The AML/CTF Act and Rules require a documented program in two parts. Part A deals with the general systems and controls. Part B deals with how you identify customers.
Part A — the general program
- Risk assessment of your business, customers, services, channels, and jurisdictions.
- Risk-based controls to mitigate the identified risks.
- AML/CTF compliance officer designated in writing.
- Employee due diligence — pre-employment screening for relevant staff.
- Annual training program with attendance records.
- Ongoing monitoring of customers and transactions.
- Reporting obligations — SMR, TTR, IFTI procedures.
- Independent review at appropriate intervals.
- Board or senior management oversight.
Part B — customer identification
- Procedures for collecting and verifying customer information at onboarding.
- Procedures for identifying beneficial owners of non-individual customers.
- Procedures for ongoing customer due diligence and triggers for re-verification.
- Procedures for handling enhanced due diligence on high-risk customers.
- Procedures for safe-harbour identification where applicable.
What good looks like for an SME
Good is not exhaustive — it is defensible. That means a 12–20 page Part A and a 6–10 page Part B, written in your firm's voice, signed by a named compliance officer, reviewed annually, and demonstrably operating in the business. AUSTRAC has seen plenty of beautiful programs that nobody followed.