INSIGHT | EXISTING ENTITIES

The essential elements of an AML/CTF program

By:

Neil Jeans,

Katherine Shamai,

Martin Stone,

Annelies Homersham

18 Feb 20258 min read

Quick Summary

The amended AML/CTF Act introduces significant changes to the current AML/CTF program, shifting from a prescriptive, compliance-based approach to a more flexible, outcomes-based framework, emphasising the importance of effectively managing ML/TF/PF risks.
Reporting entities must address these changes to ensure compliance, which involves updating risk assessments, policies, and procedures.
The breadth of these changes requires a comprehensive overhaul of existing AML/CTF programs, focusing on achieving meaningful results in preventing financial crime. It is recommended that existing entities draft new policies, rather than trying to adapt their pre-existing Part A and Part B Program policies.
By adapting to these new requirements, entities can enhance their ability to combat ML/TF threats and maintain regulatory compliance.

An Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program is essential to support organisations complying with AML/CTF obligations and requirements.

Under the AML/CTF Act 2006, all reporting entities must have (before providing designated services) and maintain (throughout the time they are providing designated services) an AML/CTF program that appropriately identifies, mitigates, and manages their ML/TF risk and addresses the AML/CTF system and control requirements set out in the AML/CTF Rules.

The amended AML/CTF Act introduces significant changes to the existing AML/CTF program, shifting from a prescriptive, compliance-based approach to a more flexible, outcomes-based framework.

This new approach emphasises the importance of the effectiveness of AML/CTF measures set out in the AML/CTF program. It allows reporting entities to tailor their AML/CTF programs to their specific risk profiles, improve the overall effectiveness of AML/CTF measures, and ensure a focus on achieving meaningful results in preventing ML/TF.

For reporting entities, the transition to the amended AML/CTF Act will require significant adjustments to their existing AML/CTF programs.

Current AML/CTF program requirements

An AML/CTF program is a comprehensive set of policies, procedures, and controls designed to prevent, detect, and report money laundering and terrorism financing (ML/TF) activities. The primary goal of an AML/CTF program is to ensure that reporting entities can identify, mitigate and manage their risks associated with ML/TF.

The current AML/CTF program is divided into two parts:

Part A: Focuses on identifying, mitigating, and managing ML/TF risks that are appropriate to the level of risk the business faces. It includes establishing and documenting controls to comply with the requirements set out in Chapters 8 (singular entity) or 9 (designated business groups) and 15 of the AML/CTF rules. 
Part B: Details the customer identification and verification procedures, including identifying beneficial owners and politically exposed persons (PEPs), set out in Chapter 4 of the AML/CTF Rules.

Changes to the AML/CTF program requirements

The AML reforms introduce significant changes to the AML/CTF program requirements, shifting from a prescriptive, compliance-based approach to a more flexible, outcomes-based framework as follows:

The separation of the AML/CTF program into Part A and Part B is no longer required. Reporting entities can now organise their AML/CTF programs to suit their needs, provided they comply with the AML/CTF Act-mandated obligations.
A specific requirement is to identify, assess, and document the risks related to money laundering and terrorism financing (ML/TF) and proliferation financing (PF).
Clarifying the role and importance of AML/CTF policies and procedures as part of an AML/CTF program.
The new requirements emphasise the effectiveness of AML/CTF measures, allowing entities to tailor their AML/CTF programs to their specific risk profiles.
There is an increased focus on the role of governing bodies and senior management in overseeing ML/TF/PF risk and AML/CTF compliance and the need to take reasonable steps to comply with AML/CTF obligations. This includes an explicit requirement to appoint a fit and proper AML/CTF compliance officer responsible for implementing the AML/CTF program.

The amended AML/CTF Act introduces a significant change by replacing the concept of a ‘designated business group’ with a ‘reporting group’ concept. This new framework allows related entities, including non-AML/CTF reporting entities where appropriate, to meet their AML/CTF obligations collectively.

The AML/CTF program changes are intended to support reporting entities in enhancing their AML/CTF measures, ensuring better compliance and more effective risk management.

AML/CTF program documents

Under the amended Australian AML/CTF Act, an AML/CTF program comprises several key documents, each crucial in ensuring compliance with revised AML/CTF obligations.

ML/ TF risk assessment

This document sets out the systematic and structured identification of ML/TF risks, an assessment of the likelihood and impact of those risks, and the documentation of the risk assessment process.

Forms the foundation of the AML/CTF program by identifying and evaluating the specific risks faced by the reporting entity and guiding the development of tailored AML/CTF policies and procedures.

The risk assessment informs all other documents, ensuring the AML/CTF program is risk-based and focused on the most significant threats.

AML/CTF policies

This document outlines the reporting entity's approach to managing and mitigating identified ML/TF risks and ensuring compliance with the general requirements in the AML/CTF Act and AML/CTF Rules.

The AML/CTF policies must be developed based on the ML/TF risk assessment and provide the framework for the procedures manual.

Procedures manual

This document provides detailed instructions on implementing AML/CTF policies, ensuring consistency and effectiveness in applying AML/CTF measures.

The procedures manual operationalises the policies and is informed by the risk assessment by providing detailed procedural guidance to ensure consistency and effectiveness in applying AML/CTF measures.

The procedures manual provides practical guidance for staff on how to comply with AML/CTF obligations. It is crucial for these documents to inform the building of employee training content to ensure that employees with relevant roles are aware of their responsibilities and obligations within the reporting entity’s AML/CTF environment.

Next steps

To prepare for and address the changes to the AML/CTF program under the amended AML/CTF Act, reporting entities should follow a structured, step-by-step approach:

1 - Conduct a comprehensive risk assessment

Review and, where necessary, create a detailed risk assessment document that evaluates the specific ML and TF risks faced, including consideration of proliferation financing (PF) risks.

2 - Develop AML/CTF policies

AML/CTF policies are required to address the identified risks and comply with the new AML/CTF Act requirements. The policies must align with the outcomes-based framework and adequately cover ML/TF/PF risks identified in the risk assessment.

Whilst it is possible to revise an existing AML/CTF program document to create a new one that will be a policy document, given the nature of the changes set out in the AML/CTF Act, it is recommended that existing reporting entities develop a new AML/CTF policy document. This will support the parallel management of compliance with the current AML/CTF requirements while preparing for compliance with the new AML/CTF requirements.

Where there are any new risks identified by a new risk assessment, the relevant sections in the AML/CTF policies should also be updated.

3 - Create a detailed procedures manual

Review and, where necessary, revise or develop a procedures manual(s) that provide detailed instructions on implementing the AML/CTF policies set out in the AML/CTF policy document(s), ensuring the manual promotes consistency and effectiveness in applying AML/CTF measures. Where there are any new risks identified by a new risk assessment, the relevant sections in the procedures manual should also be updated. 

4 - Stay informed

Monitor for additional AML/CTF Rule requirements and guidance AUSTRAC provides. It is understood that the AML/CTF Rules will be published around June 2025, with core Guidance published by AUSTRAC in August 2025.

Civil penalty provisions

The amended AML/CTF Act introduces new civil penalty provisions related to the development and maintenance of an AML/CTF program, increasing the regulatory risk related to non-compliance. These include civil penalty provisions for failure to document an AML/CTF program, failure of the AML/CTF program to cover mandated requirements, and failure to notify the governing body of AML/CTF program changes.

We are here to help

Although the new AML/CTF requirements won't be enforced until April 2026 for existing entities, it is vital to start planning and preparing for compliance with the revised AML/CTF requirements now.

With a short lead time to compliance and limited AML/CTF experts across Australia, demand will only continue to increase as the compliance date approaches.

If you would like to discuss any of the above with one of our AML/CTF specialists, please reach out.

Learn more about how our Anti-Money Laundering reforms services can help you

Visit our Anti-Money Laundering reforms page

Services

Audit & Assurance

Tax

Risk

Forensics

Deals

Finance and funding

Insolvency

Restructuring and turnaround

Business services

Environmental, Social and Governance (ESG) and Sustainability

Consulting

Market services

Industries

Careers

Working at Grant Thornton

Early careers

Experienced careers

Alumni

Current opportunities

About us

The essential elements of an AML/CTF program