AML/CTF Compliance In Australia: What Businesses Must Know

By Alex Solo, 9 min read

Criminals are constantly looking for ways to move and disguise money. That’s why Australia has strict anti-money laundering and counter-terrorism financing (AML/CTF) laws that certain businesses must follow.

If you offer “designated services” - from financial products to remittance, digital currency exchange, gaming, bullion or wagering - you’re likely a “reporting entity” under the AML/CTF Act 2006. That triggers real obligations, from verifying customer identity to reporting suspicious activity to AUSTRAC.

The good news? With a practical plan, the right documents and ongoing training, AML/CTF compliance can be manageable. In this guide, we’ll unpack who the AML/CTF regime applies to, what an AML/CTF program must include, your key reporting obligations and the everyday steps that will keep you compliant as you grow.

What Is AML/CTF And Why Does It Matter?

AML/CTF is Australia’s legal framework to prevent money laundering (disguising the origin of criminal proceeds) and terrorism financing (funding terrorist acts or organisations). The regime is administered by AUSTRAC - the Australian Transaction Reports and Analysis Centre.

In practice, AML/CTF compliance is about knowing who you’re dealing with, spotting unusual activity and having systems that make it hard for criminals to exploit your business. It’s also about reporting red flags to AUSTRAC so authorities can act quickly.

Beyond avoiding fines and enforcement, strong AML/CTF controls protect your brand. They build trust with customers, investors and partners - and they help your team make good risk decisions day to day.

Does AML/CTF Apply To My Business?

AML/CTF obligations apply to “reporting entities” that provide “designated services” with a geographical link to Australia. Common examples include:

  • Financial services (e.g. opening accounts, taking deposits, loans, issuing a stored value card)
  • Money remittance and payment services
  • Digital currency exchanges (exchanging crypto for fiat and vice versa)
  • Gambling and wagering services
  • Bullion dealers
  • Some superannuation and managed investment services

If you operate in or adjacent to these sectors, assess your services against the AML/CTF Rules to determine if you’re a reporting entity. If you are, you must enrol with AUSTRAC and put an AML/CTF program in place before you start providing designated services.

For example, if your business plans on accepting cryptocurrency payments or launching a digital currency exchange, AML/CTF obligations will almost certainly apply, and they kick in early.

What Must Be In An AML/CTF Program?

Your AML/CTF program is the blueprint for how your business manages money laundering and terrorism financing risk. It’s usually divided into two parts.

Part A: Risk Management And Governance

Part A covers your organisation-wide controls. It should be tailored, documented and approved by your board or senior management. It generally includes:

  • Business-wide risk assessment: Identify your inherent ML/TF risks across customers, products, delivery channels and geographies. Rate them using a clear methodology.
  • Controls and mitigation: Describe the policies, systems and technology you use to manage and reduce those risks.
  • Roles and responsibility: Appoint an AML/CTF Compliance Officer, define decision-making authority and escalation paths.
  • Training: Provide regular AML/CTF training tailored to roles (front line, operations, risk, leadership). Keep records of completion.
  • Independent review: Arrange periodic, independent reviews of your AML/CTF program’s design and effectiveness.
  • Board and management oversight: Ensure leaders receive reports on key AML metrics, incidents and program changes.

Your governance framework should sit alongside other risk documents. For security and privacy controls that support AML processes, many businesses also adopt an Information Security Policy and a fit-for-purpose Privacy Policy.

Part B: Customer Due Diligence (CDD)

Part B covers how you identify and verify customers before providing a designated service. It should set out:

  • Standard CDD: The identification information you collect and how you verify it (e.g. government ID, electronic verification, reliable third-party sources).
  • Enhanced CDD: Additional steps for higher-risk customers (e.g. politically exposed persons, complex structures, high-risk jurisdictions) or when a trigger event occurs.
  • Beneficial ownership: Processes to identify individuals who ultimately own or control your corporate customers.
  • Ongoing CDD: Monitoring customer transactions and behaviour, updating KYC information and re-verifying when risk changes.
  • Reliable and independent sources: What sources you use, how you assess reliability, and when you seek further evidence.

Your CDD processes should be practical for staff to follow and supported by your systems. If you accept applications online, ensure your onboarding flow aligns with your documented CDD steps.

What Are My AUSTRAC Reporting And Record-Keeping Obligations?

Reporting entities must submit certain reports to AUSTRAC within strict timeframes and keep thorough records. At a minimum, plan for the following.

Suspicious Matter Reports (SMRs)

If you form a suspicion that a person or transaction may be linked to crime or terrorism financing, you must submit an SMR to AUSTRAC as soon as practicable (and within the required period after the suspicion arises). Suspicion is a low threshold - if something doesn’t look right, escalate it.

Threshold Transaction Reports (TTRs)

Cash transactions of AUD 10,000 or more (or the foreign currency equivalent) often require a TTR. Make sure your systems flag these transactions automatically so you can review and report on time.

International Funds Transfer Instructions (IFTIs)

Certain instructions for funds moving into or out of Australia must be reported, depending on your role in the transfer. If you facilitate international transfers, build this into your workflow.

Ongoing Transaction Monitoring

Your monitoring must be risk-based and designed to detect unusual activity, patterns or inconsistencies. Tuning alerts (so they’re effective but not overwhelming) is an ongoing task for your compliance team.
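To make the threshold rule from the TTR section and the automated flagging described here concrete, the following Python example (added here, not code from the article or from Sprintlaw) flags physical-cash transactions at or above AUD 10,000, converts foreign-currency amounts with constructed exchange rates, and sends anything it cannot value to manual review instead of silently skipping it. The rate table, sample transactions and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed AUD conversion rates for illustration; a real system would take
# these from a maintained rate source and record the rate used for each report.
FX_TO_AUD = {"AUD": Decimal("1"), "USD": Decimal("1.50"), "EUR": Decimal("1.65")}
# Threshold described in the article: AUD 10,000 or the foreign currency equivalent.
TTR_THRESHOLD_AUD = Decimal("10000")

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: Decimal
    currency: str
    physical_cash: bool  # TTRs concern physical currency, not electronic transfers

def aud_equivalent(txn: Transaction) -> Optional[Decimal]:
    """AUD value of the transaction, or None when no rate is known for its currency."""
    rate = FX_TO_AUD.get(txn.currency.upper())
    return None if rate is None else txn.amount * rate

def flag_ttr_candidates(txns, threshold: Decimal = TTR_THRESHOLD_AUD) -> dict:
    """Return {'report': [...], 'review': [...]} of transaction ids.

    Fails closed: a cash transaction that cannot be valued goes to 'review'
    rather than being dropped, so a missing rate never hides a report.
    """
    result = {"report": [], "review": []}
    for txn in txns:
        if not txn.physical_cash:
            continue  # electronic movements are covered by other monitoring rules
        value = aud_equivalent(txn)
        if value is None:
            result["review"].append(txn.txn_id)
        elif value >= threshold:
            result["report"].append(txn.txn_id)
    return result

# Constructed sample transactions (not real customer data).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", Decimal("12000.00"), "AUD", True),
    Transaction("T2", Decimal("9999.99"), "AUD", True),
    Transaction("T3", Decimal("7000.00"), "USD", True),    # 10,500 AUD equivalent
    Transaction("T4", Decimal("15000.00"), "AUD", False),  # electronic, not cash
    Transaction("T5", Decimal("8000.00"), "XYZ", True),    # no rate known
]

if __name__ == "__main__":
    print(flag_ttr_candidates(SAMPLE_TRANSACTIONS))
```

Lowering the threshold argument is one way to generate the "near-threshold" alerts a compliance team might tune during ongoing monitoring.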

Record-Keeping

You need to keep records of CDD, transactions, AML decisions and training for at least the required period (often seven years). Strong record-keeping also supports your obligations under data retention laws and helps you evidence compliance during audits or reviews.

Everyday Controls That Make AML/CTF Work

The strongest AML/CTF programs translate regulatory obligations into everyday habits. Here are the controls that usually make the difference.

1) Clear Policies And Customer-Facing Terms

Your internal policies should be practical and accessible. Externally, your client onboarding and standard terms can reinforce compliance by explaining what you’ll ask for and why. Many businesses bake helpful clauses into a Customer Contract or account terms (for example, verification requirements and cooperation with lawful requests).

2) Training That Sticks

Most AML failures trace back to human error. Build an annual training calendar covering AML fundamentals, red flags for your specific products, and how to escalate concerns. If you’re formalising your approach to training employees, map modules to roles and keep attendance records.

3) Practical Escalation Pathways

Staff should never feel stuck when they spot something unusual. Define a simple escalation flow to your AML/CTF Compliance Officer. For larger teams, it’s also wise to support internal reporting through a Whistleblower Policy so concerns are voiced early.

4) Strong Privacy And Security Foundations

AML relies on sensitive personal data. Confirm your collection and use of customer information is covered by a tailored Privacy Policy and technical protections in your Information Security Policy. This alignment reduces friction in KYC while protecting customers and your business.

5) Risk-Based Monitoring And Reviews

Set thresholds and scenarios that reflect your risk profile - then test them. Use management reports to track alerts, SMRs, training status and KYC refresh rates. Schedule independent reviews of both Part A and Part B at regular intervals (and action the findings).

Step-By-Step: How To Get AML/CTF-Ready

If you’re starting out (or formalising your controls), here’s a practical sequence that keeps the process clear.

Step 1: Confirm Your Status And Enrol With AUSTRAC

Identify whether your services are designated services. If yes, enrol with AUSTRAC before providing those services. If you later expand or add higher-risk offerings, update your enrolment details promptly.

Step 2: Complete Your Business-Wide Risk Assessment

Map your products, delivery channels, customer types and geographies. Identify inherent risks and rate them. Document the controls you’ll use to mitigate those risks.

Step 3: Draft Part A And Part B Of Your AML/CTF Program

Keep it practical. Part A should set governance and oversight; Part B should set out step-by-step KYC procedures. Align your content with how your team actually operates, including any outsourced functions or verification tools.

Step 4: Build KYC Into Onboarding And Operations

Turn policy into process. Update forms, workflows and systems to capture required data and evidence verification. Consider how you’ll handle exceptions, non-face-to-face onboarding and high-risk triggers.

Step 5: Establish Reporting, Monitoring And Record-Keeping

Configure your systems to identify and report SMRs, TTRs and IFTIs. Create dashboards and a reporting calendar. Confirm your record-keeping meets both AML/CTF requirements and the broader retention requirements under the data retention laws that apply to you.

Step 6: Train Your People And Test Your Controls

Deliver role-based training, run simulations (e.g. mock suspicious matter scenarios) and verify that alerts and escalations work in practice. Document attendance and outcomes.

Step 7: Schedule Independent Review And Continuous Improvement

Arrange an independent review at defined intervals. Close gaps with a documented action plan and keep your board or leadership team in the loop.

Common AML/CTF Questions We Hear From Businesses

Do I Always Need Enhanced Due Diligence?

Not always. Enhanced CDD is required for higher-risk scenarios (e.g. PEPs, complex ownership, high-risk jurisdictions) or when trigger events occur. Your risk assessment should define when to apply it and how.

What About Sanctions Screening?

While AML/CTF is focused on ML/TF risk, you should also screen relevant sanctions lists and follow Australia’s autonomous sanctions regime. Many businesses integrate sanctions checks into onboarding and ongoing monitoring.

Can I Outsource Parts Of AML/CTF?

Yes, but you remain responsible. If you use external identity providers or compliance vendors, document roles, testing and oversight. Your program should describe how you supervise outsourced providers.

Are Digital Businesses Treated Differently?

The obligations are the same, but the risks and controls differ. If onboarding is 100% online, your Part B should address non-face-to-face verification methods, fraud prevention and device or IP-based checks. If you deal in digital assets, revisit whether you are a reporting entity and ensure your program matches the specific risks of that model.

How Do Privacy And AML/CTF Interact?

They work together. AML/CTF requires you to collect identity information; privacy law requires you to collect only what you need, store it securely and explain how you use it in your Privacy Policy. Aligning the two reduces friction and risk.

Penalties And Enforcement: What Happens If I Get It Wrong?

AUSTRAC can take a range of actions - from enforceable undertakings and remediation directions to civil penalty proceedings seeking significant fines. Public statements after enforcement can also damage reputation and customer confidence.

Most issues arise from weak governance, inadequate risk assessment, poor-quality KYC, gaps in transaction monitoring and missed reports. Building your program early and testing it regularly are the best ways to avoid problems.

Practical Tips To Keep Your Program Fit-For-Purpose

  • Tailor, don’t copy: Use templates as a starting point, but reflect your actual products, delivery channels and customers.
  • Design for scale: Set rules and processes you can sustain as volumes grow (automation helps, but so does simplicity).
  • Close the loop: When you spot a weakness (e.g. false negatives in alerts), update policies, retrain and retest.
  • Embed in contracts: Include cooperation and KYC obligations in your Customer Contract and supplier arrangements so partners support compliance.
  • Think end-to-end: AML intersects with cyber, privacy and data retention. Make sure your tech stack supports secure, accurate and auditable processes across the lifecycle.

Key Takeaways

  • AML/CTF applies to businesses that provide designated services in Australia - if you’re a reporting entity, you must enrol with AUSTRAC and implement a compliant program.
  • Your AML/CTF program needs two parts: Part A (governance, risk assessment, oversight, training, independent review) and Part B (customer due diligence and ongoing monitoring).
  • Core obligations include CDD, ongoing monitoring, and timely reporting of SMRs, TTRs and IFTIs, supported by strong record-keeping.
  • Everyday success comes from clear policies, role-based training, practical escalation paths, aligned privacy/security controls and continuous improvement.
  • Penalties for non-compliance can be significant - building a tailored, tested program early is the best protection for your business and brand.
  • If your model involves crypto, online onboarding or complex structures, revisit your risk assessment regularly and update controls to match reality.

If you would like a consultation on AML/CTF compliance for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
