Sandbox environment — test data only, not production
General6 min read

You've Got an AML/CTF Program. Here's How You Actually Run It From 1 July.

Generating an AML/CTF program is the easy part. From 1 July 2026 AUSTRAC expects you to operate it — apply customer due diligence to every new client, screen and monitor, keep records, and report when you have to. A program that sits in a drawer is not compliance. Here is the day-one operating rhythm for a small firm: what you do on every engagement, what runs in the background, and what only happens when something is off.

2026-06-18· AML Mate Team
You've Got an AML/CTF Program. Here's How You Actually Run It From 1 July.

Most of the conversation about 1 July 2026 stops at the program document. Get the program written, the thinking goes, and you're compliant. You're not. A written program that nobody follows is the single most common way a firm with good intentions still ends up in breach.

The reformed Act is built around a single, risk-based AML/CTF program that you implement and maintain — not one you produce once and file away. (AUSTRAC, about the reforms) So the question that actually matters from 1 July is operational: what does running the program look like in an ordinary week at a small firm? It is less work than people fear, because it splits cleanly into three rhythms.

Rhythm 1: On every new client engagement

This is the part you do by hand, every time, before you provide a designated service. It is the core of the regime and the thing an auditor will look at first.

Identify and verify the customer. Collect and verify identity using your Applicable Customer Identification Procedure, on a risk basis. For an individual that is typically government photo ID; for a company or trust it also means identifying the beneficial owners — the people who ultimately own or control the entity. (What beneficial ownership verification involves)

Screen them. Check the customer (and beneficial owners) against sanctions and politically-exposed-person lists. A hit doesn't automatically end the relationship, but it does trigger a closer look.

Rate the risk and decide. Assign a risk rating, and where any enhanced-due-diligence trigger applies — a PEP, a high-risk jurisdiction, an opaque structure, funds you can't explain — step up: verify source of funds and wealth, get senior sign-off, and document why you proceeded. (Source of funds vs source of wealth, explained)

The discipline that matters here is consistency. The same steps, every client, recorded the same way. A CDD process you apply to nine clients out of ten is a finding waiting to happen. (A practical CDD checklist)

Rhythm 2: In the background, continuously

These run quietly between engagements. They are where most firms under-invest, and where AUSTRAC's recent enforcement has concentrated.

Ongoing customer due diligence. Keep customer information current and watch for activity that doesn't fit the customer's profile. A long-standing client whose transactions suddenly change shape is exactly what ongoing CDD is meant to catch.

Transaction monitoring. Monitor the transactions connected to your designated services against the red flags in your program — unusual cash, third-party payments with no clear reason, structuring to stay under thresholds, links to high-risk jurisdictions. You don't need a bank's surveillance system; you need a defined set of indicators, someone responsible for reviewing flags, and a log that shows you did.

Re-screening. Sanctions and PEP lists change. Customers need to be re-screened periodically — higher-risk ones more often — not just once at onboarding.

Record keeping. Every step above is retained for seven years: identity and verification records, transaction records, your risk assessments, and the reasoning behind any decision to report or not report. If it isn't written down, for compliance purposes it didn't happen. (How client management, screening and records fit together)

Rhythm 3: Only when something is off

You hope to use these rarely, but the program has to make them automatic when the moment comes.

Suspicious matter reports (SMRs). When a staff member forms a suspicion on reasonable grounds that a matter may involve money laundering, terrorism financing, proliferation financing or another serious offence, it is escalated to the compliance officer, assessed, and — if warranted — lodged with AUSTRAC within the statutory timeframe (24 hours for terrorism-related, 3 business days otherwise). Crucially, you must not tip the customer off that a report has been or may be made. (SMR and TTR reporting, step by step) · (The tipping-off rules)

Threshold transaction reports (TTRs). Any cash transaction of $10,000 or more is reported within 10 business days. Watch for structuring designed to stay just under the line.

The job of the program is to make sure that when a junior staff member sees something odd, there is a clear, fast path from their desk to a lodged report — and that the decision (including a decision not to report) is documented.

The person who holds it together

Each of these rhythms runs through your nominated AML/CTF compliance officer. From 1 July that role isn't a title on an org chart — it's the person who reviews flags, makes the report-or-not call, keeps training current, and is AUSTRAC's point of contact. In a small firm it is usually the owner or a principal; the obligation is that someone genuinely owns it. (What the compliance officer is actually responsible for) Staff also need training appropriate to their role, so the people doing CDD and spotting red flags know what they're looking for. (Staff training requirements)

What this means with 13 days to go

If you don't yet have a program, generate one now — it's the foundation everything above sits on. (What "an AML/CTF program in place" actually requires) But if you do, spend the remaining time on the part that actually gets tested: make the three rhythms real. Decide who does CDD and how it's recorded. Name the red flags you'll monitor for. Confirm your compliance officer and brief your staff. Set where the records live. None of this requires the program to be perfect — it requires it to be running.

Where AML Mate fits

AML Mate is built for the running, not just the writing. Your generated program comes with the operating layer wired in: client onboarding with CDD and beneficial-ownership capture, PEP and sanctions screening with scheduled re-screening, transaction monitoring against your red flags, SMR/TTR lodgement, training records, and seven-year record keeping — all under one compliance officer, audit-ready. Start a 14-day free trial, cancel anytime, to generate your program and set up the day-one rhythm before 1 July. Not sure you're even in scope yet? The free compliance check tells you in two minutes, no login required.

austractranche-2aml-ctf-programongoing-cddtransaction-monitoringsmrttrrecord-keepingcompliance-officer1-july-2026

Related Articles

General

Six Days to 1 July: The Evidence Trail That Turns Good Faith Into Proof

AUSTRAC does not knock on your door on 1 July 2026. The day that matters comes later, when someone asks what you did, and by then the answer is whatever you wrote down. Good faith only counts if it left a trail. Here is the minimum evidence set a small firm should be able to produce: the records each obligation is supposed to leave behind, why a decision not to report still has to be documented, and how to make sure the work you do this week actually shows.

General

Seven Days to 1 July: The Realistic Last-Week Plan if You're Starting Now

One week out from 1 July 2026 and you have not started? You are not going to build a perfect compliance function in seven days, and AUSTRAC does not expect one. What you can do is be running. Here is the honest, priority-ordered last-week plan for a small firm: what actually falls due on 1 July, what does not, and the six steps that move you from nothing to a program you are operating in good faith.

General

Not Going to Be Perfect by 1 July? Here's What AUSTRAC Actually Expects.

With under two weeks to go, plenty of small firms know they won't have everything polished by 1 July 2026. AUSTRAC has said it plainly: it doesn't expect perfection on day one, but it does expect genuine effort to comply. That's reassuring, and it's widely misread. Genuine effort is not the same as 'we'll get to it.' Here is what the phrase actually means, the handful of obligations that get no grace at all, and the realistic minimum a small firm should have running on 1 July.

Ready to build your AML/CTF program?

AML Mate generates your AML/CTF program in 15 minutes using AUSTRAC's official templates. Start a 14-day free trial, cancel anytime.

This article is based on AUSTRAC's publicly available guidance. It does not constitute legal or compliance advice. Consult a licensed compliance professional for complex situations.

You've Got an AML/CTF Program. Here's How You Actually Run It From 1 July. | AML Mate Blog