The 3-Step Framework
AUSTRAC's 3-step framework for building and maintaining your AML/CTF compliance program — and how Verifia supports each step.
AUSTRAC structures AML/CTF compliance around a practical 3-step lifecycle. This framework is used across all five Tranche 2 industries and is reflected in AUSTRAC's program starter kits. Verifia is designed to guide you through each step.
Step 1: Customise Your Program
This is the setup phase where you tailor your AML/CTF program to your specific business. A program that is not customised to your operations will not be effective and may not satisfy AUSTRAC's requirements.
What you need to do
- Identify your designated services — determine which of your business activities are regulated under the AML/CTF Act
- Complete your ML/TF risk assessment — evaluate your risk across customers, services, delivery channels, and geography
- Determine your risk appetite — decide how much ML/TF risk your business is willing to accept and what controls you will apply
- Build your AML/CTF program — create your policies and procedures based on your risk assessment, using AUSTRAC's starter kit as a foundation
- Set up personnel obligations — appoint your Compliance Officer, plan training, and conduct initial personnel due diligence on all relevant staff
- Communicate to staff — ensure all personnel have read, understood, and acknowledged the program before it takes effect
- Obtain senior manager approval — your program must be formally approved by a senior manager before implementation
How Verifia helps
| Task | Verifia feature |
|---|---|
| Identify designated services | Industry-specific service catalogue auto-loaded during onboarding |
| ML/TF risk assessment | Guided questionnaire covering all four risk dimensions, with automated scoring and PDF report |
| AML/CTF program | AI-generated draft based on your risk assessment and industry, with built-in editor for customisation |
| Personnel setup | Staff management with Compliance Officer designation, role assignment, and due diligence tracking |
| Staff communication | Read-and-acknowledge workflow with timestamped audit trail |
| Senior manager approval | Formal approval workflow with digital sign-off |
Step 2: Use Your Program
This is the day-to-day operational phase where you apply your program to real customers and transactions. Your program is only effective if it is consistently used.
What you need to do
- Perform initial CDD — identify, verify, and risk-assess every customer before providing a designated service
- Conduct ongoing CDD — keep customer information current, monitor for changes in risk, and conduct scheduled reviews
- Monitor transactions — watch for threshold transactions ($10,000+ in physical currency), suspicious activity, and unusual patterns
- Submit reports — file SMRs (within 24 hours for terrorism financing, 3 business days for other matters), TTRs (within 10 business days), and annual compliance reports
- Escalate and decide — when risk indicators or suspicious behaviour are identified, follow your escalation pathway: investigate, apply additional controls, report, or refuse service
- Manage personnel — deliver ongoing training, conduct periodic personnel due diligence reviews, and manage role changes and departures
How Verifia helps
| Task | Verifia feature |
|---|---|
| Initial CDD | KYC Workbench with guided forms, eKYC identity verification (DVS), and sanctions/PEP screening |
| Ongoing CDD | Automated review scheduling based on risk tier, with triggered reviews for new risk indicators |
| Transaction monitoring | Configurable rule engine with industry-specific rules (including linked transaction detection for precious metals) |
| Reporting | Assisted SMR/TTR drafting with pre-filled customer and transaction data, deadline tracking, and LPP assessment for legal practitioners |
| Escalation | Structured decision workflow (proceed / apply controls / report / refuse) with documented rationale and audit trail |
| Personnel management | Training module assignment, completion tracking, due diligence scheduling, and departure procedures |
Step 3: Maintain and Review
This is the ongoing improvement phase. AML/CTF compliance is not a set-and-forget exercise — your program must evolve as your business, customers, and the threat environment change.
What you need to do
- Review your risk assessment — update when your circumstances change (new services, new customer types, new jurisdictions, or new ML/TF typologies)
- Update your program — revise policies and procedures to reflect changes in risk, regulation, or business operations
- Conduct independent reviews — arrange periodic independent assessments of your program's effectiveness (AUSTRAC recommends this, and it may become mandatory)
- Test your controls — verify that your CDD processes, monitoring rules, and reporting procedures are working as intended
- Report annually — submit your annual compliance report to AUSTRAC
- Respond to triggers — when specific events occur (regulatory changes, compliance incidents, audit findings), initiate a program review promptly
How Verifia helps
| Task | Verifia feature |
|---|---|
| Risk assessment review | Version history with side-by-side comparison, triggered review prompts |
| Program updates | Version-controlled program with change tracking and staff re-acknowledgment workflow |
| Independent reviews | Review workflow with findings tracking and remediation management |
| Control testing | Compliance health score, system metrics, and effectiveness indicators |
| Annual reporting | Guided annual report generation using compliance data collected throughout the year |
| Trigger management | Automated trigger detection (regulatory updates, overdue reviews, incidents) with review prompts |
The compliance lifecycle
┌─────────────────────────────────────────────┐
│  STEP 1: CUSTOMISE                          │
│  Risk Assessment → Program → Personnel      │
│  (Do this before 1 July 2026)               │
└──────────────────┬──────────────────────────┘
                   │
                   v
┌─────────────────────────────────────────────┐
│  STEP 2: USE                                │
│  CDD → Monitor → Report → Escalate          │
│  (Day-to-day operations)                    │
└──────────────────┬──────────────────────────┘
                   │
                   v
┌─────────────────────────────────────────────┐
│  STEP 3: MAINTAIN                           │
│  Review → Update → Test → Report            │
│  (Ongoing improvement)                      │
└──────────────────┬──────────────────────────┘
                   │
                   └──── (cycle repeats) ──────>
The three steps are not a one-time journey. After initial setup (Step 1), your program should continuously cycle between day-to-day use (Step 2) and periodic maintenance (Step 3). Each review cycle strengthens your program and helps you stay ahead of emerging ML/TF risks.
