What’s in an AML/CTF program

Your AML/CTF program must show how you address the money laundering and terrorism financing risks your business or organisation may reasonably face. You must develop and document the policies, procedures and controls you use to identify, mitigate and manage those risks.

Your AML/CTF program must be risk-based. This means it must take into account the likely level of risk of your business or organisation being used for money laundering and terrorism financing, based on its size, nature and complexity, taking into account:

• who your customers are
• the services you provide
• how you deliver those services
• the foreign jurisdictions with which you deal.

There are two parts to an AML/CTF program. Part A must include processes and procedures to help you identify, mitigate and manage the money laundering and terrorism financing risks that you may reasonably face. Part B is focused on the procedures for identifying customers and beneficial owners including those that are politically exposed persons (PEPs), and verifying their identity.

There is no ‘one-size-fits-all’ AML/CTF program. Each reporting entity is different and has its own unique set of money laundering/terrorism financing risks. You must develop a program that is tailored to meet your specific needs, risks and characteristics. This gives you the flexibility to decide how to meet your obligations and to develop stronger and/or additional controls when necessary. 

While AUSTRAC does not provide AML/CTF program templates, we do provide guidance resources to help you comply with your legal obligations.

Part A of your program

Part A of your program must include the following elements to help you identify, mitigate and manage your risk of being used for money laundering (ML) or terrorism financing (TF).

• A ML/TF risk assessment of your business or organisation that is regularly reviewed and updated.
• Board and senior management approval and their ongoing oversight of your program. If your business or organisation does not have a board, Part A must be approved and overseen by your chief executive officer or equivalent.
• Having an AML/CTF compliance officer at the management level to manage your compliance with your obligations.
• An employee due diligence program to identify any employees who may put your business or organisation at risk of ML/TF.
• An AML/CTF risk awareness training program for employees so they know the risks to your business or organisation and what they must look out for.
• Consideration of guidance material and feedback from AUSTRAC, including anything we have circulated or published about the industry you operate in.
• Systems and controls to make sure you meet your AML/CTF reporting obligations.
• Ongoing customer due diligence (OCDD) systems and controls to make sure information collected about a customer or beneficial owner is reviewed and kept up to date, and to determine whether extra information should be collected and verified. OCDD includes having transaction monitoring and enhanced customer due diligence (ECDD) programs.

Part A of your program must be regularly independently reviewed.

You must also report to the board and senior management to make sure the policy, procedures, systems and controls documented in your program are:

• effective
• compliant
• properly implemented
• being followed.

Part B of your program

Part B of your program is focused on identifying customers and beneficial owners including politically exposed persons. It must include the following elements to outline how you know your customers and their beneficial owners, and the money laundering/ terrorism financing risk they pose.

• What customer information you collect and verify to make sure they are who they claim to be, or (for companies and organisations) that they exist, and how you do this.
• What information you collect and verify about beneficial owners, and how you do this.
• How you determine if your customer or the beneficial owner is a politically exposed person (PEP).
• How you respond to discrepancies in customer information.
• How you decide when you should collect additional information about a customer.

Types of AML/CTF programs

There are three types of AML/CTF programs.

1. A ‘standard program’ for individual reporting entities.
2. A ‘joint program’ for members of a designated business group (DBG) who choose this option for their AML/CTF program.
3. A ‘special program’ for holders of an Australian Financial Services Licence (AFSL), such as financial planners, who arrange designated services from other reporting entities for their clients. Special programs only need to include Part B of an AML/CTF program.

Operating in foreign countries

If you provide designated services through a permanent establishment overseas, then, in addition to any AML/CTF obligations of the country in which your overseas permanent establishment operates, you must have an AML/CTF program Part A, approved by the board and senior management, which provides for the following: 

• the appointment of a management level AML/CTF compliance officer
• ongoing supervision of Part A of your AML/CTF program by the board and senior management
• regular independent review of Part A of your AML/CTF program and reporting of the review outcome to the board and senior management
• consideration of feedback and guidance material from AUSTRAC on money laundering/terrorism financing risks.

You should know and understand the differences between the AML/CTF legal framework in Australia and the foreign country where you operate. If that country has a comparable AML/CTF regime to Australia, your permanent establishment there may only need minimal additional AML/CTF systems and controls.

AUSTRAC’s Guidance note on comparable AML/CTF laws in foreign countries (PDF, 114KB) will help you understand what ‘comparable laws’ are.