Caltury Resource

AML/CTF Tranche 2 Compliance Checklist

For independent Australian real estate agencies, conveyancers, accountants and small law firms. Tranche 2 commences 1 July 2026.

1. AUSTRAC enrolment

  • Confirm your business provides a 'designated service' under the AML/CTF Act 2006
  • Create an AUSTRAC Online account using a director or principal email
  • Submit the enrolment form (Reporting Entity Enrolment) and receive your AUSTRAC RE number
  • Record the RE number in a dedicated AML/CTF folder for staff reference
  • Diary your annual Compliance Report due date (July of the year following enrolment)

2. AML/CTF Program — Part A (general)

  • Conduct an ML/TF risk assessment specific to your customers, services, channels and geographies
  • Document the risk assessment in writing, dated, with risk levels (low / medium / high) per category
  • Senior management formally approves the Program in writing (minutes or signed memo)
  • Appoint a named AML/CTF Compliance Officer (must be a real individual, not a role)
  • Establish an Employee Due Diligence procedure for any staff with customer contact
  • Schedule the first Independent Review for 12-24 months after enrolment
  • Document the staff training program (initial + annual refresh, role-specific)

3. AML/CTF Program — Part B (customer due diligence)

  • Customer identification (KYC) procedure for individuals (full name, date of birth, residential address verification)
  • Customer identification procedure for companies (ABN/ACN, registered office, directors)
  • Beneficial-owner identification for company customers (25%+ ownership or control)
  • Trustee, settlor and beneficiary identification for trust customers
  • PEP (politically exposed person) screening procedure documented
  • Sanctions list screening against DFAT, UN, OFAC and EU lists at a minimum
  • Enhanced due diligence procedure for high-risk customers (sources of funds, structure questions)
  • Ongoing customer due diligence cadence by risk tier (low: annual, medium: quarterly, high: monthly minimum)
  • Trigger events that force re-verification (change in beneficial ownership, suspicious activity, jurisdiction change)

4. Record-keeping

  • Customer identification records retained for 7 years after end of customer relationship
  • Transaction records retained for 7 years after the transaction date
  • AML/CTF Program documents retained for 7 years after the version is replaced
  • Suspicious matter records retained for 7 years after the report (regardless of customer relationship)
  • Storage location documented (cloud provider, region, encryption at rest)
  • Backup process documented with restoration test cadence
  • Access control: who in your firm can view, edit and export AML records

5. Reporting obligations

  • Suspicious Matter Report (SMR) lodged within 3 business days of forming a suspicion (24 hours for terrorism financing)
  • Threshold Transaction Report (TTR) lodged within 10 business days for cash transactions of A$10,000 or more
  • International Funds Transfer Instruction (IFTI) report lodged within 10 business days for cross-border instructions
  • Annual Compliance Report (ACR) lodged in AUSTRAC Online in July each year
  • Internal escalation path documented (who reviews a possible SMR before lodgement)
  • Tipping-off procedures clear: no customer notification of SMR lodgement

6. Technology and systems

  • Customer database with structured fields for KYC data (not free-text in a Word doc)
  • Document storage with retention-period enforcement (auto-purge after 7 years if appropriate)
  • Sanctions screening capability (manual lookup at a minimum; automated screening against a real list provider preferred)
  • Audit trail: every risk decision and KYC verification is timestamped and attributable to a staff member
  • Reporting workflow (manual lodgement via AUSTRAC Online at a minimum; system-generated drafts preferred)

7. Staff and governance

  • All staff with customer contact have completed initial AML/CTF training (record the date and content)
  • Annual training refresh scheduled and tracked per staff member
  • Compliance Officer has completed training pitched at their oversight role (not the same as front-line staff)
  • Senior management briefed on AML/CTF risks at least annually (board paper or principal sign-off)
  • Whistleblower or internal tip-off procedure documented for staff who spot suspicious activity

8. Going live

  • Run a test KYC end-to-end with a friendly first customer before 1 July 2026
  • Confirm the first lodgement workflow if any reported events trigger before or at go-live (SMR, TTR or IFTI)
  • Schedule the first internal AML/CTF Program review for 6 months post go-live
  • Add 1 July 2026 to the calendar as your AUSTRAC commencement date