AUSTRAC's step 1.2: Building a policy your team will actually use

After working through AUSTRAC’s Risk Assessment guidance in Step 1.1, the next step is Step 1.2: the policy document. This is where you stop talking about risk in theory and start putting it into practice.
What AUSTRAC’s policy document is
Your policy document is your internal operating manual for AML/CTF. It sets out clear roles, responsibilities, timing, escalation, reporting, and maintenance, all written in plain English so staff can follow it day to day.
Your policy sits alongside:
- your Risk Assessment (what risks you face and what you will tolerate)
- your Process documents and forms (the exact steps and templates staff use)
Your policy should constantly point staff to your supporting materials like forms, tools, and processes - so nobody is guessing or inventing their own approach to compliance.
The simplest way to write a policy that works
A policy that works answers five questions, over and over:
- What must happen?
- Who does it?
- When does it happen?
- What gets recorded, and where?
- When do we stop and escalate?
If you nail those, you are most of the way there.
Your AUSTRAC starter kit policy is already structured to help with this. It splits everything into front matter plus three parts:
- Front matter (version control, definitions, where this fits)
- Part 1: Personnel (roles, due diligence, training)
- Part 2: Customers (CDD, monitoring, escalation, reporting, tipping off, offboarding)
- Part 3: Maintaining the program (updates, effectiveness checks, independent review, record keeping, enrolment)

Front matter
It’s tempting to skim past this section, but it matters. AUSTRAC expects to see evidence that your AML program is managed like a real system, not just written once and forgotten.
Include:
- Version control (approved date, who approved it, what changed, next review due)
- Key definitions for terms used internally (material change, reasonable escalation)
- A short explanation of how this policy fits in your AML program, including links to the risk assessment and operational procedure
- A simple note that old versions are kept for 7 years
These small details prevent “we changed it at some point” becoming a compliance problem later.
Part 1: Personnel
Fill key AML roles
Your policy should clearly define these roles:
- Governing body (your board, partners or owners, responsible for oversight of the program)
- Senior manager(s) (responsible for approval and resourcing)
- AML/CTF compliance officer (responsible for day-to-day control)
- Customer facing personnel (responsible for CDD, monitoring, escalation)
This is more than an organisational chart. Each role represents a control within the compliance system.
Choosing the compliance officer
The compliance officer is the operational centre of the program.
In practice, the role works best when the person:
- can hold boundaries with sales or operations when needed
- is comfortable making decisions with incomplete information (and documenting the reasoning)
- understands how work actually flows through the business
- maintains organised, consistent records
- knows when to escalate a matter - and when work should stop
Give them authority, not just responsibility
In practice, the policy should state that the compliance officer can:
- pause onboarding or progression until CDD is complete
- require enhanced due diligence on high risk customers
- direct what gets escalated and how it is recorded
- restrict access to suspicious matter report (SMR) related information
- trigger updates to the program when new risks appear
Be realistic about time
For many SMEs, this is not a “few minutes a week” task. It is steady admin, decision making, training, checking, and reporting. If the business is growing, or the sector is higher risk, it can quickly move from a part-time task into a meaningful chunk of someone’s week.
Plan for continuity
Your policy already notes the need to replace the compliance officer quickly if they leave. Make that real by documenting:
- a named deputy or temporary cover approach
- where key records live (not just in someone’s inbox)
- how you notify AUSTRAC of the change, and within what timeframe
- a simple handover checklist
Personnel due diligence (PDD)
Your policy should nail the mechanics: initial checks, ongoing triggers, and what to do if someone is not suitable.
To make this practical and less generic, include examples your team will recognise, such as:
- a team member starts resisting basic record keeping
- shortcuts become routine (“we will do it later” becomes “we never do it”)
- conflicts of interest appear (side work, personal relationships in deals)
- staff feel pressured to ignore escalation to keep deals moving
The goal is not suspicion – it's building a culture where compliance is treated as normal business practice.
Training that actually sticks
If training is a single annual slideshow, it rarely translates into day-to-day behaviour.
Aim for a stronger approach:
- onboarding training for new starters and role changes
- short refreshers when AUSTRAC guidance changes, or your process changes
- scenario based examples that match your work
- tracking completion (so you can prove it)
Use our Compliance Officer Role Planner to identify the best person in your business for the role.
Part 2: Customers
This section of your policy should be clear and specific. Timing matters.
Timing of Customer Due Diligence (CDD)
Depending on your industry, your policy should clearly state when initial CDD must occur:
Real Estate
- direct customer: before signing a brokering agreement
- counterparty: before exchange of contracts
Legal
- client: before providing the designated service, which includes services such as
  - assisting with the purchase or sale of a company
  - creating or restructuring a trust or company
  - assisting with financing arrangements
  - holding or controlling client assets in connection with a transaction
Conveyancing
- seller client: before acting under the retainer
- buyer client: before the key transaction event, such as
  - agreement on the sale price in a private treaty
  - the buyer becoming successful at auction
In practice, the window for verifying counterparties can be tiny. That is why the starter kit includes a delayed CDD option, with defined controls on what can proceed in the meantime and a hard deadline for completing verification.
Escalation rules
Give your team a simple, clear list of when to stop and escalate. For example:
Escalate if:
- something appears inconsistent or suspicious
- the customer is assessed as high risk
- sanctions screening returns a potential match
- beneficial ownership is unclear or unusually complex
- the matter falls outside your documented risk appetite
Then be explicit about what happens next:
- who reviews it
- whether work pauses while it’s assessed
- what must be recorded and where
Reporting and tipping off
This section should be short and very clear. Your policy should specify:
- what is reportable
- who files reports (usually the compliance officer)
- who can know about them (need to know only)
- what staff should say when requesting more information (always “to meet AML obligations”, never “because you look suspicious”, and never anything that reveals a suspicious matter has been raised or reported)
Part 3: Maintain the program
This section ensures the program stays current after it goes live.
Your policy should explain how you will:
- update the program after a material change
- run periodic effectiveness checks and report to the governing body
- arrange an independent evaluation at least every 3 years
- keep records, including old versions, for 7 years
- keep AUSTRAC enrolment details current and notify AUSTRAC of changes within the required timeframe
This is the difference between a document you wrote, and a program you actually run.
What’s next?
Once Step 1.2 is done:
- approve the policy
- store it with proper version control
- make sure staff know where it lives
Then move straight into Step 1.3: process documents, where compliance becomes action, not intention.
Where APLYiD fits
Policies only work if the business can follow them without adding friction to everyday work. That is exactly where APLYiD helps.
With APLYiD, you can:
- structure onboarding and CDD workflows so required steps happen in the right order, every time
- standardise evidence and record keeping, so you are not chasing screenshots and emails later
- create clean escalation paths (high risk, sanctions hits, suspicious activity), with clear audit trails
- support ongoing monitoring and periodic reviews, so nothing quietly expires
- control access to sensitive reporting information, helping with tipping off controls
- prove compliance quickly, because the outputs are structured, consistent, and easy to retrieve
In simple terms: your policy sets the rules. APLYiD helps you run them consistently.