AML/CTF Compliance Program
Author: Eric Kalde
Kalde Legal
Overview: Using the AML/CTF Compliance Program and Templates
Introduction to the AML/CTF Compliance Toolkit
What’s Included in the Package
The AML/CTF Toolkit includes a fully drafted Program document and an extensive suite of templates to help your legal practice meet the compliance obligations coming into effect from 1 July 2026. It covers CDD, EDD, transaction monitoring, risk assessment, internal reporting, and audit readiness.
How the Toolkit Aligns with AML/CTF Legislation
The templates have been built around the requirements of the AML/CTF Act 2006 and AUSTRAC guidance, with reference to the expanded obligations for lawyers and conveyancers under Tranche 2 reforms.
Key Compliance Deadlines and Planning Milestones
– Q4 2025-26: Begin firm-wide AML/CTF implementation
– Q1 2026-27: Finalise staff training, appoint Compliance Officer
– 1 July 2026: Legislation commences – Program must be in place
Setting Up Your AML/CTF Program
Customising the Core Program Document
Review and adapt the core AML/CTF Program to reflect your practice size, services, structure, and risk profile. Update headers with firm name and align procedures with internal workflows.
Appointing a Compliance Officer
Nominate a senior staff member to oversee AML/CTF obligations. This person should be responsible for monitoring compliance, handling reports, and liaising with AUSTRAC.
Adapting Governance and Reporting Structures
Set up internal processes to enable escalation, investigation, and reporting of suspicious activity. Ensure each staff member understands their role in reporting.
Integrating the Program into Your Operations
Link the AML/CTF Program to client intake, trust accounting, and file review processes. Use the templates to ensure compliance is consistent and auditable.
Conducting Customer Due Diligence (CDD)
When to Apply CDD vs. EDD
Apply CDD for standard clients and transactions. Use EDD when the client is high-risk, a PEP, or where complex structures or foreign jurisdictions are involved.
Using the CDD Checklist – Individuals
Use this checklist to capture and verify name, address, date of birth, and ID documents. File with the matter and record verification steps taken.
Using the CDD Checklist – Companies and Trusts
Use the entity-specific checklist to verify structure, control, ABN/ACN, trust deeds, and directors/trustees. Identify and document all beneficial owners.
Identifying and Verifying Beneficial Owners
Identify any person with 25%+ ownership or control. Use the Beneficial Owner Form and attach ID. Document ownership chains where layered entities exist.
Recording PEP Declarations and Risk Red Flags
Use the PEP Attestation Form and Red Flag Indicators list. Escalate any concerns to the Compliance Officer for assessment and potential reporting.
Assessing Risk Using the Templates
Completing the Client Risk Assessment Tool
Assign scores to client type, structure, jurisdiction, and behavioural indicators. Calculate total score and assign a risk category: Low, Medium, or High.
Scoring Transactions with the Risk Tool
Use the Transaction Risk Scoring Tool to assess urgency, value, structure complexity, and payment type. Match to client risk level to inform controls.
Performing Ongoing Risk Reviews
Use the Ongoing Risk Review Form when a trigger event occurs, such as new third-party involvement or ownership change. Reassess and record updates.
Assigning Risk Ratings and Documenting Decisions
Ensure rationale is recorded in matter file or Risk Register. All high-risk matters must be approved by the Compliance Officer before proceeding.
Monitoring Transactions and Escalating Concerns
Using the Transaction Monitoring Checklist
Complete the checklist to compare transaction behaviour with expected patterns. Flag any inconsistencies or unusual features for review.
Identifying Trigger Events
Common triggers include third-party funds, mid-stream party changes, large or urgent transfers, or jurisdictions newly introduced into the matter.
Completing the Internal Suspicion Report Form
Staff must complete this form for any concern and submit it to the Compliance Officer within one business day. Do not alert the client.
Submitting SMRs, TTRs, and IFTIs to AUSTRAC
The Compliance Officer must assess all internal reports and submit Suspicious Matter Reports within three days. TTRs and IFTIs are submitted as required.
Maintaining Compliance Records
Using the Recordkeeping Matrix
Refer to the recordkeeping matrix for retention periods: ID documents, reports, assessments, and training records must be stored for 7 years.
Storing CDD and Verification Records
Records should be stored securely in both physical and digital formats. Access must be restricted to authorised personnel only.
Version Control of the Program
Use the Version Control Log to track program changes. Update when laws change, audits are completed, or internal processes are modified.
Using the Audit and Independent Review Register
Maintain a formal register of audits and reviews, along with findings, dates, and remediation actions taken. Required every two years.
Training Staff and Building Awareness
Who Needs Training and How Often
All staff must complete AML/CTF training annually. New staff must complete training within 2 weeks. High-risk roles may require more frequent updates.
Using the Training Attendance Log
Record names, roles, dates, and training type. Store logs with the Program as evidence for audit and AUSTRAC review.
Content and Methods for Effective Training
Training should include real examples, risk indicators, red flags, and internal reporting obligations. Use live sessions, online modules, or recorded briefings.
Updating Your AML/CTF Program Over Time
Triggers for Review and Revision
Review the Program every 24 months or when there’s a change in firm services, staffing, client base, or after audit findings.
Using the Version Control Log
Log every update, including date, nature of change, who approved it, and whether retraining was conducted.
Documenting and Implementing Changes
Update related checklists, processes, and staff training in line with Program changes. Communicate all changes clearly.
Preparing for External Review or Audit
AUSTRAC Visits and What to Expect
Prepare for AUSTRAC to request documentation, evidence of procedures, risk assessments, and records of reporting and training.
Compiling Evidence Using Templates
Use checklists, reports, logs, and forms as evidence of implementation and compliance. Ensure all files are up to date and accessible.
Responding to Review Findings and Remediation
Document findings, assign action items, set deadlines, and track remediation progress in the Independent Review Register.
Appendix – Template Quick Reference
Summary of Each Template and Its Purpose
Provides a one-line summary of each template (e.g. CDD – ID collection; Risk Rating Tool – client classification aid; Audit Register – review tracker).
Recommended Use Frequency
Templates should be used as follows: CDD at onboarding; Risk Tools at onboarding and review; Training Logs annually; Reporting forms as required.
Document Retention Periods
Maintain all AML/CTF-related documentation for at least 7 years. This includes identification, assessments, internal reports, and training evidence.
Disclaimer
This guide is provided for general informational and compliance assistance purposes only. It does not constitute legal advice, regulatory advice, or professional consulting services.
AML/CTF obligations may change over time through amendments to legislation, AUSTRAC Rules, regulatory guidance, or judicial interpretation. Practices should ensure they obtain current professional advice regarding their specific obligations and operational circumstances.
While reasonable care has been taken in preparing this guide, no warranty is given regarding completeness, accuracy, or suitability for any particular purpose. Each legal practice remains responsible for ensuring its own compliance with applicable laws and professional obligations.
Users of this guide should also refer directly to:
- the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);
- the AML/CTF Rules;
- AUSTRAC guidance publications;
- relevant professional conduct rules; and
- applicable privacy and cybersecurity legislation.


