How to Customise AUSTRAC’s AML/CTF Program Starter Kit Before an Independent Evaluation

Introduction

Recently, the Australian Transaction Reports and Analysis Centre (AUSTRAC) released program starter kit materials to offer practical guidance for newly regulated entities preparing for the Tranche 2 reforms. From 1 July 2026, any profession providing a designated service, including professional services from accounting, law firms, conveyancing, and real estate professionals, must maintain a compliant anti-money laundering and counter-terrorism financing (AML/CTF) program. While these templates help small reporting entities establish a baseline to manage money laundering, terrorism financing and proliferation financing risks, they must be adapted to the exact size and complexity of your business.

This article explains how to customise and implement AUSTRAC’s starter kits for your specific risk profile so you can meet your AML/CTF compliance obligations. It details the steps to adapt your risk assessment, risk rating, customer due diligence (CDD) processes, and delivery channels to build an AML framework that can pass an independent evaluation.

Interactive Tool: Check If Your AML/CTF Program Is Ready for Independent Evaluation

AUSTRAC’s Starter Kits Are a Starting Point, Not the Evaluation Standard

AUSTRAC’s program starter kits offer a practical foundation for reporting entities to build their AML/CTF program. While these kits provide a comprehensive framework for eligible businesses, they are a starting point, not the final measure of compliance.

An independent evaluation serves as the official test of whether your customised program is suitable, legally compliant, effectively implemented, and operating as intended. The starter kits are designed as a complete package for specific entities and do not constitute formal legal advice.

What the AUSTRAC Program Starter Kit Says About Independent Evaluations

The policy documents included in the AUSTRAC starter kit outline the key requirements for conducting an independent evaluation of your AML/CTF program.

As per Section 26F(4)(f) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), your business must arrange for an independent evaluation of its AML/CTF program. This evaluation must occur at least every three years, though the frequency of independence evaluations may change depending on the size, nature, and complexity of your operations.

The person or firm conducting the evaluation must meet specific evaluator selection criteria to ensure a thorough and unbiased assessment. As a result, the evaluator must:

• Suitable experience: possess suitable experience and knowledge of your industry, its money laundering and terrorism financing (ML/TF) risks, and relevant AML/CTF obligations.
• No prior involvement: not have been involved in the development, implementation, or day-to-day use of your AML/CTF program, systems, or controls.
• Operational independence: be independent of the specific work areas that are being evaluated.
• Unrestricted access: receive full access to all materials relevant to the evaluation.

An independent evaluation is not a simple review of your documents. Rather, it is a practical test to determine if your AML/CTF program has been properly implemented and is effective in managing your business’s specific risks. Furthermore, evaluators seek concrete evidence of your program’s operational implementation. This means they will verify that the policies and procedures from the starter kit have been customised and integrated into your daily workflows.

What an AML Independent Evaluator May Test If You Used a Starter Kit

Proper Customisation of ML/TF Risk Assessment

An independent evaluator will verify that your ML/TF risk assessment is a true reflection of your business, not just the default template from the AUSTRAC starter kit. Furthermore, they test whether you have thoughtfully analysed your specific operational risks.

The evaluator will look for evidence that you have reviewed and tailored the assessment based on several factors, including:

• Designated services: The assessment should only include the professional services you actually provide and reflect the inherent risks associated with them.
• Client types: Your risk ratings should be based on the kinds of clients you deal with, whether they are individuals, sole traders, companies, or trusts.
• Delivery channels: The assessment needs to consider how you interact with clients, such as in person, via email, or over the phone, and the specific risks each channel presents.
• Technologies: Any new or emerging technologies you use, like artificial intelligence or biometric verification, must be identified and their risks assessed.
• Countries: You must document and assign a risk rating to every country you deal with when providing a designated service.

Matching Policy with Actual Business

Evaluators check that your AML/CTF policies are a practical match for your business operations. Generic policies that are not customised indicate that the program has not been properly implemented. Ultimately, an evaluator will assess if the policies are appropriate for the nature, size, and complexity of your business.

Signs of poor customisation that an evaluator may look for include:

• Policies that mention designated services your business does not offer.
• Generic role descriptions that do not align with your actual staff structure or responsibilities.
• Workflows and procedures that are unrealistic for your business size or are not actually followed by your staff.

Adherence to CDD & ECDD Processes

An independent evaluation goes beyond a document review to test whether your CDD processes are being applied in practice. Evaluators will sample client files to confirm that your policies are consistently followed.

They will verify that your team is correctly performing key checks, as follows:

• Customer risk ratings: Ensuring clients are assigned a low, medium, or high ML/TF risk rating according to the methodology in your AML/CTF program.
• Identity verification: Confirming that you have collected and verified identity information for clients, beneficial owners, and representatives.
• Beneficial ownership: Checking that for clients like companies or trusts, you have followed the beneficial ownership process to identify the individuals who ultimately own or control the entity.
• Screening: Verifying that you have conducted sanctions and Politically Exposed Person (PEP) checks on relevant individuals.
• Enhanced Customer Due Diligence (ECDD): For high-risk clients, ensuring that ECDD has been performed, which includes conducting adverse media checks, verifying source of funds and wealth, and obtaining senior manager approval.

Effectiveness of Reporting & Escalation Controls

An evaluator will test the effectiveness of your internal controls for identifying and reporting suspicious activities. This involves checking whether your staff can recognise red flags and if your reporting framework functions as designed.

The evaluation will likely cover several areas, including:

• Internal escalations: Reviewing records to see if staff are using the proper process for escalating matters to the AML/CTF compliance officer to report unusual activity.
• Suspicious Matter Reports (SMRs): Confirming that the AML/CTF compliance officer assesses escalated matters and submits SMRs to AUSTRAC within the required timeframes, which are 24 hours for terrorism financing suspicions and three business days for all others.
• Threshold Transaction Reports (TTRs): Verifying that you are reporting any physical currency transactions of $10,000 or more to AUSTRAC within 10 business days.
• Compliance officer review: Ensuring that the compliance officer properly documents their review of escalated matters and the rationale for either reporting or dismissing the suspicion.

Active Governance and Oversight

An evaluator will assess whether your governance framework provides meaningful oversight of your AML/CTF program, as recent governance lessons from ASIC v Bekier highlight the importance of active director involvement. It is not enough to simply have designated roles; there must be evidence of active supervision and accountability from senior management and the governing body.

To test this, an evaluator will check for proof of compliance, such as:

• The AML/CTF compliance officer providing regular written reports to the governing body, at least annually, on the program’s effectiveness and compliance.
• Senior managers and the governing body reviewing the findings of independent evaluation reports.
• Adverse findings from evaluations being formally reviewed and actioned, with decisions documented. This includes either accepting a finding and creating an action plan or formally rejecting it with a recorded justification.

Remediation of AML/CTF Deficiencies

The evaluation process includes a review of how your business has addressed issues identified in previous evaluations. An evaluator will check if you have a structured process for remediation and can demonstrate that fixes have been effective.

They will search for evidence that you have taken the following steps:

• Use the “Independent evaluation response form“ to formally document your response to any adverse findings.
• Develop a clear action plan to resolve any accepted deficiencies.
• Obtain approval for the action plan from a senior manager before implementation.
• Implement the necessary updates to your risk assessment, policies, or processes.
• Test the changes to ensure they have effectively corrected the original problem.

Key Customisation Areas in AUSTRAC’s Starter Kits

Designated Services & Client Types

An essential step in preparing your AML/CTF program for an independent evaluation is to customise it to your business’s specific operations. The AUSTRAC program starter kit includes risk assessments based on typical services and clients within a profession. Therefore, your first task is to review these lists and identify which are relevant to you.

This review involves confirming:

• The specific designated services your business provides;
• The types of clients you serve; and
• The countries you deal with when providing services.

For instance, your business might assist clients with company and trust formation but not offer other designated services listed in the starter kit. Similarly, you may deal with individuals and body corporates, but not partnerships or other client types. By removing irrelevant items, you ensure your risk assessment accurately reflects your business activities.

In addition, you must list every country you deal with, including where clients, their representatives, or beneficial owners are located. Ultimately, you must assign each of these countries a risk rating.

Delivery Channels Technology & Risk Appetite

Customisation also applies to how you deliver your services. Your AML/CTF program must account for the specific ML/TF risks associated with your delivery channels. As a result, each method of service delivery presents different vulnerabilities.

Common delivery channels and their associated risks include:

• In-person: Risks can involve personal manipulation.
• Email: Vulnerabilities include a higher risk of fraud from fake or stolen identification and email address spoofing.
• Telephone: Challenges include phone number spoofing and voice manipulation.
• Video conferencing: This channel carries risks such as the use of deepfake images and videos.

Furthermore, your business must consider any new or emerging technologies it uses, like artificial intelligence or biometric identity verification. After identifying all relevant risks across your services, clients, and channels, you must determine your risk appetite. This involves deciding which risks you are willing to accept and which you will avoid.

For any risk your business is not prepared to accept, you must document the controls that will be implemented to prevent exposure to that risk.

Risk Assessment & Controls

For your AML/CTF program to be effective, all its components must be aligned and updated dynamically. Your program is not a static set of documents; rather, it must evolve as your business operations, risks, and regulatory obligations change. An independent evaluator will look for consistency across your entire AML/CTF compliance framework.

This means your risk assessments, policies, and processes must tell the same story. When a review is triggered by an event, such as a change in the designated services you offer or new ML/TF risks, all related parts of your program must be updated to reflect that change. In addition, this ensures alignment between your:

• ML/TF risk assessment.
• AML/CTF policies and processes.
• Client and transaction records.
• Governance and reporting to senior management.
• Remediation steps following an evaluation.

Common Independent Evaluation Risks for Businesses Using Starter Kits

Treating the AUSTRAC Starter Kit as a Plug-and-Play Compliance Pack

A frequent mistake is treating the AUSTRAC program starter kit as a complete, off-the-shelf compliance solution. Businesses that simply copy and paste the templates without customisation are likely to fail an independent evaluation. Regulators expect your AML/CTF program to be tailored to your specific operations.

An evaluator will identify a lack of customisation by looking for several red flags, including:

• Irrelevant services: The program documents mention designated services that your business does not provide.
• Generic roles: The policies contain role descriptions that do not match your actual staff structure or responsibilities.
• Untailored risk assessments: The risk assessment has not been adapted to reflect your specific client types, delivery channels, or the countries you deal with.

Failing to Document Customisations & Evidence Frontline Workflows

Another significant risk is the failure to document your customisation decisions and provide evidence that your policies are being followed. An independent evaluation is not just a review of documents; it tests whether your AML/CTF program is working in practice.

Key areas where businesses fall short include:

• Not documenting risk decisions: If you change a default risk rating in the starter kit’s risk assessment, you must record the reason for your decision. An evaluator may assess how you identify, analyse, and rate your money laundering and terrorism financing risks.
• Mismatch between policies and practice: Your documented policies and processes must align with your actual frontline workflows. If your staff follow different procedures than what is written, an evaluator may identify this as a major compliance gap.
• Lack of file-level evidence: You must maintain records that prove your CDD processes are being followed consistently. This includes evidence in client files showing that staff have been trained and are correctly applying procedures for identity verification, risk rating, and screening.

What This Means for Your Business

The purpose of using an AUSTRAC program starter kit is to build a living AML/CTF framework, not just to assemble a folder of documents. Ultimately, a successful program that can pass an independent evaluation demonstrates that your business has a genuine understanding of its specific ML/TF risks.

An evaluator will test whether your program is effective in practice. Therefore, a program that withstands this scrutiny shows that your business is:

• Appropriately identifying, assessing, managing, and mitigating the ML/TF risks it reasonably faces.
• Using tailored controls specifically designed for those identified risks.
• Actively applying those controls and policies in its day-to-day operations.

Conclusion

AUSTRAC’s program starter kits offer a crucial foundation for newly regulated entities, but they must be carefully customised to address your specific business risks and operational realities. A properly tailored AML/CTF program is essential for passing an independent evaluation and meeting your compliance obligations from 1 July 2026.

To ensure your AML/CTF framework can withstand independent scrutiny, contact Click Legal’s specialist AML lawyers for a comprehensive AML independent evaluation and review. Our Legal Team specialises in ensuring your program is fully customised and ready to meet AUSTRAC’s rigorous regulatory requirements.

Frequently Asked Questions