Your Practice Needs an AML/CTF Program by July 1. Here's What That Actually Looks Like.

A small accounting practice came to us recently. A handful of staff, a mix of individual tax, company and trust work, SMSF establishments and some corporate secretarial services. They’d been aware of the AML/CTF reforms coming on 1 July 2026 but hadn’t had time to act on them; tax season doesn’t leave much room for compliance projects.

Three days later they had a finalised, seven-document compliance pack: 119 pages covering risk assessment, policy, process document, customer due diligence forms, implementation checklist, assumptions register and a compliance traceability matrix mapping every AUSTRAC obligation to where it’s addressed in their documents. Every assumption confirmed by the directors. Ready for implementation.

What most practices don’t realise yet

From 1 July 2026, accountants who provide certain services become “reporting entities” under the AML/CTF Act. Not all accountants; not all services. But if you help clients create companies or trusts, provide corporate secretarial services, assist with SMSF establishment, or let clients use your office as their registered address, you’re in scope.

The obligations aren’t theoretical. You need a written AML/CTF program that includes a risk assessment, a compliance policy, documented procedures for customer due diligence, ongoing monitoring, and suspicious matter reporting. You need to appoint an AML/CTF Compliance Officer. You need to keep records for seven years. And within three years (subject to transitional rules) you need an independent evaluation of the whole program.

Most small practices we’ve spoken to fall into one of three camps: they haven’t heard of it, they’ve heard of it but assume it’s a tick-box exercise, or they’ve looked at the AUSTRAC guidance and don’t know where to start.

None of those positions are comfortable with the deadline less than three months away.

How we build a program

The traditional consulting approach to compliance is: interview the client, write a questionnaire, wait for answers, draft documents, send for review, revise, repeat. For a small practice, that process takes weeks and costs accordingly.

We use a different model. Instead of starting with questions, we start with assumptions.

Step 1: We research the practice. We review the firm’s website, ASIC registrations, service offerings and public profile. From that we build a detailed set of assumptions about the practice’s structure, designated services, client base, risk profile and operational model. For the practice we built for, that was 31 assumptions covering everything from which Table 6 services they provide to what screening software they use.

Step 2: We build the full program. Using those assumptions as the foundation, we construct all seven compliance documents: risk assessment, policy, processes, forms, implementation plan, compliance matrix and the assumptions register itself. Every document is tailored to the practice’s specific profile. Every AUSTRAC obligation is mapped and addressed. This is the bulk of the work, and it happens entirely on our side.

Step 3: The client reviews the assumptions. The firm receives the complete pack with the assumptions register at the front. Their job is straightforward: read through the assumptions, mark each one as confirmed, amended or removed. Where something’s wrong, they tell us what’s different. The directors reviewed the pack over a couple of hours, workshopped the assumptions between themselves, and sent back their amendments.

Step 4: We update and finalise. Amendments flow through all seven documents. The updated pack is re-verified for internal consistency and re-issued. For that engagement, turnaround was same day.

This inverts the usual process. Instead of the client trying to answer abstract compliance questions (“What is your risk appetite for customer due diligence?”), they’re reviewing concrete statements about their own practice (“The practice uses Annature for identity verification, sanctions screening and PEP screening”). That’s a fundamentally different conversation; faster, more accurate, and less dependent on the client understanding AML/CTF jargon.

What the output looks like

The compliance pack we deliver contains seven documents, each serving a specific purpose:

Compliance Traceability Matrix. Maps every AUSTRAC obligation to where it’s addressed in the program. This is the document the independent evaluator will use in three years to confirm you’ve covered everything.

Assumptions Register. The foundation layer. Every factual assumption about the practice, confirmed by the client. When legislation changes or the practice evolves, this is what gets updated first; the downstream documents follow.

Business-Wide Risk Assessment. Identifies ML/TF/PF risks across five dimensions: customer, service/product, delivery channel, country and new technology. Each risk is rated with existing controls and residual risk scores.

AML/CTF Compliance Policy. The governing document. Roles, responsibilities, risk appetite, CDD thresholds, reporting obligations, record retention, training requirements and independent evaluation schedule.

AML/CTF Process Document. The operational playbook. Step-by-step procedures for onboarding, customer due diligence (standard, simplified and enhanced), sanctions and PEP screening, ongoing monitoring, suspicious matter reporting and annual reviews.

Customer Due Diligence Forms. Ready-to-use forms for individuals, companies, trusts and SMSFs. These supplement (not replace) the practice’s existing client onboarding process.

Implementation Checklist. Phased rollout plan: what to do before 1 July, what to do in the first 90 days, and what to schedule for ongoing compliance.

Every document cross-references the others. The policy says what you’ll do; the process says how you’ll do it; the forms capture the evidence; the checklist tells you when to do it; and the matrix proves you haven’t missed anything.

What this is and what it isn’t

This is compliance program development. We build the documents, structure the risk assessment, map the obligations and produce the operational procedures. The client reviews, confirms and adopts the program as their own.

This is not legal advice. We don’t interpret the law for specific client situations. We don’t tell you whether a particular transaction triggers a suspicious matter report. We don’t make judgement calls about individual client risk ratings. Those decisions belong to the practice’s AML/CTF Compliance Officer; our documents give them the framework and decision criteria to make them.

The source material is entirely public: the AML/CTF Act 2006 (as amended 2024), the AML/CTF Rules 2025, AUSTRAC’s published reform guidance and sector-specific starter kits, national risk assessments and FATF publications. We structure and apply that material to the practice’s specific profile. The expertise is in the architecture, not the interpretation.

AUSTRAC has been explicit that reporting entities are expected to build their own programs. The starter kits and step-by-step guidance exist for exactly this reason. What we bring is speed, structure and consistency; we don’t replace the practice’s own accountability for their compliance obligations.

For more on the spectrum of data handling and privacy considerations when using AI tools in professional services, see What Happens to Your Data When You Press ‘Send’ on an AI Tool.

Timeline and cost

The traditional route is a compliance consultant. For a large firm with complex international operations, that makes sense. But for a small-to-medium practice doing domestic company and trust work, the engagement can cost $15,000 to $30,000 and take months to deliver. That’s a hard sell when you’re trying to run a practice at the same time.

Our engagements start at $1,200 and range up to $2,000 depending on complexity. The main cost driver isn’t firm size; it’s how much discovery is required. A practice with a current website and clearly defined services is straightforward for us to research and build assumptions for. A practice with an outdated web presence, complex or unusual service lines, or assumptions that need multiple rounds of revision takes more time on our side and is priced accordingly.

For practices with a clear online profile and directors who are comfortable with the assumption-based review process, we’ve delivered finalised programs within three days. The firm’s time commitment is typically two to four hours: reading the pack, reviewing the assumptions with their co-directors, and sending through amendments. The heavy lifting happens on our side before the client sees anything.

For practices already using tools like Annature, Xero or similar platforms, the program documents reference your existing technology stack. We don’t ask you to buy new software; we build around what you already have.

What comes next

The initial program build is the foundation. But AML/CTF compliance isn’t a one-off exercise. The Act requires ongoing monitoring, periodic reviews and an independent evaluation within three years (subject to transitional rules). When the legislation is updated or AUSTRAC issues new guidance, the program needs to reflect those changes.

Because the entire program is built on the assumptions register, updates are efficient. A change in staff, a new service line or a shift in client base means updating the relevant assumptions and flowing the changes through the documents. The architecture supports that without starting from scratch.

We’re currently offering this service to accounting practices across Australia. Real estate agents and settlement agents (conveyancers) face the same 1 July deadline under the same Tranche 2 reforms; sector-specific programs for those industries are in development.

If your practice needs an AML/CTF program and you’re not sure where to start, get in touch. The conversation takes fifteen minutes. The assumptions register tells you exactly where you stand.

For a broader look at how we approach AI-assisted professional services, see What a Good AI Audit Actually Delivers.