The 9 Building Blocks of a Compliant AML/CTF Program

Mark Kelly
23 Mar 2026

I spent years helping gaming venues navigate their compliance obligations before co-founding Involv and building Assure GRC. Now I'm applying that same experience to the 80,000+ Australian businesses caught by the Tranche 2 reforms.

Here's what I've learned: most guidance out there is either too vague ("conduct customer due diligence") or too complex - 50-page templates designed for Tranche 1 entities like banks and casinos, not accounting firms, law practices, or real estate agencies.

The AUSTRAC Starter Kit is an excellent starting point. However, below is the plain-English version of the nine elements every Tranche 2 AML/CTF program must include.

1. ML/TF/PF Risk Assessment

What money laundering (ML), terrorism financing (TF), and proliferation financing (PF) risks apply to your services?

This is the foundation of everything else. Without it, you're guessing. Note that proliferation financing - that is, the financing of WMDs - is a new and mandatory addition under the revised Act. If you haven't considered it, you need to.

2. Policies, Procedures, Systems and Controls

These can't live in your head. They must be written down, covering what you do, when you do it, and who is responsible.

AUSTRAC will look for evidence of this during any review or audit. Early on, they’ll at least want to see that you’re developing a culture of compliance within your business. A well-structured program document, ideally in a purpose-built system such as Assure, meets this requirement cleanly.

3. Governance and Oversight

Your program requires senior management sign-off and an appointed AML/CTF Compliance Officer (AMLCO). That person can be you.

This element ensures accountability is located somewhere specific in your organisation, not diffused across a team and not buried in the fine print.

4. Initial Customer Due Diligence (CDD)

Know who your clients are. Verify their identity before you provide services. Keep records.

The verification step is critical and non-negotiable. AUSTRAC's rules are clear: you cannot onboard a client, which includes signing engagement contracts, without first completing identity verification.

5. Ongoing Customer Due Diligence (OCDD)

CDD is not a one-time task. You're obligated to monitor for changes and unusual activity across your client base on an ongoing basis.

This is where many smaller firms will struggle without a tool to support them; manually tracking changes across dozens or hundreds of clients using checklists, Word docs, or spreadsheets is impractical (and probably risky, too).

6. Personnel Due Diligence and Training

This is a new and explicit requirement under the reformed Act. Screen your staff. Then train them on their AML/CTF obligations.

It's not enough to have a compliant program if the people running it don't understand what they're doing or why.

7. Reporting

Three types of reports matter here:

  • Suspicious Matter Reports (SMRs): when something doesn't feel right
  • Threshold Transaction Reports (TTRs): for cash transactions over $10,000
  • Annual Compliance Report: submitted to AUSTRAC each year

Each has its own rules, timeframes, and consequences for non-compliance.

8. Record Keeping

Seven years. Everything documented. Accessible and retrievable.

This is one of the more underestimated elements. AUSTRAC doesn't just want records to exist; they want them to be retrievable on request. Disorganised record-keeping is a compliance failure.

9. Independent Evaluation

Your program must be reviewed by someone independent of its day-to-day operations at a minimum every 3 years.

For most small firms, this means engaging an external reviewer. That's a real cost, and something worth planning for from the start.

---

That's the framework. Nine elements, clearly defined, each with real obligations attached.

The devil is in the details, of course, and what "compliant" looks like will vary by sector and risk profile. But if your program covers all nine, you're starting from a defensible position.

Assure is built specifically to help accountants, lawyers, real estate agents, and conveyancers structure, document, and maintain a compliant program without needing to become a compliance expert first.

The first 100 waitlisters will receive free lifetime access as a thank-you for helping us on our journey.
