Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Australia’s AML/CTF laws are changing, and many small businesses that have not previously been regulated may soon have new compliance obligations.
From 1 July 2026, Tranche 2 businesses that provide certain designated services may need to enrol with AUSTRAC, conduct customer due diligence, update internal processes, keep records and report certain matters. This may include businesses in sectors such as legal services, accounting, real estate, trust and company services, and precious metals and stones - but only where they provide designated services. Home Affairs confirms that new obligations for Tranche 2 entities providing new designated services apply from 1 July 2026, with enrolment available from 31 March 2026.
This checklist is designed to help small businesses take practical first steps: checking whether they are captured, reviewing onboarding, updating client documents, training staff, setting up record keeping and knowing when to involve AML/CTF specialists.
1. Check whether your business is captured
The first step is to work out whether your business provides a designated service.
The AML/CTF regime does not apply to every business in a particular industry. It applies where a business provides specific regulated services that have the required geographical link to Australia.
Action step: list each service your business provides and compare it against AUSTRAC’s designated services guidance.
For example, a business that only provides general information may be in a different position from one that handles client money, assists with property transactions, sets up companies or trusts, arranges nominee services, or facilitates certain high-value transactions.
2. Map your client journey
Once you know which services may be captured, map how clients move through your business.
This should include first enquiry, quote or proposal, onboarding, identity checks, service delivery, payment, record keeping and ongoing client management. For ongoing services, it should also include renewals, changes in client details and when the relationship ends.
Action step: identify where AML/CTF checks need to occur before a service is provided.
For many small businesses, this will be one of the biggest practical changes. The client journey may need to allow time to collect information, verify identity, review beneficial ownership and assess whether the matter is higher risk.
3. Review your onboarding process
Client onboarding will usually need to collect more than basic contact details.
Depending on the business and service, you may need to collect and verify information about the client, people acting on behalf of the client, beneficial owners, controllers, directors, trustees, beneficiaries or other relevant parties.
You may also need to understand the purpose of the service: for example, why a company or trust is being created, why a nominee arrangement is being used, why a property transaction is structured in a particular way or why a client is using a particular payment method.
Action step: update onboarding questions so they help you identify the client, understand who is behind the client, and assess whether the service creates higher AML/CTF risk.
The level of enquiry should be risk-based. A straightforward local client may require a simpler process than a client involving complex structures, overseas parties, high-risk jurisdictions, nominee arrangements or inconsistent information. Home Affairs describes customer due diligence as involving identifying and verifying customers and certain associated persons, understanding risks and taking steps to mitigate those risks.
4. Update your client-facing documents
AML/CTF compliance should be reflected in your legal documents.
Your service terms, engagement letters, client agreements or website terms should give your business the right to request information, verify identity, conduct checks, delay work, refuse instructions or stop providing services where required.
Your documents should also make it clear that clients must provide accurate and up-to-date information. If your business provides ongoing services, the client should be required to notify you if relevant details change.
Privacy documents may also need updating. AML/CTF compliance can involve collecting personal information such as identity documents, dates of birth, residential addresses, beneficial ownership information, screening results and information about the purpose of a transaction or structure.
Action step: review your service terms, privacy policy, collection notices, engagement letters and onboarding forms to check whether they support your AML/CTF process.
5. Appoint someone responsible for AML/CTF compliance
Small businesses should decide who will be responsible for AML/CTF compliance.
This person may be a founder, director, operations manager or another suitable person in the business, depending on the size and structure of the organisation. The role should not be treated as a title only. The person responsible should understand the business’s AML/CTF risks, oversee procedures, make sure staff know what to do and know when to escalate issues or seek specialist advice.
AUSTRAC’s transitional rules give newly regulated businesses additional time to notify AUSTRAC of their AML/CTF compliance officer - by the later of 14 days after enrolment or 29 July 2026.
Action step: choose who will own AML/CTF compliance internally, and make sure they have the authority and support to implement changes.
6. Create or update internal AML/CTF procedures
A captured business will generally need an AML/CTF program that is appropriate for its size, services and risk profile. AUSTRAC’s Tranche 2 factsheet says reporting entities will need to enrol, develop and maintain an AML/CTF program, conduct customer due diligence, monitor relationships, report certain matters and keep records.
The goal is not to copy a bank’s compliance framework. For small businesses, the process should be practical, proportionate and matched to the services and risks of the business.
Action step: create simple internal procedures covering what information staff collect, when checks are completed, how risk is assessed, who reviews higher-risk matters and when the business should pause or refuse a service.
The aim is to make AML/CTF compliance part of everyday operations, rather than a policy that sits in a folder and is never used.
7. Train staff on red flags and escalation
Staff need to know what to do when something does not look right.
This does not mean every staff member needs to become an AML specialist. However, staff who onboard clients, handle enquiries, deliver services or manage ongoing client relationships should understand the basics of the business’s AML/CTF process.
Action step: train relevant staff on when checks are required, what information must be collected, what red flags to look for and who to escalate concerns to.
Common red flags may include clients refusing to provide information, giving inconsistent explanations, using unnecessarily complex structures, involving high-risk jurisdictions, asking to avoid ordinary checks or applying unusual urgency.
8. Set up record keeping systems
Record keeping should be considered early, not left until after checks are complete.
Businesses should decide where AML/CTF records will be stored, who can access them, how long they will be kept and how they will be protected. Records may include identity documents, verification results, beneficial ownership information, risk assessments, decisions about higher-risk matters, staff training records and copies of reports or compliance actions.
Action step: set up a secure system for storing AML/CTF records before new onboarding processes go live.
This should also be linked to privacy and data security. AML/CTF records may include sensitive personal and commercial information, so businesses should avoid collecting more information than they need and should make sure records are stored securely.
9. Plan for ongoing monitoring
AML/CTF compliance does not always end after the initial onboarding stage.
If your business provides ongoing services, you may need to refresh client information or reassess risk when something changes. This could include changes to ownership or control, new directors or trustees, new jurisdictions, unusual instructions, adverse information or a change in the nature of the client relationship.
Action step: decide what events will trigger a review of client information or risk rating.
Ongoing monitoring does not need to be overly complicated for every small business. The key is to have clear triggers for when information should be reviewed and who is responsible for doing that review.
10. Know when to involve AML/CTF specialists
Some tasks can be handled through legal document updates, clear internal processes and staff training. Other tasks may require specialist AML/CTF advice.
A small business should consider involving AML/CTF specialists where it is unclear whether the business is captured, where the business provides higher-risk services, where there are complex ownership structures, where clients are based overseas, where nominee or trust arrangements are common, or where the business needs help building a formal AML/CTF program.
Specialist input may also be useful when choosing verification tools, setting up risk assessment frameworks, dealing with suspicious matter reporting, or preparing for AUSTRAC engagement.
Action step: separate legal document work from specialist AML/CTF work. Service terms, privacy policies, onboarding forms and client notices may need legal review, while AML/CTF program design, risk methodology and reporting processes may require AML/CTF specialist input.
11. Put a timeline in place
Businesses should avoid leaving AML/CTF preparation until the last minute.
Newly regulated Tranche 2 entities will be able to enrol with AUSTRAC from 31 March 2026, and new obligations will apply from 1 July 2026 for those providing new designated services.
Action step: work backwards from 1 July 2026 and set dates for service mapping, document updates, staff training, record keeping and specialist review.
Key takeaway
If your business may be affected by the new AML/CTF laws, now is a good time to review your services, onboarding process, client documents, staff procedures and record keeping systems.
If you would like a consultation on complying with the AML laws, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.






