Law Society of WA

Australia’s new AML CTF policies: Starter kits, real risks, and lessons from Mounties

By Fiona Halsey

From 1 July 2026, there will be major changes for most Australian law firms due to new AML CTF legislation.  This article is the third in a practical series on AML CTF implementation for Western Australian law firms.

Every reporting entity must carry out a risk assessment and have documented AML CTF policies. Reporting entities must comply with their AML CTF policies.  All policies and compliance with these policies must be independently evaluated at least every three years.  (Risk assessments and policies are part of the entity’s AML CTF program.)

To support smaller firms, AUSTRAC has announced the release of “starter-program kits” in late 2025. These kits are designed to reduce the burden on new entrants, particularly those with low-complexity businesses, and will contain template policies. But while the starter kits are a welcome support, they are not a free pass – and the risks of treating them as “tick-box” compliance are real.

What the policies must address

The Anti-Money Laundering and Counter-Terrorism Financing (AML CTF) Act 2006 (the Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (the AML CTF Rules) outline specific requirements for a reporting entity’s AML CTF policies. These policies must be developed and maintained to ensure the entity effectively manages risks and complies with its obligations.  Appendix 1 is a summary list of mandatory policy requirements.

Starter programs: A ready-made path for some small firms

AUSTRAC’s starter kits will provide:

  • A template AML CTF program with pre-drafted policies and procedures.
  • Guidance on risk assessments, designed around the profile of a “typical low-complexity” business.

If your firm genuinely matches the profile for which the kit was designed, you can adopt the starter program “as is”. AUSTRAC has made it clear this is a legitimate compliance pathway – it avoids the need for small, low-risk firms to spend time and money drafting programs from scratch.

This approach recognises that a small country practice is unlikely to need the same degree of complexity in its AML CTF program as a large bank or casino.

AUSTRAC has not yet released final details of which firms can rely upon the policies in the starter program. However, it will probably be smaller firms in lower risk practice areas.  (We will cover risk assessment of firms in a later article.)

Adoption comes with responsibility

But there is a critical caveat: if you adopt the AUSTRAC starter program, you must follow it in practice.

That means:

  • Training your staff on the policies and procedures set out in the program.
  • Ensuring the systems described (such as how to identify and escalate suspicious matters) are operational in your business.
  • Demonstrating, during evaluation or regulatory engagement, that your firm’s day-to-day practice aligns with the adopted policies.

If you simply file the starter kit or adopt it without aligning it to how your firm operates, you create serious risks.

The dangers of “set and forget”

In an independent evaluation, the reviewer will ask two key questions:

  1. Are your policies suitable for your business?
  2. Are you complying with them in practice?

If the answer to either question is “no”, the evaluation will record serious deficiencies. That report must be provided to senior management, and AUSTRAC may be notified.

For example, if your firm uses AUSTRAC’s starter program but fails to actually implement its transaction monitoring or escalation procedures, an evaluation will quickly reveal the gap. Similarly, if your firm is higher-risk than the starter kit assumes, but you rely on it anyway without modification, the evaluator will conclude your program is inappropriate for your risk profile.

Independent evaluation: every three years

The new rules require every reporting entity to arrange an independent evaluation of its AML CTF program at least once every three years. For high-risk entities, more frequent reviews are expected.

These evaluations are not box-ticking exercises. They test:

  • Whether your policies are fit for purpose.
  • Whether your staff and systems are complying with the policies in practice.
  • Whether governance and oversight mechanisms are effective.

If deficiencies are identified, your firm must have a plan to remediate them.

The Mounties Case: A stark warning

The risks of superficial or ineffective AML CTF programs were highlighted in July 2025 when AUSTRAC launched civil penalty proceedings against the Mount Pritchard District & Community Club (Mounties), one of Australia’s largest clubs. 

AUSTRAC alleges that Mounties:

  • Did not have an AML CTF program (policies) that reflected the risks of handling hundreds of millions in cash through its 1,400 gaming machines.
  • Failed to provide adequate, tailored training to staff.
  • Lacked effective transaction monitoring and customer due diligence.
  • Failed to conduct adequate independent reviews of its program (including policies).

AUSTRAC’s message is clear: policies that exist on paper but are not implemented in practice are not adequate.

Final thoughts

The AML CTF Amendment Act 2024 has shifted Australia to a more modern, risk-based, and outcomes-focused regime. AUSTRAC’s starter-program kits are a valuable initiative that will make compliance far more accessible for small businesses. For many firms, adopting them “as is” will be appropriate.

But adoption is not the end of the compliance journey. You must operationalise the program, train your staff, monitor transactions, escalate issues, and keep records. And you must be prepared for an independent evaluation every three years that will test whether your program both fits your business and is being followed in practice.

Tranche 2 firms now preparing for entry into the AML CTF regime should consider carefully whether off-the-shelf policies are appropriate and practically workable.

This article is part of a series on AML CTF. The next article will focus on firm risk assessments. Do you have a particular topic or question on AML CTF you would like Fiona to cover? Email us at brief@lawsocietywa.asn.au.

This is a broad summary of the law and has been condensed for readability.  You must consider the law yourself before making decisions.

Appendix 1

In summary, the AML CTF policies for a reporting entity carrying on business in Australia must:

  • Appropriately manage and mitigate the risks of money laundering, financing of terrorism, and proliferation financing that the reporting entity may reasonably face in providing its designated services.
  • Ensure the reporting entity complies with all obligations imposed by the Act, the regulations, and the AML CTF Rules.
  • Be appropriate to the nature, size, and complexity of the reporting entity’s business. (For a lead entity of a reporting group, this scope extends to the business of the lead entity and each other reporting entity in the group).
  • Comply with any specific requirements detailed in the AML CTF Rules.
  • Identify significant changes to factors that influence ML/TF risk, such as customer types, service kinds, delivery channels, and countries dealt with.
  • Carry out customer due diligence.
  • Review and update AML CTF policies in response to:
    • Reviews of the entity’s ML/TF risk assessment.
    • Circumstances specified in the AML CTF Rules, such as adverse findings in an independent evaluation report.
  • Regularly review the AML CTF policies themselves, with a frequency of at least once every three years, or at intervals specified in the AML CTF Rules.
  • Ensure compliance with financial sanctions obligations, meaning the entity must not make money, property, or virtual assets available to or for the benefit of, or deal with assets owned or controlled by, a person designated for targeted financial sanctions, in contravention of relevant legislation.
  • Include procedures for actions requiring senior manager approval or information, such as commencing a designated service for a foreign politically exposed person.
  • If the reporting entity is not an individual, address informing the governing body sufficiently about ML/TF and proliferation financing risks to enable it to fulfil its responsibilities.
  • Designate an AML CTF compliance officer for the entity.
  • Ensure the governing body receives regular reports from the AML CTF compliance officer (at least every 12 months) about the entity’s compliance with its AML CTF policies, the effectiveness of these policies in managing ML/TF/proliferation financing risks, and overall compliance with the Act, regulations, and AML CTF Rules.
  • Designate one or more senior managers responsible for approving the AML CTF policies and the ML/TF risk assessment.
  • Undertake due diligence on personnel (employees or engaged persons) performing relevant functions. This includes assessing their skills, knowledge, expertise, diligence, and integrity both before and during their employment/engagement.
  • Provide training to relevant personnel on ML/TF and proliferation financing risks, and the entity’s obligations under the Act, regulations, and AML CTF Rules. This training must be both initial and ongoing, appropriate to the person’s function and risks, and readily understandable.
  • Independently evaluate the AML CTF program, including specifying the frequency (at least once every three years). These evaluations must assess the ML/TF risk assessment steps, the design of AML CTF policies, compliance with these policies, the effectiveness of risk management, and result in a written report delivered to the governing body and relevant senior managers. Policies must also outline how the entity will respond to these reports.
  • Establish safeguards to prevent “tipping off” (contraventions of subsection 123(1) of the Act) by the reporting entity or its personnel, including ensuring confidentiality and appropriate use of internally disclosed information.
  • Ensure reported information is complete, accurate, and free from unauthorised change for reports
  • Assess potential suspicious matters by enabling timely review of relevant material and ensuring prompt determination of whether a suspicion exists as per section 41(1) of the Act.

If a reporting entity is the lead entity of a reporting group, further items must be included.
