AML / KYC Policy
An AML/KYC policy documents your organisation's procedures for identifying customers, assessing money laundering risk, and reporting suspicious activity to AUSTRAC.
What is an AML / KYC Policy?
An Anti-Money Laundering and Know Your Customer (AML/KYC) policy is a compliance document that sets out how an organisation identifies its customers, assesses the money laundering and terrorism financing risk associated with their activities, monitors transactions, and reports suspicious matters to AUSTRAC.
In Australia, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) imposes obligations on 'reporting entities' — including banks, payment platforms, cryptocurrency exchanges, remittance services, and certain fintech companies. These entities must enrol with AUSTRAC, develop and maintain an AML/CTF program, conduct customer due diligence, and report suspicious matters.
Fintech startups often underestimate when they become reporting entities. If your platform facilitates payment transfers, currency conversion, digital currency exchange, or lending services, AML/CTF obligations may apply from day one — before you reach significant transaction volumes.
When do you need an AML / KYC Policy?
- Before launching any payment, remittance, or digital currency exchange service
- When your platform begins facilitating financial transactions between third parties
- Before applying to enrol as a reporting entity with AUSTRAC
- When conducting due diligence for a banking or payment processing partner
- When raising capital from investors in regulated financial services
Key provisions to include
Customer Due Diligence (CDD)
Procedures for verifying customer identity before onboarding — documents accepted, verification standards.
Risk Assessment
Framework for assessing the money laundering and terrorism financing risk of products, customers, and geographies.
Enhanced Due Diligence
Additional verification requirements for high-risk customers, PEPs, and correspondent relationships.
Transaction Monitoring
Systems and procedures for monitoring transactions for suspicious patterns.
Suspicious Matter Reporting
Process and timeframes for reporting suspicious matters to AUSTRAC.
Record-Keeping
Duration and format for retaining KYC and transaction records — typically 7 years under the AML/CTF Act.
Staff Training
AML/CTF training requirements for all staff handling customer onboarding and transactions.
AML/CTF Compliance Officer
Designation of a responsible officer with authority to implement the policy and report to management.
Common mistakes to avoid
- Not enrolling with AUSTRAC before commencing designated services — failure to enrol is an offence under the AML/CTF Act
- Implementing a generic KYC policy without tailoring it to your specific business model and risk profile
- Not updating the policy when the business's product or service scope changes
- Failing to train staff adequately — AUSTRAC assesses AML/CTF culture and awareness as part of compliance assessments
Frequently asked questions
Does my fintech startup need to comply with the AML/CTF Act?
If your platform provides 'designated services' under Schedule 1 of the AML/CTF Act — including payment facilitation, currency conversion, digital currency exchange, or remittance — yes. You must enrol with AUSTRAC, develop an AML/CTF program, conduct customer due diligence, and report suspicious matters. The threshold for being a reporting entity is based on service type, not transaction volume.
What is AUSTRAC and what does it regulate?
AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's financial intelligence agency and AML/CTF regulator. It oversees compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, collects financial intelligence from reporting entities, and investigates financial crime.
What is the difference between AML and KYC?
Know Your Customer (KYC) is the process of verifying a customer's identity and understanding their risk profile before and during an engagement. Anti-Money Laundering (AML) is the broader set of controls — including KYC, transaction monitoring, and suspicious matter reporting — designed to prevent financial crime. KYC is a component of an AML program.