Get the AML program template.

Part A is the high-level governance and risk management framework — board oversight, AML compliance officer designation, risk assessment methodology, training, and independent review schedule. Part B is the operational customer due diligence procedure — how you identify customers, verify identities, screen for sanctions/PEPs, monitor transactions, and report suspicious matters. Both are required under section 84 of the AML/CTF Act, and the template covers both with sector-specific prompts in each section.

AUSTRAC does not pre-approve AML programs — your program is assessed in the context of your business when (and if) AUSTRAC examines you. The template is structured against the AML/CTF Act 2006, AUSTRAC's published guidance, and Tranche 2 reform updates as of early 2026. It produces a structurally complete program; the substantive judgements (your specific risk ratings, control choices, monitoring thresholds) are yours to make and document.

Honestly: usually not the right call. The template gets you to a documented program. A vetted provider also gets you to a documented program — plus the ID verification, sanctions/PEP screening, transaction monitoring, training delivery, and audit trail that the document alone doesn't produce. DIY only works if you're already paying for those tools separately or have genuine in-house capability to build them. The honest take is on the page: most SMEs are faster and lower-risk with a provider.

Editable Microsoft Word (.docx), with bracketed prompts for the business-specific content you fill in (entity name, sector, designated services, AML compliance officer, key risk ratings). A companion PDF checklist tracks completion across the six sections, and a sector-specific addendum is included based on the sector you select on the form.

For a simple single-sector firm with one office, plan 8–15 hours of compliance officer time spread over a couple of weeks: 2–3 hours for the risk assessment, 3–5 hours for the CDD procedure, 2–3 hours for monitoring and reporting, 1–2 hours for governance and training. Multi-sector or multi-entity firms typically take 25–40 hours. We strongly recommend running the risk assessment tool first so the program documentation is grounded in a defensible rating.

Recommended for firms with material risk exposure (legal services with international clients, real estate at the prestige end, financial services, multi-jurisdictional operations) and for any firm that intends to operate the program for more than 12 months without external review. For lower-risk single-sector SMEs, partner-level review with reference to the AUSTRAC checklist is often enough — but the independent review obligation will eventually require an external assessor regardless.

Yes — and you must. The AML/CTF Act requires you to keep the program current as your business changes (new sectors, new customer types, new channels, regulatory updates). The template is yours to edit; we don't track adoption or push updates to your copy. We do publish material AUSTRAC guidance changes on the blog, which is the right place to get update prompts.

The structure (six sections, AML/CTF Act mapping, governance framework) applies to any reporting entity, but the sector-specific prompts and risk-rating guidance only cover the seven Tranche 2 sectors plus financial services. If you're a Tranche 1 entity (banking, remittance, gambling, digital currency exchange) the template can still be a useful skeleton, but you should expect to do more sector-specific drafting yourself.