Video by tereliukv
Every Remittance Provider in Australia Needs an AML/CTF Program — Here Is Yours
If you hold an AUSTRAC registration as a remittance dealer, you are legally required to have a written AML/CTF program. There are no exceptions, no grace periods, and no "small operator" exemptions. Under Part 8 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act), every reporting entity that provides a designated remittance service must develop, implement, maintain, and comply with an AML/CTF program.
Compliance consultants routinely charge AUD 220–550 for a template document. Some charge thousands for a "bespoke" program. This guide gives you a complete, AUSTRAC-aligned framework — covering Part A (customer identification), Part B (transaction monitoring and reporting), risk assessment methodology, employee due diligence, record keeping, and the compliance officer role — at no cost.
Use it alongside AUSTRAC's own guidance to build a program that will stand up to a compliance assessment.
Regulatory basis: Part 8, Division 2 of the AML/CTF Act 2006 (sections 81–85); AML/CTF Rules, Chapters 1–9 and 15–17; AUSTRAC Compliance Guide for Remittance Service Providers.
Key Takeaways
- Every AUSTRAC-registered remittance dealer must have a written, two-part AML/CTF program (Part A: customer identification; Part B: ongoing monitoring and reporting) — failing to maintain one can attract civil penalties of up to AUD 31.3 million per breach.
- Your program must be based on a documented ML/TF risk assessment specific to your business, corridors, customer base, and delivery channels.
- Reporting obligations have strict deadlines: suspicious matter reports (SMRs) within 24 hours for terrorism-related matters or 3 business days for all others; threshold transaction reports (TTRs) for transactions of AUD 10,000 or more within 10 business days; and international funds transfer instructions (IFTIs) within 10 business days under section 75.
- The AML/CTF program must be reviewed and updated at least every 12 months, or whenever there is a material change to your business — whichever comes first.
- The 2026 AML/CTF Reform Act introduces significant changes including simplified obligations for small remitters and a new risk-based reporting framework — but the core program requirements remain.
What Is an AML/CTF Program?
An AML/CTF program is the documented set of policies, procedures, systems, and controls that a reporting entity uses to identify, mitigate, and manage money laundering and terrorism financing (ML/TF) risks.
Under section 81 of the AML/CTF Act, every reporting entity that provides a designated service must have an AML/CTF program. For remittance dealers, the designated services are set out in Table 31 of section 6 of the Act — covering the sending and receiving of money or property transfers.
Legal structure of the program
The AML/CTF Rules require the program to have two parts:
| Component | What It Covers | Primary Rule Reference |
|---|---|---|
| Part A | Customer identification and verification (KYC/CDD) | AML/CTF Rules, Chapters 4–7 |
| Part B | Ongoing customer due diligence, transaction monitoring, and reporting | AML/CTF Rules, Chapters 15–17 |
Both parts must be underpinned by a ML/TF risk assessment (Chapter 1 of the AML/CTF Rules). The program must also address employee due diligence (Chapter 8), AML/CTF compliance officer appointment, reporting obligations, and record keeping.
When must you have it in place?
Your AML/CTF program must be operational before you provide any designated remittance service. AUSTRAC does not require you to submit your program for pre-approval, but you must be able to produce it on request during an assessment or examination. Operating without a compliant program — even if you are registered — is a contravention of section 81 and exposes your business to enforcement action.
Part A: Customer Identification (KYC Procedures)
Part A of your AML/CTF program sets out how you identify and verify your customers before providing them with a designated service. This is commonly referred to as Know Your Customer (KYC) or Customer Due Diligence (CDD).
Applicable customer identification procedures (ACIPs)
Under the AML/CTF Rules, your program must include applicable customer identification procedures that vary depending on the customer type:
Individual customers (most common for remittance):
- Collect the customer's full legal name, date of birth, and residential address.
- Verify identity using reliable and independent documentation or electronic verification.
Companies, trusts, and associations:
- Identify the entity and verify its existence (ASIC extract, trust deed, etc.).
- Identify and verify the beneficial owners — any individual who ultimately owns or controls 25% or more of the entity.
- Identify and verify any individual authorised to conduct transactions on behalf of the entity.
Acceptable identification documents
For Australian individual customers, AUSTRAC's guidance establishes a tiered approach:
| Category | Acceptable Documents |
|---|---|
| Primary photographic ID (at least one required) | Australian passport (current or expired within 2 years); Australian driver licence or learner permit with photo; Australian proof-of-age card with photo; foreign passport with photo |
| Primary non-photographic ID | Australian birth certificate or birth extract; Australian citizenship certificate; Centrelink pension card; Department of Veterans' Affairs card |
| Secondary ID | Medicare card; Australian tax file number notice; utility bill (less than 3 months old); rates notice; bank statement; letter from an employer on letterhead |
Minimum verification requirement: At least one primary photographic ID, or one primary non-photographic ID plus one secondary ID. Where a customer cannot provide standard documents, you must apply alternative verification procedures and document the reasons.
Electronic verification (eKYC)
Electronic verification is an acceptable alternative to document-based verification under the AML/CTF Rules. If you use electronic verification, your program must specify:
- The data sources used (e.g., government databases, credit bureaus, DVS — the Document Verification Service).
- The matching rules applied (typically at least two data sources confirming name plus date of birth or address).
- How failed electronic verification is escalated to manual review.
Many remittance operators use the federal government's Document Verification Service (DVS) via an accredited gateway as their primary electronic verification tool.
Enhanced due diligence (EDD) triggers
Your program must specify circumstances that trigger enhanced due diligence — that is, more rigorous identification and verification procedures. At a minimum, EDD should apply when:
- The customer or transaction is assessed as high risk under your ML/TF risk assessment.
- The customer is a politically exposed person (PEP) — domestic or foreign.
- There is a discrepancy or inconsistency in the customer's identification information.
- The transaction involves a high-risk corridor identified in your risk assessment.
- The customer is sending remittances to jurisdictions with known ML/TF deficiencies (refer to FATF grey list and black list).
- The transaction value is unusually large for the customer's profile or the corridor.
- The customer is using a third party to conduct the transaction.
EDD measures may include obtaining additional identification documents, verifying the source of funds, requiring senior management approval before proceeding, and increasing the frequency of ongoing monitoring.
Part B: Transaction Monitoring and Reporting
Part B of your AML/CTF program sets out your systems and processes for ongoing customer due diligence, transaction monitoring, and meeting your reporting obligations.
Ongoing customer due diligence
Beyond the initial identification at onboarding, your program must include procedures for:
- Monitoring transactions to ensure they are consistent with the customer's known profile, business, and risk assessment.
- Keeping customer information up to date — re-verifying identity when information changes or when doubts arise about previously obtained information.
- Identifying complex, unusual, or large transactions that have no apparent economic or lawful purpose.
Transaction monitoring systems
Your AML/CTF program must describe the transaction monitoring arrangements you use. For remittance operators, this typically includes rule-based alerts (automated flags for thresholds, high-risk corridors, or rapid successive transactions), pattern detection (identifying structuring, rapid fund movement, or sudden changes in behaviour), peer group comparison, and documented manual review procedures for how flagged transactions are escalated and resolved.
For small operators processing fewer than 500 transactions per month, a well-designed spreadsheet-based monitoring system with documented review procedures can satisfy AUSTRAC's requirements. Larger operators should invest in dedicated transaction monitoring software.
Reporting obligations
Remittance dealers have three core reporting obligations under the AML/CTF Act. Non-compliance with any of these is a serious contravention.
| Report Type | Trigger | Deadline | Legislative Basis | Maximum Penalty |
|---|---|---|---|---|
| Suspicious matter report (SMR) | Reasonable grounds to suspect ML/TF, proceeds of crime, tax evasion, or other serious offence | 24 hours (terrorism-related) or 3 business days (all other) from forming the suspicion | Section 41 | Up to AUD 31.3 million per breach (body corporate) |
| Threshold transaction report (TTR) | Physical currency transaction of AUD 10,000 or more (or foreign equivalent) | 10 business days after the transaction | Section 43 | Up to AUD 31.3 million per breach (body corporate) |
| International funds transfer instruction (IFTI) | Any instruction for an international transfer of money or property | 10 business days after sending or receiving the instruction | Section 45 (sending) / Section 46 (receiving); detailed in Section 75 | Up to AUD 31.3 million per breach (body corporate) |
Critical compliance notes:
- SMR confidentiality: Under section 123 of the AML/CTF Act, it is a criminal offence to disclose that an SMR has been filed ("tipping off"). Do not inform the customer, and limit knowledge of the report within your organisation to those who need to know.
- TTR structuring: If you suspect a customer is deliberately breaking a transaction into amounts below AUD 10,000 to avoid a TTR, this is structuring and must be reported as an SMR — even though no individual transaction reaches the threshold.
- IFTI completeness: Every IFTI must include the ordering customer's full name, address, date of birth or unique identification number, and the beneficiary's details. Incomplete IFTIs are a very common audit finding.
How to file reports
All reports are filed through AUSTRAC Online (austrac.gov.au). You must:
- Register for an AUSTRAC Online account linked to your remittance registration.
- Appoint an AUSTRAC Online administrator.
- File reports in the prescribed format (XML or through the web portal).
Batch filing via the AUSTRAC Bulk Filing System is available for operators submitting large volumes of IFTIs.
Video by stockadrik
ML/TF Risk Assessment
Your AML/CTF program must be based on a documented ML/TF risk assessment. This is not optional — Chapter 1 of the AML/CTF Rules requires every reporting entity to identify, assess, and document its ML/TF risk.
How to conduct an ML/TF risk assessment
A compliant risk assessment addresses four risk dimensions:
- Customer risk — who are your customers? (e.g., individuals vs businesses, domestic vs foreign nationals, PEPs, walk-in vs established customers)
- Service/product risk — what services do you offer? (e.g., cash to cash, bank to bank, mobile wallet, same-day transfers)
- Channel risk — how do customers access your services? (e.g., in-person at a shopfront, online, via agent)
- Geographic/corridor risk — where are you sending money? (e.g., FATF grey/black list countries, high-risk corridors, conflict zones)
Risk matrix template
For each risk dimension, assess the inherent risk (before controls) and residual risk (after controls):
| Risk Factor | Risk Category | Inherent Risk | Controls in Place | Residual Risk |
|---|---|---|---|---|
| Walk-in customers with no prior relationship | Customer | High | Photo ID verification, transaction limits for new customers, EDD for first-time large transactions | Medium |
| Cash-to-cash transfers | Service | High | TTR reporting, daily cash reconciliation, structuring detection rules | Medium |
| Online/app-based transfers | Channel | Medium | eKYC, device fingerprinting, geo-location checks | Low–Medium |
| Australia to Philippines corridor | Geographic | Medium | Standard CDD, corridor-specific monitoring rules | Low–Medium |
| Australia to Pakistan corridor | Geographic | High | EDD for transactions over AUD 3,000, source-of-funds verification, enhanced monitoring | Medium |
| Australia to Somalia/South Sudan | Geographic | Very High | EDD for all transactions, senior management approval, source of funds for every transaction, sanctions screening | High |
Corridor-specific risks
Remittance operators must pay particular attention to corridor-specific ML/TF risks. Your risk assessment should document FATF mutual evaluation outcomes for each destination country, sanctions exposure (check the DFAT consolidated sanctions list and UN sanctions lists), the ML/TF risks associated with your correspondent or payout partners, payment method risks at destination (cash pickup carries higher risk than bank deposit), and known typologies from AUSTRAC's corridor-specific intelligence assessments.
Documenting and updating the risk assessment
- The risk assessment must be in writing and available for inspection by AUSTRAC.
- It must be reviewed at least annually or whenever there is a material change to your business (e.g., new corridor, new delivery channel, significant change in transaction volumes).
- Each review should be dated and signed by the AML/CTF compliance officer or a senior manager.
Employee Due Diligence and Training
Employee screening
Under Chapter 8 of the AML/CTF Rules, your AML/CTF program must include employee due diligence procedures. Before an employee is permitted to perform duties relevant to your AML/CTF program, you must:
- Verify the employee's identity (using the same standard as customer identification).
- Conduct background checks appropriate to the employee's role — particularly for employees who handle transactions, have access to customer records, or perform compliance functions.
- Assess whether the employee has any criminal history relevant to ML/TF, fraud, or dishonesty offences.
Best practice (not required by law, but recommended): Conduct police checks for all employees with transaction-handling or compliance responsibilities. Re-screen key personnel every 2–3 years.
AML/CTF training requirements
Your program must ensure that all relevant employees receive AML/CTF training:
- Initial training before performing any designated service functions.
- Ongoing training at least annually thereafter.
- Training must cover, at a minimum:
- Your AML/CTF obligations as a remittance dealer.
- How to identify suspicious behaviour and transactions.
- How to escalate concerns internally.
- Reporting obligations (SMRs, TTRs, IFTIs) and deadlines.
- Tipping-off prohibitions.
- Updates to legislation, AUSTRAC guidance, and your internal program.
Training records
You must maintain records of all training delivered, including:
- Date of training.
- Names and roles of attendees.
- Topics covered.
- Method of delivery (in-person, online module, etc.).
- Assessment results (if applicable).
These records must be retained for a minimum of 7 years after the training event.
Record Keeping Obligations
Under sections 107–111 of the AML/CTF Act, remittance dealers must retain comprehensive records. The minimum retention period is 7 years from the date the record is created.
Records you must keep
| Record Type | Retention Period | Details |
|---|---|---|
| Customer identification records | 7 years after the end of the relationship | Copies of ID documents, electronic verification results, EDD records |
| Transaction records | 7 years from the date of the transaction | Full details of every transaction: amount, currency, date, ordering and beneficiary customer details, correspondent details |
| SMR, TTR, and IFTI records | 7 years from the date of filing | Copies of all reports filed, including supporting documentation and the decision-making process |
| Correspondence with AUSTRAC | 7 years from the date of correspondence | All communications including compliance assessments, information requests, and responses |
| AML/CTF program and risk assessments | 7 years from the date each version was superseded | All current and previous versions, including review notes |
| Training records | 7 years from the date of training | Attendance, content, and assessment outcomes |
| Employee due diligence records | 7 years after employment ends | Identity verification, background checks, criminal history assessments |
Format requirements
Records may be kept in any format — paper or electronic — provided they are:
- Readily accessible and can be produced to AUSTRAC within a reasonable timeframe (typically 14 days for a formal notice).
- Legible and in English (or accompanied by an English translation).
- Protected against unauthorised access, modification, or destruction.
Best practice: Maintain an electronic record management system with automated backup. AUSTRAC has historically been critical of operators who rely solely on paper records, as these are vulnerable to loss and difficult to search during an assessment.
Compliance Officer Role
Your AML/CTF program must designate an AML/CTF compliance officer at the management level. This is a requirement under the AML/CTF Rules, not merely a best practice.
Who should be the compliance officer?
For sole traders and very small operators, the compliance officer will typically be the business owner. For larger organisations, the compliance officer should be a person who:
- Holds a senior management position with direct access to the board or principal.
- Has sufficient authority to ensure compliance across the organisation.
- Has relevant knowledge and experience in AML/CTF compliance (or access to appropriate training and advisory resources).
- Is not conflicted — ideally, the compliance officer should not also be the person responsible for revenue-generating activities, to avoid conflicts of interest.
Responsibilities
The compliance officer's documented responsibilities should include:
- Overseeing the AML/CTF program — ensuring it is implemented, maintained, and enforced.
- Reporting to senior management and/or the board on compliance matters, ML/TF risks, and program effectiveness.
- Managing the reporting process — ensuring SMRs, TTRs, and IFTIs are filed accurately and within statutory deadlines.
- Coordinating with AUSTRAC — being the primary contact for compliance assessments, information requests, and enforcement correspondence.
- Conducting or overseeing the annual program review and risk assessment update.
- Managing employee training and due diligence processes.
- Escalating significant compliance concerns or breaches.
Reporting lines
The compliance officer must have a direct reporting line to the most senior level of management in the organisation. For small operators, this may simply be the sole trader or director. For larger businesses, the compliance officer should report directly to the CEO, managing director, or board of directors — not to a mid-level operations manager.
Ongoing Monitoring and Review
Annual program review
Under the AML/CTF Rules, you must review your AML/CTF program at least every 12 months. The review must assess whether your program:
- Remains consistent with your current ML/TF risk assessment.
- Adequately addresses the ML/TF risks you have identified.
- Has been effectively implemented and complied with.
- Reflects any changes to your business operations, services, corridors, or customer base.
- Incorporates any changes to the AML/CTF Act, Rules, or AUSTRAC guidance.
What the review should produce
Each annual review should result in a written report that includes:
- The date of the review.
- Who conducted the review (the compliance officer, an internal audit function, or an external consultant).
- A summary of findings — what is working, what is not.
- Identified deficiencies and recommended corrective actions.
- An updated risk assessment (if changes are warranted).
- A revised AML/CTF program document (if amendments are needed).
- Sign-off by the compliance officer and senior management.
Triggers for ad hoc review
In addition to the annual review, you should review and update your program whenever:
- You add a new corridor or discontinue an existing one.
- You introduce a new delivery channel (e.g., launching an online platform).
- There is a significant change in your transaction volumes or customer demographics.
- AUSTRAC issues new guidance, rules amendments, or typology reports relevant to remittance.
- You become aware of an internal compliance failure or near-miss.
- There is an enforcement action against another remittance operator that reveals systemic issues.
Photo by The Yuri Arcurs Collection
The 2026 AML/CTF Reform Act: What Is Changing
The AML/CTF Amendment Act 2026, which received Royal Assent in March 2026, introduces the most significant changes to Australia's AML/CTF framework since the original Act commenced in 2006. While most provisions will not take full effect until 2027–2028, remittance operators should begin preparing now.
Key changes affecting remittance providers
Simplified compliance for small remitters: The reforms introduce a tiered compliance framework. Remittance operators processing fewer than AUD 5 million per year in total transaction value will be eligible for a "simplified program" with reduced documentation requirements — although the core obligations (customer identification, reporting, record keeping) remain unchanged.
Risk-based reporting: The current rules-based approach to TTRs (every transaction of AUD 10,000 or more) will be supplemented by a more risk-based framework. While the AUD 10,000 threshold remains, the reforms emphasise that reporting should be intelligence-led — operators will be expected to demonstrate that their reporting contributes to useful intelligence, not just volume.
Enhanced beneficial ownership requirements: New rules will require remittance operators to take reasonable steps to identify and verify the beneficial owners of all legal entity customers — with a lower ownership threshold (moving from 25% to 10% for higher-risk entities).
Technology neutrality: The reforms expressly recognise digital identity verification, including biometric verification and digital ID credentials, on equal footing with document-based verification. This provides regulatory certainty for operators using eKYC and digital onboarding.
Expanded AUSTRAC powers: AUSTRAC will gain additional powers to issue infringement notices for minor breaches (as an alternative to civil penalty proceedings) and to require reporting entities to undertake independent compliance audits at their own cost.
Transitional provisions: Existing AML/CTF programs will remain valid during a 12-month transition period. Operators must update their programs to comply with the new framework within this period.
What to do now
- Monitor AUSTRAC's website for implementation guidance and draft Rules under the amended Act.
- Begin reviewing your program against the new requirements as guidance is published.
- If you are a small operator (under AUD 5 million per year), assess whether the simplified program pathway suits your business.
- Budget for system or process changes the reforms may require.
Common Audit Findings from AUSTRAC Compliance Assessments
AUSTRAC conducts regular compliance assessments of remittance dealers. Based on published enforcement outcomes, industry feedback, and AUSTRAC's own compliance guidance, the following are the most frequently identified deficiencies:
1. Inadequate or outdated ML/TF risk assessment
Many operators have a risk assessment that was written when the business commenced and has not been updated since. AUSTRAC expects a current, corridor-specific risk assessment that reflects your actual business — not a generic template.
2. Incomplete IFTIs
Missing or inaccurate information in IFTI reports is the single most common reporting deficiency. Common gaps include:
- Missing ordering customer residential address.
- Missing or incorrect beneficiary details.
- Failure to include the transaction reference or ordering institution details.
- Filing IFTIs outside the 10-business-day deadline.
3. No evidence of ongoing customer due diligence
Having KYC records from initial onboarding is not sufficient. AUSTRAC looks for evidence that you are actively monitoring customer activity, updating customer information, and re-verifying identity when triggers arise.
4. Failure to file SMRs
AUSTRAC consistently finds that remittance operators under-report suspicious matters. Common issues include:
- Not recognising suspicious indicators (e.g., structuring, inconsistent customer behaviour, third-party transactions).
- Failing to file within the statutory deadline (24 hours for terrorism, 3 business days for all other matters).
- Filing SMRs with insufficient detail to be useful for intelligence purposes.
5. Inadequate training records
Even where operators conduct training, many fail to maintain adequate records. An assessor will ask to see: who was trained, when, on what topics, and how competency was assessed.
6. No annual program review
Many operators cannot produce evidence of an annual review. A program that has not been reviewed in the last 12 months is, by definition, non-compliant with the AML/CTF Rules.
7. Compliance officer not properly designated
Some operators have not formally designated a compliance officer, or the designated person has no real authority or involvement in the AML/CTF program. AUSTRAC expects the compliance officer to be genuinely engaged, not a name on a document.
8. Poor record keeping
Records stored in unstructured formats (loose papers, personal email accounts, unsecured USB drives) or records that cannot be produced within a reasonable timeframe are a recurring issue.
Frequently Asked Questions
How much does it cost to build an AML/CTF program?
Building the program yourself using AUSTRAC's free guidance and this guide costs nothing — though you will invest significant time. Engaging a compliance consultant typically costs AUD 2,000–15,000 depending on complexity. Ongoing maintenance (annual reviews, training, system licensing) runs AUD 1,000–5,000 per year for a small operator.
Can I use a template AML/CTF program?
You can use a template as a starting point, but AUSTRAC requires your program to be tailored to your specific business. A generic template that does not reflect your actual corridors, customer types, transaction volumes, and risk profile will not satisfy the AML/CTF Rules. Assessors can quickly identify a template that has not been customised.
How often must I review and update my AML/CTF program?
At a minimum, every 12 months. You must also review and update the program whenever there is a material change to your business — such as adding a new corridor, changing your technology platform, or a significant shift in transaction volumes or customer demographics.
What happens if AUSTRAC finds my program is deficient?
AUSTRAC's response depends on the severity of the deficiency. Options range from informal guidance and a requirement to remediate, through to formal enforceable undertakings, infringement notices, and civil penalty proceedings. For serious or systemic non-compliance, penalties can reach AUD 31.3 million per contravention for a body corporate. AUSTRAC can also seek injunctions, cancel or suspend your registration, and publish details of enforcement actions.
Do I need a separate AML/CTF program for each corridor?
No. You need one AML/CTF program for your business, but it must address the specific ML/TF risks associated with each corridor you operate. Your ML/TF risk assessment should include a corridor-by-corridor analysis, and your program should specify any corridor-specific controls (e.g., enhanced due diligence for high-risk corridors, corridor-specific transaction limits or monitoring rules).
Can the compliance officer also be the business owner?
Yes, particularly for sole traders and small businesses. However, the person must genuinely perform the compliance officer functions — not just hold the title. If your business grows, AUSTRAC expects you to consider whether the compliance officer role should be separated from day-to-day operations to avoid conflicts of interest.
Disclaimer
This guide is published by Australia Remittance for general informational purposes only. It does not constitute legal, compliance, or professional advice of any kind. AML/CTF legislation, AUSTRAC Rules, and regulatory guidance change frequently.
You should not rely on this guide as a substitute for professional advice. Before making decisions about your AML/CTF program, consult a qualified legal professional, compliance adviser, or contact AUSTRAC directly (austrac.gov.au). Requirements for your business depend on your particular circumstances, risk profile, corridors, and customer base.
Australia Remittance accepts no liability for any loss or damage arising from reliance on this guide.
Last reviewed: April 2026. This guide will be updated as the 2026 AML/CTF Reform Act implementation guidance is published by AUSTRAC.