
Six Days to 1 July: The Evidence Trail That Turns Good Faith Into Proof

AUSTRAC does not knock on your door on 1 July 2026. The day that matters comes later, when someone asks what you did, and by then the answer is whatever you wrote down. Good faith only counts if it left a trail. Here is the minimum evidence set a small firm should be able to produce: the records each obligation is supposed to leave behind, why a decision not to report still has to be documented, and how to make sure the work you do this week actually shows.

2026-06-25 · AML Mate Team
Nobody knocks on your door on 1 July 2026. There is no inspection that morning, no certificate that arrives in the post. The reformed regime starts quietly, and for most small firms the day the obligations begin will feel like any other day. That is exactly why it is easy to misjudge.

The day that actually matters comes later. It is the day a client complaint, a sector-wide review, a follow-up on a report, or a routine query puts the question to you: what did you do? And by then, the answer is not what you remember or what you intended. It is whatever you wrote down. (What AUSTRAC expects if you are not fully ready)

This is the part of "good faith" that gets lost in the rush to the deadline. Good faith is not a state of mind AUSTRAC can read. It is a trail. A firm that genuinely engaged with the regime and a firm that did nothing can both say they tried. Only one can show it. So with six days to go, it is worth shifting the question from "what do I have to do" to "what will I be able to produce." Here is the minimum evidence set, obligation by obligation.

The program, and the risk assessment underneath it

The first thing anyone reviewing your firm looks for is the AML/CTF program itself: a single, risk-based document that reflects your actual services and clients. (What "a program in place" actually requires) But the program is only as defensible as the risk assessment it sits on. A generic template that could belong to any firm in your sector is a weak record. One that names your real risks, the kinds of clients you take on, the services you provide, the channels you deal through, the jurisdictions you touch, is a strong one. (How to build a risk assessment that holds up) The evidence is not just that a program exists. It is that you thought about your own business and wrote down what you concluded.

Customer due diligence, per client

This is the record an auditor reaches for second, because it is the obligation you perform most often. For every new client, before you provide a designated service, you should be able to show: who they are and how you verified it, the beneficial owners where the client is a company or trust, the screening you ran, the risk rating you assigned, and any enhanced steps a trigger called for. (A practical CDD checklist) The discipline that turns this into evidence is sameness. The same steps, every client, recorded the same way. A CDD process you applied carefully to nine clients and skipped on the tenth is not nine good records. It is one finding.

Screening, with a date and an outcome

A screening result is only evidence if it is timestamped and resolved. "We screen clients" is a claim. "We screened this person against sanctions and politically-exposed-person lists on this date, here is what came back, and here is what we did about a possible match" is a record. Because the lists change, the date matters as much as the result, and higher-risk clients need re-screening on a schedule rather than once at onboarding. (How screening, CDD and records fit together)

The compliance officer, named in writing

Every program runs through a nominated AML/CTF compliance officer, and this is one of the fastest pieces of evidence to get right and one of the first an auditor checks. In a small firm it is usually the owner or a principal. What has to exist on paper is a named person who genuinely owns the role: reviews flags, makes the report-or-not call, keeps training current, and is AUSTRAC's contact. (What the compliance officer is responsible for) Write the name into the program. An empty title is a gap that shows immediately.

Training, as a record and not a memory

You may well have briefed your staff. The question is whether you can prove it. A training record is a short note of who was trained, when, and on what: what the firm now has to do, what a red flag looks like, and who to tell. (What staff training has to cover) Training you delivered but never documented is, for compliance purposes, training that did not happen. Twenty minutes of briefing plus one line recording it is worth far more than an hour you cannot evidence.

Monitoring, and the decision log

Transaction monitoring leaves two kinds of evidence. The first is that you defined what you watch for: the red flags in your program, the indicators that fit your business. The second, and the one firms forget, is the decision log. When a flag was raised and you looked into it, the outcome belongs in writing, including when the decision was not to report. A documented "we reviewed this, here is why it was not suspicious" is a strong record. A flag that was raised and then vanished with no note is the worst kind of gap, because it looks like you saw something and ignored it. (How to run the program day to day)

The reports themselves, and the reasoning behind them

You hope to use these rarely, but when you do, both the report and the thinking are evidence. A suspicious matter report is lodged when a staff member forms a suspicion on reasonable grounds, escalated to the compliance officer and filed with AUSTRAC within the statutory window (24 hours for terrorism-related matters, 3 business days otherwise), and the customer must not be tipped off. A threshold transaction report covers any cash transaction of $10,000 or more, filed within 10 business days. (SMR and TTR reporting, step by step) Keep the lodged report, and keep the short record of why you reached the decision you did.

Seven years, in one place

All of the above is retained for seven years: identity and verification records, screening results, your risk assessment, monitoring decisions, training notes, and the reasoning behind any report or non-report. The retention rule is what makes the difference between a trail and a pile. Records scattered across email, a shared drive, and someone's memory are technically kept and practically unfindable. The test is simple: if the question came next month, could you produce the relevant file in minutes rather than days?

What the trail actually buys you

This is the same point the last-week plan lands on, seen from the other side. AUSTRAC's day-one posture is about genuine effort for firms that engaged, not perfection. That posture only helps you if your effort is visible. A firm mid-setup with a program in place, CDD being applied, a named compliance officer, and a record of all of it is in a categorically different position from one that did the same work but kept none of it, and both are miles ahead of a firm that did nothing. The work and the record are not two separate jobs. The record is how the work counts.

Where AML Mate fits

AML Mate is built so the trail forms as a by-product of doing the work, not as extra paperwork afterwards. Your generated program carries a risk assessment tied to your business profile, and the operating layer logs as it goes: client onboarding with CDD and beneficial-ownership capture, dated PEP and sanctions screening, monitoring against your red flags, SMR and TTR lodgement, training records, and seven-year record keeping, all under one named compliance officer and audit-ready in one place. Not sure you are even in scope? The free compliance check tells you in two minutes, no login. Then start a 14-day free trial, cancel anytime, and use the six days you have left to build a program that records itself. On 1 July nobody asks to see your trail. The point is to have one for the day they do.


This article is based on AUSTRAC's publicly available guidance. It does not constitute legal or compliance advice. Consult a licensed compliance professional for complex situations.