Step 3: Mitigate and manage your risks - AML/CTF policies (Reform)
Learn what anti-money laundering and counter-terrorism financing (AML/CTF) policies are and how to develop, maintain, document and approve them.
On this page
- Why your AML/CTF policies are important
- Tailoring to size, nature and complexity
- Appropriately manage and mitigate your ML/TF risks
- Proliferation financing
- Meet your AML/CTF obligations
- Document and approve your AML/CTF program
- Comply with your AML/CTF policies
Why your AML/CTF policies are important
This section refers to the Act section 26F(1).
Your AML/CTF policies are your policies, procedures, systems and controls that work collectively to:
- appropriately manage and mitigate the money laundering, terrorism financing and proliferation financing (ML/TF) risks your business may reasonably face in providing your designated services
- make sure you comply with your AML/CTF obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act), Anti-Money Laundering and Counter-Terrorism Financing Rules (the Rules) and regulations.
Protecting your business
In completing your ML/TF risk assessment, you’ll have identified and assessed the risk that your services could be exploited for ML/TF.
Your AML/CTF policies must appropriately manage and mitigate the risks you’ve identified.
To meet this obligation, you must do all of the following:
- tailor and adopt policies, procedures, systems or controls that are explicitly required under the Act and Rules to address your ML/TF risks
- develop and maintain any further policies, procedures, systems and controls that are necessary to manage and mitigate the ML/TF risks you identified in undertaking your ML/TF risk assessment.
This will help ensure that your business is protected against the specific threats that it’s likely to face and can demonstrate compliance with its legal obligations.
Tailoring to size, nature and complexity
The AML/CTF policies you develop must be appropriate to the nature, size and complexity of your business.
Larger businesses are likely to have a more varied and rapidly changing ML/TF risk profile than smaller, less complex businesses. This is often a product of their more complex and extensive customer base, service offerings, internal systems and exposure to global markets.
We generally expect larger, complex businesses to have more extensive AML/CTF policies in place than smaller, less complex businesses.
For example, this could include:
- automated monitoring systems for high volumes of transactions
- dedicated financial crime teams to monitor customer data, report to us and carry out more difficult checks
- appointing multiple senior managers, separate to the compliance officer, to approve updates to the AML/CTF program and engagement with particular customer types.
Appropriately manage and mitigate your ML/TF risks
This section refers to the Act section 26F and the Rules sections 5–2 to 5–5 and 5–17 to 5–20.
The principles below on appropriately mitigating and managing risk align with the approach taken in joint submissions and endorsed by the court in Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited [2018] FCA 930.
Our expectations
Your risk assessment must identify and assess the ML/TF risks you may reasonably face in providing designated services, including how all of the following is vulnerable to ML/TF exploitation:
- kinds of designated service
- kinds of customer
- delivery channels
- countries you deal with.
To appropriately manage and mitigate your ML/TF risks, we expect your AML/CTF policies to be:
- targeted – focus on the kinds of ML/TF risks your business may reasonably face in providing designated services. Your risk assessment must outline how your services are vulnerable to ML/TF exploitation. Target your AML/CTF policies to address these specific vulnerabilities
- proportionate – the strength of your AML/CTF policies must match the level of ML/TF risk. Your risk assessment must assess the level of vulnerability of each risk factor (for example, low, medium and high). Higher risks need stronger AML/CTF policies. You can manage lower risks with simpler measures. This helps you use your resources effectively while staying compliant
- ongoing – ML/TF risks change over time. Your AML/CTF policies must support regular monitoring and reassessment. Include clear steps for reviewing and updating your AML/CTF policies when there are changes to your business and ML/TF risks
- effective – your AML/CTF policies must work in practice. You must also have a process to revise these policies when needed.
Meeting our expectations
There are specific requirements that must be included in every program. You must tailor these requirements to your ML/TF risks.
For example, this includes the requirements to:
- identify significant changes to risk factors relating to designated services
- review and update your AML/CTF policies in response to a review of the ML/TF risk assessment and other triggers
- conduct CDD and identify the triggers for when you will conduct a source of funds or source of wealth check
- make sure you comply with your targeted financial sanctions obligations
- inform or obtain approval to start providing a designated service to certain customer-types
- monitor transfers of value under the travel rule
- verify know your customer information in a real estate transaction that’s provided by another person you rely on for CDD.
These requirements alone are not likely to be sufficient to appropriately manage and mitigate your ML/TF risks. We expect you to adopt further AML/CTF policies as necessary.
The AML/CTF policies you develop will depend on the specific risks you face. Some common ML/TF risks and corresponding AML/CTF policies are provided below.
- where you’re exposed to high value physical currency (cash) transactions – implementing a transaction limit for physical currency, or requesting that customers complete transactions through bank transfer or EFTPOS only
- updating the terms of your standard service agreement to allow you to stop providing services if a customer doesn’t cooperate with requests for KYC information or otherwise falls outside your ML/TF risk appetite
- designing services and products with safeguards in place so that you can service customers at risk of being excluded or underserved. For example, a financial inclusion focused bank transaction account that has a low cash deposit limit
- adopting business rules not to offer particular services to specified kinds of high ML/TF risk customers, where the business has decided not to bear the higher resourcing implications of managing and mitigating the ML/TF risk.
Example
Crypto ATMs allow a customer to convert cash to cryptocurrency, which is sent to a digital wallet, all without interacting with another person.
This fully remote self-service method carries the following inherent ML/TF risks:
- crypto ATMs allow cash to be introduced into the financial system easily and in volume
- it is difficult to identify the true ownership and control of a digital wallet
- the customer may not understand the workings of, or have true control over, the digital wallet. The wallet might be under the control of a third party, particularly where the customer has been provided the wallet address by someone else
- third parties who control digital wallets can receive cryptocurrency anonymously, allowing them to avoid law enforcement detection
- cryptocurrency is recorded on the blockchain which does not belong to any one country. Transactions and wallets can be accessed from anywhere, meaning value can be made available offshore easily and quickly
- crypto ATMs can facilitate large volumes of transactions in a short period of time, allowing for cost-effective money laundering
These features make Crypto ATMs an attractive facility for money laundering, scams and fraud. Our data shows that the majority of cryptocurrency ATM users are aged 50 or over.
A Crypto ATM provider must ensure that their AML/CTF policies appropriately manage and mitigate the ML/TF risks above.
For example, their AML/CTF policies could include:
- ongoing CDD systems that monitor for risks and indicators of exploitation that are specific to Crypto ATMs and related money laundering, scam and fraud activity
- methods for assigning risk ratings to customers for initial and ongoing CDD that incorporate the unique ML/TF risks posed by Crypto ATMs and the customer base that uses them
- tailored enhanced customer due diligence measures to address the ML/TF risks, including the use of blockchain tools to understand the exposure of customer wallets to criminal activity.
In addition to tailoring their AML/CTF policies, cryptocurrency ATM providers must also adopt additional policies, procedures, systems and controls to appropriately manage and mitigate these unique ML/TF risks.
For example:
- daily limits of $5,000 on cash deposits and withdrawals at crypto ATMs
- mandatory scam warnings for all customers.
Proliferation financing
This section refers to the Act sections 26F(1) and 26F(11).
You must identify and assess your proliferation financing (PF) risk in your risk assessment. The risk of PF can differ widely across industries and businesses. Many businesses face little or no risk in this area.
You don’t need a specific policy to address PF risks if you’ve reasonably assessed:
- your PF risk as low
- that your AML/CTF policies can appropriately manage and mitigate your PF risk.
Your business is less likely to face PF risks if you satisfy the following criteria:
- you only operate in Australia
- you don’t provide designated services to customers located in, or who have connections to, high-risk jurisdictions.
However, you must still document your PF risk assessment within your AML/CTF program.
If your PF risk is medium or high, you must develop and maintain AML/CTF policies to manage and mitigate this risk. Policies could include:
- customer monitoring for PF red flags and indicators, including detecting when a customer is engaged in industries with higher PF risk (arms or munition sales, dual-use goods on the Defence and Strategic Goods List)
- enhanced CDD for clients with business activities in areas with higher PF risk, including enhanced sanctions screening against targeted financial sanctions and sanctioned vessels
- embargoes on prohibited business with prescribed countries and their nationals. For example, North Korea.
Meet your AML/CTF obligations
This section refers to the Act sections 26C(1), 26D(1), 26F, 51B and the Rules divisions 2 and 3.
Your AML/CTF policies must set out how you comply with all your AML/CTF obligations.
Guidance on your key obligations is provided in the links below.
Enrol and register
- You must enrol with us and keep your enrolment details up to date.
- If you’re a virtual asset or remittance service provider, you must also apply for registration with us.
AML/CTF program
You must have and comply with an AML/CTF program.
You must:
- conduct an ML/TF risk assessment
- develop and maintain AML/CTF policies
- document your AML/CTF program and have it approved by a senior manager
- review and update your AML/CTF program in response to triggers, and in any case every 3 years
- make and keep records
- conduct independent evaluations of your AML/CTF program.
Get your staff ready
You must:
- appoint an AML/CTF compliance officer, identify your governing body and senior managers, and make sure they meet their governance responsibilities
- train and conduct due diligence on your personnel to make sure they’re able to meet your AML/CTF obligations.
Customer due diligence (CDD)
You must:
- conduct initial CDD on your customers before you start to provide designated services to them to understand their ML/TF risk and identify particular people associated with them
- conduct ongoing CDD to monitor your customers and manage and mitigate their ongoing ML/TF risks
- detect whether particular customers are politically exposed persons, or are subject to targeted financial sanctions and make sure you meet your sanctions obligations.
Reporting
You must report to us.
You must:
- report suspicious matters to us
- avoid tipping off
- report threshold transactions – when you have a physical currency transaction of $10,000 or more
- report cross-border movement of bearer negotiable instruments
- provide an annual compliance report to us.
You must also have policies, procedures, systems and controls to make sure:
- reports are complete, accurate and free from unauthorised change
- you give us suspicious matter reports in a timely manner and they are not unduly delayed.
Record keeping
You must make and keep records.
Policies that only apply to certain businesses
There are also specific obligations and AML/CTF policy requirements for the businesses below:
- the travel rule – for virtual asset, remittance, financial services and some gambling service providers
- reporting groups – for current designated business groups and businesses wanting to set up group-wide compliance
- foreign branches and subsidiaries – for businesses that provide designated services from a permanent establishment overseas.
Document and approve your AML/CTF program
This section refers to the Act sections 26N, 26P and 116 and the Rules sections 5–15.
Your AML/CTF program, which includes your ML/TF risk assessment and AML/CTF policies, must be:
- documented (in one or more documents) before you start providing a designated service. Updates must be documented within 14 days after the update occurs
- approved by a senior manager, along with any updates.
What must be documented and approved?
Your ML/TF risk assessment is a documented (usually written) record of the ML/TF risks your business may reasonably face in providing designated services.
AML/CTF policies include any policy, procedure, system or control you rely on to:
- appropriately manage and mitigate the ML/TF risks your business may reasonably face in providing your designated services
- make sure you comply with your AML/CTF obligations under the Act, regulations and Rules.
Ancillary policies, procedures, systems and controls that aren’t directly necessary to demonstrate compliance with these outcomes will not be an AML/CTF policy.
For example:
- the use of transaction monitoring software to monitor for high ML/TF risk cash transactions would be an AML/CTF policy, as this is a system used to manage a business’s ML/TF risks. The business could document this AML/CTF policy by outlining, in writing, how the software monitoring program helps them comply with their obligations and manage and mitigate their ML/TF risks
- ancillary documents or data that aren’t necessary to demonstrate compliance won’t form part of the AML/CTF policies. For example, out-of-scope material could include individual lines of code in the monitoring program or standard operating procedures to comply with software licensing conditions.
How to document and approve your AML/CTF program
When first completing your AML/CTF program, you could do the following:
- develop and document your ML/TF risk assessment in consultation with your senior manager and governing body – ensuring they are aware of the nature of the threats your business faces before you develop your AML/CTF policies
- document the proposed policies, procedures, systems and controls you will use to:
  - ensure compliance with your obligations
  - appropriately manage and mitigate the ML/TF risks you have identified
- provide this document and your ML/TF risk assessment to your senior manager to approve
- have your senior manager approve the documents in writing, along with their name, role and a date of approval before you provide designated services
- provide the ML/TF risk assessment to your governing body
- implement the approved policies, procedures, systems and controls in your business and ensure that all personnel comply with them.
Once your AML/CTF program is approved and implemented, updates to the program must be documented within 14 days and certain updates must be approved by a senior manager.
Updates that must be approved by a senior manager include:
- for the risk assessment – updates that relate to new or significantly changed ML/TF risks that the reporting entity may reasonably face. Any update must be provided to the governing body in writing as soon as practicable
- for the AML/CTF policies – the senior manager must approve updates that are material changes to how the business’s policies, procedures, systems and controls achieve the outcomes of complying with AML/CTF obligations and managing or mitigating ML/TF risks.
For example, for a transaction monitoring software system:
- changing the threshold for detecting cash transactions to only monitor $10,000 deposits in physical currency. This is a material change that would need senior manager approval
- carrying out a routine software update on this system, or a change in workflow to the order in which investigators see cases in a case management tool, isn’t a material change to how the business complies with its obligations or manages or mitigates risk, so wouldn’t need senior manager approval. These are administrative changes to a process; they don’t affect the outcome of complying with AML/CTF obligations and managing or mitigating ML/TF risks.
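As an added illustration (not AUSTRAC’s code, and not any particular provider’s system), the Python sketch below shows what two controls mentioned on this page look like when written as transaction monitoring rules: the $10,000 physical currency threshold transaction check from the Reporting section, and the example $5,000 daily cash limit at crypto ATMs from the Crypto ATM example above. The customer ids, dates and amounts are constructed sample data. The point of the aggregation rule is that a daily limit only works if cash is summed per customer per day, so several small deposits can’t slip under a per-transaction check. In the terms used above, the two threshold constants are the part a senior manager approves changes to; reorganising the code without changing what it flags is an administrative change.

```python
"""Added example: minimal rule-based transaction monitoring (not AUSTRAC's code).

Thresholds are deliberately kept as named configuration, because changing them
is the kind of material change this guidance says needs senior manager approval.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# From the page: a physical currency transaction of $10,000 or more is a threshold transaction.
THRESHOLD_TRANSACTION_AUD = Decimal("10000")
# From the page's crypto ATM example: a $5,000 daily cash limit (an example control, not a legal figure).
CRYPTO_ATM_DAILY_CASH_LIMIT_AUD = Decimal("5000")


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer_id: str
    when: date
    channel: str      # e.g. "crypto_atm" or "branch" (assumed channel labels)
    instrument: str   # "cash" (physical currency) or "eft" (electronic)
    amount_aud: Decimal


# Constructed sample data: customer ids, dates and amounts are invented for the example.
SAMPLE_TXNS = [
    Transaction("t1", "cust-A", date(2025, 7, 1), "crypto_atm", "cash", Decimal("2000")),
    Transaction("t2", "cust-A", date(2025, 7, 1), "crypto_atm", "cash", Decimal("2000")),
    Transaction("t3", "cust-A", date(2025, 7, 1), "crypto_atm", "cash", Decimal("2000")),  # day total hits 6000
    Transaction("t4", "cust-B", date(2025, 7, 1), "branch", "cash", Decimal("12000")),     # single cash txn >= 10000
    Transaction("t5", "cust-B", date(2025, 7, 1), "branch", "eft", Decimal("25000")),      # electronic, not physical currency
    Transaction("t6", "cust-A", date(2025, 7, 2), "crypto_atm", "cash", Decimal("4500")),  # new day, under the limit
]


def threshold_transactions(txns, threshold=THRESHOLD_TRANSACTION_AUD):
    """Ids of single physical-currency transactions at or above the reporting threshold.

    Electronic transfers are not physical currency, so they are not threshold transactions
    regardless of size.
    """
    return [t.txn_id for t in txns if t.instrument == "cash" and t.amount_aud >= threshold]


def crypto_atm_daily_limit_breaches(txns, limit=CRYPTO_ATM_DAILY_CASH_LIMIT_AUD):
    """Sum crypto ATM cash per customer per day, in date order.

    Returns {(customer_id, day): (txn_id that first pushed the total over the limit, day total)}.
    Structuring $6,000 as three $2,000 deposits is still caught because the rule aggregates.
    """
    totals = defaultdict(Decimal)
    first_breach = {}
    for t in sorted(txns, key=lambda x: (x.when, x.txn_id)):
        if t.channel != "crypto_atm" or t.instrument != "cash":
            continue
        key = (t.customer_id, t.when)
        totals[key] += t.amount_aud
        if totals[key] > limit and key not in first_breach:
            first_breach[key] = t.txn_id
    return {key: (txn_id, totals[key]) for key, txn_id in first_breach.items()}


def authorise_crypto_atm_deposit(prior_txns, proposed, limit=CRYPTO_ATM_DAILY_CASH_LIMIT_AUD):
    """Pre-authorisation check an ATM could apply before accepting cash.

    Returns True only if the customer's crypto ATM cash for that day, including the
    proposed deposit, stays within the limit. This is the preventive form of the
    same control; crypto_atm_daily_limit_breaches() is the detective form.
    """
    day_total = sum(
        (t.amount_aud for t in prior_txns
         if t.customer_id == proposed.customer_id and t.when == proposed.when
         and t.channel == "crypto_atm" and t.instrument == "cash"),
        Decimal("0"),
    )
    return day_total + proposed.amount_aud <= limit


if __name__ == "__main__":
    print("threshold transactions:", threshold_transactions(SAMPLE_TXNS))
    print("daily limit breaches:", crypto_atm_daily_limit_breaches(SAMPLE_TXNS))
    print("authorise t3:", authorise_crypto_atm_deposit(SAMPLE_TXNS[:2], SAMPLE_TXNS[2]))
    print("authorise t6:", authorise_crypto_atm_deposit(SAMPLE_TXNS[:5], SAMPLE_TXNS[5]))
```

Run on the sample data, the threshold rule flags only t4 (the $25,000 transfer is electronic, so it isn’t a threshold transaction), the daily limit rule reports cust-A on 1 July with t3 as the deposit that took the day to $6,000, and the pre-authorisation check would have refused t3 while allowing t6 the next day.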
Comply with your AML/CTF policies
This section refers to the Act section 26G(1).
After developing your AML/CTF policies, you must comply with them.
This means putting them into practice and following them in your daily operations.
Complying with your AML/CTF policies means that your business:
- uses its AML/CTF policies to appropriately mitigate and manage risk and meet your AML/CTF obligations
- can demonstrate how the AML/CTF policies are being applied in practice.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.