Plain English, AUSTRAC-anchored, every obligation you owe.
No small-business or sole-trader exemption. The obligation is the same whether you're a one-person operation or a multi-office firm. You'll need your legal business name, ABN, ACN (if a company), business structure, address, designated services, beneficial owners (anyone with 25% or more), and the proposed compliance officer's details.
Create an AUSTRAC Online user account, sign in, and complete the Enrol a New Business form. You can save progress and come back within 14 days.
On submit you will receive a confirmation email with a receipt number and your AAN. Store this somewhere safe. You will need it for every future report.
If your address, structure, services, or beneficial owners change, update your AUSTRAC profile within 14 days. Same applies if your earnings cross A$100M.
Your compliance officer must be an Australian resident at management level with authority to make compliance decisions. In a one-person business, that's you.
AUSTRAC defines four roles for this: Governing Body, Senior Manager, AMLCO, and Customer-facing personnel. One person can fill all four, and AUSTRAC recommends the AMLCO also be a senior manager.
Personnel due diligence is principles-based, not a prescribed AUSTRAC form. Run an integrity check appropriate to the role and ML/TF risk for every AML/CTF-relevant person, not just the AMLCO.
Typical controls include identity verification, qualifications and experience review, and a fit-and-proper assessment. A national police check and reference checks are appropriate for some roles.
AUSTRAC publishes three PDD variants: General PDD for all AML/CTF personnel, stricter AMLCO PDD with extra checks, and 'same-person' PDD for sole-traders who hold both AMLCO and Governing Body roles.
Tranche-2 entrants have until the later of two dates: either 29 July 2026, or 14 days after AUSTRAC processes your enrolment.
Notify via AUSTRAC Online. The path is Business Profile, then Compliance Officer. Use the same path whenever you change officer.
Senior management must give the compliance officer the resources, access and authority to do the job. That includes the authority to stop a transaction if they form a suspicion.
Identify which money-laundering, terrorism-financing, and proliferation-financing risks apply to your business. Rate each one, set your risk appetite, and this drives every control in the rest of your program.
AUSTRAC's decision rule is the same across every sector. One or more high-risk factors means High. Two or more medium-risk factors (with no high) means Medium. Otherwise Low. You can rate up from AUSTRAC's defaults, but not down.
Assign AML/CTF roles to your staff. Set the procedures for customer due diligence, reporting, training, and the independent-evaluation schedule. Document every decision.
AUSTRAC publishes a Policy template that references 17 named operational processes. Your customised version assigns each one to a named owner, defines what triggers it, and sets the evidence you retain.
Your principal (or another senior manager) must approve the program in writing before it takes effect. Re-approve any material change within 14 days.
When you update the program, keep the previous version for 7 years. Same applies to risk assessment and procedure updates.
Train everyone who performs an AML/CTF-relevant function. That includes frontline staff who interact with customers, admin or operations staff handling customer documents, and {RESPONSIBLE_PERSON}.
Training is risk-based and tailored to each person's role.
Cover AML/CTF obligations, the risks for your sector, red flags, internal escalation, the tipping-off prohibition, and how to use your internal systems.
AUSTRAC sets a universal training block plus role-specific tracks. Customer-facing staff train on risk-rating, identifying suspicious matters, customer due diligence, and escalation to the AMLCO. The AMLCO trains on oversight, investigations, and reporting. Senior managers and the governing body train on approving the program and reviewing compliance reports.
Initial training before anyone starts in an AML/CTF role. Refresher training when the program changes materially.
Maintain a training register. Per staff member: name, date, modules completed, evidence (certificate, signed acknowledgement, or quiz result). Keep for 7 years.
Identify your customer before you start providing the service.
For each individual, collect name, date of birth, residential address, and a current government-issued ID. For entities (companies, trusts, partnerships, associations), collect ABN or ACN, structure, and beneficial owners (anyone with 25% or more ownership or control).
Check the DFAT Consolidated List. It's the single Australian government source and already includes UN Security Council listings.
Also screen for politically-exposed persons and proliferation-financing exposure (DPRK, Iran). Foreign PEPs are automatically high-risk and require enhanced CDD with senior-manager approval.
US OFAC and EU lists aren't legally required, but may matter commercially where deals have a US or EU nexus.
Low risk gets simplified CDD. Medium gets standard CDD with source-of-funds checks. High gets enhanced CDD with source of funds, source of wealth, adverse media, and senior-manager approval.
Review cadence is risk-based. High typically yearly, medium every two years, low every three years.
Ongoing CDD is risk-based. Your program sets the cadence. A typical schedule is high-risk every 12 months, medium every 2 years, and low every 3 years.
These are illustrative defaults, not statutory minima. Always trigger an extra review on material changes such as a new service, PEP status, sanctions hit, or adverse media.
If you suspect on reasonable grounds that information may relate to a crime, money-laundering or terrorism-financing activity, or the customer isn't who they claim, file an SMR via AUSTRAC Online.
Timeframes are tight: within 24 hours for terrorism financing, and within 3 business days for everything else.
Tipping-off is a criminal offence, punishable by up to 2 years' imprisonment, 120 penalty units, or both.
The test is whether a disclosure would or could reasonably be expected to prejudice an investigation. Five categories of information must never be disclosed where that's the case: that an SMR was submitted or its trigger has been met; any note made for SMR purposes; any document containing SMR information; that you've been required to give information to AUSTRAC or law enforcement; and that a customer is being investigated.
Access to this information is restricted to the AMLCO, governing body, senior managers, and need-to-know personnel.
If you offboard a customer because of suspicion, give genuine reasons that don't mention any of the protected information. Never reveal the underlying suspicion. Build decline, offboarding, and adjust-service clauses into your customer agreements.
Any single transaction involving physical currency of A$10,000 or more (or foreign-currency equivalent) requires a TTR within 10 business days.
Only the physical-currency leg counts toward the trigger. Card and bank-transfer legs don't count.
Splitting payments across linked transactions to keep individual cash legs under A$10,000 is structuring. That's a separate criminal offence and triggers an SMR, not just a TTR.
If physical currency or bearer negotiable instruments worth A$10,000 or more cross the Australian border, you file a CBM report.
Pre-departure when sending out. Within 5 business days when receiving from overseas.
Submit your annual compliance report via AUSTRAC Online.
Annual compliance reporting runs on financial years. For tranche-2 entrants the first reporting period is 1 July 2026 to 30 June 2027. The submission window is 1 July to 30 September 2027.
Program (all versions), risk assessments (all versions), CDD records, transaction records, SMR/TTR/CBM records with AUSTRAC receipt numbers, staff training records, consent records, independent evaluation reports.
Per OAIC guidance, store only the verification outcome (passed or failed, plus which document type), not the document image. This reduces breach risk and aligns with Privacy Act minimisation.
Stored securely, accessible to authorised staff, in English (or convertible), free from unauthorised change, available for AUSTRAC inspection on request.
Review the whole program. Update within 14 days of any material change. The principal must re-approve each material update.
The compliance officer tests CDD, SMR and TTR processes, training compliance, and the compliance officer function itself. Document findings.
AUSTRAC publishes a set of named effectiveness-check forms. For real estate there are 6. For other sectors there are 7, with cross-border movement reporting as the extra. The forms cover compliance officer and senior-manager review, customer or client onboarding (sampled across low, medium, and high risk), enhanced CDD, SMR and UAR review, TTR review, and a periodic summary consolidating the rest.
Quarterly is the default cadence. The AMLCO and governing body may extend the interval, but must record their reasoning. At minimum, annual checks feed the annual report to the governing body.
The compliance officer reports to the principal or board on activities, testing results, SMR and TTR volumes, training delivered, deficiencies, and remediation.
Your program must be independently evaluated periodically. The cycle is risk-based with a 3-year hard cap. The evaluator may be internal or external, as long as they're sufficiently independent of the compliance function.
For tranche-2 entrants, the first deadline is staggered by the last two digits of your AUSTRAC Account Number: both digits odd is 30 June 2029; second-last odd and last even is 31 December 2029; both even is 30 June 2030; second-last even and last odd is 31 December 2030.
The evaluation report is retained internally for AUSTRAC inspection on request. It isn't filed routinely.
The evaluator must have suitable experience and knowledge of your business and AML/CTF obligations, not have been involved in building the program, be independent of the work areas being evaluated, and have access to all relevant materials.
The evaluation covers nine scope areas: the risk-assessment process and its compliance with the rules; the currency of risk-assessment updates; whether your policies are appropriate to your size and complexity; whether policies include the mandatory elements; whether policies clearly articulate obligations and roles; operational testing via file sampling; whether non-compliance is isolated or systemic; and effectiveness of risk identification, mitigation, and controls.
Glossary
Bookmark this. Every AML/CTF term that shows up in AUSTRAC documents and emails.