Key Takeaways

In this guide

What is an AML/CTF program? Part A: Risk management Part B: Customer identification The ML/TF risk assessment Developer-specific program elements Why generic templates fail Building your program Ongoing maintenance Frequently asked questions

What Is an AML/CTF Program?

An AML/CTF program is a written compliance framework that describes how your business identifies, manages, and mitigates money laundering and terrorism financing risks. Every reporting entity under the AML/CTF Act must develop, implement, and maintain one.

The program has two mandatory parts:

The program must be:

Part A: Risk Management

Part A is the governance backbone of your compliance program. It covers how your organisation manages ML/TF risk at an institutional level. AUSTRAC's real estate program starter kit provides a useful reference for structuring this section.

Part A must include

1 ML/TF risk assessment. A documented assessment of the money laundering and terrorism financing risks your business faces. This must consider customer types, products and services, delivery channels, and geographic factors.
2 Compliance officer appointment. Name and details of your AML/CTF compliance officer, their authority, and their responsibilities.
3 Employee due diligence. Procedures for screening employees who are involved in providing designated services or handling customer information. Background checks and ongoing monitoring.
4 Training arrangements. How and when staff receive AML/CTF training, what the training covers, how competency is assessed, and how records are maintained.
5 Transaction monitoring. How you monitor transactions for suspicious activity. For developers, this includes monitoring payment patterns, deposit sources, and buyer behaviour against red flag indicators.
6 Reporting obligations. Procedures for submitting Suspicious Matter Reports (SMRs) to AUSTRAC, including escalation workflows, timeframes, and tipping-off prevention measures.
7 Record-keeping. What records you keep, where they are stored, how long they are retained (minimum 7 years), and how they are protected from unauthorised access or destruction.
8 Independent review. Commitment to an independent review of the program within 3 years, and procedures for actioning findings.
9 AML/CTF program governance. How the program is approved, reviewed, updated, and who has oversight. For developers with reporting groups, this includes how the lead entity coordinates compliance across member entities.

Part B: Customer Identification Procedures

Part B is where the program gets practical. It sets out exactly how you verify buyer identity before providing a designated service.

Part B must cover

1 Individual buyers. Acceptable ID documents (passport, driver’s licence), electronic verification methods, and procedures when documents are unavailable or the buyer is overseas.
2 Corporate buyers. How you verify the company (ASIC search, ABN lookup), identify directors, and determine beneficial owners holding 25% or more ownership or control.
3 Trust buyers. Procedures for identifying the trustee, settlor, and beneficiaries. Different procedures for regulated trusts (SMSFs, managed investment schemes) versus unregulated trusts (family trusts, discretionary trusts).
4 Partnership and association buyers. Verification of the partnership agreement or association rules, identification of partners or office holders.
5 Foreign buyers. Additional verification requirements for non-Australian residents, including acceptance of foreign identity documents, use of certified translations, and considerations for high-risk jurisdictions.
6 Timing of verification. When CDD must be completed relative to the designated service. For property developers: before or at the point of entering into the contract of sale.
7 Enhanced CDD (ECDD). When enhanced procedures apply — PEPs, high-risk jurisdictions, complex ownership, unusually large transactions — and what additional steps are required. See AUSTRAC's CDD guidance for detail.
8 Ongoing CDD. How you monitor the customer relationship over time, including periodic re-screening against sanctions lists and updating customer information.

The ML/TF Risk Assessment

The risk assessment is the foundation of your entire program. Every other element — your CDD procedures, training content, monitoring approach — should be proportional to the risks you identify.

Your risk assessment must evaluate four dimensions:

Risk Dimension What to Assess Developer Example
Customer risk Who are your buyers? What is their risk profile? Foreign buyers via offshore agents = high risk. Local first-home buyers = lower risk.
Product/service risk What designated services do you provide? Off-the-plan sales with 24-month settlement = higher risk than completed home sales.
Channel risk How do buyers engage with you? Overseas marketing agents = higher risk. Display village walk-ins = medium risk.
Geographic risk Where are your buyers located? Buyers from FATF high-risk jurisdictions = elevated risk. Domestic buyers = standard.

The output of your risk assessment directly shapes your program. A developer with 90% domestic buyers purchasing house-and-land packages has a different program than a developer selling luxury apartments to an international buyer pool.

Developer-Specific Program Elements

Property developers face situations that other reporting entities do not. Your AML/CTF program should address these explicitly:

Developer-specific considerations

1 Off-the-plan CDD timing. Your program must specify that CDD is completed before contract execution, not at settlement. This is the most common compliance gap for developers.
2 Contract assignment procedures. If buyers can assign or nominate contracts before settlement, your program needs CDD procedures for the incoming assignee — treating them as a new customer.
3 SPV and reporting group structure. If you operate through multiple SPVs, your program should describe the reporting group arrangement, the lead entity, and how compliance is coordinated across entities.
4 Sales agent coordination. If external sales agents market your properties, your program should clarify who conducts CDD — the developer or the agent — and how information is shared.
5 Deposit and payment monitoring. Procedures for monitoring the source of deposits and purchase payments, including red flags for structured deposits, third-party payments, and cash transactions.

Why Generic Templates Fail

AUSTRAC has been explicit in its AML/CTF programs guidance: your program must be tailored to your business. A generic template downloaded from the internet fails for several reasons:

Templates as a starting point

Using a template as a structural guide is fine — it helps ensure you cover all required elements. But the content must be customised. AMLTranche solves this by auto-generating your program from your risk assessment answers, producing a document that is structurally complete and genuinely tailored to your business.

Building Your Program

Step-by-step program development

1 Complete your ML/TF risk assessment first. Everything flows from this. Assess your customer types, transaction channels, geographic exposure, and product risks.
2 Appoint your compliance officer. Name them in the program document with their authority and responsibilities clearly stated.
3 Draft Part A. Document your risk management framework, training plan, monitoring approach, record-keeping procedures, and reporting obligations. Reference your risk assessment findings throughout.
4 Draft Part B. Set out your CDD procedures for each customer type you encounter: individuals, companies, trusts, partnerships. Include your verification methods, acceptable documents, and ECDD triggers.
5 Get senior management approval. The program must be approved by a senior manager or the board. Document the approval with a date and signature.
6 Distribute to relevant staff. Everyone involved in buyer-facing transactions must have access to the program and understand their responsibilities under it.
7 Implement and train. Roll out the procedures, conduct initial training, and start using the program with real transactions.

Ongoing Maintenance

Your AML/CTF program is a living document. It must be reviewed and updated:

AMLTranche tracks program versions, records approval dates, and alerts you when a review is due.

Your AML/CTF program, auto-generated.

Answer questions about your business. AMLTranche produces a compliant, tailored AML/CTF program with Part A and Part B — ready for principal sign-off. No consultants. No templates. Done in under an hour.

Get Started → Book a Demo →

Get a free compliance checklist for your business:

No spam. Unsubscribe anytime.

Frequently Asked Questions

What is an AML/CTF program?

A written compliance framework with two parts: Part A covers risk management (risk assessment, compliance officer, training, monitoring, reporting). Part B covers customer identification procedures (how you verify buyer identity for individuals, companies, trusts, and other entity types).

What is Part A?

Part A covers your ML/TF risk assessment, compliance officer appointment, employee due diligence, training, transaction monitoring, reporting obligations, record-keeping, and independent review commitments. It is the governance framework for your compliance program.

What is Part B?

Part B sets out your Customer Identification Procedures. It specifies how you verify individual buyers, corporate buyers, trust buyers, and other entities. It covers acceptable documents, electronic verification, standard versus enhanced CDD, and when verification must be completed.

Can I use a generic template?

As a structural guide, yes. As your actual program, no. AUSTRAC requires your program to be tailored to your business. It must reflect your specific customer types, risk profile, transaction channels, and geographic exposure. AMLTranche auto-generates a tailored program from your risk assessment.

How often must it be updated?

Whenever your business, risk profile, or regulatory environment changes materially. Annual reviews are recommended. An independent review must be completed within 3 years of commencement.

Does AMLTranche generate the program?

Yes. You answer questions about your business and AMLTranche produces a compliant Part A and Part B program tailored to your operations. It can be exported as a PDF and is maintained within the platform with version tracking.