The AML/CTF programme under the 2025 Rules
What an AML/CTF programme has to contain under the new Rules, and why most online templates are out of date.
In short
Under the AML/CTF Rules 2025 the Part A / Part B split is gone. Your programme is now an integrated set of documents covering one ML/TF risk assessment (four mandatory categories) plus AML/CTF policies. You choose the structure; AUSTRAC says organise it in whatever way meets your needs, provided every required element is in there and the governing body has approved it.
Until 2025, the AML/CTF programme had a fixed shape. Part A managed ML/TF risk. Part B set out customer due diligence. Almost every off-the-shelf template, training pack and consultant deliverable still follows that structure.
The Part A / Part B split has been abolished.
Under the AML/CTF Amendment Act 2024 and the AML/CTF Rules 2025, the programme is an integrated set of documents. AUSTRAC's position is plain: organise the programme in whatever way meets your needs, as long as every required element is there and the governing body has approved it. The content has not been reduced. The shape is your choice.
The Act now requires two core components:
- A ML/TF risk assessment (s 26C) — which under the 2024 reforms also covers proliferation financing (PF), so substantively it's an ML/TF/PF risk assessment even though the colloquial name keeps "ML/TF"
- AML/CTF policies that address that risk (s 26D)
The risk assessment must cover four mandatory categories (s 26C):
- Kinds of customers — individuals, companies, trusts, foreign buyers, PEPs, the mix you actually see
- Kinds of designated services — the Table 5, Item 1 services you provide as a buyer's or seller's agent
- Delivery channels — face-to-face, online, via intermediaries
- Foreign jurisdictions — countries your customers, counterparties or funds connect to
Each category is assessed for ML/TF and proliferation-financing risk. The programme then describes the systems and controls that address what the assessment found. AUSTRAC's position is that where PF risk is low and the same controls address it, you don't need a separate counter-PF policy — but you do need to have considered PF in the scoring.
Beyond the risk assessment and matched policies, the programme must also document:
- Governance — appointment of the AML/CTF Compliance Officer (ss 26J–26M), reporting lines, escalation paths
- Initial customer due diligence and ongoing CDD
- Enhanced customer due diligence triggers and procedures (s 32; Rules s 6-20)
- Suspicious matter and threshold transaction reporting procedures (ss 41, 43)
- Record-keeping arrangements
- Staff training and screening
- Independent evaluation schedule and scope (at least every three years)
The programme must be approved by the governing body of the reporting entity — board of directors for a company, or the principal/director for a sole-director entity. AUSTRAC inspectors will not accept a generic template. The programme has to reflect your agency's risk profile, customer base and operations.
The size and complexity of your agency determine how detailed the programme has to be, but every reporting entity needs one that is current, governing-body-approved and demonstrably operational by 1 July 2026.
What to do next. Check that any template you have been offered references the AML/CTF Rules 2025 (F2025L01026) and the four mandatory risk categories at s 26C. If it still has Part A and Part B headings, it is stale and will need to be rebuilt before commencement.
Frequently asked questions
- Is Part A and Part B still a thing?
- No. The AML/CTF Amendment Act 2024 and Rules 2025 abolished the Part A / Part B structure. Any template still using those headings is stale.
- What are the four mandatory risk categories?
- Kinds of customers, kinds of designated services, delivery channels, and foreign jurisdictions. Section 26C of the Act sets them out.
- Who has to approve the programme?
- The governing body of the reporting entity — the board for a company, or the principal/director for a sole-director entity. Approval has to be on the record.