AML/CTF program — Part A and Part B explained

What an AML/CTF program is

A reporting entity providing a designated service is required to have, and comply with, a written AML/CTF program. This requirement is outlined in Part 7 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). To ensure compliance, entities should consider a AUSTRAC enrolment 31 March 2026 walkthrough.

The AML/CTF program’s purpose, as mandated by section 81 of the Act, is to identify, mitigate and manage the money-laundering and terrorism-financing (ML/TF) risk that the entity reasonably faces. This involves a structured approach to risk management.

The program itself is comprised of two distinct components: Part A, which is the general program, and Part B, which is the applicable customer identification program. The board (or equivalent governing body) must approve the program and review it regularly.

Part A — the general program

Part A establishes the general framework for managing money laundering and terrorism financing (ML/TF) risk. This framework is risk-based and forms the standing foundation for an entity’s ML/TF risk management program. A core component of Part A is the entity’s ML/TF risk assessment. This assessment must consider factors such as customer types, designated services, methods of delivery, and jurisdictions. AML risk-based approach (AUSTRAC) provides further information on this approach.

To address the risks identified in the assessment, Part A requires the implementation of systems and controls. These controls include transaction monitoring, employee due diligence, ongoing training, and the appointment of an AML/CTF Compliance Officer. These measures are designed to mitigate the identified ML/TF risks and ensure compliance with relevant obligations.

Part A is not a static document. It must be subject to regular independent review to ensure its effectiveness. Furthermore, the program must be reviewed and updated whenever there are changes to the entity’s business or the broader risk environment.

Part B — applicable customer identification procedures

Part B details the customer identification procedures an entity must follow prior to providing a designated service. These procedures require verification of customer identity using reliable and independent documentation or electronic data, often referred to as KYC. This identification process extends to non-individual customers, requiring identification of their beneficial owners. Beneficial ownership register Australia (proposed)

Identifying politically exposed persons (PEPs) is also a key requirement within Part B. This identification should be conducted using a risk-based approach, considering the potential for increased money laundering and terrorism financing risk.

The specific procedures outlined in Part B must be tailored to reflect the money laundering and terrorism financing (ML/TF) risk profile established in Part A. This ensures the intensity of customer identification aligns with the assessed level of risk.

Independent review and AUSTRAC oversight

Part A of an AML/CTF program must undergo regular independent review, as mandated by Part 8.6 of the AML/CTF Rules. These reviews must be conducted by individuals who are appropriately qualified and maintain independence from the activities under scrutiny. The reviews’ purpose is to assess both the design and operational effectiveness of the risk controls within the program.

AUSTRAC has the authority to require entities to implement recommendations arising from these independent reviews. This ensures that identified weaknesses are addressed and the program’s overall integrity is maintained. AUSTRAC compliance report (ACR) annual reporting provides a snapshot of compliance activity.

Failure to establish and maintain an AML/CTF program constitutes a contravention of section 81 of the AML/CTF Act. Such contraventions may result in civil penalties of up to 100,000 penalty units per instance.