Glossary

AML/CTF Program

Updated 7 May 2026

Quick summary

An AML/CTF program is a documented framework that helps a reporting entity identify, manage and reduce the risk of money laundering and terrorism financing. In Australia, AML/CTF obligations are regulated by AUSTRAC and apply to businesses that provide designated services under the AML/CTF regime.

A strong AML/CTF program is not just a policy document. It should be reflected in customer onboarding, identity verification, transaction monitoring, escalation workflows, reporting and audit evidence.

Definition

AML/CTF stands for Anti-Money Laundering and Counter-Terrorism Financing. An AML/CTF program sets out how a business identifies financial crime risk and applies controls to reduce that risk.

In practical terms, it defines how the business identifies and verifies customers, assesses money laundering and terrorism financing risk, monitors customers and transactions, applies enhanced checks to higher-risk customers, reports suspicious matters where required, trains staff, keeps records and reviews the effectiveness of its controls.

AUSTRAC guidance explains that reporting entities must identify and know their customers, document customer identification procedures and maintain ongoing customer due diligence systems and controls.

Key milestones

  • Risk assessment: identify ML/TF risks across customers, products, services, channels and jurisdictions.
  • Customer identification: define customer identification and verification procedures.
  • Ongoing due diligence: monitor customer behaviour and transactions over time.
  • Enhanced due diligence: apply stronger checks to higher-risk customers or situations.
  • Reporting and records: keep evidence of checks, decisions, escalations and reports.
  • Review: test and improve the program as products, risks and regulations change.

Who it applies to

AML/CTF obligations apply to reporting entities that provide designated services under Australia’s AML/CTF regime. This commonly includes financial and regulated businesses where customer onboarding, payments, funds movement or financial services create financial crime risk.

  • FinTech companies
  • payments and remittance providers
  • banks, lenders and credit providers
  • digital finance and wallet platforms
  • wagering and gaming businesses
  • crypto and digital asset service providers where obligations apply
  • businesses affected by Tranche 2 AML reforms

Key obligations

An AML/CTF program should be risk-based, operational and auditable. It should explain how the business identifies risk, applies controls and proves those controls are working in practice.

Core obligations and controls usually include:

  • customer identification and verification,
  • customer risk assessment,
  • ongoing customer due diligence,
  • transaction monitoring,
  • enhanced due diligence for higher-risk customers,
  • suspicious matter escalation and reporting,
  • staff training,
  • record keeping,
  • independent review,
  • control testing and evidence retention.

Affected sectors

AML/CTF is now a product and engineering issue because many controls are executed through software. A program may look complete on paper but fail in practice if onboarding, identity verification, monitoring, case management or reporting systems are poorly designed.

  • FinTech and payments: onboarding, eKYC, transaction monitoring and reporting workflows.
  • Lending and credit: customer identification, risk scoring and enhanced checks.
  • Digital finance: wallet activity, funds movement, sanctions screening and fraud signals.
  • Wagering and gaming: customer due diligence, behavioural monitoring and escalation.
  • Regulated services: audit trails, evidence retention and compliance reporting.

Implementation roadmap

A practical AML/CTF program should be designed into the operating model and product architecture from the beginning. For digital businesses, this often depends on secure API integrations, reliable data flows, clear access control and well-tested compliance workflows.

  1. Map designated services: identify which products or services create AML/CTF obligations.
  2. Assess ML/TF risk: review customer, product, channel, transaction and jurisdiction risk.
  3. Define controls: set onboarding, eKYC, monitoring, escalation and reporting rules.
  4. Design workflows: connect product flows, compliance review, case management and operations.
  5. Implement evidence capture: log checks, decisions, approvals and exceptions.
  6. Test controls: validate the program with realistic customer and transaction scenarios.
  7. Train teams: make sure operations, support, compliance and product teams understand their roles.
  8. Review regularly: update the program as products, risks and AUSTRAC expectations evolve.

A structured Discovery Sprint can help map the product, data, compliance and engineering work before AML/CTF controls are built or remediated.

Evidence and audit trail

Auditability is critical. A business should be able to prove what happened, what data was used, what decision was made, who reviewed it and when escalation occurred.

A strong AML/CTF evidence model should include:

  • customer identity data used for verification,
  • verification results and data sources,
  • customer risk rating and reason codes,
  • transaction monitoring alerts,
  • case notes and investigation history,
  • approval and escalation records,
  • reports submitted where required,
  • timestamps and user activity logs,
  • control testing results,
  • records of program review and updates.

This connects AML/CTF readiness with information security risk, cyber security, cloud security hardening, and compliance and architecture work.
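The evidence model above is easiest to reason about as an append-only, hash-chained ledger of checks and decisions. The following Python sketch is an added example and is not code from the original page or from Ostride Labs: each entry records what happened, when, who acted, what data sources were relied on, the outcome and reason codes, and is chained to the previous entry so that a later edit to any record is detectable. It also includes a simple four-eyes check that every escalation is followed by a review from a different actor. Event types, field names, reason codes, actor identifiers and the customer reference are all constructed for illustration; the ledger stores a pseudonymous customer reference rather than raw identity data.

```python
import hashlib
import json
from typing import List

# Fields every evidence entry must carry: what happened, when, who acted,
# what data was relied on, what was decided and why (reason codes).
# These names are constructed for this example.
REQUIRED_FIELDS = ("event_type", "timestamp", "actor", "data_sources", "outcome", "reason_codes")

GENESIS_HASH = "0" * 64


def canonical(event: dict) -> bytes:
    """Deterministic JSON encoding so the hash is independent of key order."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(seq: int, prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous record's hash, the sequence number and the event."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(str(seq).encode("ascii"))
    h.update(canonical(event))
    return h.hexdigest()


class EvidenceLedger:
    """Append-only, hash-chained log of AML/CTF checks and decisions."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: dict) -> dict:
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            raise ValueError(f"evidence entry missing fields: {missing}")
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {"seq": seq, "prev_hash": prev, "event": event,
                  "hash": record_hash(seq, prev, event)}
        self.records.append(record)
        return record

    def first_broken_record(self) -> int:
        """Index of the first record whose chain link or hash no longer
        verifies, or -1 if the whole ledger is intact."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_hash"] != prev:
                return i
            if record_hash(i, prev, rec["event"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

    def unreviewed_escalations(self) -> List[int]:
        """Indexes of escalation events with no later review by a different
        actor (a simple four-eyes check on the escalation workflow)."""
        gaps = []
        for i, rec in enumerate(self.records):
            ev = rec["event"]
            if ev["event_type"] != "escalation":
                continue
            reviewed = any(
                later["event"]["event_type"] == "review"
                and later["event"]["actor"] != ev["actor"]
                for later in self.records[i + 1:]
            )
            if not reviewed:
                gaps.append(i)
        return gaps


def build_sample_ledger() -> EvidenceLedger:
    """Constructed sample case: verification, risk rating, alert, escalation, review."""
    ledger = EvidenceLedger()
    ledger.append({"event_type": "identity_verification", "timestamp": "2026-05-07T09:00:00Z",
                   "actor": "system:ekyc", "data_sources": ["document_check", "liveness"],
                   "outcome": "verified", "reason_codes": ["DOC_MATCH"], "customer_ref": "cust-0001"})
    ledger.append({"event_type": "risk_rating", "timestamp": "2026-05-07T09:00:05Z",
                   "actor": "system:risk-engine", "data_sources": ["customer_profile"],
                   "outcome": "high", "reason_codes": ["HIGH_RISK_JURISDICTION"], "customer_ref": "cust-0001"})
    ledger.append({"event_type": "monitoring_alert", "timestamp": "2026-05-09T14:20:00Z",
                   "actor": "system:tm", "data_sources": ["transactions"],
                   "outcome": "alert_raised", "reason_codes": ["STRUCTURING_PATTERN"], "customer_ref": "cust-0001"})
    ledger.append({"event_type": "escalation", "timestamp": "2026-05-09T16:05:00Z",
                   "actor": "analyst:a.jones", "data_sources": ["alert", "case_notes"],
                   "outcome": "escalated_to_mlro", "reason_codes": ["EDD_REQUIRED"], "customer_ref": "cust-0001"})
    ledger.append({"event_type": "review", "timestamp": "2026-05-10T10:30:00Z",
                   "actor": "mlro:b.smith", "data_sources": ["case_file"],
                   "outcome": "smr_lodged", "reason_codes": ["SUSPICIOUS_MATTER"], "customer_ref": "cust-0001"})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.first_broken_record() == -1)
    print("unreviewed escalations:", ledger.unreviewed_escalations())
    ledger.records[2]["event"]["outcome"] = "cleared"  # simulate a later edit
    print("first broken record after edit:", ledger.first_broken_record())
```

In production the chain head (or periodic checkpoints of it) would be written to storage the application cannot modify, and the ledger itself would sit behind write-only permissions, so that the integrity check actually proves something to an independent reviewer.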

FAQs

What is an AML/CTF program?

It is a documented framework that explains how a reporting entity identifies, manages and reduces money laundering and terrorism financing risk.

Is an AML/CTF program only a policy document?

No. The policy matters, but the controls must also work in daily operations, product flows, onboarding systems, monitoring tools and reporting workflows.

What is the difference between Part A and Part B?

Historically, Part A has focused on identifying, mitigating and managing ML/TF risk across the business. Part B has focused on customer identification procedures, often called KYC procedures.

Why does engineering matter for AML/CTF?

In digital businesses, many AML/CTF controls are executed by software. If data, APIs, monitoring rules, permissions or audit logs are weak, the program may fail in practice.

Resources

Need to assess whether your AML/CTF controls are technically executable and auditable? Book a technical compliance review with Ostride Labs.
