AML/CTF: Program starter kits summarised

AUSTRAC’s January 2026 starter kits offer practical guidance for turning policy into repeatable frontline decisions. They're less about adding new concepts and more about making your CDD and escalation logic consistent, evidenced and audit-ready.

Simplified guides to the starter kits

AUSTRAC's kits come in at over 100+ pages each. For ease and practicality, we've stripped them back to the key decisions and minimum building blocks allowing you to see where and how to clearly start and expand as needed. Download them here:

A simplified guide to AUSTRAC's starter kit for accounting

A simplified guide to AUSTRAC's starter kit for law and conveyancing

A simplified guide to AUSTRAC's starter kit for real estate

Starter kits at a glance

At a high level, the newly released starter kits can be read as four connected controls:

• Risk Assessment (the rating logic that determines how strong your checks and monitoring need to be)
• Customer Due Diligence (know who you are dealing with and who benefits)
• Screening (sanctions, PEPs and adverse media applied proportionately)
• Enhanced Due Diligence (the slow-down process when risk is high or suspicion is triggered, often centred on source of funds and source of wealth), and 

Risk Assessments

Risk assessment is the practical tool that drives how strong your controls need to be.

AUSTRAC’s rating logic in the starter kits is:

• High: yes to at least one high-risk factor (or other info suggests high risk)
• Medium: yes to at least two medium factors (or other info suggests medium risk)
• Low: neither applies

If you can’t confidently justify simplified CDD, start at medium.

Rating then drives CDD, screening, monitoring and review frequency:

• Low: simplified CDD may be used, review up to every 3 years
• Medium: no simplified CDD, review up to every 2 years
• High: enhanced CDD, review every year, stronger monitoring and approvals

Accounting

Accounting risk increases with higher value activity, complex structures, multiple jurisdictions, anonymity risk, and payment methods like cash and virtual assets. Delivery channels (remote identity confidence issues/spoofing) and country risk approaches should be clearly defined with escalation triggers and a pause point.

Law

Law firms often need to cover both conveyancing and other designated services. Key risk drivers: high-value or unusual property deals, trust account exposure, complex structures and nominee or shelf arrangements, intermediaries, remote channels and higher-risk jurisdictions. Practical controls include clear trust money rules, purpose recorded in plain language, and escalation where control/benefit can’t be established.

Real estate

Real estate risk assessment centres on brokering property transactions, with both buyer and seller treated as customers. Key risk factors include high-value unfinanced purchases (commonly medium), $50k+ cash (high), virtual assets (high), unusual service requests (high), opaque ownership/control, unexplained wealth, remote channel identity risk (including spoofing/deepfakes), and a country risk method staff can apply consistently.

Customer Due Diligence

AUSTRAC’s updated guidance frames CDD around three practical questions:

• Who are we dealing with?
• Who really controls the customer and who benefits?
• Does the story make sense for this transaction and/or relationship?

Across accounting, law and real estate, initial CDD is consistently about:

• Identifying and verifying the customer
• Identifying and verifying beneficial owners and controllers
• Understanding nature and purpose
• Assessing and documenting risk

Real estate note: AUSTRAC is explicit that both buyer and seller are customers for CDD.

Identify vs verify: identify is collecting details. Verify is taking reasonable steps to confirm them using independent and reliable sources, and recording what you did and why.

Timing: CDD must be completed before providing the designated service. Urgency is not a reason to delay. If you can’t complete CDD in time, take steps to complete it ASAP, don’t default to low risk, and pause services where appropriate until AMLCO direction.

Screening

AUSTRAC’s expectation is screening that is risk-based, evidence-based and defensible. The test is whether you can explain:

• Why you screened the way you did
• What risks it addressed
• How you reached and recorded decisions

Who to screen: screening can extend beyond the named customer to beneficial owners, controllers and authorised signatories, depending on risk.

What to screen: sanctions, PEP and (where risk indicators exist) adverse media. Tools are fine, but they don’t replace judgement, and you need an audit trail.

Matches: AUSTRAC doesn’t expect perfection. It expects reasoned clearing of false positives and escalation where matches can’t be cleared, with decisions recorded.

Ongoing screening: not set-and-forget. Re-screening should be risk-based and event-driven, triggered by material changes (ownership/control changes, new key roles, behaviour changes, new geographic exposure, or periodic reviews tied to risk rating).

Enhanced Due Diligence

EDD is required when either:

• The customer is assessed as high ML/TF risk, or
• You are required to submit an SMR

Across the starter kits, EDD is framed as a repeatable slow-down process that focuses on defensibility: should you proceed, and can you justify that decision later with evidence.

Common triggers across sectors include inconsistent stories, resistance to verification (especially with intermediaries / remote-only), high-risk jurisdictions, PEPs (especially foreign), sanctions matches you can’t clear, complex / opaque structures, suspicious trust account behaviour, rapid unexplained changes, and physical cash around $10,000+ (with higher cash thresholds also called out in real estate risk factors).

Accounting

EDD in accounting commonly relies on whether source of funds and source of wealth can be explained and supported in a way that fits the client profile and service.

High-level workflow:

• Fee earners escalate early and pause as required
• AMLCO runs EDD and documents defensibility (including SMR considerations)
• Senior management approves/declines where required
• Collect the “big four”: source of funds, source of wealth, open-source checks (including adverse media), nature and purpose
• Sanity check the story against behaviour and profile
• Record outcome (proceed with conditions, proceed with enhanced monitoring, or decline) and keep records 7 years

Law

EDD logic is the same across law and conveyancing, with heightened focus on structures that obscure control / benefit, remote / intermediary authority risk, and trust account funds flow risk.

High-level workflow mirrors accounting:

• Escalate and pause
• Run EDD across relevant parties (not just the instructing contact)
• Collect the “big four” (source of funds, source of wealth, open-source checks (including adverse media), nature and purpose) and test plausibility
• Written senior approval before proceeding for high-risk clients/parties
• Document outcome and monitoring plan

SMRs and LPP: legal professional privilege can affect reporting and process. Keep EDD requests procedural and focused to avoid tipping off and avoid unnecessarily pulling privileged content into EDD records.

Real estate

EDD in real estate is the same slow-down and defensibility control, often centred on SOF/SOW for a property transaction and whether behaviour fits the story.

High-level workflow:

• Agents escalate early and pause as required
• AMLCO runs EDD and manages SMR controls
• Written senior approval before proceeding for high-risk customers/parties
• Map ownership/control early where structures are layered
• Document outcome and conditions or decline

At a high level, AUSTRAC’s starter kit approach is about making decisions that are proportionate, repeatable and defensible: use Risk Assessment(s) to set the baseline, apply CDD to establish who controls and benefits and whether the story makes sense, use Screening to test sanctions/PEP exposure and (where appropriate) adverse media, and use Enhanced Due Diligence as the documented slow-down step whenever risk is high or suspicion is triggered.