Most firms I talk to think training means one webinar and a PDF everyone signs. That clears the box. It does not meet the obligation, and it does not protect you.
Under the reformed Tranche 2 framework, training is a named part of your AML/CTF program. The Act puts it there directly, at section 26F(4)(e). So does personnel due diligence, its sibling obligation, at section 26F(4)(d). These are not extras you bolt on once the program is written. They are the program.
Here is the part people miss. The law does not ask for “training.” It asks for training that fits the role. A receptionist who hands a buyer an onboarding form and a compliance officer who signs off on an enhanced due diligence file do not need the same session. Train them the same way and you have either bored the front desk or under-prepared the person making the hard calls.
So sort your people first, not your slides.
Role | Training they need | Example frequency |
Customer-facing (front desk, property managers) | Spot the indicators of suspicious activity; know how to report a concern internally | At onboarding; again when rules or risks change |
Onboarding, transaction monitoring, EDD | The ML/TF risks your firm carries; EDD and reporting procedures in depth | Roughly every 12 months |
Compliance officer, senior managers, governing body | How the whole program works and your obligations under it | Ongoing, alongside fit-and-proper checks |
Third parties you engage for AML/CTF functions | Tailored to the specific function they perform | When engaged; again when the contract changes |
Pull the AUSTRAC examples apart and the pattern is clear. Anyone customer-facing needs to recognise the indicators of suspicious activity and know exactly how a concern gets reported inside your firm. They do not need to run an EDD file. The people who do run EDD, or who investigate and lodge a suspicious matter report, need the deeper version: the real ML/TF risks your firm carries, and the steps they follow when something looks off.
Frequency is the next thing firms guess at. AUSTRAC gives examples, not a fixed calendar, and the examples are sensible. People in onboarding, transaction monitoring or EDD roles: refresh roughly every 12 months. Anyone about to take on new duties that expose them to new risk: before they start, not after. Third parties you engage: when they come on, and again when the contract changes. Everyone else: general awareness at onboarding. And whenever the rules shift or a new risk shows up, you refresh the material and put it back in front of the people it affects.
The format matters more than firms expect. A scenario beats a slide. Give a property manager a real one: a buyer wants to pay the deposit from a third party’s account, through a structure nobody can quite explain. Walk them through what they notice, who they tell, what they write down. That sticks. A definition of “layering” read off a slide does not.
Then write it down, because a program is only as real as its records. AUSTRAC expects a training plan and schedule, material that gets updated for regulatory change, and a register that records who completed what and when the next round is due. Keep that register wherever works, a spreadsheet or a tool like HP-KYC, but keep it. If you ever have to show the program works, the register is the evidence. No register, no proof it happened.
One more thing, and it is the half everyone forgets. Training assumes the person can be trained into the role. Personnel due diligence asks the prior question: are they the right person to hold it at all? You assess skills, knowledge, expertise and integrity, before and during their engagement, heavier for high-risk roles, the compliance officer most of all. Training and personnel due diligence are two sides of one obligation. Do one, skip the other, and the program has a hole in it.
None of this has to be heavy. A small firm can cover it with a plan, a register, and an afternoon of role-specific scenarios. If you are still assembling the program, fold this into the 90-day build rather than bolting it on at the end. What matters is that it is deliberate, tailored, and written down. Not a video and a signature.
The regulatory detail
AML/CTF training is required under section 26F(4)(e) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), with detail in the AML/CTF Rules 2025 sections 5-9(2) and (3). Personnel due diligence is required under section 26F(4)(d) of the Act, with detail in Rules section 5-8(2). Both sit inside the AML/CTF program provisions (sections 26B to 26L) and must be addressed in the AML/CTF policies the program contains. They apply to any person a reporting entity employs or engages to perform AML/CTF functions, including the governing body, senior managers, the AML/CTF compliance officer, and third parties engaged to perform those functions. The compliance officer is also subject to fit-and-proper requirements under section 29F(d) of the Act and Rules section 5-8(2). Policies must provide for initial and ongoing training and personnel due diligence, tailored to each role and its ML/TF risk, with completion recorded and reviewed.
Sources
AUSTRAC, AML/CTF training (Reform): https://www.austrac.gov.au/amlctf-reform/reforms-guidance/amlctf-program-reform/personnel-due-diligence-and-training-reform/amlctf-training-reform
AUSTRAC, Personnel due diligence (Reform): https://www.austrac.gov.au/amlctf-reform/reforms-guidance/amlctf-program-reform/personnel-due-diligence-and-training-reform/personnel-due-diligence-reform
AUSTRAC, Personnel due diligence and training (Reform): https://www.austrac.gov.au/amlctf-reform/reforms-guidance/amlctf-program-reform/personnel-due-diligence-and-training-reform
AML/CTF Act 2006 (Cth): https://www.legislation.gov.au/C2006A00169/latest
AML/CTF Rules 2025 (Cth): https://www.legislation.gov.au/F2025L01026/latest
