Anti-Money Laundering / Counter Terrorism Financing program

Practitioners are urged to ensure that they have an AML/CTF Program in place by 1 July 2025.

Your AML/CTF Program has two main components:

  1. Risk Assessment – covering money laundering, terrorism financing and proliferation financing (ML/TF/PF)
  2. AML/CTF Policies – outlining the procedures, systems and controls to manage these risks

AUSTRAC will release sector-specific guidance, including an AML/CTF Program Starter Kit for small and medium legal practices, in January 2026.

Further details are available on the AML/CTF Reform | AUSTRAC website and we'll also keep you informed as new information becomes available.

Your program must include a practice-wide ML/TF/PF risk assessment.

This assessment must:

  • Identify and assess the money laundering, terrorism financing and proliferation financing risks your practice could reasonably face in providing designated services
  • Be completed before offering any designated services
  • Be appropriate to the nature, size and complexity of your practice

It should also consider:

  • Types of clients (e.g. individuals, businesses, politically exposed persons – as defined in Rule 1-5)
  • Countries or jurisdictions you deal with, especially those considered high risk
  • Types of designated services provided (e.g. real estate transactions, fund transfers, or cash handling)
  • Delivery channels for those services

The assessment must be documented, reviewed and updated regularly – particularly when significant changes occur or when an independent evaluation identifies issues (Rule 5-1).

While most practices will primarily focus on money laundering and terrorism financing risks, you must also consider proliferation financing (PF) — the financing or attempted financing of illegal activities linked to weapons of mass destruction (as defined in Item 12, Schedule 1 of the Act).

Although the PF risk for legal practices is typically low, all reporting entities must still assess and document their exposure.

If your assessment shows that PF risk is reasonably low, you are not required to adopt specific counter-proliferation financing (CPF) measures or policies.

Practice tip:

You must review and update your ML/TF risk assessment at least every three years, or sooner if your practice changes or AUSTRAC issues new risk information.

Any updates must be documented within 14 days of completion.

AML/CTF Policies

The second part of your AML/CTF Program comprises your policies and procedures. These must be risk-based and designed to ensure your practice effectively manages ML/TF/PF risks and complies with AML/CTF obligations.

Your policies should address:

Governance and compliance management

What is it?

Compliance and governance under the AML/CTF Act require a comprehensive, risk-based AML/CTF program outlining policies to identify, mitigate and manage the risks of money laundering and terrorism financing.

Policies encompass procedures, systems and controls to ensure compliance with the regime. Your governance and compliance obligations are among the first things that must be completed in your AML/CTF program.

What you need to do:

The following key roles must be appointed:

  • Governing Body
  • AML/CTF Compliance Officer
  • Senior Manager

A sole practitioner may hold all three roles.

If your practice is not an individual entity (e.g. an incorporated legal practice, partnership or company), the Governing Body is the person or group primarily responsible for governance and executive decision-making.

They are accountable for ensuring AML/CTF compliance.

This role is required under s26J(1) of the Act.

The Compliance Officer must:

  • Be employed or engaged at a management level
  • Have sufficient authority, independence, and access to resources and information
  • Be a resident of Australia
  • Be a fit and proper person (see Rule 5-14)

Their responsibilities include overseeing day-to-day compliance, coordinating reporting to AUSTRAC, addressing high-risk matters, and reviewing and updating the AML/CTF Program.

A Senior Manager (as defined in s5 of the Act) is a person who makes or participates in decisions that affect the whole or a substantial part of the business.

Your AML/CTF Policies must ensure:

  • One or more Senior Managers approve the AML/CTF Policies and ML/TF Risk Assessment (including updates)
  • Senior Manager approval is obtained before providing services to foreign politically exposed persons (PEPs)
  • The Senior Manager is informed before services are provided to high ML/TF risk clients

Practice tip:

The Compliance Officer role cannot be outsourced, but the officer may engage external providers for support and advice.

Developing Your Policies

Once governance arrangements are in place and key roles appointed, your AML/CTF Policies can be drafted, reviewed and adopted.

Your policies must include:

  • Governing Body responsibilities: ongoing oversight of risks, policies and reporting
  • Compliance Officer appointment: ensuring the officer has suitable authority, qualifications and obligations
  • Personnel due diligence: screening and monitoring employees and contractors
  • Staff training: initial and ongoing AML/CTF training, including recognising ML/TF risks and red flags
  • Independent evaluation: an independent review of your program at least once every three years
  • Reporting obligations: ensuring reports to AUSTRAC (e.g. suspicious matters, threshold transactions) are accurate and unaltered
  • Suspicious matter procedures: processes for promptly reviewing and reporting potential suspicious activity
  • Tipping off prevention: safeguards to prevent unauthorised disclosure of suspicious matter reports
  • Approval processes: situations requiring Senior Manager approval (e.g. high-risk or PEP clients)
  • Documentation and approvals: ensuring both your Risk Assessment and Policies are fully documented and approved before providing designated services