Go to top of page

Chapter 6 - AML/CTF programs



The requirement for reporting entities to have an AML/CTF program for their business is a cornerstone of Australia's AML/CTF regime. The AML/CTF program establishes the operational framework for a reporting entity to meet its compliance obligations under the AML/CTF Act.

An AML/CTF program should specify how the reporting entity identifies, mitigates and manages the risk of its products or services being misused to facilitate money laundering or terrorism financing.

Part 7 of the AML/CTF Act contains the requirement that reporting entities must develop and maintain a written AML/CTF program, while the AML/CTF Rules set out the primary components which must be included within an AML/CTF program.

This chapter assists reporting entities to develop, implement and maintain an AML/CTF program which is suitable to their business.

Back to top


What is an AML/CTF program?

An AML/CTF program provides reporting entities with a toolkit for identifying the money laundering and terrorism financing (ML/TF) risks their business faces and establishing and documenting the policies, procedures and controls to mitigate and manage these risks. Reporting entities must develop and maintain a written AML/CTF program before providing any designated services to a customer.

There are three types of AML/CTF programs:

  • a standard AML/CTF program, which applies to individual reporting entities
  • a joint AML/CTF program, which applies to reporting entities that are members of a designated business group (DBG) and have elected to operate under a joint AML/CTF program
  • a special AML/CTF program, which applies to individual reporting entities that hold an Australian financial services licence (AFSL) and that arrange for a person to receive another designated service from a separate reporting entity. An example is a financial planner who arranges for a client to receive a designated service (such as acquiring or disposing of a security or derivative) provided by another reporting entity.

Standard and joint AML/CTF programs must have two components:

Special AML/CTF programs are only required to include the Part B component - they are not required to include Part A.

Part A of an AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity. It includes:

  • an ML/TF risk assessment of the business conducted by the entity. This assessment must be reviewed and updated periodically
  • approval and ongoing oversight by boards (where appropriate) and senior management
  • appointment of an AML/CTF compliance officer
  • regular independent review of Part A
  • an employee due diligence program
  • an AML/CTF risk awareness training program for employees
  • policies and procedures for the reporting entity to respond to and apply AUSTRAC feedback
  • systems and controls to ensure the entity complies with its AML/CTF reporting obligations
  • ongoing customer due diligence (OCDD) procedures, which provide for the ongoing monitoring of existing customers to identify, mitigate and manage any ML/TF risks. These include a transaction monitoring program and an enhanced customer due diligence (ECDD) program.

Part B covers a reporting entity's customer due diligence (CDD) procedures. It includes:

  • establishing a framework for identifying customers and beneficial owners of customers so the reporting entity can be reasonably satisfied a customer is who they claim to be
  • collecting and verifying customer and beneficial owner information.

What are the AML/CTF program requirements for reporting entities which provide designated services at or through a permanent establishment in a foreign country?

Reporting entities which provide designated services at or through a permanent establishment in a foreign country must have certain elements of Part A of an AML/CTF program, including:

  • approval and ongoing oversight of Part A by boards (where appropriate) and senior management
  • appointment of an AML/CTF compliance officer
  • regular independent review of Part A
  • procedures to respond to and apply AUSTRAC feedback.

Reporting entities which have a permanent establishment in a foreign country at or through which they provide designated services, should be aware of the differences between the AML/CTF legal framework in Australia and the foreign country. Where the foreign country has a comparable AML/CTF regime to Australia, the reporting entity's permanent establishment in a foreign country may need to implement only minimal additional AML/CTF systems and controls.

AUSTRAC Guidance note 09/02 - Assessment of comparable AML/CTF laws in foreign countries provides assistance to reporting entities on what constitutes a comparable AML/CTF law in a foreign country.

Can a reporting entity adopt a template or model AML/CTF program?

AML/CTF programs are risk based and relate to the size and nature of each business, the designated services it offers customers and its ML/TF risk profile. AUSTRAC does not provide an AML/CTF program template that each reporting entity must use. Instead, each reporting entity must develop and document an AML/CTF program that is tailored to its specific business needs and which is proportionate to the level of ML/TF risk it faces.

AUSTRAC has developed industry specific guidance for some industry sectors on developing an AML/CTF program and these guides provide reporting entities with practical guidance on meeting their obligations. 

What is a risk-based approach to developing an AML/CTF program?

The risk-based approach recognises that the reporting entity is best placed to identify and assess the risks its business faces according to the types of customers it serves and the products and services it provides to customers. The risk-based approach also acknowledges that entities are best placed to develop controls, procedures and allocate resources that are proportionate to those risks.

For example, a reporting entity may allocate additional effort to those areas of the business it assesses as having a higher ML/TF risk. The risk-based approach provides a reporting entity with a degree of flexibility to determine how its obligations can be implemented and enables a reporting entity to tailor its AML/CTF program to meet the specific features, risks and characteristics of the business.

A reporting entity's AML/CTF systems and controls must address the nature, size and complexity of its business and the types of ML/TF risk it might reasonably face.

Further information

For further information on the risk-based approach, see:

Back to top

Developing an AML/CTF program

An AML/CTF program must include several elements to satisfy the requirements set out in the AML/CTF Act and AML/CTF Rules.

Part A (general)

Part B (customer due diligence procedures)

Last modified: 17/12/2018 09:30