If it is the last week of June and you have not started, the worst thing you can do is decide it is too late and do nothing. It is not too late, and "nothing" is the only outcome AUSTRAC has no patience for. The reformed regime starts on 1 July 2026, but it does not demand a perfect compliance function on day one. It demands that you have genuinely started and that you can show it.
So before the panic sets in, get two dates straight, because most of the last-week confusion comes from blurring them.
1 July 2026 is when your obligations begin. From that day, if you provide a designated service, you are expected to have an AML/CTF program in place and to apply it: customer due diligence, screening, monitoring, record keeping, and reporting when it is triggered. Enrolment and registration on AUSTRAC's Reporting Entities Roll is a separate deadline, 29 July 2026. (The enrolment timeline, in plain terms) You do not have to be fully registered by 1 July, but you do have to be operating from 1 July. Knowing that takes the false deadline pressure off the wrong task and puts it on the right one.
Here is the order to work in. It is sequenced so that if you run out of time, you have done the highest-value things first.
Step 1: Confirm you are actually in scope (10 minutes)
Do not spend a week building a program for a service you do not provide. The reforms capture specific designated services across real estate, legal, accounting, and dealers in precious metals and stones, and the line is about what you do, not what your business card says. Check it before anything else. Our free compliance check tells you in about two minutes whether you are in scope and for which services, with no login. If you are out of scope, you can stop here. If you are in, you now know exactly what the program has to cover.
Step 2: Generate the program itself (the same day)
The program is the foundation everything else sits on, so it goes first among the real work. Building one from a blank document means reading the AUSTRAC reforms guidance, translating it into a risk assessment, then writing policies and procedures that match your firm. That is a multi-week job done by hand. Generating one from your business profile is a same-day job. Either way, what you need by 1 July is a single, risk-based AML/CTF program that reflects your actual services and clients. (What "a program in place" actually requires) Do not let this step expand to fill the whole week. A solid first version you can operate beats a perfect one that is still in draft on 1 July.
Step 3: Name your compliance officer (15 minutes)
Every program runs through a nominated AML/CTF compliance officer. In a small firm this is almost always the owner or a principal, and the only real requirement is that a named person genuinely owns it: they review flags, make the report-or-not call, keep training current, and are AUSTRAC's point of contact. (What the compliance officer is responsible for) Write the name into the program. This is fast, and an auditor looks for it early.
Step 4: Set the one process you will run every time (1 hour)
If you do nothing else operationally, get customer due diligence right, because it is the step you perform on every new client and the first thing tested. Decide, in writing, the steps you take before you provide a designated service: identify and verify the customer, identify beneficial owners for companies and trusts, screen against sanctions and politically-exposed-person lists, assign a risk rating, and step up to enhanced checks when a trigger applies. (A practical CDD checklist) The discipline that matters is consistency: the same steps, every client, recorded the same way. A process you apply to nine clients out of ten is a finding waiting to happen.
Step 5: Brief your staff (20 minutes)
Your front-line people are the ones who will actually spot the odd transaction or the client who will not explain a source of funds. They cannot flag what they have not been told to look for. You do not need a formal course this week. You need a short, recorded briefing: here is what we now have to do, here is what a red flag looks like, here is who you tell. (What staff training has to cover) Record that you did it. Training you delivered but never documented is, for compliance purposes, training that did not happen.
Step 6: Know your reporting paths before you need them (30 minutes)
You hope to use these rarely, but the program has to make them automatic. Two reports matter. A suspicious matter report is lodged when a staff member forms a suspicion on reasonable grounds, escalated to the compliance officer and filed with AUSTRAC within the statutory window (24 hours for terrorism-related matters, 3 business days otherwise), and you must not tip the customer off. (SMR and TTR reporting, step by step) A threshold transaction report covers any cash transaction of $10,000 or more, filed within 10 business days. You do not need to file anything this week. You need a clear path, known in advance, from a staff member's desk to a lodged report.
What "started in good faith" actually buys you
AUSTRAC has signalled that its day-one posture is about genuine effort, not perfection, for firms that have engaged with the regime. (What AUSTRAC expects if you are not fully ready) That is not a loophole, and it is not an excuse to coast. It means a firm that is mid-setup, with a program in place, a compliance officer named, CDD being applied, and a documented intent to finish, is in a categorically different position from a firm that ignored the date. The difference is evidence. Everything in this plan produces a record, and the record is what demonstrates you started in good faith.
If you are a sole trader wondering whether any of this is proportionate to a one-person practice, it is, and it scales down: the same obligations apply, just to a smaller client base. (How the obligations work for sole traders)
Where AML Mate fits
This whole plan is what AML Mate is built to compress into the week you have. The free compliance check confirms scope in two minutes with no login. Inside, generating your program is a guided, same-day task, and it comes with the operating layer already wired in: client onboarding with CDD and beneficial-ownership capture, PEP and sanctions screening, transaction monitoring against your red flags, SMR and TTR lodgement, training records, and seven-year record keeping, all under one named compliance officer and audit-ready. Start a 14-day free trial, cancel anytime, and use the days you have left to get the program built and running rather than spending them reading guidance. Seven days is enough to be operating in good faith. It is not enough to start on 30 June.