AML/CTF Compliance Guide

Your Obligations

A summary of the key AML/CTF obligations that apply to all Tranche 2 businesses under the AML/CTF Act.

Overview

As a Tranche 2 reporting entity, you have a set of core obligations under the AML/CTF Act. While the specific requirements vary by industry and designated service, the fundamental obligations are shared across all five regulated sectors.

These obligations exist to help detect and deter money laundering (ML) and terrorism financing (TF). They are not optional — failure to comply can result in significant civil and criminal penalties.

1. Register with AUSTRAC

You must enrol with AUSTRAC as a reporting entity before providing any designated services. Registration is free and can be completed online through AUSTRAC's website.

You need to register if your business provides, or intends to provide, a designated service as defined by the AML/CTF Act. Not all activities within a regulated industry trigger obligations — only specific services listed in the legislation.

Verifia provides reminders and guidance for AUSTRAC registration, but the actual registration must be completed directly with AUSTRAC.

2. Appoint an AML/CTF Compliance Officer

Every reporting entity must appoint an AML/CTF Compliance Officer who is responsible for overseeing the AML/CTF program. This person must:

  • Be a senior member of the organisation (or the owner/principal in small businesses)
  • Have the authority to make compliance decisions and allocate resources
  • Oversee the development, implementation, and maintenance of the AML/CTF program
  • Act as the primary contact for AUSTRAC

In Verifia, the Compliance Officer role has the highest level of system access and is responsible for approving KYC cases, authorising reports, and managing the compliance program.

3. Identify Your Designated Services

Before you can assess your risks or build your program, you must understand which of your business activities are designated services under the AML/CTF Act. Designated services are the specific activities that trigger your compliance obligations.

Each industry has its own set of designated services. For example:

  • Real estate — brokering or directly selling real estate
  • Legal profession — conveyancing, trust and company services, acting as nominee
  • Accounting — company and trust formation, acting as director or trustee
  • Conveyancers — assisting with buying, selling, or transferring real estate
  • Precious metals dealers — buying or selling precious goods where payment of $10,000+ is in physical currency or virtual assets

See your industry guide for the full list of designated services for your sector.

4. Conduct a Risk Assessment

You must assess your business's ML/TF risks before developing your AML/CTF program. Your risk assessment must consider four dimensions:

| Dimension | What to assess |
|---|---|
| Customer risk | Types of customers you serve — individuals vs entities, PEP exposure, non-face-to-face relationships |
| Service/product risk | Which designated services you provide and their inherent ML/TF risk |
| Delivery channel risk | How you deliver services — in-person, online, through third-party agents |
| Geographic risk | Countries and jurisdictions you deal with, including FATF-identified high-risk jurisdictions |

Your risk assessment determines:

  • Your overall ML/TF risk rating (High, Medium, or Low)
  • The baseline CDD measures applied to your customers
  • The controls required in your AML/CTF program
  • How frequently you need to review your program

5. Develop Your AML/CTF Program

Your AML/CTF program is the written document that sets out how your business will meet its obligations. AUSTRAC's starter kits structure the program around three steps:

Step 1: Customise

Tailor the program to your business — your designated services, your risk assessment, your personnel, and your operating environment.

Step 2: Use

Apply the program in your day-to-day operations — performing CDD on customers, monitoring transactions, filing reports, and training staff.

Step 3: Maintain

Keep the program current — review it regularly, update it when circumstances change, and test its effectiveness.

Your program must be approved by a senior manager (such as the Compliance Officer or a member of the governing body) before it takes effect.

6. Perform Customer Due Diligence (CDD)

Before providing a designated service to any customer, you must:

  1. Identify the customer — determine who they are and, for entities, who the beneficial owners are
  2. Verify their identity — collect and verify identity information using reliable and independent sources
  3. Assess their risk level — determine whether the customer poses low, medium, or high ML/TF risk
  4. Apply risk-appropriate measures — the level of CDD must be proportionate to the assessed risk:
| Risk Level | CDD Approach | Key Requirements | Review Cycle |
|---|---|---|---|
| Low | Simplified CDD | Reduced verification — single reliable document may suffice | Every 3 years |
| Medium | Standard CDD | Full verification using multiple sources | Every 2 years |
| High | Enhanced CDD (ECDD) | Full verification plus source of funds/wealth, adverse media screening, and senior manager approval | Every 12 months |

See CDD Tiers for detailed requirements.

7. Conduct Ongoing Customer Due Diligence

CDD is not a one-off exercise. Throughout the business relationship, you must:

  • Keep customer information up to date — update records when circumstances change
  • Monitor the business relationship — ensure transactions are consistent with your knowledge of the customer
  • Reassess risk — review the customer's risk level at scheduled intervals and when trigger events occur
  • Apply enhanced measures if the customer's risk increases

8. Monitor Transactions and Activity

You must have systems and procedures to monitor for:

  • Threshold transactions — transactions of $10,000 or more in physical currency (cash)
  • Suspicious matters — any activity that gives rise to a suspicion of ML/TF or other serious crime
  • Unusual patterns — activity that is inconsistent with the customer's known profile or business

Your monitoring should be proportionate to your risk profile and the nature of your designated services.

9. Submit Reports to AUSTRAC

You must submit the following reports to AUSTRAC:

| Report | When to file | Deadline |
|---|---|---|
| Suspicious Matter Report (SMR) | When you form a suspicion on reasonable grounds that a customer or transaction may relate to ML/TF or proceeds of crime | 24 hours (terrorism financing) or 3 business days (all other matters) |
| Threshold Transaction Report (TTR) | When a transaction involves $10,000+ in physical currency | 10 business days |
| Annual Compliance Report | Each calendar year | As specified by AUSTRAC |

Tipping-off prohibition: It is a criminal offence to disclose to any person — including the customer — that an SMR has been, is being, or will be filed.

See Reporting Obligations for full details.

10. Train Your Personnel

All personnel involved in providing designated services or handling AML/CTF matters must:

  • Receive initial AML/CTF training before commencing their role
  • Complete refresher training at regular intervals
  • Understand how to identify suspicious behaviour and know the escalation process
  • Be aware of the tipping-off prohibition

You must also conduct personnel due diligence — assess the suitability of each staff member before they take on AML/CTF responsibilities.

See Personnel Obligations for details.

11. Keep Records

You must retain records of:

  • All CDD information collected and verification results
  • Transaction records
  • Reports submitted to AUSTRAC
  • Risk assessments and AML/CTF program versions
  • Training records and personnel due diligence assessments
  • Compliance decisions and their rationale

Records must be retained for 7 years after the end of the business relationship or the date of the transaction, whichever is later.

12. Review and Update Your Program

Your AML/CTF program is a living document. You must review and update it:

  • At regular intervals — at least annually, or more frequently if your risk profile warrants it
  • When triggered by events such as:
    • Changes to the designated services you offer
    • Significant changes to your customer base
    • New jurisdictions you deal with
    • Regulatory updates or new guidance from AUSTRAC
    • Findings from independent reviews
    • Internal compliance incidents or near-misses
    • Changes in ML/TF typologies relevant to your industry

Verifia tracks review triggers and prompts you when a program review is due.

Next steps

  • Read about the 3-Step Framework that structures your compliance journey
  • Understand CDD Tiers — Simplified, Standard, and Enhanced due diligence
  • Jump to your industry guide for obligations specific to your sector