As Australian law firms, accounting firms, conveyancers and real estate agencies prepare for Tranche 2 AML/CTF reforms, many businesses are focusing on completing their business-wide ML/TF risk assessment. While the risk assessment is a critical component of compliance, it is only one part of a much broader AML/CTF Program.
One of the most common misconceptions is that an AML/CTF Program is simply a collection of policies stored on a server or in a compliance folder. In reality, the purpose of an AML/CTF Program is not to create documents. The purpose is to create repeatable compliance behaviour throughout the business. The program should establish clear operational guardrails that demonstrate how the business identifies, manages and monitors money laundering and terrorism financing risks in practice.
If AUSTRAC were to ask a business how it manages AML/CTF compliance, the answer should not be a single policy document. The answer should be reflected in a complete compliance framework consisting of risk assessments, methodology documents, policies, procedures, governance controls and documented workflows. Together, these documents explain how the business operates its compliance program and how decisions are made on a consistent basis.
The Business-Wide ML/TF Risk Assessment
The business-wide ML/TF risk assessment forms the foundation of the AML/CTF Program. Before a business can determine what controls it requires, it must first understand where its risks arise.
AUSTRAC expects reporting entities to assess the money laundering and terrorism financing risks associated with their customers, services, delivery channels and geographic exposure. The objective is not simply to assign risk ratings. The objective is to identify areas of vulnerability and determine whether additional controls are required to manage those risks appropriately. Businesses should also remember that ML/TF risk assessments are not a one-off exercise and continue to play an important role after commencement. See ML/TF Risk Assessments: Beyond the 1 July Deadline.
A lawyer onboarding a family trust may need to identify the trustee, map the ownership structure, identify beneficial owners, assess jurisdiction risk and determine whether enhanced due diligence is required before funds are received. A real estate agency dealing with overseas purchasers may face different risks from an agency operating exclusively within a local market. The business-wide ML/TF risk assessment provides the framework for identifying those differences and documenting the firm's exposure.
Why a Methodology Document Matters
Many businesses focus heavily on the risk assessment itself while overlooking the importance of the methodology that sits behind it.
The methodology document explains how the risk assessment was conducted, how risks were categorised and how final risk ratings were determined. It demonstrates that the assessment was performed using a consistent and repeatable process rather than subjective judgement.
This is particularly important because risk assessments are intended to be reviewed and updated over time. Without a documented methodology, different staff members may apply different approaches, resulting in inconsistent outcomes. A methodology creates a defensible framework that can be followed year after year and helps demonstrate to regulators that the assessment process is structured, rational and repeatable.
Why We Separate Impact and Likelihood
One of the key features of the Flagship AML methodology is the separation of impact and likelihood assessments.
These concepts measure different things and should not be treated as the same risk factor. Impact measures the potential consequences if a service is misused for money laundering or terrorism financing purposes. Likelihood measures the probability of that misuse occurring within the business.
A service may have a high potential impact if abused, but only be offered occasionally. Conversely, a service may be provided regularly while presenting relatively low inherent risk. Separating impact and likelihood produces a clearer understanding of the firm's risk profile and helps create more defensible risk management decisions.
This approach also aligns more closely with the way businesses assess risk in practice. Firms typically consider both the seriousness of a risk event and the likelihood of that event occurring before determining what controls should be applied.
Policies Should Drive Behaviour
Once risks have been identified, the AML/CTF Program must explain how those risks are managed. This is where policies and procedures become critical.
Unfortunately, many compliance programs fail because policies exist in isolation. They are drafted, approved and stored away without becoming part of the firm's day-to-day operations.
The purpose of a policy is not simply to satisfy a regulatory requirement. The purpose of a policy is to establish clear operating rules that staff can follow consistently. Policies should explain how clients are onboarded, how beneficial ownership is identified, when enhanced due diligence is required, how monitoring is conducted and how compliance decisions are documented.
A policy should be capable of demonstrating to AUSTRAC:
"This is how we run our compliance program."
If a policy requires enhanced due diligence for high-risk clients, staff should know precisely when enhanced due diligence applies and how it must be documented. If a policy requires beneficial ownership verification, the business should have a workflow that ensures beneficial ownership is assessed before onboarding proceeds.
Policies become meaningful when they are integrated into workflow. See How Small Firms Can Operationalise the AUSTRAC Toolkits.
What Businesses Should Look For in an AML/CTF Program
Businesses should avoid viewing AML compliance as a collection of disconnected documents. An effective AML/CTF Program should operate as a practical compliance framework that guides staff through onboarding, risk assessment, due diligence, escalation and monitoring processes.
A consistent workflow reduces regulatory risk by ensuring staff follow the same onboarding sequence every time, rather than relying on individual judgement, memory or informal office practices. This creates consistency across the organisation and produces stronger compliance records when decisions are later reviewed.
Businesses should also be cautious of generic policy templates that are not tailored to their actual services and risk profile. A policy that does not reflect how the business operates may provide limited practical value during an AUSTRAC review or independent audit.
What Should Be in Place Before 1 July?
By commencement, businesses should have more than a completed risk assessment. They should have a documented business-wide ML/TF risk assessment, a supporting methodology, AML/CTF policies and procedures, customer due diligence processes, beneficial ownership procedures, enhanced due diligence procedures, monitoring controls, governance arrangements and staff training processes.
Most importantly, these components should work together as a single compliance framework.
The objective is not simply to produce documents. The objective is to create a defensible AML/CTF compliance program that demonstrates how the business identifies risk, applies controls and documents compliance decisions in practice.
For many smaller firms and agencies, the challenge is not understanding what must be done. The challenge is implementing those requirements in a way that is practical, consistent and sustainable. Businesses that focus on workflow, governance and documented decision-making will be far better placed than those relying solely on policies sitting untouched in a compliance folder.
By Amira Ward and Daniel Ward
Flagship AML
Published May 2026
© 2026 Flagship AML. All rights reserved. This article is for general informational purposes only and does not constitute legal advice.