How to Build an AML/CTF Program: AUSTRAC Guide

Q: What are the two parts of an AML/CTF program?

An AML/CTF program consists of Part A, which covers risk assessment, governance, and oversight, and Part B, which covers customer due diligence, including how customers are identified, verified, and monitored. Both parts must be documented and actively followed.

Q: How does AUSTRAC assess whether my AML/CTF program is compliant?

AUSTRAC assesses whether the program is appropriate for your business risk profile, properly implemented, understood by staff, and kept up to date. They may conduct reviews, request documentation, and take enforcement action if deficiencies are identified.

Q: What is a Suspicious Matter Report (SMR) and when do I need to file one?

A Suspicious Matter Report (SMR) must be submitted to AUSTRAC when there are reasonable grounds to suspect a transaction or customer is linked to money laundering, terrorism financing, or other offences. It must be lodged as soon as practicable, and the customer must not be informed.

Q: How often does an AML/CTF program need to be reviewed?

The program must be reviewed at appropriate intervals. In practice, this is typically every two to three years, or more frequently if there are significant business changes or updated regulatory guidance.

Q: Can I use a template AML/CTF program for my money transfer business?

Templates can be used as a starting point, but they must be customised to reflect your specific business operations, customer base, and risk profile. A generic template is unlikely to meet compliance requirements.

Q: What happens if my AML/CTF program is found to be inadequate?

AUSTRAC may take enforcement action, including issuing directions, enforceable undertakings, civil penalties, infringement notices, or criminal prosecution in serious cases. Inadequate programs can also lead to banks closing or refusing accounts.

If you are starting or running a money transfer business in Australia, building a compliant Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program is not optional — it is a legal requirement. And it is one that many new operators underestimate, both in terms of what it involves and how seriously AUSTRAC takes it.

The good news is that an AML/CTF program does not need to be intimidating. At its core, it is a structured framework that helps your business identify who your customers are, understand the risks your services create, monitor transactions for suspicious activity, and report what needs to be reported. Done well, it protects your business, builds trust with banks and partners, and keeps you on the right side of Australian law.

This guide walks you through what an AML/CTF program actually needs to contain, how to approach building one for a remittance business, and what AUSTRAC expects to see. For broader context on the licensing framework itself, our article on what a money transfer licence is and why you need one is a useful starting point.

What Is an AML/CTF Program and Why Does It Matter?

An AML/CTF program is a documented set of policies, procedures, and controls that a regulated business must put in place under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). The program serves as the operational backbone of your compliance obligations.

For money transfer businesses — known as remittance service providers or “remittance dealers” under AUSTRAC’s framework — the AML/CTF program is the primary tool through which you demonstrate that you understand the risks your business faces and are actively managing them.

AUSTRAC does not just check whether you have a program. They assess whether it is fit for purpose for your specific business, whether staff actually follow it, and whether it is kept up to date as your business evolves. A program that exists only on paper is a red flag during an audit.

Failing to have an adequate AML/CTF program — or having one that exists only in theory — is one of the most common reasons money transfer businesses face AUSTRAC enforcement action, banking exclusion, or registration cancellation.

To understand what is at stake, our article on the risks of operating without a money transfer licence in Australia covers the consequences of non-compliance in detail — including what happens when AML/CTF obligations are breached alongside licensing requirements.

The Two Core Parts of an AML/CTF Program

Under the AML/CTF Act, a compliant program must contain two formally recognised parts. These are not informal categories — they are specific structural requirements under the legislation.

Part A: The Governing AML/CTF Program

Part A of your program sets out the governance framework for how your business manages AML/CTF risk. It must include:

A documented assessment of the money laundering and terrorism financing (ML/TF) risks your specific business faces — based on your customer types, the services you offer, the countries you transfer to and from, and your delivery channels
Appointment of an AML/CTF Compliance Officer responsible for overseeing the program day-to-day
Clear procedures for identifying, assessing, and managing ML/TF risk on an ongoing basis
A process for reporting to senior management or the business owner on compliance matters
A commitment to independent review of the program at regular intervals

Part A is essentially the strategic and governance layer of your compliance framework. It should reflect your actual business — not be a generic template cut and pasted from another provider.

Part B: The Customer Due Diligence (CDD) Program

Part B governs how you identify and verify your customers. This is often where businesses make the most errors because it requires clear, operational procedures that staff must follow for every customer interaction.

Part B must include procedures for:

Collecting identification information from new customers before providing services
Verifying that information — using documents, data sources, or both — to a standard appropriate to the risk
Conducting ongoing due diligence for existing customers, particularly when their circumstances or transaction patterns change
Applying enhanced due diligence (EDD) to higher-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and those with unusual transaction patterns
Screening customers against sanctions lists and other relevant databases

Practical tip: Your CDD procedures need to be workable in practice, not just compliant on paper. Build them with your actual customer journey in mind — how customers identify themselves online, in person, or through agents — and ensure your staff understand exactly what is required at each step.

Transaction Monitoring: Detecting What Does Not Look Right

A critical operational component of any AML/CTF program is transaction monitoring — the ongoing process of reviewing transfers and customer behaviour to detect activity that may indicate money laundering, terrorism financing, or other financial crime.

For money transfer businesses, effective transaction monitoring typically includes:

Setting rules or thresholds that flag transactions or patterns for review — for example, multiple transfers just below the $10,000 reporting threshold (a known technique called structuring)
Monitoring transfers to or from high-risk countries or regions identified by AUSTRAC, the Financial Action Task Force (FATF), or your own risk assessment
Reviewing sudden changes in a customer’s transfer frequency, amounts, or destination countries
Identifying inconsistencies between a customer’s stated purpose for a transfer and their actual transaction behaviour

When a transaction or pattern raises a concern that cannot be explained, your business is required to lodge a Suspicious Matter Report (SMR) with AUSTRAC. This is a legal obligation, and the decision about whether to file should be documented — even when you decide not to report.

Important: Tipping off a customer that they are the subject of an SMR is a criminal offence under Australian law. Suspicious matter reporting must be handled with strict confidentiality within your organisation.

Threshold Transaction Reports: The $10,000 Rule

One of the most straightforward but commonly misunderstood obligations for money transfer businesses is Threshold Transaction Reporting (TTR). Under the AML/CTF Act, any cash transaction of $10,000 AUD or more must be reported to AUSTRAC within 10 business days.

For remittance businesses, this applies to cash received from senders or paid out to recipients. Electronic fund transfers between financial institutions are handled differently, but if your business accepts cash at an agent location or through a teller-style service, this reporting obligation is directly relevant.

TTRs must capture:

The amount and currency of the transaction
The date and time of the transaction
Details of the sender and recipient
The nature of the transaction and the designated service it relates to

AUSTRAC cross-references TTRs with other data sources to identify patterns that may not be obvious from a single report. Accurate, timely reporting is not just a technical obligation — it is part of how Australia’s financial intelligence network operates.

Staff Training: Making Compliance Operational

An AML/CTF program is only as effective as the people implementing it. AUSTRAC requires that all staff who are involved in providing designated services — including tellers, agents, customer service staff, and management — receive appropriate AML/CTF training.

That training must cover:

The purpose of AML/CTF laws and your business’s obligations under them
How to identify red flags and suspicious behaviour in customer interactions
How to correctly collect and verify customer identification information
What to do when a transaction or customer raises a concern — including the internal escalation process
The legal prohibition on tipping off customers about reports or investigations

Critically, training must be ongoing — not a one-time induction activity. As your business changes, as AUSTRAC issues new guidance, or as new risks emerge in the remittance sector, your training program needs to evolve with it. Records of all training should be maintained as part of your compliance documentation.

The AML/CTF Program Components at a Glance

The table below summarises the key components of a compliant AML/CTF program for money transfer businesses:

Program Part	What It Must Cover	Key AUSTRAC Obligation
Part A — Governance	ML/TF risk assessment, board/owner oversight, AML/CTF compliance officer role	Must be adopted and maintained by board or senior management
Part B — Customer Due Diligence (CDD)	Customer ID procedures, verification methods, ongoing due diligence	All customers must be identified and verified before services are provided
Ongoing CDD & Enhanced Due Diligence	Higher-risk customers, PEPs, large or unusual transactions	Enhanced scrutiny required for high-risk relationships
Transaction Monitoring	Rules to detect unusual patterns, structuring, high-risk corridors	Suspicious Matter Reports (SMRs) must be filed with AUSTRAC
Threshold Transaction Reports (TTRs)	Cash transactions of $10,000 AUD or more must be reported	TTRs due within 10 business days of the transaction
Staff Training	All staff trained on AML/CTF obligations, red flags, and reporting procedures	Ongoing training required — not a one-time event
Independent Review	Program must be independently reviewed and updated regularly	Required by AUSTRAC at risk-appropriate intervals

Independent Review: Keeping Your Program Current

The AML/CTF Act requires that your program be independently reviewed at appropriate intervals — and that the findings of those reviews are acted upon. For most remittance businesses, this means commissioning a review by an external compliance professional who can assess whether your program reflects your current risk environment and meets AUSTRAC’s evolving expectations.

Independent reviews typically assess:

Whether your ML/TF risk assessment is still accurate given how your business has changed
Whether your CDD procedures are being followed consistently in practice
Whether your transaction monitoring is identifying the right risks
Whether staff training is current and effective
Whether there are gaps between your documented program and actual operational practice

Getting your program right from the start — and keeping it current — is one of the most important things you can do for the long-term viability of your business. Our guide on common compliance mistakes money transfer businesses should avoid covers the specific areas where operators most often fall short and how to address them proactively.

Practical Steps to Building Your AML/CTF Program

Building a compliant AML/CTF program does not require a compliance team of twenty people. For a small to mid-sized remittance business, a well-structured program can be developed systematically by working through the following steps:

Conduct your ML/TF risk assessment — document the specific risks your business faces based on your customers, services, channels, and geographic exposure.
Draft your Part A governance document — establish your AML/CTF policy, appoint your Compliance Officer, and set out how risk will be managed and reported internally.
Develop your Part B CDD procedures — write step-by-step procedures for customer identification, verification, ongoing due diligence, and enhanced due diligence for high-risk cases.
Build your transaction monitoring framework — define what will be flagged, how it will be reviewed, and who is responsible for making SMR decisions.
Set up your reporting processes — ensure you have systems in place to file TTRs accurately and on time, and to submit SMRs through AUSTRAC Online when required.
Implement a staff training program — document what training is required, when it must be completed, and how it will be recorded.
Schedule your first independent review — plan for an external review within a reasonable period of launching your program, and build in regular review cycles thereafter.

If you are at the stage of building your program as part of preparing to register with AUSTRAC, our complete step-by-step guide to registering a money transfer business in Australia will help you understand how the AML/CTF program fits within the broader registration requirements.

Final Thoughts: Compliance Is the Foundation, Not a Burden

A well-built AML/CTF program is not just a regulatory checkbox — it is the foundation of a trustworthy, sustainable money transfer business. It is what enables you to maintain banking relationships, attract corporate clients, and operate with confidence knowing that you are meeting your legal obligations.

The businesses that thrive in the Australian remittance sector are not the ones that minimise compliance investment — they are the ones that treat their AML/CTF program as a genuine operational asset and keep it current as their business grows and evolves.

If you are working through the registration and compliance process and want guidance specific to your situation, our team at MoneyTransferLicence.com.au is here to help. Start by reading our overview of who needs a money transfer licence and how to get approved — and reach out when you are ready to take the next step.

Frequently Asked Questions

What is an AML/CTF program and do I need one for my money transfer business?

An AML/CTF program is a documented set of policies and procedures a business must have under Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act 2006. If you provide remittance or money transfer services in Australia, you are required to register with AUSTRAC and maintain a compliant AML/CTF program as a condition of that registration. There are no exemptions for small businesses or startups.

What are the two parts of an AML/CTF program?

Under the AML/CTF Act, a program must contain Part A — the Governing AML/CTF Program, which covers your ML/TF risk assessment, governance structure, and oversight arrangements — and Part B — the Customer Due Diligence Program, which sets out how you identify, verify, and monitor your customers. Both parts must be documented, maintained, and actually followed in practice.

How does AUSTRAC assess whether my AML/CTF program is compliant?

AUSTRAC assesses programs based on whether they are appropriate for your specific business risk profile, whether they are actually implemented in practice (not just documented), whether staff understand and follow the procedures, and whether the program is kept up to date. AUSTRAC can conduct compliance assessments, request documentation, and initiate formal enforcement if significant deficiencies are found.

What is a Suspicious Matter Report (SMR) and when do I need to file one?

A Suspicious Matter Report (SMR) must be filed with AUSTRAC whenever your business has reasonable grounds to suspect that a transaction or customer relationship is related to money laundering, terrorism financing, or certain other offences. You must submit an SMR as soon as practicable after forming that suspicion — and you must never tell the customer that a report has been or may be lodged. SMRs are submitted through AUSTRAC Online.

How often does an AML/CTF program need to be reviewed?

The AML/CTF Act requires that your program be reviewed at appropriate intervals, but does not prescribe a fixed schedule. In practice, AUSTRAC expects an independent review at least every two to three years for most businesses, and more frequently if your business changes significantly — for example, if you add new services, enter new markets, or if AUSTRAC issues updated guidance. Reviews should be documented and findings acted upon.

Can I use a template AML/CTF program for my money transfer business?

A template can be a useful starting point, but it cannot be used as-is. AUSTRAC expects your program to reflect your actual business — your specific customer base, the corridors you serve, your channels, and the risks you face. A generic template that has not been customised to your circumstances is unlikely to satisfy a compliance assessment and may expose you to enforcement risk. Working with a compliance specialist who understands the remittance sector is strongly recommended.

What happens if my AML/CTF program is found to be inadequate?

AUSTRAC has broad powers to respond to compliance failures, ranging from remedial direction letters and enforceable undertakings to civil penalties, infringement notices, and criminal prosecution for the most serious breaches. Inadequate AML/CTF programs are also a common reason why banks terminate or refuse to open accounts for remittance businesses — which is typically fatal to business operations. Addressing deficiencies proactively is always preferable to waiting for enforcement action.