
What Must an AML/CTF Program Include? A Build Checklist for Tranche 2 Firms

9 min read · General information, not legal advice · Updated 2026-06-12

Key takeaways

  • An AML/CTF program is three layers: governance, an ML/TF risk assessment, and the policies, procedures, systems and controls staff actually follow.
  • Tranche 2 captures real estate professionals, precious metal and stone dealers, and certain lawyers, conveyancers, accountants and TCSPs when they provide specified designated services, with obligations commencing 1 July 2026.
  • Core obligations to build around: enrol with AUSTRAC, maintain the program, conduct CDD/KYC and ongoing monitoring, report SMRs and TTRs (AUD 10,000+ physical currency), keep records for seven years, and appoint an AMLCO.
  • The risk assessment is the foundation — tailor it to your real customers, services, channels and jurisdictions rather than copying a generic template.
  • Start early: a template kit can shortcut the format, but the program must reflect your specific designated services and is general information, not legal advice.

You run a real estate agency, a conveyancing practice, an accounting firm, a law practice, or you deal in precious metals or stones. Word has reached you that Australia's AML/CTF regime is expanding under Tranche 2, that your firm is likely a 'reporting entity' once you provide certain designated services, and that you must build something called an AML/CTF program before the new obligations commence on 1 July 2026. What you don't yet know is what actually goes inside that program.

This article answers exactly that question. It walks through the program part by part, so you can see what a compliant program looks like, decide what your firm needs, and start building rather than guessing. This is general information, not legal advice, and your precise obligations depend on the specific designated services you provide.

What an AML/CTF program actually is

An AML/CTF program is the documented system your firm uses to identify, manage and reduce the risk that your services are misused for money laundering or terrorism financing. It is not a single form you lodge once. It is a living set of governance arrangements, a risk assessment, and the policies, procedures, systems and controls that put those into practice day to day.

Think of it as three layers working together. At the top sits governance — who is responsible, who signs off, and how senior management stays across the program. In the middle sits your ML/TF risk assessment — a clear-eyed view of where your specific business is exposed. At the base sit the policies, procedures, systems and controls that staff follow when they onboard a client, monitor a transaction, or escalate something that looks wrong.

The regulator is AUSTRAC (the Australian Transaction Reports and Analysis Centre). AUSTRAC expects your program to be tailored to your business, kept current, and actually used — not a template that sits in a drawer.

Who and what it applies to under Tranche 2

Tranche 2 refers to the reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extend Australia's AML/CTF regime to new sectors often called 'tranche 2 entities'. The new obligations are due to commence on 1 July 2026.

You are likely captured if you fall into one of these groups and you provide specified 'designated services':

  • Real estate professionals — agents and others involved in property transactions.
  • Dealers in precious metals and precious stones.
  • Certain professional service providers — lawyers, conveyancers, accountants, and trust and company service providers.

The trigger that matters is the designated service, not your job title. A firm only becomes a reporting entity when it provides one of the specified services. Two practices in the same profession can have different obligations depending on what work they actually do. Because the line sits at the service level, your first task is to map your service offering against the designated services list rather than assuming the whole firm is in or out.

The core obligations your program supports

Your AML/CTF program is the engine that lets you meet the obligations of a reporting entity. The core obligations are:

  • Enrol with AUSTRAC — registration and reporting are handled through AUSTRAC Online.
  • Develop and maintain an AML/CTF program — the governance, risk assessment, and policies, procedures, systems and controls described here.
  • Conduct customer due diligence (CDD/KYC) — verify who your customers are, and carry out ongoing CDD and transaction monitoring across the relationship.
  • Report suspicious matters and threshold transactions — lodge suspicious matter reports (SMRs) when you form a relevant suspicion, and threshold transaction reports (TTRs) for physical currency transactions of AUD 10,000 or more.
  • Keep records — generally for seven years.
  • Appoint an AML/CTF compliance officer (AMLCO) — a named, accountable person responsible for the program.

Every one of these obligations needs to be reflected somewhere in your written program. If an obligation has no matching policy, procedure or control, that is a gap a reviewer will find.

The anatomy of a compliant program, part by part

Here is what each layer of the program needs to contain in practice.

1. Governance and oversight. Name your AMLCO. Set out how senior management approves the program and reviews it on a regular cycle. Define roles, reporting lines, and how often the board or owners are briefed. Document who can authorise an exception and who signs off on changes.

2. The ML/TF risk assessment. Assess the money laundering and terrorism financing risk across your customers, the services you provide, the delivery channels you use, the jurisdictions involved, and any other relevant factors. Rate the risks, explain your reasoning, and decide what controls each risk level calls for. This assessment drives everything else — a generic risk rating that ignores your real client base is a common weakness.

3. Customer due diligence procedures. Specify how you identify and verify customers, including beneficial owners, before or at the start of providing a designated service. Set out enhanced due diligence for higher-risk customers, and your approach to ongoing CDD so customer information stays current.

4. Transaction monitoring. Describe how you watch for unusual or suspicious activity over the life of the relationship, and how a staff member escalates a concern.

5. Reporting procedures. Lay out how and when you lodge SMRs and TTRs through AUSTRAC Online, who is authorised to lodge, and how you protect against tipping off.

6. Record-keeping. State what you keep, where, and for how long (generally seven years), covering customer records, transaction records and your program documents.

7. Training and screening. Set out an AML/CTF training program for staff and appropriate employee due diligence, so the people running the controls understand them.

8. Independent review. Build in periodic, independent review of the program so weaknesses surface before AUSTRAC finds them.

Your build checklist

Use this as a working checklist while you assemble the program. Treat each line as 'done' only when it is written down and someone owns it.

  • Map your designated services — confirm which of your services bring the firm into the regime.
  • Appoint your AMLCO — name the person and record their authority and responsibilities.
  • Complete your ML/TF risk assessment — customers, services, channels, jurisdictions, and your ratings and reasoning.
  • Write your CDD/KYC procedures — identification, verification, beneficial ownership, enhanced due diligence, and ongoing CDD.
  • Document transaction monitoring and escalation — what staff watch for and how they raise it.
  • Write reporting procedures — SMRs, TTRs (AUD 10,000+ physical currency), AUSTRAC Online process, and tipping-off safeguards.
  • Set your record-keeping policy — what, where, and a seven-year retention rule.
  • Build a staff training plan — initial and refresher AML/CTF training, plus employee screening.
  • Schedule independent review — set the cadence and who performs it.
  • Plan your AUSTRAC enrolment — know the AUSTRAC Online steps so you are ready ahead of 1 July 2026.
  • Get senior sign-off — record management approval of the finished program.

As the AUSTRAC rules are finalised, expect further detail on how some of these requirements apply to your sector. Build the structure now and refine the specifics as guidance lands.

Common mistakes to avoid

The firms that struggle tend to make the same few errors:

  • Treating the program as paperwork. A document no one follows is not a program. The controls have to be lived day to day.
  • Copying a generic template without tailoring it. AUSTRAC expects the program to reflect your actual business and your actual risks. A risk assessment that could belong to any firm is a red flag.
  • Skipping the risk assessment and jumping to procedures. The risk assessment is what justifies your controls. Without it, your procedures have no foundation.
  • Forgetting beneficial ownership. Knowing the customer in front of you is not enough if someone else ultimately controls the funds.
  • Leaving the AMLCO role nominal. The compliance officer needs real authority, time, and visibility to senior management.
  • Waiting until June 2026. Building governance, a risk assessment and staff training takes longer than most firms expect. Starting early is the cheapest insurance against a rushed, non-compliant launch — and against the significant civil and criminal penalties that can follow serious failures.

A faster way to a defensible first draft

You do not have to write every part from a blank page. A well-built, audit-ready template kit gives you the program structure — governance, a risk assessment framework, CDD procedures, reporting and record-keeping policies, and the supporting registers — so your effort goes into tailoring rather than inventing the format. That can take a multi-week build down to a focused tailoring exercise, while still producing a document that reflects your firm.

Whichever route you take, remember the substance matters more than the wording: the program has to map to your designated services, your risks, and your day-to-day practice. This article is general information and not legal advice, and your obligations depend on the specific designated services you provide. Confirm the detail with AUSTRAC or a qualified adviser before you finalise.

Frequently asked questions

Does my firm need an AML/CTF program under Tranche 2?
If you are a real estate professional, a dealer in precious metals or stones, or a lawyer, conveyancer, accountant or trust and company service provider, you are likely captured when you provide specified designated services. The trigger is the service, not the profession, so map your services first. New obligations are due to commence on 1 July 2026, and you should confirm your position with AUSTRAC or a qualified adviser.

What are the main parts of an AML/CTF program?
At a minimum it includes governance and oversight, an ML/TF risk assessment, customer due diligence procedures, transaction monitoring, reporting procedures for SMRs and TTRs, record-keeping, staff training and screening, and independent review. A named AML/CTF compliance officer ties it together. Each obligation should map to a written policy or control.

When do Tranche 2 obligations start?
The new obligations for tranche 2 entities are due to commence on 1 July 2026. Because building governance, a risk assessment and training takes time, most firms benefit from starting well ahead of that date. As the AUSTRAC rules are finalised, more sector-specific detail is expected.

What is an AMLCO and do I have to appoint one?
An AMLCO is your AML/CTF compliance officer — a named, accountable person responsible for the program. Appointing one is a core obligation for reporting entities. The role needs genuine authority and visibility to senior management, not just a title.

What transactions must I report to AUSTRAC?
You must lodge a suspicious matter report (SMR) when you form a relevant suspicion, and a threshold transaction report (TTR) for physical currency transactions of AUD 10,000 or more. Reports are lodged through AUSTRAC Online. Your program should set out who lodges, how, and how to avoid tipping off the customer.

How long do I have to keep AML/CTF records?
Records generally need to be kept for seven years. This covers customer identification and verification records, transaction records, and your program documents themselves. Your record-keeping policy should state what you keep, where, and for how long.

Sources

This article is general information only and is not legal or compliance advice. Your obligations depend on the designated services you provide. Confirm your position with AUSTRAC (austrac.gov.au) or a qualified adviser.
