Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.
Understanding AML/CTF programs under Australia’s AML/CTF Rules 2025
Part 5 explains what must go into your AML/CTF program. It turns legal requirements into practical steps for managing risk, due diligence, and compliance.
Here’s the quick version:
- Risk assessments: Review and update them when issues are found.
- Customer due diligence (CDD): Verify identity at onboarding and ongoing, plus check source of funds/wealth when risks change.
- Sanctions & PEPs: Avoid sanctioned parties, and get senior manager approval before working with high-risk or politically exposed persons.
- Governance & compliance: Ensure boards are informed, compliance officers report regularly, and staff are trained and background-checked.
- Independent testing: Have your program independently evaluated and act on findings.
- Reporting & confidentiality: Keep AUSTRAC reports accurate, assess suspicious matters quickly, and prevent staff from tipping off customers.
- Record-keeping: Document policies, risk assessments, and group arrangements. Extra requirements apply if you handle real estate transactions.
In essence, Part 5 is about turning policy into practice: making sure your AML/CTF program is documented, risk-based, independently tested, and woven into daily business.
Useful terms
- ML/TF: Money laundering and terrorism financing risks.
- KYC information: Information you collect and (where required) verify to identify a customer.
- Source of wealth (SoW) and source of funds (SoF): Information about where a customer’s wealth and the specific funds for a transaction come from.
- Politically exposed person (PEP): A person with a prominent public function. The Rules refer to foreign PEPs, domestic PEPs and international organisation PEPs.
- Designated services: The specific regulated services listed in the Act.
- Governing body: The internal group or individual responsible for overseeing your AML/CTF program.
- Independent evaluation report: A written report produced after an independent evaluation of your AML/CTF program e.g. an audit conducted by an AML consultancy.
Division 1 - ML/TF risk assessment
5-1: When you must review it
- If an independent evaluation report finds problems with your ML/TF risk assessment, you must review it.
- Do the review as soon as possible after your governing body receives the report.
Division 2 — AML/CTF policies related to ML/TF risk mitigation
5-2: Customer due diligence (CDD)
Your policies must clearly set out when you will collect and verify KYC information as part of customer due diligence - both at the start of the relationship (initial CDD) and as the relationship continues (ongoing CDD).
They must also explain when you need to go further and establish where a customer's funds or wealth come from (source of funds and source of wealth).
Examples:
Initial CDD – section 28
A client engages a law firm for conveyancing → collect and verify their ID.
If the buyer pays cash or uses funds from a foreign account → also check the source of those funds.
Ongoing CDD – section 30
An existing family law client now wants to buy property through a company → re-verify directors and shareholders, and confirm source of funds.
A repeat real estate customer suddenly bids for a high-value property through an offshore company → re-check beneficial ownership and verify the money being used.
5-3: Targeted financial sanctions
Your policies must make sure that, when providing designated services, you:
- do not give money or assets to any individual or entity on a sanctions list.
- do not use or handle assets that belong to or are controlled by any individual or entity on a sanctions list.
This is required under Australian sanctions laws.
5-4: Updating policies after adverse independent findings
If an independent evaluation report highlights problems with your AML/CTF policies, your policies must explain how you will review and update them in response.
5-5: Things that require senior manager approval or notification
Senior manager approval is required before you:
- Start providing a designated service to a customer who is a foreign PEP, or whose owner or representative is a foreign PEP.
- Start providing a designated service to a customer who is a domestic PEP or an international organisation PEP, where the customer's ML/TF risk is high.
- Continue a business relationship where a customer (or owner/representative) has become:
- a foreign PEP, or
- a domestic or international organisation PEP with high ML/TF risk.
- Start providing a service as part of a nested services relationship.
Example: A law firm wants to send client funds overseas. Instead of dealing directly with a bank, it uses a fintech that in turn relies on a global bank. Because the service passes through multiple layers (law firm → fintech → bank), a senior manager must approve it before funds can be sent.
- Enter into a formal written agreement under paragraph 37A(1)(a) of the Act to rely on another party's customer identification checks (commonly known as "outsourced KYC"). The arrangement itself must also be documented and meet the requirements of the AML/CTF Rules.
Special case
If your customer is a foreign PEP, but you serve them through your office in the same country where they hold that status, you treat them as a domestic PEP for approval purposes.
Example: A Sydney firm opens a matter for a client who is a PEP in Fiji. If the service is delivered through the firm’s Fiji office, the client is treated as a domestic PEP for approval.
A senior manager must be informed before you:
- Make a payment under a life insurance or sinking fund policy where the customer is high risk (item 39 of table 1 in section 6 of the Act).
Your policies must also cover:
- Any other cases where approval is needed to start or continue services.
- Who in the business can give that approval.
- When a senior manager must approve cases involving a former PEP.
Division 3 - AML/CTF policies related to governance and compliance management
5-6: Information for the governing body (i.e. your internal oversight individual or group)
A reporting entity’s AML/CTF policies must explain how important information will be shared with its board (or equivalent governing body) so the board can properly carry out its responsibilities under the law.
5-7: Reports from the AML/CTF compliance officer (AMLCO)
Your policies must make sure the compliance officer gives regular reports to the internal governing body (e.g. board) about:
- How well the organisation is following its AML/CTF policies.
- Whether those policies are effectively managing ML/TF risks.
- Whether the organisation is following the law and AML/CTF rules.
These reports should happen at least once a year.
Exceptions
- This doesn’t apply if you’d just be reporting to yourself (e.g., if the reporting entity is a sole trader, or if the AMLCO and the governing body are the same person).
5-8: Personnel due diligence
Your AML/CTF policies must ensure that you background check staff and contractors who perform AML work — both before they commence and while they’re with you.
What to check:
- Do they have the right skills and knowledge for their role?
- Do they act with honesty and integrity?
Example: Before promoting a staff member to handle client onboarding, you check they understand AML/CTF rules and have a clean professional history.
5-9: Personnel training
Your AML/CTF policies must provide for training when someone starts, and then on an ongoing basis.
What training must be:
- Relevant to the person’s job, the risks they’ll face, and the responsibilities they hold.
- Connected to your business’s AML/CTF risks and policies.
- Easy to understand and follow.
Example:
- A new accounts assistant learns how to spot unusual cash deposits.
- A senior manager gets training on approving/rejecting high-risk PEP clients.
5-10: Independent evaluations
Every reporting entity must have its AML/CTF program independently evaluated.
What the evaluation must cover:
- Whether you carried out or reviewed your ML/TF risk assessment in line with the Act, the regulations and the Rules.
- Whether your AML/CTF policies are properly designed.
- Whether your organisation is actually following its own AML/CTF policies.
- Whether you are properly identifying, assessing and managing the ML/TF and proliferation financing risks your business may face.
The evaluation report
The evaluator must provide a written report of their findings, and that report must be given to the governing body (e.g. the board) and to any senior manager responsible for approvals.
Your response
Your AML/CTF policies must explain how you will respond to findings raised in the report.
5-11: Quality of reports you lodge
Your AML/CTF policies must make sure that everything you report to AUSTRAC is complete, accurate and hasn’t been tampered with.
Reports this applies to:
- Section 41 – Suspicious matter reports (SMRs)
- Section 43 – Threshold transaction reports (TTRs)
- Section 46 – International value transfer service (IVTS) reports
- Section 46A – Reports of value transfers involving unverified self-hosted virtual asset wallets.
5-12: Assessing potential suspicious matters
Your AML/CTF policies must set out the processes, and the time frames, for reviewing information that could give rise to a suspicious matter report (SMR).
What this means:
- If you’re providing, or asked to provide, a designated service, you must decide quickly whether you reasonably suspect:
- identity fraud
- tax evasion
- other crime
- terrorism financing
- money laundering
If you do, you must lodge an SMR with AUSTRAC (see paragraphs 41(1)(d)–(j) of the Act).
5-13: Preventing tipping off
Your AML/CTF policies must stop staff or contractors from warning customers that an SMR might be, or has been, lodged.
What this means:
- Keep all SMR-related information confidential.
- Only use or share it when appropriate.
In essence, a customer must never learn from you, or be able to infer from your staff's conduct, that an SMR has been or may be lodged about them.
Division 4 — AML/CTF compliance officers
5-14: Fit and proper compliance officer test
When deciding if an individual is fit and proper to be your AMLCO, consider:
- Skills and knowledge: Does the person have the right skills, knowledge, experience, and judgement for the role, considering the size and complexity of the organisation?
- Character: Are they honest and of good character?
- Criminal history: Have they been convicted of a serious crime?
- Past legal or regulatory issues: Have they been involved in civil, criminal, or regulatory cases (in Australia or overseas) that showed problems with competence, honesty, judgment, or diligence?
- Financial issues: Are they an undischarged bankrupt, or have they entered into a formal insolvency agreement?
- Conflicts of interest: Do they have any conflicts that could stop them from doing their job properly?
Note: Under Australian spent-conviction laws, certain older convictions do not need to be disclosed, and those assessing the candidate must disregard them where the law so provides.
Division 5 - AML/CTF program documentation
5-15: When your program must be written down
Your business must have written records of:
- The money laundering and terrorism financing risk assessment.
- The AML/CTF policies.
Timing
- Do this before you first provide a designated service to a customer.
- If you update your risk assessment (section 26D) or your policies, you must document the updated program within 14 days.
Division 6 — AML/CTF policies related to lead entities
5-16: Record-keeping by the lead entity
If you are the lead entity of a reporting group, your AML/CTF policies must deal with keeping up-to-date records about group membership, including changes.
Division 7 — AML/CTF policies related to transfers of value
Why Division 7 (transfers of value) generally doesn't apply to Tranche 2 entities
Division 7 of the AML/CTF Rules sets requirements for payment transfers - the kind normally handled by financial institutions such as banks, remitters, fintechs, and crypto exchanges.
As a law firm, accounting practice, or real estate agency, you:
- Don’t initiate or process payment transfers (you use banks or licensed providers instead).
- Don’t act as the “ordering”, “intermediary”, or “beneficiary” institution in a value transfer chain.
- Don’t hold or move client crypto assets in wallets.
So Division 7 is (most likely) not in scope for you.
The only time it is likely to matter is if you go beyond your core services and start offering payment or virtual asset transfers yourself, or enter a nested services arrangement with a fintech that relies on banks further down the chain. In those cases you would need senior manager approval (see 5-5) and would have to meet the Division 7 requirements.
Division 8 — AML/CTF policies related to real estate transactions
5-20: Verifying KYC before settlement
If your business is involved in real estate transactions, such as buying, selling, or transferring property, your AML/CTF policies must explain how you will verify your customer’s identity before settlement.
Exception - reliance clause
You can rely on another reporting entity to do the KYC checks, but they must complete them within 15 days of contract exchange.
About First AML
First AML brings the perspective of both a technology provider and a team of compliance professionals. Before releasing our all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs, providing streamlined collaboration and ensuring uniformity across all AML practices.
Keen to find out more? Book a demo today!