Learn how you can use outsourcing to help meet your anti-money laundering and counter-terrorism financing (AML/CTF) obligations.

You may outsource functions relating to your compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. These are called AML/CTF functions. You may outsource AML/CTF functions for a range of reasons, such as:

  • accessing specialist AML/CTF knowledge and expertise
  • managing the cost of compliance. 

If you outsource AML/CTF functions, you remain responsible for complying with your obligations under the Act and Rules. 

Generally, your business will remain legally liable for any breach of its AML/CTF obligations, even under outsourcing arrangements. You’ll incur any penalty that arises from a breach. 

We expect that you take steps to manage any risks of outsourcing and have appropriate oversight of your providers.

This guidance will help you: 

  • comply with your AML/CTF obligations when using outsourcing
  • identify, mitigate and manage money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks) and AML/CTF compliance risks that could arise when using outsourcing
  • take steps to ensure the services that your business outsources and the outsourced service providers you use are appropriate for your business and its specific ML/TF risks.

What is outsourcing and when you might use it

Outsourcing in this guidance means entering into an arrangement with a third party to carry out certain AML/CTF functions on your behalf. 

Depending on the services you provide, you may outsource on a one-time basis (for example, to have someone develop your AML/CTF program). Or on an ongoing basis, such as to carry out: 

This guidance provides our expectations and suggested good practices that may help you manage some of the risks that can arise when outsourcing your AML/CTF functions. It also notes certain legal obligations, such as record keeping and restrictions on sharing certain information.

What’s not included in this guidance

The following activities aren’t covered in this guidance:

  • Relying on services provided by another member of your reporting group.
  • Engaging a provider to undertake an independent evaluation of your AML/CTF program.
  • Using technology (such as software applications) that help you meet your AML/CTF obligations in-house (learn more about engaging a RegTech).
  • Using databases maintained by government departments or agencies, such as the Australian Sanctions Office Consolidated List.
  • Relying on customer identification and verification performed by another entity (learn more about reliance on customer identification by a third party).

Effective management of outsourcing

The following steps may help you manage your outsourcing arrangements effectively and reduce potential risks when outsourcing.

  1. Identify the risks that may arise through outsourcing.
  2. Conduct due diligence on outsourced service providers.
  3. Understand legal restrictions on sharing information with outsourced service providers.
  4. Use a written agreement for outsourcing.
  5. Monitor and review ongoing outsourcing arrangements.
  6. Document procedures for managing outsourcing arrangements in your AML/CTF program.

1. Identify the risks that may arise through outsourcing 

Outsourcing can potentially create:

  • ML/TF risk, where the use of outsourcing creates additional vulnerabilities in your business that criminals could exploit
  • AML/CTF compliance risk, where you may fail to meet your AML/CTF obligations due to poor due diligence, implementation or monitoring of outsourcing arrangements.

These risks may arise if an outsourced service provider:

  • doesn’t tailor its services to your business’s unique ML/TF risks
  • lacks the expertise or resources to carry out the relevant AML/CTF functions on your behalf
  • isn’t aware of the legal restrictions on information sharing under the Act
  • isn’t subject to adequate oversight and monitoring during the arrangement.

Failure to address these risks when implementing an outsourcing arrangement could lead to systemic and serious non-compliance with your AML/CTF obligations.

Consider whether any proposed outsourcing is in line with the ML/TF risk assessment that your senior manager has approved.

Outsourcing monitoring of your customers

It’s critical that any outsourcing of monitoring your customers is based on a thorough ML/TF risk assessment, including an understanding of the ML/TF risks and specific indicators of suspicious activity relevant to your business.

Without this, the outsourced service provider may: 

  • monitor for ML/TF risks and suspicious activities that aren’t relevant to your business  
  • fail to monitor ML/TF risks and suspicious activities that are relevant to your business
  • lead to failures in reporting, such as failure to submit suspicious matter reports as required under the AML/CTF Act.

Learn more about:

2. Conduct due diligence on outsourced service providers

Before you enter into an outsourcing arrangement, you must conduct appropriate due diligence on the outsourced service provider. This is to make sure they can properly carry out the relevant AML/CTF functions on your behalf. This should also take into account any ML/TF and AML/CTF compliance risks you’ve identified. 

You must also make sure you meet personnel due diligence obligations in relation to persons you engage to perform AML/CTF functions. 

Examples of factors you may want to consider include the outsourced service provider’s: 

  • experience in delivering the services required
  • qualifications or expertise that may be relevant to AML/CTF and your industry
  • willingness to agree to performance monitoring and mechanisms for dealing with any breaches of the arrangement.

Some methods you could use to verify your outsourced service provider’s suitability include: 

  • a demonstration of their services
  • an explanation of how they will tailor their services to suit your business
  • verification of their AML/CTF or other relevant qualifications, resourcing and performance history
  • references from businesses similar to yours that have previously engaged the outsourced service provider. Where possible, you may want to consult businesses not suggested by the outsourced service provider.

The following could indicate that an outsourced service provider has sufficient experience or knowledge to carry out the relevant AML/CTF functions on your behalf effectively:

  • they have experience providing AML/CTF services to businesses of a similar nature, size and complexity to yours
  • they understand your industry, type of business or its ML/TF risks, or take sufficient steps to understand these factors
  • they offer products that are tailored to your business, and do not offer generic or template products
  • they develop their solution after consulting you about your customers, designated services, delivery methods and jurisdictions you deal with.

3. Understand legal restrictions on sharing information with outsourced service providers

There are legal restrictions on sharing certain types of information, if it would or could reasonably be expected to prejudice an investigation. 

This is known as tipping off.

You must ensure that any outsourcing arrangements don’t involve the unauthorised disclosure of any information protected by tipping off provisions. Tipping off is a criminal offence. 

You may wish to obtain legal advice before entering into an outsourcing arrangement. Particularly if the arrangement could involve information that’s protected by the tipping off provisions.

There may also be other legal restrictions on information sharing that apply to you, such as privacy laws.

Learn more about tipping off, including the types of information that tipping off applies to.

4. Use a written agreement for outsourcing

To ensure your outsourced service provider is properly carrying out the relevant AML/CTF functions on your behalf, you could outsource through a written and legally binding outsourcing agreement.

At a minimum, we expect any agreement to: 

  • outline the services and performance targets the outsourced service provider will need to meet to carry out the relevant AML/CTF functions on your behalf
  • provide oversight mechanisms to ensure that the outsourced service provider is producing the agreed services and meeting the agreed performance targets
  • include mechanisms to manage compliance risks if the relevant AML/CTF functions are not carried out properly. 

For one-off outsourced services, the written agreement could be relatively simple, requiring your outsourced service provider to produce a particular product to an agreed performance standard and rectify any failures to meet this standard in a timely manner. 

For ongoing outsourcing arrangements, we expect more substantial oversight, monitoring and review standards to ensure that the outsourced service provider is continuing to carry out the relevant AML/CTF functions on your behalf throughout the course of the arrangement.

General details  

The outsourcing agreement may include the following details as appropriate, depending on the type of agreement:

  • when the agreement starts and ends
  • whether the service is to be provided on an ongoing or one-off basis
  • the details of the person in your business that will oversee and be responsible for the agreement
  • specific details about what steps and obligations the outsourced service provider will complete and how this will fit into your business processes
  • business continuity plans in case the outsourced service provider fails to carry out the relevant AML/CTF function on your behalf
  • oversight, monitoring and review provisions for ongoing outsourcing arrangements
  • expected service standards, including reporting arrangements and quality assurance processes
  • if the outsourced service provider holds any data, who owns and controls that data – including whether you can share the outsourced service provider’s data externally with regulators, other institutions, clients and others if needed
  • details of how you and your outsourced service provider will implement the outcomes of any independent evaluations. 

Performance targets

You can design your performance targets to provide assurance that the relevant AML/CTF functions will be carried out on your behalf if the targets are met by the outsourced service provider. 

For one-off outsourced services, performance targets would typically include quality and timeliness standards that align with your AML/CTF obligations. 

For example, performance targets for an outsourced AML/CTF program might include that the program:

  • is delivered before you’re legally required to adopt it (for example, before you start to provide a designated service to a customer)
  • contains a ML/TF risk assessment that’s informed by your designated services, methods of delivering designated services, customer types and foreign jurisdictions you deal with, and relevant AUSTRAC guidance and feedback on ML/TF risks
  • contains all the requirements of an AML/CTF program required to identify, mitigate and manage ML/TF risks
  • is tailored to your business and can be adopted by your business with reasonable adjustments to your systems.

Avoid generic AML/CTF programs

We expect you to avoid using template or global AML/CTF programs (which aren’t Australia-specific) without amending them. 

AML/CTF obligations and ML/TF risks differ between countries, regions and individual businesses. Template AML/CTF programs are generally not tailored to your business and its ML/TF risks, while global AML/CTF programs often don’t consider your particular obligations under the Act and Rules. 

If you adopt a template or global AML/CTF program, this could lead to serious and systemic compliance failures with your AML/CTF obligations. 

Learn more about developing your AML/CTF program

In addition to quality and timeliness standards, ongoing outsourcing arrangements could require additional ongoing performance standards, such as: 

  • requirements for the outsourced service provider to regularly report on their adherence to the agreed performance targets
  • a maximum number of breaches allowed before a review of the agreement is initiated
  • maximum timeframes to implement changes to the agreement if your ML/TF risks or circumstances change
  • record-keeping targets that align with your record-keeping obligations.

For example, performance standards for outsourcing giving international funds transfer instructions (IFTI) reports to us might include: 

  • a requirement to submit all IFTI reports within the statutory timeframe of 10 business days from receipt or sending of the instruction
  • a quality requirement to include all mandatory reportable details in IFTI reports
  • a record-keeping requirement to retain all relevant records of IFTIs
  • a requirement to provide you with an implementation plan within a set timeframe if the outsourced service provider is going to change their IFTI systems following an independent evaluation of your AML/CTF program.

Verification of performance

We expect any outsourcing agreement to include appropriate oversight clauses to verify that your outsourced service provider is meeting their agreed performance targets. 

For one-off outsourced services, this will often be straightforward, and would typically involve your outsourced service provider producing draft and final products for your review within particular timeframes. 

For ongoing outsourcing arrangements, you may require that the outsourced service provider:

  • documents actions under the outsourcing agreement in writing and provides records to you when requested
  • notifies you of any suspected non-compliance with your AML/CTF obligations and emerging ML/TF risks
  • subjects themselves to ongoing due diligence and service quality checks against the agreed performance targets
  • cooperates with scheduled independent evaluations of outsourcing arrangements and associated ML/TF risks.

Breaches of the agreement

We expect that your outsourcing agreement include options to allow you to take a proportionate and risk-based response to any breaches of the agreement.

Responses could include: 

  • requirements for the outsourced service provider to remedy any breach of the agreement within a specified timeframe
  • suspension of the agreement until identified deficiencies are addressed
  • termination of the agreement in cases of serious or systemic non-compliance with AML/CTF obligations or the outsourcing agreement. 

In accordance with your AML/CTF program and the level of AML/CTF compliance risk or ML/TF risk you identify in relation to the breach, you may decide to escalate breaches by the outsourced service provider to your governing body or senior management for action. 

You must also ensure that you meet your record-keeping obligations under the Act in relation to any possible non-compliance caused by the breach.

5. Monitor and review outsourcing arrangements.

For one-off outsourced services, such as the development of your AML/CTF program, you could evaluate the service against the performance targets you have agreed to with the outsourced service provider, to ensure the service provided meets your AML/CTF obligations. 

For ongoing outsourcing arrangements, you could continue to monitor and review the arrangement including to: 

  • verify that the outsourced service provider is meeting its targets under the agreement
  • confirm that your business is meeting its AML/CTF obligations while using the outsourcing arrangement
  • adjust the arrangement in light of any changes to the ML/TF risks your business is likely to be exposed to.

Such processes will help you detect non-compliance and mitigate potential ML/TF risks arising from the ongoing outsourcing arrangement. 

You can set reviews of ongoing outsourcing arrangements at regular periodic intervals and not just in response to events or incidents, such as a potential breach.

As with your due diligence, ensure the processes you use to monitor the outsourced service provider are proportionate to the level of AML/CTF compliance risks and ML/TF risks you have identified with the outsourcing arrangements. 

Examples you may want to consider include:

  • asking the outsourced service provider to report periodically on how they are meeting the performance measures agreed to in the outsourcing arrangement
  • reviewing the outsourced service provider’s documented procedures and processes periodically
  • reviewing random samples of the relevant AML/CTF functions the outsourced service provider has carried out – for example to check how customer identification and verification procedures are carried out and whether they comply with your AML/CTF obligations
  • comparing expected outcomes versus actual outcomes – for example the number of reportable transactions or SMRs generated may be higher or lower than expected, or the content of SMRs may not align with your expected ML/TF risks.

If the outcomes of your monitoring and reviews aren’t what you expect, it’s important to investigate and understand the causes so that you can take appropriate action.

For example, if an outsourced service provider isn’t picking up any suspicious activities while monitoring your customers, consider if the issue is caused by: 

  • the outsourcing arrangement
  • an incorrect assessment of ML/TF risks
  • other factors.

6. Document procedures for managing outsourcing arrangements in your AML/CTF program

We expect you to document in your AML/CTF program how you’ll: 

  • assess any AML/CTF compliance risks or ML/TF risks arising from an outsourcing arrangement
  • carry out due diligence on potential outsourced service providers
  • evaluate whether the service delivered meets your requirements and how you will remediate any identified issues
  • monitor and review ongoing outsourcing arrangements, including who is responsible for actioning any findings.

A senior manager must approve any updates to your AML/CTF program. 

We also expect you to document how your governing body and senior management will: 

  • be responsible for the oversight, accountability and resourcing required to identify, mitigate and manage the AML/CTF compliance and ML/TF risks of outsourcing
  • receive reports on AML/CTF compliance and ML/TF risks arising from outsourcing arrangements
  • effectively resolve non-compliance with outsourcing agreements and adapt to changing ML/TF risks. 

Good outsourcing practices

Below are some good outsourcing practices:

  • Develop AML/CTF policies that identify, manage and mitigate AML/CTF compliance risks and ML/TF risks that may arise from outsourcing.
  • Conduct due diligence on your outsourced service provider to verify that they can carry out the relevant AML/CTF functions on your behalf.
  • Have senior management oversight of your outsourcing arrangements and responsibility for dealing with AML/CTF compliance risks and ML/TF risks.
  • Ensure that the outsourced service provider tailors their products to your business’s ML/TF risks, designated services, customer types, jurisdictions and methods of delivery.
  • Ensure you understand your legal obligations in relation to outsourcing and information sharing under the Act and obtain legal advice where necessary.
  • Have a written and legally binding outsourcing agreement, including clear responsibilities and performance targets that the outsourced service provider must meet to effectively carry out the relevant AML/CTF functions on your behalf.
  • Include oversight and breach clauses in outsourcing agreements that allow you to quickly detect and escalate non-compliance to senior management for appropriate action.
  • Actively monitor your outsourced service provider and their adherence to the performance measures agreed to and review the ongoing outsourcing arrangements to ensure they continue to meet your needs. 

Related pages

This guidance sets out how we interpret certain Australian legislation, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 26 Mar 2026

Was this page helpful?

Please note that feedback you provide here will be used only for the purpose of improving our website. If you have a specific question about your AML/CTF obligations, please contact us.