If your accounting firm provides designated services from 1 July 2026, you are legally required to have an AML/CTF program in place before you provide your first designated service. No program means no compliance — and no compliance means potential penalties of up to $6.6 million for individuals.
The good news: for most small accounting practices, writing your AML/CTF program does not need to be complicated or expensive. AUSTRAC has released a free Accounting Program Starter Kit specifically designed for small, low-complexity practices — and this guide walks you through exactly how to use it.
An AML/CTF program is a documented set of policies, procedures, and controls that your firm uses to identify, assess, and manage money laundering and terrorism financing risks. It must be completed and approved by a senior manager before 1 July 2026. AUSTRAC's free Starter Kit provides a ready-made framework that most small practices can customise in a few hours.
What is an AML/CTF Program?
An AML/CTF program is essentially your firm's written plan for managing the risk that clients could use your services to launder money or finance terrorism. It is not just a document you file away — it is a living framework that guides how you onboard clients, verify their identity, monitor their activity, and respond to anything suspicious.
Under the AML/CTF Act, every reporting entity — including accountants providing designated services — must have a program that covers two parts:
Part A covers your firm's internal systems and controls — your risk assessment, governance structure, staff training, and record keeping obligations.
Part B covers customer due diligence — the processes you use to identify and verify clients, assess their risk profile, and monitor ongoing relationships.
"Your AML/CTF program must be documented and approved by a senior manager before you start providing any designated service."
Who Needs One?
Any accounting firm that provides one or more of the nine designated services from 1 July 2026 must have an AML/CTF program in place. This includes sole practitioners — the obligation applies regardless of business size.
If you are unsure whether your services are designated, read our guide: Do I Need to Register with AUSTRAC?
AUSTRAC's Free Accounting Starter Kit
Rather than writing your program from scratch, AUSTRAC has released a free Accounting Program Starter Kit specifically designed for small, low-complexity accounting practices. It is a pre-built framework you customise for your firm — saving significant time and cost compared to engaging a compliance consultant.
The Starter Kit is designed for practices that:
- Only provide designated services that are professional services
- Have 15 or fewer personnel (including administrative staff)
- Are an accounting practice — evidenced by membership to CA ANZ, CPA Australia, or ACCA
- Are not a high-complexity or high-risk firm
If your firm is larger or more complex — for example, if you handle significant volumes of physical cash, have international clients, or manage complex trust structures — the Starter Kit can still be a useful starting point, but you may want to seek specialist advice to ensure your program is adequately tailored.
The Four Steps to Building Your Program
AUSTRAC's Starter Kit breaks the process into four clear steps:
What Must Your Program Cover?
Whether you use the Starter Kit or write your own program, AUSTRAC requires it to address the following key areas:
1. Risk Assessment
A documented assessment of your firm's exposure to money laundering, terrorism financing, and proliferation financing risks. This covers your client types, the designated services you provide, your geographic exposure, and your delivery channels. AUSTRAC has published sector-specific risk insights for accountants to help you identify the most common risk indicators.
2. Governance & Oversight
Your program must identify who is responsible for AML/CTF compliance in your firm. This includes appointing an AML/CTF Compliance Officer (AMLCO) — someone who meets AUSTRAC's "fit and proper" requirements and has day-to-day responsibility for compliance oversight. For many small firms, this will be the principal or office manager.
3. Customer Due Diligence Procedures
Documented processes for identifying and verifying clients before providing designated services. This includes standard CDD for most clients, enhanced CDD for high-risk clients (such as politically exposed persons or clients from high-risk jurisdictions), and simplified CDD in limited low-risk circumstances.
4. Ongoing Monitoring
Procedures for monitoring existing client relationships, reviewing risk ratings periodically, and identifying changes in client behaviour that may indicate suspicious activity.
5. Suspicious Matter Reporting
Clear procedures for identifying and reporting suspicious matters to AUSTRAC. A Suspicious Matter Report (SMR) must be submitted within 24 hours if you suspect terrorism financing, or within three business days for other suspicious matters.
6. Staff Training
A training program ensuring all relevant staff understand their AML/CTF obligations, can identify red flags, and know how to escalate concerns. Training must be completed before staff commence AML/CTF duties and refreshed regularly.
7. Record Keeping
All CDD documentation, transaction records, and compliance activity must be retained for a minimum of seven years. This is a strict requirement — and the responsibility for maintaining those records sits entirely with your firm.
Tip: AUSTRAC's CEO has been clear that compliance does not need to be complex for small firms. The core expectation is that you know who your clients are, you've assessed their risk, and you've kept a record of having done so. SimpleAML is built around exactly these three things.
Who Should Write It?
For most small practices, the AML/CTF Compliance Officer — typically the principal or a senior manager — should lead the customisation of the Starter Kit. AUSTRAC has designed the kit to be completed without specialist compliance knowledge, though it does require careful reading and genuine engagement with the risk assessment.
If you have a more complex practice or are uncertain about specific obligations, engaging a compliance consultant to review your program before submission is a sensible precaution. A number of accounting industry bodies including CA ANZ and CPA Australia also have resources and guidance available to members.
Important: Your program must be approved by a senior manager before you provide your first designated service from 1 July 2026. Don't leave customisation until the last minute — allow at least 2–4 weeks to work through the Starter Kit, complete staff training, and get sign-off.
Keeping Your Program Up to Date
An AML/CTF program is not a one-time exercise. AUSTRAC expects firms to review and update their program regularly — particularly when:
- You start offering a new designated service
- Your client base changes significantly
- A new risk emerges that your current program doesn't address
- AUSTRAC publishes updated guidance relevant to your sector
- There is a change in key personnel, including your AMLCO
At minimum, most firms should review their program annually. Keeping a record of when reviews were conducted — and what changes were made — is important for demonstrating ongoing compliance to AUSTRAC if requested.
How SimpleAML Helps
Once your AML/CTF program is written and approved, SimpleAML gives you the tools to actually live it day-to-day. The app helps you run customer due diligence on each client, store your evidence vault, track ongoing monitoring obligations, log staff training completions, and maintain the seven-year records AUSTRAC requires — all in one place, free for small firms.
Ready to get your program in place?
SimpleAML helps you manage CDD, track obligations, and stay audit-ready. Free for small accounting firms — no account needed.
Get Compliant Free