Fifteen days out, the most common feeling inside a newly regulated firm is not confusion about the rules. It is dread about the finish line. Somewhere in the last few months "we need an AML/CTF program by 1 July" quietly became "we need a perfect, finished, audit-proof program by 1 July," and that version of the deadline is paralysing — because no small firm can build a flawless compliance regime from scratch in two weeks.
The good news is that the paralysing version is not the version the Act asks for. The obligation on 1 July 2026 is that your AML/CTF program is in place. That is a real bar, and it is non-negotiable, but it is narrower and far more achievable than "perfect." It is worth being precise about what it means, because the gap between "in place" and "perfect" is exactly the room you have to work in for the next fifteen days.
Two Dates, Not One
The first thing that lifts some of the pressure is separating the two deadlines that get collapsed into "1 July."
Your AML/CTF program — the document and the practices behind it — must be in place from 1 July 2026, the day your designated services become regulated. That date does not move.
Your enrolment with AUSTRAC, by contrast, is due by 29 July 2026. Newly regulated businesses get a 28-day window after the start date to get onto the Reporting Entities Roll. (When AUSTRAC enrolment opens and closes)
So the honest sequence is: have a working program on 1 July, then enrol within the month. Firms that have been treating enrolment as the 1 July task, and the program as something to sort out afterwards, have it backwards.
What "In Place" Actually Requires
Under the reformed Act, the prescriptive split between Part A and Part B is gone. You are no longer assembling two named parts; you are building a single, outcomes-focused, risk-based AML/CTF program that you can structure however suits your business, as long as it meets the requirements of the Act. (AUSTRAC, about the reforms)
Strip that back to what genuinely has to exist on the day, and it is three things.
A risk assessment covering money laundering, terrorism financing and proliferation financing. This is the foundation, not the paperwork. You identify and assess your ML, TF and PF risks across your services, your customers, the channels you deal through, and the jurisdictions you touch. Proliferation financing is the piece most newcomers have never had to think about, so it is the one to check is actually there.
Policies and procedures that respond to the risks you found. The risk assessment says where the risk is; the policies say what you do about it — how you carry out customer due diligence, when you escalate, who is responsible, and how each reporting obligation is met. The Act expects the policies to flow from the assessment, not to sit beside it as generic boilerplate. (What a full Part A–F program covers in practice)
A nominated AML/CTF compliance officer. A named, fit-and-proper person responsible for the program. For most small practices this is the owner or a senior principal.
That is the spine of an "in place" program. It does not have to be long. It has to be real, it has to be yours, and it has to match what your firm actually does.
What You Are Not Graded On — Yet
Panic is as expensive as complacency, and it leads firms to burn their last two weeks gold-plating things that were never due on 1 July.
You are not graded on perfection. A program built on a genuine risk assessment that you are following is compliant even if it is plainly a first version. AUSTRAC has been consistent that it expects a risk-based, proportionate effort from a small firm, not the regime a major bank runs.
You are not required to switch reporting forms on day one. Suspicious matter and threshold transaction reports can stay on the current forms well past 1 July; the new fields are coming, but they are not a 1 July obligation. (How SMR and TTR reporting works today)
And you are not expected to have re-papered every client file. Initial customer due diligence has a transition runway — you do not have to re-onboard your entire book in the next fifteen days. (Existing entities have their own 1 July cliff — and a three-year CDD runway)
The one thing in that list that cannot wait is the program itself. The reporting-form choice and the CDD rebuild have time. The risk assessment, the policies and the compliance officer do not.
The Trap: Building For The Firm Next Door
There is one place where "in place" genuinely depends on more than your own four walls, and it is worth naming because it is where over-engineering tips into building the wrong thing entirely.
If your firm sits in a chain — a property transaction that passes through a real estate agent, a conveyancer, a solicitor and an accountant — the question of whose customer due diligence is the CDD of record is a reliance question, and reliance is by definition about the firm next door. (Why four professions had to meet AUSTRAC in one room) You do not need to resolve every reliance arrangement perfectly by 1 July. You do need your program to state your default position — whether you intend to rely, or to do your own CDD — so that the program reflects a real decision rather than an open question.
What To Do In The Fifteen Days That Are Left
The work between now and 1 July is not a build from zero. It is getting the spine standing.
First, write the risk assessment for the services you actually provide, and make sure it names money laundering, terrorism financing and proliferation financing. If PF is missing, that is the first gap to close.
Second, make sure your policies map to that assessment — CDD, escalation, reporting, record-keeping — and read as one risk-based program, not two relabelled old parts.
Third, name your compliance officer in writing, and set your default reliance position for the chains your firm sits in.
Fourth, diarise enrolment for the 28-day window that opens on 1 July, so the program work and the enrolment do not collide. (AUSTRAC enrolment, step by step)
Do those four and you have a program that is genuinely in place — a defensible first version you can refine, not a perfect artefact you never finished.
Where AML Mate Fits
This is exactly the gap AML Mate was built to close in the time that is left. It generates a single risk-based AML/CTF program for your firm — an ML, TF and PF risk assessment, policies mapped to your designated services, and a named compliance officer structure — from a short guided setup, so the spine is standing today rather than in a fortnight. Start a 14-day free trial — no credit card — to generate your program and see the real shape of what "in place" means for your firm, then decide what to refine before 1 July. If you only want to know where your gaps are first, the free compliance check reads them in a couple of minutes, no login required.