Part 7 of the AML/CTF Act 2006 requires every reporting entity to adopt and maintain an AML/CTF program. The Rules (Chapters 8 and 9) divide that program into Part A — the general program — and Part B — the applicable customer identification procedures.
The split exists because the two parts answer different questions. Part A asks: how does this business identify, mitigate and manage money-laundering and terrorism-financing risk overall? Part B asks: how does this business actually identify and verify the customers it provides designated services to?
Why the program is split into two parts
AUSTRAC supervises Part A and Part B differently. Part A is reviewed at the entity level — your governance, training, oversight and risk methodology. Part B is reviewed at the transactional level — whether you actually verified the customer in front of you before providing the designated service. Both must exist in writing, must be approved by your governing body (board, partners, principal), and must be tested through independent review at appropriate intervals.
Part A: what it must contain
Chapter 8 of the AML/CTF Rules sets the mandatory contents of Part A. At minimum, your Part A must address each of the following:
1. ML/TF risk assessment
A documented assessment of the money-laundering and terrorism-financing risks your business reasonably faces, considering: the customers you serve, the designated services you provide, the channels through which you provide them, and the jurisdictions involved. The risk assessment must be reviewed at appropriate intervals (typically annually for SMEs, more frequently for higher-risk firms).
2. Risk-based systems and controls
Specific policies, procedures and controls that respond to the risks you identified. Higher-risk customers, services or channels must attract enhanced controls (enhanced customer due diligence, additional approvals, more frequent review). Lower-risk areas can be subject to simplified due diligence.
3. Governance
Board or principal approval of the program, an appointed AML/CTF Compliance Officer, and a clear escalation path for SMRs and other compliance events. The Compliance Officer must have direct access to your governing body.
4. Employee due diligence
Pre-employment screening proportional to role risk for any staff who will work on designated services or have access to AML systems. For most SMEs this is a documented background check process — not necessarily an external screening service.
5. Training
An AML/CTF training program appropriate to roles. AUSTRAC's expectation is at least annual refresher training for all in-scope staff, with role-specific training for higher-risk functions (e.g. floor staff in a gaming venue, settlement staff in a conveyancer).
6. Ongoing customer due diligence (OCDD)
Procedures for monitoring customer behaviour and transactions through the lifecycle of the relationship, refreshing CDD when triggers occur, and reviewing higher-risk customers more frequently.
7. Reporting
Procedures for identifying, drafting and lodging SMRs (within 3 business days of forming suspicion), TTRs (within 10 business days of an A$10,000+ cash transaction) and any other reports triggered by the Act. This includes the internal escalation step from line staff to the Compliance Officer.
8. Record-keeping
Procedures and storage to retain CDD, transaction, training and reporting records for 7 years from the relevant trigger date. Records must be accessible by AUSTRAC on request.
9. Independent review
The schedule and scope of independent review of Part A. AUSTRAC does not prescribe a frequency, but typical practice for SMEs is every 2–3 years, performed by an external consultant or a sufficiently independent internal function.
Part B: customer identification procedures
Chapter 9 of the AML/CTF Rules governs Part B. The objective is straightforward: before you provide a designated service to a customer, you must collect and verify enough information about that customer to be reasonably satisfied who they are and (for non-individuals) who controls them.
For an individual customer, this typically means full name, date of birth, residential address, and verification of those details against a reliable and independent source (a passport, driver licence, or an electronic verification provider that meets the Rules).
For non-individual customers — companies, trusts, partnerships — it also means identifying and verifying:
- The legal entity itself (company name, ACN, place of incorporation; trust deed name, type, jurisdiction; partnership name and structure).
- Beneficial owners — natural persons who ultimately own or control 25% or more of the entity, or who exercise effective control through other means.
- The role and identity of senior managing officials (directors, trustees, partners) where beneficial ownership is dispersed.
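Worked example of the beneficial ownership test in the list above, written for this article (it is not AUSTRAC's or any vendor's tooling): it resolves ultimate ownership through layered holdings, applies the 25% threshold, adds persons flagged for effective control by other means, and falls back to the senior managing officials where ownership is dispersed. The ownership graph, names and percentages are constructed.

```python
from collections import defaultdict

THRESHOLD = 0.25  # 25% or more: the Part B beneficial-ownership line

# Constructed ownership graph (assumption): entity -> {holder: fraction held}.
# Holders that are themselves keys are intermediate entities; all others are
# natural persons (leaves). Acme is held 60% by Holdco, which is half-owned by
# a trust whose sole beneficiary is Ms Dana.
HOLDINGS = {
    "Acme Pty Ltd": {"Holdco Pty Ltd": 0.60, "Ms Alice": 0.30, "Mr Bob": 0.10},
    "Holdco Pty Ltd": {"Family Trust": 0.50, "Mr Carl": 0.50},
    "Family Trust": {"Ms Dana": 1.00},
}

def ultimate_ownership(entity, holdings):
    """Map each natural person to their aggregate indirect share of `entity`.
    Each chain of intermediaries multiplies the fraction held at every layer;
    several chains ending at the same person are summed."""
    totals = defaultdict(float)
    stack = [(entity, 1.0, (entity,))]
    while stack:
        node, weight, path = stack.pop()
        for holder, frac in holdings.get(node, {}).items():
            if holder in path:  # cross-holding loop: cannot resolve, escalate
                raise ValueError(f"circular holding through {holder}")
            share = weight * frac
            if holder in holdings:  # intermediate entity: keep walking upward
                stack.append((holder, share, path + (holder,)))
            else:  # natural person reached
                totals[holder] += share
    return dict(totals)

def beneficial_owners(entity, holdings, effective_control=(), senior_officials=()):
    """Persons at or above the 25% threshold, plus anyone exercising effective
    control by other means; if nobody qualifies (dispersed ownership), the
    senior managing officials are recorded instead."""
    shares = ultimate_ownership(entity, holdings)
    owners = {p for p, s in shares.items() if s >= THRESHOLD - 1e-9}
    owners |= set(effective_control)
    return sorted(owners) if owners else sorted(senior_officials)

if __name__ == "__main__":
    for person, share in sorted(ultimate_ownership("Acme Pty Ltd", HOLDINGS).items()):
        print(f"{person}: {share:.0%}")
    print("Beneficial owners:", beneficial_owners("Acme Pty Ltd", HOLDINGS))
```

Mr Bob's 10% direct holding falls below the line, while Ms Dana reaches 30% only through the trust and Holdco, which is why the walk must go through every layer rather than stop at the first register.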
Enhanced customer due diligence (ECDD)
ECDD applies in higher-risk situations: politically exposed persons (PEPs) and their close associates, customers from jurisdictions assessed as higher risk, opaque or unusual ownership structures, or any customer where ML/TF risk is otherwise heightened. ECDD typically requires senior approval, additional source-of-funds enquiry, and more frequent review.
Simplified customer due diligence (SCDD)
SCDD is permitted only in narrowly defined low-risk circumstances under the Rules — for example, certain listed public company customers. SCDD is not the default and should never be used because CDD is administratively inconvenient.
Risk-based vs prescriptive — what AUSTRAC expects
Australia's AML/CTF regime is risk-based, not prescriptive. The Act tells you what outcomes you must achieve; it does not tell you exactly how to achieve them. That flexibility is intentional: a sole conveyancer running 50 settlements a year cannot reasonably be expected to operate the same controls as a national property group running 50,000.
But risk-based does not mean rules-free. AUSTRAC's consistent supervisory message is that programs must be genuinely tailored to the firm using them. 'Off-the-shelf' programs lifted from a template provider and used unchanged are a recurring enforcement theme. Tailoring is the difference between a defensible program and a paper exercise.
Independent review of the program
Both Part A and Part B must be subject to independent review at appropriate intervals. The reviewer must be sufficiently independent of the function being reviewed — a self-review by the Compliance Officer is not independent. For SMEs, independent review is typically external (an AML consultant) and happens every 2–3 years; for larger firms it is more frequent and may be performed by an internal audit function.
The scope of independent review should cover the design adequacy of the program (does it meet the Rules?) and operational effectiveness (is it actually being followed?). The output is a written report, retained as part of the program records, with management responses to any findings.
Sample table of contents for an SME program
- Document control, version history, board/partner approval.
- Part A — Section 1: ML/TF risk assessment (customers, services, channels, jurisdictions).
- Part A — Section 2: Risk-based systems and controls.
- Part A — Section 3: Governance and the AML/CTF Compliance Officer.
- Part A — Section 4: Employee due diligence.
- Part A — Section 5: AML/CTF training and competency.
- Part A — Section 6: Ongoing customer due diligence and transaction monitoring.
- Part A — Section 7: Reporting (SMR, TTR, IFTI) and escalation.
- Part A — Section 8: Record-keeping.
- Part A — Section 9: Independent review schedule.
- Part B — Section 1: Customer identification procedures (individuals).
- Part B — Section 2: Customer identification procedures (companies, trusts, partnerships).
- Part B — Section 3: Beneficial ownership identification.
- Part B — Section 4: Enhanced customer due diligence and PEP screening.
- Appendices: Risk register, CDD evidence templates, training records, SMR escalation form.
Frequently asked questions
What is a Part A AML/CTF program?
Part A is the general program — the set of policies and procedures that govern how a reporting entity identifies, mitigates and manages money-laundering and terrorism-financing risk overall. Chapter 8 of the AML/CTF Rules requires Part A to cover at minimum: risk assessment, risk-based systems and controls, governance, employee due diligence, training, ongoing CDD, reporting, record-keeping, and independent review.
What is a Part B AML/CTF program?
Part B is the set of customer identification and verification procedures applied before a reporting entity provides a designated service to a customer. Chapter 9 of the AML/CTF Rules requires Part B to cover identification and verification of individuals, non-individuals (companies, trusts, partnerships), beneficial owners (25%+ control or effective control), and enhanced procedures for higher-risk customers and PEPs.
Can I use a template AML/CTF program?
Templates from software providers and industry bodies are valid starting points but must be tailored to your business. AUSTRAC has consistently warned that 'off-the-shelf' programs used unchanged are a non-compliance risk. The risk-based principle requires the program to genuinely reflect the customers, services, channels and jurisdictions of the specific firm using it.
Who must approve the AML/CTF program?
The program must be approved by the governing body of the reporting entity — board for a company, partners for a partnership, principal for a sole practitioner, trustees for a trust. Approval must be documented (board minute, partnership resolution) and re-confirmed when material changes are made to the program.
How often must the AML/CTF program be reviewed?
AUSTRAC does not prescribe a frequency in the Rules. The risk-based standard is 'at appropriate intervals'. Typical practice for SMEs is annual review of the risk assessment and Part A by management, with independent external review of the full program every 2–3 years. Higher-risk firms review more frequently.
What is enhanced customer due diligence?
ECDD is the heightened verification and ongoing monitoring applied in higher-risk situations: politically exposed persons (PEPs) and their associates, customers from higher-risk jurisdictions, opaque ownership structures, or any customer where ML/TF risk is heightened. ECDD typically involves senior approval before the relationship proceeds, source-of-funds enquiry, and more frequent customer review.
Last reviewed 4 May 2026 by James Carter. This guide is general regulatory information about the AML/CTF Act 2006 and AUSTRAC Tranche 2 reforms — it is not legal advice for your business.