How to create an AML/CTF program

Disclaimer: This article is for informational purposes only and is based on the draft rules as of today. It is designed to assist reporting entities and industry associations in understanding the effect of the proposed regulations and becoming familiar with the amended legislation. 


Creating an anti-money laundering and counter-terrorism financing (AML/CTF) program is essential for businesses that provide designated services under Australia's AML/CTF Act.

A well-structured program helps prevent money laundering (ML), terrorism financing (TF) and proliferation financing (PF). It also ensures compliance with AUSTRAC regulations and streamlines onboarding. 

AUSTRAC specifies that your AML/CTF program must:

  • Include ML/TF/PF risk assessments (see explanation below)
  • Outline AML/CTF policies
  • Be documented and approved by a senior manager
  • Be kept up to date with business changes and AUSTRAC risk updates
  • Be independently evaluated at least every 3 years
  • Have oversight from a board or senior management
  • Designate a compliance officer to manage implementation

Additionally, AML/CTF programs typically cover:

  • Training
  • Reporting
  • Standard operating procedures related to CDD and KYC

AUSTRAC is finalising how related businesses can share compliance costs within a reporting group. Read our article, AML compliance options for real estate groups: Using Reporting Groups, for an idea of how these can work.

Understanding the terminology

Before going any further, it’s good to understand what some of these terms mean. 

Money Laundering (ML): Concealing illegally obtained money as legitimate funds.

Terrorism financing (TF): Funding terrorist activities, using both legal and illegal sources.

Proliferation financing (PF): Financing the spread of weapons of mass destruction (WMDs).

Now that you know what’s expected of you, let’s look at these parts in more detail.

Step 1: Conduct a risk assessment

Your AML/CTF program must take a risk-based approach. Akash Khushal of One AML advises businesses to consider key risk factors unique to them, such as:

  • Business complexity: Multiple branches, international operations, high cash turnover
  • Products & services: High-risk transactions (e.g. large cash deposits, international transfers)
  • Service channels: Non-face-to-face transactions, intermediaries, online services, and indirect customer relationships such as pooled accounts or nominee arrangements
  • Customer risks: Complex structures, PEPs, high-value transactions, unverifiable wealth
  • Jurisdictional risks: Transactions with high-risk or sanctioned countries

Evaluating country risk

A high-risk jurisdiction is one with poor AML controls and high levels of corruption.

Sources to assess country risk include:

  • FATF's list of high-risk and non-cooperative jurisdictions
  • FATF mutual evaluation reports
  • European Union AML and tax blacklist
  • Basel AML Index
  • United Nations Office on Drugs and Crime reports
  • Transparency International Corruption Perceptions Index

Maintaining and updating the risk assessment

Your risk assessment must be documented, regularly updated and independently audited at least every three years.

AUSTRAC also has a helpful page of risk factors, which is currently being updated to include newly regulated entities.

Step 2: Appoint an AML/CTF compliance officer

Each reporting entity must appoint an AML/CTF compliance officer (AMLCO) responsible for:

  • Overseeing risk assessments, policies, training, transaction monitoring and AUSTRAC reporting
  • Holding managerial authority, independence and resources
  • Meeting AUSTRAC’s “fit and proper” standard

For smaller businesses, this role is often fulfilled by a senior manager.

Step 3: Establish customer due diligence (CDD) policies

Before providing services, businesses must verify customer identities and assess their risk profile. Your AML/CTF program should cover the following:

  • Initial CDD
  • Ongoing CDD
  • Enhanced CDD
  • Simplified CDD

The information you collect and verify to complete CDD will depend on the ML/TF/PF risk profile of the customer, with enhanced CDD being applied in higher risk scenarios and simplified CDD being available in low risk scenarios.

For more details, read our next article, Know your obligations: Customer Due Diligence (CDD).

Step 4: Conduct employee training

Regular AML/CTF training ensures staff can identify, assess and report money laundering and terrorism financing risks.

Who needs training?

  • Compliance and audit teams
  • Senior management
  • Customer-facing employees in high-risk areas

What should training cover?

  • AML/CTF risks specific to your business
  • AML obligations under the AML/CTF Act
  • Identifying suspicious behaviour
  • CDD procedures, transaction monitoring and reporting requirements

Training frequency and methods

AUSTRAC does not specify a training cadence, but it does specify that it needs to be regular and sustained. Most companies conduct training when a new staff member starts, on an annual basis as a refresher and when new regulations are introduced or new risks emerge.

Depending on size and risk appetite, many firms do one or all of the following.

Who
  • Internal training sessions
    • Conduct in-house training using AUSTRAC guidance and case studies relevant to your industry.
  • External training providers
  • Online learning
    • Use e-learning platforms for flexible, trackable training. Examples include Alpha AML Training.
What / how
  • Role-specific training
    • Tailor content for different teams, such as frontline staff, compliance officers and senior management.
  • Testing and assessments
    • Ensure that staff members understand key concepts through quizzes or practical exercises.
  • Record-keeping
    • Maintain logs of training completion for audits and compliance reviews.

Step 5: Establish transaction monitoring

Transaction monitoring (part of ongoing CDD, or OCDD for short) helps detect unusual transactions and behaviours.

What to monitor

Transactions and behaviours that are:

  1. unusually large or complex transactions relating to a specific customer;
  2. unusual behaviour for that specific customer;
  3. transactions and behaviours that have no apparent economic or lawful purpose;
  4. transactions and behaviours that are inconsistent with what the reporting entity reasonably knows about any of the following:
    a. the customer;
    b. the nature and purpose of the business relationship;
    c. the ML/TF risk of the customer;
    d. where relevant, the customer’s source of funds or source of wealth.

Reference: AML/CTF Act 2006 Section 30

Implementing monitoring

AUSTRAC notes that “How you monitor transactions and develop your program depends on the size of your business and your level of assessed ML/TF risk. Depending on the type, size and complexity of your business, your transaction monitoring program can be manual or automated”.

Given that guidance, consider the relevance of the following elements in the transaction monitoring section of your AML/CTF program. 

Identification of suspicious transactions
  • Define processes to identify suspicious customer transactions
  • Capture and analyse all sources of customer and transaction data
  • Use alerts for highlighting unusual patterns inconsistent with customer profiles
Controls and investigation
  • Use manual or automated systems based on business size and risk level
  • Set clear internal escalation and investigation processes
  • Maintain records and conduct audits for compliance
Reporting and documentation
  • Document procedures for managing and reporting suspicious matters
  • Maintain detailed records of transaction monitoring processes
  • Audit and review automated transaction monitoring systems
  • Ensure transaction monitoring processes are consistently applied across all areas of the business

Step 6: Record-keeping and reporting

Businesses must report certain transactions to AUSTRAC:

| Record type | Threshold | Deadline |
|---|---|---|
| Threshold transaction report | Cash transaction over AUD $10,000 | 10 business days |
| International funds transfer instructions | Any cross-border transfer | 10 business days |
| Suspicious matter report | If suspicious activity is detected | 24 hours for terrorism-related issues and 3 days for other crimes |
| Cross-border movement reports | If carrying cash over AUD $10,000 across borders | Before travelling |
| AUSTRAC compliance reports | Upon request | As required |

When setting up your compliance program, consider that you will be collecting and storing large amounts of sensitive data. This includes personally identifiable information (PII) such as names, addresses, dates of birth, financial details and identity documents. If this data is not properly secured, it can be targeted by cybercriminals for identity theft, fraud and other financial crimes.

Storage of compliance data

  • Maintain records of all customer due diligence (CDD), transaction monitoring, risk assessments, training logs and reporting obligations
  • Store documents in secure, centralised systems to prevent loss or unauthorised changes
  • Ensure records are easily retrievable for audits, regulatory reviews and AUSTRAC requests

Data security and confidentiality

  • Implement role-based access controls so only authorised personnel can view or modify compliance data
  • Use encryption and secure storage for sensitive customer and transaction records
  • Establish secure communication channels for reporting and compliance discussions

Record retention requirements

  • Retain all compliance-related records for at least seven years as required by AUSTRAC
  • Maintain detailed audit logs tracking who accessed or modified records
  • Conduct regular security reviews to ensure data remains accurate and protected

Ongoing monitoring and updates

  • Review data protection policies regularly to address emerging security risks
  • Ensure system updates and backups are in place to prevent data breaches or loss
  • Establish incident response procedures for potential data breaches or security threats

Step 7: Conduct independent reviews

Your AML/CTF program must be independently reviewed at least every three years (or as required by AUSTRAC). Reviews generally include:

  • Policy and process evaluations
  • Operational testing
  • Findings and recommendations

Final thoughts

Building an AML/CTF program may seem complex, but these steps help ensure compliance and protect your business from financial crime risks. If needed, consider using an expert such as Raven AML, Teal Compliance, One AML, Whitelight AML or EY to help set up your compliance program.


About First AML

This article is written not only from the perspective of a technology provider, but also through the lens of compliance professionals. Prior to releasing Source, First AML’s orchestration platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.

That's why Source now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
