How Much Does AML/CTF Compliance Cost? A Realistic Guide for Small Firms
Key takeaways
- There is no single price for AML/CTF compliance — cost depends on your firm's size, the designated services you provide, your client risk profile, and how much you do in-house versus buy in.
- Split your budget into one-off setup (program, risk assessment, AUSTRAC enrolment, training) and ongoing running costs (CDD, monitoring, reporting, record-keeping, review).
- For a small firm the biggest hidden cost is usually staff time, not cash — so right-sizing the program to your real risk is where most savings come from.
- A hybrid approach often wins: use a structured template for the program's bones, keep routine CDD in-house, and pay for targeted advice only where you are genuinely unsure.
- Start well ahead of 1 July 2026; last-minute compliance is the most expensive kind. This is general information, not legal advice, and obligations depend on the designated services provided.
You run a small real estate agency, a conveyancing practice, an accounting firm, a law practice, or you deal in precious metals or stones. You have heard that Tranche 2 brings your firm into Australia's AML/CTF regime, and the question keeping you up is a money question: what is this going to cost me? Not the theory — the actual outlay, in time and dollars, for a business that does not have a compliance department.
This article gives you a realistic, no-spin view. It walks through what genuinely drives the cost, where firms overspend, the honest trade-off between doing it yourself and hiring a consultant, and the practical moves that keep your spend lean without cutting corners. This is general information, not legal advice, and your obligations depend on the specific designated services you provide.
Why there is no single price tag
If you are searching for one number, you will be frustrated — and rightly suspicious of anyone who quotes you one without asking about your business first. The honest answer is that AML/CTF compliance cost is a function of your firm's size, the designated services you provide, your client risk profile, and how much of the work you do in-house versus buy in.
It helps to think in two buckets. There is the one-off setup cost of getting compliant before the new obligations commence on 1 July 2026 — building your AML/CTF program, completing your risk assessment, enrolling with AUSTRAC, and training staff. Then there is the ongoing running cost of staying compliant year after year — doing customer due diligence on every client, monitoring transactions, lodging reports, keeping records, and reviewing the program.
A two-person conveyancing practice with low-risk local clients sits at one end of that range. A busier firm with overseas clients, trusts, and high-value transactions sits much higher, because risk drives the depth of the controls you need. Tranche 2 refers to the reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, and the regulator is AUSTRAC (the Australian Transaction Reports and Analysis Centre).
The real cost drivers
Before you can control the spend, you need to know what actually moves it. These are the levers that decide whether your compliance is cheap or expensive:
- The size and complexity of your client base. More clients, more entity types (companies, trusts, partnerships), and more beneficial owners to verify all add to the per-client effort of customer due diligence (CDD).
- Your risk profile. Higher-risk clients, jurisdictions, and services call for enhanced due diligence — deeper checks that take more time and may need paid verification tools.
- Build versus buy. Writing your AML/CTF program from a blank page costs your own hours; using a structured template kit costs less time but a modest outlay.
- People and time. Someone has to be your AML/CTF compliance officer (AMLCO). For a small firm that is usually an owner or senior staffer, and the cost is their time taken off fee-earning work.
- Tooling. Identity verification (KYC) checks, transaction monitoring, and record-keeping can be done manually at low volumes or with paid software as you scale.
- Training. Every staff member who deals with clients needs AML/CTF training, initially and as a refresher.
- Independent review. A periodic, independent check of your program is part of running it properly, and external review carries a fee.
Notice that most of these are time, not cash. For a small firm, the largest hidden cost of compliance is usually the hours your own people spend — which is exactly where smart choices save the most.
What you are actually paying for: the obligations
Every dollar and hour you spend maps to a core obligation of a reporting entity. Knowing the list helps you sanity-check any quote and spot work you are paying for twice:
- Enrol with AUSTRAC — done through AUSTRAC Online. The enrolment itself is an administrative step, not a major expense.
- Develop and maintain an AML/CTF program — governance, an ML/TF risk assessment, and the policies, procedures, systems and controls staff follow. This is the bulk of your setup cost.
- Conduct customer due diligence (CDD/KYC) — identify and verify clients and beneficial owners, plus ongoing CDD and transaction monitoring. This is the bulk of your running cost.
- Report suspicious matters and threshold transactions — lodge suspicious matter reports (SMRs) when you form a relevant suspicion, and threshold transaction reports (TTRs) for physical currency of AUD 10,000 or more.
- Keep records — generally for seven years.
- Appoint an AML/CTF compliance officer (AMLCO) — a named, accountable person responsible for the program.
If a proposal bundles in work that does not map to one of these, ask why. And remember the cost of getting it wrong: serious failures can attract significant civil and criminal penalties, which is why under-spending to the point of non-compliance is a false economy.
DIY versus hiring a consultant
This is the decision that most affects your bill, so it is worth thinking through honestly rather than defaulting to either extreme.
Doing it yourself costs little cash but a real amount of time, and it works best when your business is genuinely simple — a small client base, low-risk work, and an owner willing to learn the regime. The risk is that you misread how an obligation applies to your sector and build a program with gaps. You also carry the full learning curve yourself.
Hiring a consultant costs more up front but buys speed and reduces the chance of a costly mistake, which matters more as your risk profile rises. The risk here is overspending — paying for a heavyweight, enterprise-grade program when a small, low-risk firm needs something proportionate. Some consultants also re-charge for tailoring a template they reuse across clients.
For many small firms the sensible middle path is a hybrid: use a structured, audit-ready template to get the program's bones in place, do the tailoring and CDD yourself, and pay for targeted advice only on the parts you are unsure about — typically your risk assessment and whether specific services are captured. You spend money where expertise genuinely de-risks you, and keep the routine work in-house.
How to keep it lean: a practical checklist
Whichever route you choose, these moves keep the cost proportionate to a small firm without compromising compliance. Treat each as done only when it is written down and someone owns it.
- Map your designated services first. Confirm which of your services actually bring the firm into the regime before you build anything — scope creep is the biggest source of wasted effort.
- Right-size the program to your risk. A genuinely low-risk firm needs proportionate controls, not an enterprise framework. Let your risk assessment set the depth.
- Appoint an internal AMLCO. For a small firm, an owner or senior staffer with real authority is usually more cost-effective than outsourcing the role.
- Start with a template, then tailor. Buying the structure is far cheaper than buying every word from scratch — and it stops you re-inventing the format.
- Do manual CDD at low volume. Until your client numbers justify paid software, a disciplined manual process with clear checklists can be enough.
- Train once, well, then refresh. A single solid training session plus periodic refreshers beats repeated ad-hoc fixes.
- Build record-keeping in from day one. Retro-fitting seven years of records discipline later is far more expensive than setting it up now.
- Start early. Rushing toward 1 July 2026 is what pushes firms into expensive last-minute consultant time. A calm runway is the cheapest insurance you have.
As the AUSTRAC rules are finalised, expect more sector-specific detail. Build the structure now and refine the specifics as guidance lands rather than waiting and paying a premium for speed later.
Common cost mistakes to avoid
The firms that overspend tend to make the same handful of errors:
- Buying enterprise solutions for a small-firm problem. Tooling and consulting scaled for a bank is overkill for a two-person practice. Match the spend to your size and risk.
- Treating the program as a one-off purchase. Compliance is a running cost, not a single invoice. Budget for ongoing CDD, monitoring and review, not just the build.
- Skipping the risk assessment. Without it you cannot right-size your controls, so you either over-build (wasted money) or under-build (compliance risk).
- Leaving it to the last minute. Late starts force you onto premium-priced help and rushed decisions.
- Paying twice for the same work. Buying a template and then paying a consultant to rebuild it from scratch is a common, avoidable double-spend.
- Under-spending into non-compliance. The cheapest program is worthless if it leaves you exposed to significant civil and criminal penalties. Lean is not the same as inadequate.
A faster, cheaper route to a defensible first draft
You do not have to choose between an expensive consultant and a risky blank page. A well-built, audit-ready template kit gives you the program's structure — governance, a risk assessment framework, CDD procedures, reporting and record-keeping policies, and the supporting registers — so your money and hours go into tailoring rather than inventing the format. For a small firm, that typically turns a multi-week build and a large consulting bill into a focused tailoring exercise, while still producing a program that reflects your actual business.
Whichever route you take, the substance matters more than the wording: the program has to map to your designated services, your risks, and your day-to-day practice. This article is general information and not legal advice, and your obligations depend on the specific designated services you provide. Confirm the detail with AUSTRAC or a qualified adviser before you finalise.