks through a risk assessment that mirrors AUSTRAC's own risk methodology, covering client risk, product/service risk, and geographic risk. Step three documents your policies across all required areas. Step four captures your AMLRO appointment and governance structure. Step five generates a PDF manual that is immediately usable as your documented program.
The generated manual is stored in your Tranche account with a version history, so you can demonstrate to AUSTRAC that your program has been maintained and updated over time. Annual review reminders are built in. The entire process typically takes under 30 minutes for a firm that has already gathered its AUSTRAC enrolment details and thought through its client risk profile.