Most of the conversation about 1 July 2026 stops at the program document. Get the program written, the thinking goes, and you're compliant. You're not. A written program that nobody follows is the single most common way a firm with good intentions still ends up in breach.
The reformed Act is built around a single, risk-based AML/CTF program that you implement and maintain — not one you produce once and file away. (AUSTRAC, about the reforms) So the question that actually matters from 1 July is operational: what does running the program look like in an ordinary week at a small firm? It is less work than people fear, because it splits cleanly into three rhythms.
Rhythm 1: On every new client engagement
This is the part you do by hand, every time, before you provide a designated service. It is the core of the regime and the thing an auditor will look at first.
Identify and verify the customer. Collect and verify identity using your Applicable Customer Identification Procedure, on a risk basis. For an individual that is typically government photo ID; for a company or trust it also means identifying the beneficial owners — the people who ultimately own or control the entity. (What beneficial ownership verification involves)
Screen them. Check the customer (and beneficial owners) against sanctions and politically-exposed-person lists. A hit doesn't automatically end the relationship, but it does trigger a closer look.
Rate the risk and decide. Assign a risk rating, and where any enhanced-due-diligence trigger applies — a PEP, a high-risk jurisdiction, an opaque structure, funds you can't explain — step up: verify source of funds and wealth, get senior sign-off, and document why you proceeded. (Source of funds vs source of wealth, explained)
The discipline that matters here is consistency. The same steps, every client, recorded the same way. A CDD process you apply to nine clients out of ten is a finding waiting to happen. (A practical CDD checklist)
Rhythm 2: In the background, continuously
These run quietly between engagements. They are where most firms under-invest, and where AUSTRAC's recent enforcement has concentrated.
Ongoing customer due diligence. Keep customer information current and watch for activity that doesn't fit the customer's profile. A long-standing client whose transactions suddenly change shape is exactly what ongoing CDD is meant to catch.
Transaction monitoring. Monitor the transactions connected to your designated services against the red flags in your program — unusual cash, third-party payments with no clear reason, structuring to stay under thresholds, links to high-risk jurisdictions. You don't need a bank's surveillance system; you need a defined set of indicators, someone responsible for reviewing flags, and a log that shows you did.
Re-screening. Sanctions and PEP lists change. Customers need to be re-screened periodically — higher-risk ones more often — not just once at onboarding.
Record keeping. Every step above is retained for seven years: identity and verification records, transaction records, your risk assessments, and the reasoning behind any decision to report or not report. If it isn't written down, for compliance purposes it didn't happen. (How client management, screening and records fit together)
Rhythm 3: Only when something is off
You hope to use these rarely, but the program has to make them automatic when the moment comes.
Suspicious matter reports (SMRs). When a staff member forms a suspicion on reasonable grounds that a matter may involve money laundering, terrorism financing, proliferation financing or another serious offence, it is escalated to the compliance officer, assessed, and — if warranted — lodged with AUSTRAC within the statutory timeframe (24 hours for terrorism-related, 3 business days otherwise). Crucially, you must not tip the customer off that a report has been or may be made. (SMR and TTR reporting, step by step) · (The tipping-off rules)
Threshold transaction reports (TTRs). Any cash transaction of $10,000 or more is reported within 10 business days. Watch for structuring designed to stay just under the line.
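The "defined set of indicators, someone responsible for reviewing flags, and a log" from Rhythm 2, applied to the $10,000 threshold and the structuring pattern described here, as an added example that is not part of the original post and not AML Mate's code. The ledger is constructed; the 7-day window and minimum count are assumed program parameters, and the due-date helper skips weekends only, not public holidays.

```python
from collections import defaultdict
from datetime import date, timedelta

TTR_THRESHOLD = 10_000          # cash at or above this amount is a threshold transaction
TTR_DUE_BUSINESS_DAYS = 10      # lodgement deadline stated on the page
STRUCTURING_WINDOW_DAYS = 7     # assumed program parameter, not from the page
STRUCTURING_MIN_COUNT = 2       # assumed program parameter, not from the page

# Constructed sample ledger: (customer_id, transaction date, amount, is_cash)
TRANSACTIONS = [
    ("C001", date(2026, 7, 2), 12_500.00, True),   # single cash deposit over the threshold
    ("C002", date(2026, 7, 3), 9_800.00, True),    # three near-threshold cash deposits in 5 days
    ("C002", date(2026, 7, 6), 9_500.00, True),
    ("C002", date(2026, 7, 8), 9_900.00, True),
    ("C003", date(2026, 7, 7), 25_000.00, False),  # non-cash transfer: outside the TTR rule
]

def add_business_days(start, n):
    """Date n weekdays after start (public holidays ignored in this example)."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day

def ttr_flags(transactions):
    """Cash transactions at or above the threshold, each with its lodgement due date."""
    return [{"customer": c, "date": d, "amount": a, "reason": "TTR",
             "lodge_by": add_business_days(d, TTR_DUE_BUSINESS_DAYS)}
            for c, d, a, cash in transactions if cash and a >= TTR_THRESHOLD]

def structuring_flags(transactions):
    """Customers whose sub-threshold cash transactions inside the window add up to
    the threshold or more: queued for compliance-officer review, not auto-reported."""
    by_customer = defaultdict(list)
    for c, d, a, cash in transactions:
        if cash and a < TTR_THRESHOLD:
            by_customer[c].append((d, a))
    flags = []
    for c, txns in by_customer.items():
        txns.sort()
        for i, (start, _) in enumerate(txns):
            window = [t for t in txns[i:] if (t[0] - start).days < STRUCTURING_WINDOW_DAYS]
            total = sum(a for _, a in window)
            if len(window) >= STRUCTURING_MIN_COUNT and total >= TTR_THRESHOLD:
                flags.append({"customer": c, "date": start, "amount": total,
                              "reason": "possible structuring", "count": len(window)})
                break  # one review item per customer is enough to trigger the look
    return flags
```

Each returned dict is one line of the review log: the TTR entries carry a lodgement date, while the structuring entries are review items for the compliance officer, whose report-or-not decision is what gets recorded.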
The job of the program is to make sure that when a junior staff member sees something odd, there is a clear, fast path from their desk to a lodged report — and that the decision (including a decision not to report) is documented.
The person who holds it together
Each of these rhythms runs through your nominated AML/CTF compliance officer. From 1 July that role isn't a title on an org chart — it's the person who reviews flags, makes the report-or-not call, keeps training current, and is AUSTRAC's point of contact. In a small firm it is usually the owner or a principal; the obligation is that someone genuinely owns it. (What the compliance officer is actually responsible for) Staff also need training appropriate to their role, so the people doing CDD and spotting red flags know what they're looking for. (Staff training requirements)
What this means with 13 days to go
If you don't yet have a program, generate one now — it's the foundation everything above sits on. (What "an AML/CTF program in place" actually requires) But if you do, spend the remaining time on the part that actually gets tested: make the three rhythms real. Decide who does CDD and how it's recorded. Name the red flags you'll monitor for. Confirm your compliance officer and brief your staff. Set where the records live. None of this requires the program to be perfect — it requires it to be running.
Where AML Mate fits
AML Mate is built for the running, not just the writing. Your generated program comes with the operating layer wired in: client onboarding with CDD and beneficial-ownership capture, PEP and sanctions screening with scheduled re-screening, transaction monitoring against your red flags, SMR/TTR lodgement, training records, and seven-year record keeping — all under one compliance officer, audit-ready. Start a 14-day free trial — no credit card — to generate your program and set up the day-one rhythm before 1 July. Not sure you're even in scope yet? The free compliance check tells you in two minutes, no login required.
