Anti-Money Laundering / Counter Terrorism Financing program

Practitioners are urged to ensure that they have an AML/CTF Program in place by 1 July 2025.

Your AML/CTF program must be:

  • completed before you start providing a designated service
  • clearly documented in writing
  • approved by a senior manager
  • complied with and 
  • once the AML/CTF regime begins, you will need to ensure that it is:

Your AML/CTF Program has two main components:

  1. Risk Assessment – covering money laundering, terrorism financing and proliferation financing (ML/TF/PF)
  2. AML/CTF Policies – outlining the procedures, systems and controls to manage these risks

AUSTRAC will release sector-specific guidance, including an AML/CTF Program Starter Kit for small and medium legal practices, in January 2026.

Further details are available on the AML/CTF Reform | AUSTRAC website and we'll also keep you informed as new information becomes available.

Risk Assessment - ML/TF

This program will require a practice-wide ML/TF/PF risk assessment. This assessment must:

  • identify and assess the risks your practice may reasonably face in providing its designated services (this must be done before you offer a designated service):
    1. identify: understand where and how your services could be exploited and recognise your vulnerabilities
    2. assess: complete a structured risk assessment and risk rating of clients, transactions and services
  • be appropriate to the nature, size and complexity of your practice 
  • consider the following: 
    1. client types, such as individuals, businesses, or politically exposed persons (rule 1-5 defines domestic politically exposed persons)
    2. countries or jurisdictions the practice deals with, especially if they are high-risk
    3. types of designated services provided, including whether they facilitate international fund transfers, buy, sell, or transfer real estate, or accept cash
    4. delivery channels for the designated services
  • be documented, and
  • be reviewed and updated regularly, particularly in response to any significant changes within the practice or if an independent evaluation report highlights adverse findings (rule 5-1).

Note: The ML/TF risk assessment must be reviewed and updated at least once every three years or sooner if there are significant changes or if AUSTRAC communicates new risk information. Any updates must be documented within 14 days after the update occurs.

Practice tip:

Start to consider: 

  • what risks your practice will or will not accept
  • what risks your practice will treat on a case-by-case basis
  • what risks your practice will require escalation to your compliance officer
  • preparing a short risk appetite statement within your AML/CTF program. This helps staff (and future reviewers) understand what types of clients or matters the practice is willing to accept, escalate or refuse.

Practice tip:

Start to collect data now that provides necessary information for conducting an effective ML/TF risk assessment of your practice:

  • Determine the size and nature of your law practice ie: profile the type of work that you do to understand whether you are providing a ‘designated service’.
  • Are client identification records complete and unchanged?
  • Are your client files up to date?
  • Local or overseas – identify the country. NB: consider whether you have, or will accept, clients from high-risk jurisdictions eg: the FATF grey or black lists, Consolidated Lists.
  • Consider who your clients are eg: individuals, corporate entities, trusts, developers, investors, first home buyers, cash intensive businesses etc.
  • Face to face or online? NB: both with regard to taking instructions and conducting customer due diligence.
  • Where and how do you onboard?
  • Do you have existing systems in place that enable you to comply with these obligations?
  • AUSTRAC has indicated that a guide to ML/TF Risk assessment will form part of their AML/CTF Program Starter Kit.

Risk Assessment - PF

The majority of practices will generally concentrate on the ML/TF aspect of the assessment but practitioners need to also turn their minds to PF. PF (Proliferation financing) is the financing or attempted financing of illegal activities intended to facilitate the creation, purchase or supply of weapons of mass destruction (WMD) and is defined in Item 12, Schedule 1 of the Act. While most legal practices will have minimal PF risk, all reporting entities will still be required to assess this risk.

PF risk assessment requires practitioners to reasonably assess and demonstrate their level of risk of PF. If it is reasonably low, they are not required to adopt any counter proliferation financing (CPF)-specific measures or policies.

Practice tip:

AUSTRAC has a detailed Proliferation financing in Australia national risk assessment 2022. Practitioners should consider, assess and document their PF risk to justify their exclusion if challenged by AUSTRAC.

AML/CTF Policies

The second part of your AML/CTF Program is your AML/CTF Policies. Your policies encompass procedures, systems and controls that appropriately manage and mitigate your ML/TF/PF risks and ensure compliance with the AML/CTF regime. The key policy areas will include:

  • Governance and compliance management
  • Customer Due Diligence (CDD)
  • Record keeping
  • Reporting obligations.


Policy: Governance and compliance management

What is it?

Governance and compliance under the AML/CTF Act require a comprehensive, risk-based AML/CTF program outlining policies to identify, mitigate and manage the risks of money laundering and terrorism financing.

Policies encompass procedures, systems and controls to ensure compliance with the regime. Your governance and compliance obligations are among the first things that must be completed in your AML/CTF program.

What you need to do:

The following key roles must be appointed: 

  • Governing Body, 
  • AML/CTF Compliance Officer and 
  • the Senior Manager. 

Governing Body

Sole practitioners can take on all 3 roles. If the reporting entity is an individual, the Governing Body (s5 of the Act) is the individual. 

If the reporting entity is not an individual (eg: an incorporated legal practice, partnership, corporate entity etc.), the Governing Body is the individual or group who are primarily responsible for the governance and executive decisions of the reporting entity and must ensure compliance with the AML/CTF regime.

AML/CTF Compliance Officer

The AML/CTF Compliance Officer is the individual designated for this role under s26J(1) of the Act. They must have sufficient authority, independence and access to resources and information to perform their functions effectively. The role of Compliance Officer cannot be outsourced, though the officer may use external providers for support. They must:

  • be a person employed or engaged by the reporting entity at the management level
  • have sufficient authority, independence and access to resources and information to ensure they can perform their functions effectively
  • be a resident of Australia
  • be a fit and proper person, and
  • consider all other matters specified in rule 5-14

Their functions include overseeing and co-ordinating the day-to-day compliance with the AML/CTF regime and policies, addressing high-risk and potentially suspicious matters, communicating/reporting to AUSTRAC and reviewing/updating the AML/CTF Program.

Senior Manager

The Senior Manager (s5 of the Act) is the individual who makes or participates in making decisions that affect the whole or a substantial part of the business of the reporting entity. The AML/CTF Policies must:

  • designate one or more Senior Managers as responsible for approving the AML/CTF Policies and ML/TF risk assessment including updates
  • ensure the approval of a Senior Manager is obtained before commencing a designated service to a client who is identified as a foreign politically exposed person (PEP)
  • ensure the Senior Manager is informed before a designated service is provided to a client whose ML/TF risk is assessed as high.

Practice tip:

Discuss and consider who will take on these roles. Remember all 3 positions can be the one person but each must meet the above criteria. 

Policies

Once you have completed your governance and appointed your key roles, your AML/CTF policies can be drafted, reviewed and adopted.

What must policies include

  • Governing Body’s responsibilities: The Governing Body is responsible for ongoing oversight of the Policies, Risks and Reports.
  • AML/CTF Compliance Officer: The Governing Body must appoint your AML/CTF Compliance Officer with the appropriate authority, qualifications, reporting and compliance obligations.
  • Personal Due Diligence: The undertaking of personal (employee) due diligence of staff both before and during their employment/engagement.
  • Personal (employee) training: The initial and ongoing training of staff on their AML/CTF responsibilities and obligations including ML/TF risks and red flags.
  • Independent evaluations: The Program must be independently evaluated at least once every 3 years.
  • Reporting obligations: Policies are required to ensure that all information reported under the Act (including suspicious matters, threshold transactions etc.) is complete, accurate, and free from unauthorised change.
  • Assessment of potential suspicious matters: Policies should enable timely review of relevant material and prompt determination of suspicious matters that may need to be reported to AUSTRAC.
  • Prevention of Tipping Off: Safeguards must be established within the Policies to prevent the unauthorised disclosure of information about suspicious matter reports that could prejudice an investigation.
  • Actions requiring approval or information: Policies must specify circumstances where senior manager approval is required (e.g., before commencing a designated service to a foreign politically exposed person or a high ML/TF risk customer).
  • Documentation and approvals: Both the Risk Assessment and the Policies must be documented before the designated services are provided and approved by the Senior Manager.

Practice tip:

Start to become familiar with these concepts and consider your existing policies, practices and technology to see whether you can use them as part of your AML/CTF program eg: client onboarding practices, IT solutions, staff hiring and training policies, information barriers and internal information flows, conflict checking and management procedures. Ensure everything is documented when the time comes.