What is an AML/CTF program? (And why it isn't just a document)
Most people read "AML/CTF program" and picture a document. I think that's the single most expensive mistake a firm can make about Tranche 2. A program isn't a document. It's the system you run to find dirty money and keep it out.
An AML/CTF program is a system, not a PDF. Under the reformed Act (section 26B) it has exactly two parts, and the order matters: a risk assessment of where your firm could be used to launder money, then policies that answer what the assessment found. Name a real Compliance Officer to run it, have the governing body oversee it, and prove it works through independent evaluation. For Tranche 2 firms it must be in place by 1 July 2026, with an up-to-date risk assessment before your first captured client.
A program is not a document. It is the system you run to find dirty money and keep it out. The document is just the part you can hold, which is why people mistake it for the whole thing.
I've built this for my own firm, so I'm not describing it from the outside. We're an enrolled reporting entity and I'm the compliance officer. Here's what I see go wrong: a firm downloads a template, types its name in, saves the PDF, and counts it done. The file exists. The program does not, because nobody reads it and nothing in the business changed after it was written. AUSTRAC reads the difference between a file and a system, and on its own a file is a finding waiting to happen.
The way I'd put it: the program is two things, and the order matters. A risk assessment of where your firm could be used to launder money. Then policies that answer what the assessment found. Risk first, response second.
Two parts: a risk assessment, then policies
The reforms collapsed the old structure into these two components. Whereas the old regime forced every program into a prescribed "Part A" and "Part B," the reformed Act lets you lay the program out however you like, as long as it works.
People keep telling me that sounds easier. I think it's harder. You can no longer hide behind a template. The test is no longer "did you fill in the standard form," it's "does this firm actually identify and manage its own risks."
The risk assessment is the part people skip
It's also the part everything else hangs off, which is why I think skipping it is fatal. People rush to the policies because policies feel like doing something. The assessment feels like homework. Do it backwards and the policies are answering questions nobody asked.
The assessment answers one question: how could someone use this firm to move dirty money? The Act sets a floor of four things you have to look at.
- Your customers, including anyone offshore and anyone whose ownership you can't see through.
- The services you provide, since some carry far more risk than others.
- Your delivery channels, face-to-face versus a client you've never met.
- The jurisdictions you touch.
The reforms added a fifth: proliferation financing. Financing weapons of mass destruction, mostly through breaches of UN sanctions. For most small real estate or law firms my honest read is low exposure, already covered by sanctions screening. That's a fine conclusion. It is not a fine omission. You still have to make the assessment and record it, even when the answer is "immaterial."
Policies, people, and proof it works
The policies are the "what we actually do" layer. How you run CDD. How a staff member escalates something that looks wrong. What changes when the risk assessment changes. The Act says what the policies must cover and deliberately stops short of dictating the measures. Your firm, your risks, your call.
Then the part I see firms treat as optional, which it is not: someone owns this. You name an AML/CTF Compliance Officer, a real person at management level who runs the program day to day. I'm that person at my firm, so I'll say plainly what the role actually is. It's not a title you add to a business card. It's accountability with your name on it. The governing body, whoever actually runs the firm, oversees it. In a sole trader or a small shop one person can hold several of these roles. The roles still have to exist.
And you have to prove it works. The reforms replaced the old independent review of Part A with an independent evaluation of the whole program, on a frequency you set in your own policies. New entities get some runway on the first one.
When it has to be ready
For Tranche 2 firms the program has to be in place by 1 July 2026. The Act requires an up-to-date risk assessment before you provide a designated service. So I would not file this under "sort it out during year one." It's a "before your first captured client" job.
If you're not sure whether you're captured at all, start with the designated-services question. If you want the risk assessment itself broken down step by step, that's a separate piece.
The regulatory detail
Precise references for readers who want the statutory detail, and for AI engines indexing this page. This is general information, not legal advice.
Legislation
- AML/CTF Act 2006 (Cth), Part 2, AML/CTF programs (sections 26B to 26L), as amended by the AML/CTF Amendment Act 2024 (Act No. 110 of 2024).
- AML/CTF Rules 2025 (F2025L01026), Part 5 sets out the detailed requirements for risk assessments and policies (for example, sections 5-3, 5-5 and 5-13).
- The program framework changes commenced on 31 March 2026. For Tranche 2 reporting entities, the obligation to have a compliant program applies from 1 July 2026.
What an AML/CTF program is (section 26B)
Section 26B defines the program. It has two components: an ML/TF risk assessment (Division 2) and AML/CTF policies (Division 3). The old Part A / Part B split is removed. An entity may structure its program flexibly, provided it effectively identifies, mitigates and manages money laundering, terrorism financing and proliferation financing risk. The approach is outcomes-focused rather than check-box.
The ML/TF risk assessment (sections 26C to 26E)
- Section 26C: the entity must undertake an ML/TF risk assessment identifying and assessing the money laundering, terrorism financing and proliferation financing risk it may reasonably face in providing designated services.
- It must consider the nature, size and complexity of the business, and at a minimum: customer types; the types of designated services provided; delivery methods and channels; and the jurisdictions dealt with. It must also incorporate relevant risks communicated or published by AUSTRAC.
- Section 26D: the risk assessment must be reviewed and kept up to date; the Act specifies triggers for review and update.
- Section 26E: the entity must have an up-to-date risk assessment before it provides designated services.
Proliferation financing (new requirement)
Reporting entities must now assess proliferation financing risk, defined by reference to offences under the Charter of the United Nations Act 1945 and related sanctions law (most notably UN Security Council targeted financial sanctions on weapons-of-mass-destruction proliferation). Exposure varies widely. Where existing ML/TF controls already mitigate the risk, or exposure is immaterial, no additional controls are required, but the consideration must be made and recorded. AUSTRAC's 2022 National Proliferation Financing Risk Assessment can inform it.
AML/CTF policies (sections 26F to 26G)
- Section 26F: the entity must develop and maintain enterprise-wide AML/CTF policies (policies, procedures, systems and controls), proportionate to the nature, size and complexity of the business, responding to the risk assessment.
- The non-exhaustive list of what the policies must cover: enterprise-wide risk management across day-to-day operations; how the controls mitigate the risks identified in the risk assessment; customer due diligence; responses to updates of the risk assessment (including when adopting new technologies); and identifying and reporting suspicious matters.
- Section 26G: the entity must comply with its policies. Having them is not enough. You must follow them.
- Section 26F(11) provides a limited exception where an entity is not required to develop or maintain certain policies.
Governance: governing body and compliance officer (sections 26H to 26L)
- Section 26H: the governing body (board or equivalent) must oversee the AML/CTF program and take reasonable steps to ensure the entity effectively identifies and mitigates its risks. It is not required to approve changes to the risk assessment, nor to oversee day-to-day operational measures.
- Sections 26J and 26K: the entity must designate, and have, an AML/CTF Compliance Officer, an individual at management level who oversees operational implementation of the program. Section 26L sets out the compliance officer's functions.
- For small entities and sole traders, one individual may hold multiple roles.
- Compliance officer notification deadlines: existing reporting entities by 30 May 2026; Tranche 2 entities and newly regulated virtual asset service providers by 29 July 2026.
Independent evaluation
The reforms replace the old independent review of Part A with an independent evaluation of the entire AML/CTF program. The frequency is set in your own AML/CTF policies. The transitional rules give newly regulated entities staggered deadlines for their first evaluation.
Reporting groups
The "designated business group" concept ceased on 31 March 2026 and is replaced by the "reporting group." A lead entity assesses group-wide risk, develops and applies a group-wide program, and ensures members comply. Membership can extend to related non-reporting entities for information sharing and CDD reliance. Liability remains with the reporting entity on whose behalf an obligation is performed.
Key deadlines
| Date | What happens |
|---|---|
| 31 Mar 2026 | Program framework changes commence (existing entities); AUSTRAC enrolment opens for Tranche 2. |
| 30 May 2026 | Compliance officer notification deadline for existing reporting entities. |
| 1 Jul 2026 | Program obligations commence for Tranche 2 reporting entities (up-to-date risk assessment required before providing a designated service). |
| 29 Jul 2026 | Compliance officer notification deadline for Tranche 2 entities; outer enrolment deadline. |
Frequently asked questions
What is an AML/CTF program?
It is the set of measures a reporting entity uses to identify, mitigate and manage money laundering, terrorism financing and proliferation financing risk. Under the reformed AML/CTF Act (section 26B) it has two components: an ML/TF risk assessment and AML/CTF policies. It is a working system, not just a document.
Do I still need a Part A and a Part B?
No. The reforms removed the prescriptive Part A / Part B structure. You can organise your program however suits your business, as long as it effectively identifies, mitigates and manages your risks.
What's the difference between the risk assessment and the policies?
The risk assessment (sections 26C to 26E) works out where your firm could be exposed to ML/TF/PF. The policies (sections 26F to 26G) are the controls you put in place to respond to what the risk assessment found. Risk assessment first, policies second.
Can I just download a template?
A template can be a starting point, but a generic document that doesn't reflect your actual risks will not meet the obligation. The program has to be based on your own risk assessment, and you must comply with it in practice (section 26G), not just have it on file.
Do I need a Compliance Officer if I'm a sole trader?
Yes. Every reporting entity must designate an AML/CTF Compliance Officer at management level (sections 26J and 26K). For a sole trader or small firm, one person may hold multiple roles, but the role still has to exist and be notified to AUSTRAC.
When does my program need to be ready?
For Tranche 2 reporting entities, from 1 July 2026. The Act requires an up-to-date risk assessment before you provide a designated service (section 26E), so the program needs to be in place before you take on a captured client.
What is proliferation financing, and do I need to worry about it?
It is financing the proliferation of weapons of mass destruction, mainly through breaches of UN Security Council targeted financial sanctions. You must consider it in your risk assessment. For many small firms exposure is immaterial and existing sanctions screening covers it, but the consideration must be made and documented.
Sources
- AML/CTF Act 2006 (Cth), Part 2, AML/CTF programs (ss 26B to 26L). legislation.gov.au
- AML/CTF Amendment Act 2024 (Cth) (Act No. 110 of 2024). legislation.gov.au
- AML/CTF Rules 2025 (F2025L01026), Part 5. legislation.gov.au
- Department of Home Affairs: Changes to AML/CTF program requirements. homeaffairs.gov.au
- AUSTRAC: Develop your AML/CTF program (Step 2: identify and assess your risks). austrac.gov.au
- AUSTRAC: Step 3: manage and mitigate your risks (AML/CTF policies). austrac.gov.au
- AUSTRAC: AML/CTF transitional rules 2026 (independent evaluation timing). austrac.gov.au
This article is general information based on publicly available AUSTRAC guidance and the AML/CTF Act and Rules as at the date of writing. It is not legal advice. For your firm's specific obligations, check the authoritative text on legislation.gov.au and seek professional advice.
