Webinar 2All sectorsAUSTRAC Official

AML/CTF Obligations

An overview of all key AML/CTF obligations for reporting entities — from enrolment and program development through to reporting, independent evaluations, and record keeping.

Topics covered

  • 1Enrolment with AUSTRAC
  • 2Developing an AML/CTF Program
  • 3AML/CTF Policies
  • 4Customer Due Diligence (CDD)
  • 5Transaction monitoring
  • 6Governance
  • 7Reporting obligations
  • 8Independent evaluations
  • 9Record keeping

Obligations at a glance

A quick-reference summary of every obligation covered in this webinar.

ObligationWhat it requiresTiming
EnrolmentRegister with AUSTRAC before providing a designated serviceBefore providing any designated service
AML/CTF ProgramA written, risk-based program covering all Parts A and B requirementsIn place before providing designated services; reviewed regularly
AML/CTF PoliciesDocumented policies supporting your program — KYC, monitoring, governancePart of the program; updated when risks or processes change
Customer Due DiligenceIdentify and verify customers before providing services; ongoing due diligenceBefore service; ongoing for existing customers
Transaction MonitoringSystems and rules to detect and review unusual or suspicious activityOngoing; rules tuned to your risk profile
GovernanceBoard and senior management accountability for AML/CTF complianceOngoing; documented in program
ReportingSuspicious matter reports (SMRs), threshold transaction reports (TTRs), IFTI reportsSMR: as soon as practicable; TTR: within 10 business days; IFTI: within 10 business days
Independent EvaluationPeriodic independent review of your AML/CTF Program's effectivenessAt least every 3 years or after significant change
Record KeepingRetain CDD, transaction, and program records for the required period7 years from end of customer relationship or transaction

Written companion

Plain-language notes on each obligation — for easy reference and staff training.

1

Enrolment

Every entity that provides a designated service must enrol with AUSTRAC before commencing those services. Enrolment is done through AUSTRAC Online and requires you to provide details about your business, the designated services you provide, and your key personnel. Enrolment is not a one-time formality — you must keep your details current and notify AUSTRAC of material changes. Operating without enrolment, or providing incorrect enrolment information, is a breach of the AML/CTF Act. If you are providing designated services and are not enrolled, that is your first and most urgent compliance action.

2

Developing an AML/CTF Program

An AML/CTF Program is a written, risk-based document (or set of documents) that describes how your business identifies, manages, and mitigates the money laundering and terrorism financing risks it faces. Programs have two parts: Part A covers your risk assessment, governance, transaction monitoring, and staff training; Part B covers your customer identification and verification (KYC) procedures. Your program must be tailored to your actual business — the designated services you provide, your customer base, delivery channels, jurisdictions, and products. A generic, copy-paste program that does not reflect your real operations is not compliant. AUSTRAC assessments routinely identify programs that are adequate on paper but not embedded in practice — what AUSTRAC calls a 'paper program'.

3

AML/CTF Policies

Policies are the operational documents that support your AML/CTF Program — translating the program's intent into procedures staff follow day-to-day. Key policies typically include a customer identification and verification policy, a transaction monitoring policy, a suspicious matter reporting policy, a sanctions screening policy, a staff training policy, and a governance and escalation policy. Policies must be kept current. When your business changes — new products, new delivery channels, new customer types — your policies need to be reviewed and updated to remain accurate. A policy that describes a process your business no longer uses is a compliance gap, not a compliance document.

4

Customer Due Diligence

CDD is the process of identifying and verifying who your customers are before providing designated services — and continuing to understand your customers as the relationship continues. Standard CDD requires collecting and verifying identity information for individuals and beneficial owners of entities. Enhanced CDD (ECDD) applies to higher-risk customers — including politically exposed persons (PEPs), customers from high-risk jurisdictions, and customers with complex ownership structures. Ongoing CDD means monitoring the relationship and updating customer information when it becomes stale or when a trigger event occurs (such as a significant change in transaction behaviour). The principle is: know your customer well enough to assess whether their activity is consistent with who they say they are and what they told you they would do.

5

Transaction Monitoring

Transaction monitoring is the process of reviewing customer transactions — individually and in aggregate — to detect activity that is unusual given what you know about the customer. An effective monitoring program is risk-based: the rules and thresholds you apply should reflect the risks of your business, not be copied from a generic template. Transaction monitoring must cover all designated services and all customer types. Common monitoring scenarios include unusual transaction volumes, structuring (breaking transactions into smaller amounts to avoid reporting thresholds), transactions to or from high-risk jurisdictions, and activity inconsistent with the customer's stated purpose. Monitoring alerts must be investigated, documented, and — where suspicion arises — reported via a suspicious matter report (SMR).

6

Governance

AUSTRAC expects that AML/CTF compliance is owned by the board and senior management — not delegated entirely to a compliance team and forgotten. Good governance means that the board receives regular, meaningful reporting on AML/CTF risks and compliance performance, that there is a named accountable officer for AML/CTF (often a Chief Compliance Officer or AML/CTF Compliance Officer), that compliance breaches are escalated and remediated, and that the AML/CTF Program is reviewed and updated regularly. Governance must be documented. Verbal commitments and informal arrangements are not sufficient — the board's role, the compliance officer's authority, and the escalation process must all appear in your program documents.

7

Reporting Obligations

Reporting entities have three main reporting obligations to AUSTRAC: Suspicious Matter Reports (SMRs), which must be submitted as soon as practicable after forming a suspicion — and certainly within 24 hours for matters involving terrorism financing; Threshold Transaction Reports (TTRs), required for cash transactions of AUD 10,000 or more, within 10 business days; and International Funds Transfer Instructions (IFTIs), which must be reported within 10 business days of sending or receiving an international transfer. Reports are submitted through AUSTRAC Online. The obligation to report is mandatory — it is not a judgment call about whether AUSTRAC would find the information useful. If the threshold is met or suspicion is formed, the report must be filed.

8

Independent Evaluations

Your AML/CTF Program must be independently evaluated periodically — at least every three years, or more frequently after significant changes to your business or the regulatory environment. The evaluation must be conducted by someone who is genuinely independent of the compliance function being evaluated. This can be an internal audit team that sits outside the compliance function, or an external specialist. The evaluation must assess whether your program is adequate and effective — not just whether the documents exist. If the evaluation identifies gaps, those gaps must be addressed and documented. AUSTRAC can and does request copies of evaluation reports during assessments, so the evaluation must be substantive, not ceremonial.

9

Record Keeping

Reporting entities must retain records for at least seven years from the end of the customer relationship or the date of the transaction — whichever is later. Required records include customer identification and verification records, transaction records, AML/CTF Program and policy documents, monitoring alerts and investigation records, and SMR, TTR, and IFTI records. Records must be stored in a way that allows AUSTRAC to access them in a timely manner during an assessment or investigation. Records held by an outsourced provider must be retrievable by you — 'the provider has it' is not a sufficient answer. Consider your record storage, access controls, and retention management as compliance infrastructure, not administrative housekeeping.

Every obligation. One platform.

Veriqua covers every obligation covered in this webinar — ML/TF Risk Assessment, AML/CTF Program and Policies, CDD workflows, transaction monitoring, SMR timers, IFTI tracking, governance reporting, and a tamper-evident audit trail built for AUSTRAC assessments.

The webinar embedded on this page is an official AUSTRAC publication. The written companion content on this page is general information only, current as at July 2026, and is not legal, financial or compliance advice. Obligations depend on the services you provide, your risk assessment and transitional timing. Please confirm your position against current AUSTRAC guidance and seek advice for your specific circumstances.