Key Takeaways
- The program is a written document plus the systems that sit behind it.
- It must be tailored to the firm: service mix, client types, risk appetite, geography.
- Every reporting entity appoints an AML/CTF Compliance Officer at management level.
- The program is approved by the governing body, reviewed regularly, and subject to independent evaluation.
- Staff training, sanctions screening and recordkeeping are all part of the program, not optional add-ons.
In this guide
- What an AML/CTF program is
- The two halves: governance and risk-based systems
- The governance half in detail
- The risk-based systems half in detail
- The AML/CTF Compliance Officer
- Board or management approval
- Training
- Independent evaluation
- Recordkeeping
- Starter kit vs purpose-built program
- How AMLTranche auto-generates the program
- Frequently asked questions
What an AML/CTF Program Is
An AML/CTF program is the document, plus the systems that sit behind it, that show how a reporting entity manages money-laundering and terrorism-financing risk. Under the AML/CTF Act, every entity that provides a professional designated service has to have one in place from the day it starts providing the service. For Australian accountants, tax agents and bookkeepers brought into the regime by Tranche 2, that day is 1 July 2026.
The program is not a marketing brochure or a generic policy lifted from another firm. It has to read like an accurate, current description of what the firm actually does: which services it provides, which of those are designated services, who its clients are, where its risks sit, how those risks are managed, and who is responsible. AUSTRAC's "your AML/CTF program" guidance is the source of truth for what the document has to contain.
Two things flow from that. First, the program is specific to the firm. A two-partner suburban practice with a stable SMSF book does not need the same program as a mid-tier firm with corporate insolvency, restructures and a foreign-client base. Second, the program is alive. It gets reviewed when the firm's service mix changes, when staff change, when risk indicators change, and on a regular schedule set in the program itself.
The Two Halves: Governance and Risk-Based Systems
AUSTRAC's framing for the program has two main components. One is governance: how the firm runs the program. The other is risk-based systems: the actual machinery that finds, assesses and manages ML/TF risk on each file. Both halves are mandatory, and the program document has to cover both.
Within those two halves, AUSTRAC sets out the headline content in its "develop your AML/CTF program" material. The list maps to most reporting entities and reads naturally for an accounting firm:
- An ML/TF risk assessment for the firm.
- Policies, procedures, systems and controls to manage the identified risks.
- A description of the designated services the firm provides.
- The AML/CTF Compliance Officer appointment and role description.
- Customer due diligence procedures (initial and ongoing).
- Reporting obligations (SMRs, threshold transaction reports, AUSTRAC reports).
- Recordkeeping rules.
- Staff training approach.
- How the program is approved and reviewed, including independent evaluation.
For the wider Tranche 2 picture, see our accountants Tranche 2 guide. The rest of this article walks through each part of the program in the order an accounting firm would actually build it.
The Governance Half in Detail
The governance side describes how the firm runs the program. The components are simple to list and harder to do well in a small practice where one person wears five hats.
- Compliance Officer. Named individual at management level with sufficient authority and access to act on AML/CTF matters. In a sole practice, this is the principal. In a multi-partner firm, it is usually a partner or senior manager.
- Governing body approval. The board, partnership or principal approves the program in writing before it is in use, and re-approves it after any material change.
- Reporting line. The Compliance Officer reports to the governing body on the operation of the program: SMRs lodged, sanctions hits, training completion, any issues identified.
- Training program. Role-relevant AML/CTF training for every team member who can encounter a designated service, with completion records.
- Independent evaluation. A regular, independent review of the program by someone not involved in day-to-day operation.
- Recordkeeping. A 7-year retention rule for CDD records, transaction records, training records, reports and the program itself.
In a small firm, governance is usually thin on paper and thick in practice: one person who knows everything, no formal sign-off process, training run by the person being trained. The Tranche 2 requirement is that the firm writes it down. That is often the biggest cultural change.
The Risk-Based Systems Half in Detail
The risk-based systems side describes what the firm actually does on each file. It starts from the firm-wide risk assessment and flows down into procedures that match the assessed risk.
ML/TF risk assessment
The firm identifies its ML/TF risks across four dimensions: customer types, service types, delivery channels and jurisdictions. For an accountant, customer types include corporate clients, family trusts, SMSFs, professional clients, foreign individuals, and high-net-worth families. Service types are the designated services the firm provides. Delivery channels include in-person, telephone, video and digital onboarding. Jurisdictions are the countries the firm or its clients touch.
The output is a risk profile (typically low/medium/high) for combinations of those dimensions, plus an explanation of why. The risk assessment is reviewed at least annually and whenever the firm's service mix or client base materially changes.
Customer due diligence
CDD procedures cover initial onboarding CDD, Enhanced CDD for higher-risk clients, and ongoing CDD across the life of the relationship. For accountants, the typical client is a non-individual, so the procedures spell out how the firm identifies entities, walks up beneficial ownership chains, and handles trusts and SMSFs. The full walk-through is in our CDD for accountants guide.
Sanctions and PEP screening
Every relevant party (the customer entity, directors, trustees, beneficial owners) is screened against the DFAT Consolidated List and PEP databases, both at onboarding and on an ongoing basis. The program describes how matches are escalated, how false positives are resolved, and how PEP status is risk-rated.
Reporting and monitoring
The program sets out procedures for filing Suspicious Matter Reports under AUSTRAC's SMR guidance, for ongoing monitoring under the ongoing CDD guidance, and for any other reports the firm is required to lodge.
The AML/CTF Compliance Officer
Every reporting entity appoints an AML/CTF Compliance Officer. The role is a statutory one. The Compliance Officer has to:
- Sit at management level, with sufficient authority and access to firm information.
- Be fit and proper for the role.
- Oversee day-to-day operation of the program.
- Approve significant CDD decisions and Enhanced CDD packages.
- Decide whether to lodge an SMR (with the support of staff who escalate concerns).
- Run the training schedule and confirm completion.
- Maintain records and respond to AUSTRAC requests.
- Act as the firm's primary AUSTRAC contact.
In a sole practice the principal is the Compliance Officer. In a multi-partner firm it is normally a senior partner with the trust and confidence of the wider partnership. Outsourcing the role to an external compliance manager is permitted, but the firm cannot outsource responsibility for the program itself. Personal liability for compliance failures is real; see our principal liability guide for the detail.
Board or Management Approval
The program is signed off by the firm's governing body before it is in operation. "Governing body" reads strangely for a sole practice or partnership, but the concept is the same: the persons accountable for the firm's strategic decisions formally approve the program in writing. In a partnership, that means the partners adopt the program (typically by partnership resolution). In a Pty Ltd practice, the directors approve it. In a sole practice, the principal signs the approval and records the date.
Approval is also required after a material change. If the firm adds a new line of service that touches a designated service (for example, starting to act as a corporate trustee), the program has to be updated and re-approved. Material changes that flow through the program include changes in customer types, services, geographies, technology, or risk indicators identified during operation.
Training
AML/CTF training is required for every team member who can encounter a designated service. That includes partners, accountants, paraplanners, administrators handling client onboarding, bookkeepers stepping into entity formation work, and any practice manager who reviews files. The training is role-relevant: a principal needs the full picture (program, CDD, SMRs, tipping-off, reporting), while a junior administrator needs enough to recognise red flags and escalate.
The minimum content most accounting firms include is:
- What the firm's designated services are and how to recognise one.
- CDD basics, including beneficial ownership for entities.
- Red flags for accountants (cash-heavy transactions, opaque structures, unwilling clients, urgency pressure).
- The SMR process, including the role-split that prevents tipping-off.
- Tipping-off (section 123 of the AML/CTF Act) in plain English.
- Sanctions and PEP screening basics.
- Recordkeeping rules.
- How to escalate a concern to the Compliance Officer.
Completion is recorded for every staff member, with an annual refresher and a fresh module for new starters at induction.
Independent Evaluation
The program is subject to regular independent review. The reviewer must be independent of the day-to-day operation of the program (so the Compliance Officer cannot review their own work). The reviewer can be internal (a partner not involved in compliance, an internal audit function) or external (an AML consultant or firm).
The cadence is risk-based. A small low-complexity practice typically runs an internal review annually and an external independent evaluation every two to three years. A firm with higher-risk work (foreign clients, complex restructures, multi-jurisdiction trusts, related-party financing, large client money movements) will run independent reviews more often.
The output is a written report identifying any weaknesses and recommendations. The Compliance Officer responds to the report with a remediation plan and tracks closure of each recommendation. AUSTRAC has signalled that the absence of any independent review is itself an indicator of weak compliance, so even a small firm needs at least a documented internal review on the books. Our independent evaluation guide walks through scope, evidence and findings in detail.
Recordkeeping
The program describes how the firm keeps records and for how long. The default retention period under the AML/CTF Act is 7 years. Records include CDD documents and decisions, transaction records tied to designated services, sanctions and PEP screening results, SMR drafts and lodgement evidence, training completion records, the program itself and all versions of it, and the independent evaluation reports.
The records have to be retrievable on request. In practice that means a tamper-proof, time-stamped audit trail rather than a folder of PDFs on someone's laptop. AUSTRAC's recordkeeping guidance sets the standard.
Starter Kit vs Purpose-Built Program
AUSTRAC publishes an Accountant Program Starter Kit for small low-complexity firms. The kit includes a template program, a supporting document library and worked examples of dealing with clients. It is free and is a sensible baseline.
The kit is a baseline, not a finished product. Two things still have to happen after a firm downloads it:
- The kit has to be tailored to the firm's actual service mix, client base and risk profile. A program that reads identically to fifty other firms is not the firm's own program.
- The kit has to be operationalised. A template program is paper. CDD workflows, sanctions screening, SMR handling, monitoring and recordkeeping all have to run as actual systems behind the program.
Our AUSTRAC program starter kits guide compares what the kits cover and what they do not, and the broader trade-off between the starter kit and purpose-built software sits in the starter kit vs purpose-built comparison.
How AMLTranche Auto-Generates the Program
AMLTranche turns the program into a workflow rather than a Word file. A short questionnaire (firm size, services offered, client types, geographies, delivery channels) generates a written AML/CTF program plus an ML/TF risk assessment, mapped to the AUSTRAC Accountant Starter Kit structure. The Compliance Officer reviews and approves the draft, and the program is then live alongside the CDD, sanctions screening, SMR and monitoring workflows that sit behind it.
Every change to the program is versioned. Training completion, CDD records, screening results and SMR drafts are stored in the 7-year tamper-proof audit log hosted in AWS Sydney. The independent evaluation runs against a live program, not a stale PDF. The full feature list and pricing for accountants sits on the AML software for accountants page.
Auto-generate your accounting firm's AML/CTF program
Tailored to your services, client mix and risk profile. Mapped to AUSTRAC's Accountant Starter Kit. Up and running in under an hour. Plans from $59/mo.
Frequently Asked Questions
Does every accounting firm need an AML/CTF program?
Every accounting firm that provides a professional designated service under the AML/CTF Act needs a written AML/CTF program covering the captured work. A firm that only prepares tax returns and BAS is not a reporting entity and does not need a program. The moment any partner or staff member touches a designated service, the firm needs one.
What is the difference between an AML/CTF program and the AUSTRAC Accountant Program Starter Kit?
The starter kit is a template program, a document library and worked examples, designed for small low-complexity firms. The AML/CTF program itself is the firm's actual, tailored document plus the systems behind it. Most firms use the kit as a baseline and then tailor it, rather than adopting it word for word.
Who is the AML/CTF Compliance Officer for an accounting firm?
A named individual at management level. In a sole practice this is the principal. In a multi-partner firm it is typically a partner or senior manager. The Compliance Officer owns the program and is the firm's primary AUSTRAC contact.
How often does an accounting firm need an independent evaluation?
Risk-based, with the cadence set in the program. A small low-complexity firm typically runs an internal review annually and an external independent evaluation every two to three years. A firm with higher-risk work reviews more often.
Do staff have to be trained, and how often?
Every team member who can encounter a designated service needs role-relevant AML/CTF training. Most firms run a structured induction module for new starters and an annual refresher for everyone. Completion is recorded.
Disclaimer: This article provides general information about AML/CTF programs for accounting firms and does not constitute legal advice. Confirm your specific obligations with AUSTRAC or a qualified legal adviser.