
LM-G03 · GRC · Practitioner tier

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

AUSTRAC obligations, KYC, SMRs, and Tranche 2

19 min read · 30-question assessment · 3 scoring tiers (Foundation / Practitioner / Leader)

THE AI COMMAND

LEARNING MODULE

TAIC-LM-G03

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)

From AUSTRAC obligations to AI-enabled compliance practice

| Field | Value |
| --- | --- |
| Module ID | TAIC-LM-G03 |
| Domain | Governance, Risk and Compliance (GRC) |
| Audience tier | Practitioner (with Foundation primer and Leader extension) |
| Estimated reading time | Module: 23 minutes (5,000 module body words at 220 words per minute, excluding cover and references). Allow 10 to 15 additional minutes for visuals and reflection. Assessment: 25 to 30 minutes. |
| Prerequisites | TAIC-LM-G01 Corporations Act 2001 (recommended). Working familiarity with the Australian financial services regulatory perimeter, customer onboarding processes, and risk-based controls. |
| Cross-references | TAIC-LM-G02 Privacy Act 1988 and APPs. TAIC-LM-G05 APRA CPS 230 Operational Risk Management. TAIC-LM-G07 Sanctions and DFAT Consolidated List. TAIC-LM-G09 ASIC Market Integrity Rules. |
| Learning outcomes | 1. Identify designated services and the obligations they trigger under the AML/CTF Act 2006 (Cth) (Bloom: Remember, Understand). 2. Apply customer identification and ongoing due diligence to a realistic scenario (Bloom: Apply). 3. Analyse a transaction pattern to determine whether a Suspicious Matter Report is required (Bloom: Analyse). 4. Evaluate the design of a Part A and Part B AML/CTF program against regulator expectations (Bloom: Evaluate). 5. Construct an AI-assisted workflow that drafts SMR narratives and program updates while preserving privacy and audit-trail integrity (Bloom: Create). 6. Assess Tranche 2 readiness gaps for an extended reporting entity (Bloom: Evaluate). |
| Authoring date | April 2026 (post Tranche 2 commencement signal date) |

TheAICommand. Intelligence, At Your Command.

Executive Summary

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) is the Commonwealth statute that obliges Australian reporting entities to detect, deter, and disrupt the movement of illicit funds and the financing of terrorism. The Act is administered by the Australian Transaction Reports and Analysis Centre (AUSTRAC), which is both Australia's anti-money laundering regulator and its financial intelligence unit. The Act sits over a layered regime of customer due diligence, transaction monitoring, mandatory reporting, governance program design, and record-keeping. From 1 July 2026 the Act extends to Tranche 2 reporting entities including law practices, accounting practices, real estate professionals, and dealers in precious metals and stones, materially enlarging the regulated population.

Why this matters

Australian financial services entities sit at the centre of the AML/CTF perimeter. Civil penalties for systemic breach run to tens of millions of dollars per contravention, and recent enforcement outcomes have crossed the billion-dollar threshold for Australian Authorised Deposit-taking Institutions (ADIs). Beyond the financial exposure, Boards and Senior Managers are accountable under the Financial Accountability Regime (FAR) for the soundness of AML/CTF controls, and APRA prudential standard CPS 230 captures AML/CTF reporting as a critical operation. The cost of getting this wrong is compounding: regulator action, FAR consequences, capital impact, and reputational loss.

What you will be able to do

  1. Read the AML/CTF Act 2006 (Cth) and identify which obligations apply to a given product, service, or business line.
  2. Decompose a customer or transaction scenario into the right obligation pathway (CDD, ECDD, SMR, TTR, IFTI, sanctions screening).
  3. Draft, review, and stress-test a Part A and Part B AML/CTF program against AUSTRAC published guidance.
  4. Stand up a governed AI workflow in Claude or ChatGPT that drafts compliance artefacts without leaking customer data.
  5. Brief a Board or Senior Manager on Tranche 2 readiness with quantified gap evidence.

Regulatory and Strategic Context

Issuer and statutory authority

The AML/CTF Act 2006 (Cth) is an Act of the Commonwealth Parliament. It is supplemented by the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (the AML/CTF Rules), which carry binding regulatory detail under section 229 of the Act. AUSTRAC publishes guidance, regulator priorities, and typology bulletins which, while not binding instruments, set the operational expectations a reasonable reporting entity should meet. The Financial Action Task Force (FATF) sets the international standards that Australia implements through this Act, and Australia is subject to FATF Mutual Evaluations on its compliance posture.

Scope of application

The Act applies to a person who provides a designated service. Section 6 of the Act lists the designated services in three tables: financial services, bullion, and gambling. Item numbering has been amended over the life of the Act and practitioners should always work from the current consolidated version. The financial sector table is the longest and captures account-based services, lending, foreign exchange, derivatives, custodial services, life insurance investment products, superannuation services, and digital currency exchange. Membership of a designated business group is permitted under Part 4 of the Act and allows a corporate group to share programs and certain reporting under specified conditions.

The geographical reach of the Act is extra-territorial in two important ways. First, a service provided at or through a permanent establishment of the entity in Australia falls within scope even if the customer is overseas. Second, services provided by an Australian permanent establishment to a customer outside Australia carry full obligations. This matters for offshore branches, foreign subsidiaries, and cross-border product distribution.

Key dates and transitional periods

The Act commenced on 13 December 2006 with a phased implementation through 2008. Successive amendments expanded the regime, including the introduction of digital currency exchange registration (effective 3 April 2018) and the strengthening of beneficial ownership and politically exposed person (PEP) requirements through subsequent Rules amendments. The most material recent change is Tranche 2: reporting entity status extends from 1 July 2026 to lawyers, accountants, conveyancers, real estate professionals, and dealers in precious metals and stones when they provide listed designated services. AUSTRAC's transitional approach in the months either side of 1 July 2026 will favour entities that can demonstrate good faith program build, evidence of risk assessment, and active engagement with the regulator.

Interplay with adjacent frameworks

Three adjacent frameworks are essential to operate this Act in a financial services environment. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) (TAIC-LM-G02) regulate the collection, use, disclosure, and storage of customer information used in CDD and SMR processes; APP 3 (collection), APP 6 (use and disclosure), and APP 11 (security) carry specific operational consequences. APRA prudential standard CPS 230 Operational Risk Management (TAIC-LM-G05) requires regulated entities to identify AML/CTF reporting and sanctions screening as critical operations and to set tolerance levels for disruption. The Charter of the United Nations Act 1945 (Cth) and the Autonomous Sanctions Act 2011 (Cth) (TAIC-LM-G07) impose a parallel sanctions screening regime against the DFAT Consolidated List that sits beside the AML/CTF Act and is enforced by DFAT, not AUSTRAC. ASIC Market Integrity Rules (TAIC-LM-G09) interact at the trading and surveillance layer.

In practice, AML/CTF Compliance must operate as a node in a wider control mesh, not a stand-alone function. The largest enforcement outcomes have arisen where the AML node was structurally disconnected from product, technology, and risk reporting paths.

Core Concepts and Defined Terms

Defined terms

| Term | Definition |
| --- | --- |
| Reporting entity | A person who provides a designated service. Defined in s5 of the Act and identified by reference to s6. |
| Designated service | A service listed in s6 of the Act and the AML/CTF Rules. Each line item carries its own customer scope and trigger. |
| Designated business group | A group of reporting entities that elects under Part 4 to share AML/CTF program elements and certain reporting tasks. |
| Customer due diligence (CDD) | The process of identifying and verifying a customer, beneficial owner, and PEP status. Combines applicable customer identification procedures (ACIP) and ongoing CDD. |
| Enhanced customer due diligence (ECDD) | Additional measures triggered by high-risk indicators, such as foreign PEP status, complex ownership, high-risk jurisdictions, or unusual patterns. Required under Chapter 15 of the AML/CTF Rules. |
| Suspicious Matter Report (SMR) | A report under s41 of the Act when a reporting entity forms a suspicion on reasonable grounds. Filed with AUSTRAC. |
| Threshold Transaction Report (TTR) | A report under s43 for cash or e-currency transactions of $10,000 AUD or foreign currency equivalent. |
| International Funds Transfer Instruction (IFTI) | A report under s45 for funds transfer instructions sent or received internationally. |
| Tipping off | An offence under s123: disclosing the existence of an SMR or related information to a person likely to prejudice an investigation. |
| AML/CTF program (Part A and Part B) | A documented program required under Part 7 of the Act. Part A is the risk-based framework. Part B is the customer identification component. |
| Politically exposed person (PEP) | A person who holds, or has held, a prominent public position, defined across foreign, domestic, and international organisation categories under the AML/CTF Rules. |

Central obligations

Designated service trigger

Obligations attach to the act of providing a designated service. Identification of which Item in s6 applies, and to what type of customer, is the first decision in any control design. Onboarding flows must be wired to the Item, not just to the product code; the same product can fall under different Items depending on customer type, channel, or jurisdiction.

Customer due diligence and ongoing CDD

CDD must be carried out before the designated service is provided to a new customer, and on an ongoing basis throughout the relationship. The ACIP (applicable customer identification procedure) must be set out in Part B of the program, must align with Chapter 4 of the Rules, and must verify identity using reliable and independent documentation or electronic data sources. Ongoing CDD includes transaction monitoring, periodic reviews, and event-driven reviews on red flags.

Enhanced due diligence triggers

ECDD is mandatory where the customer or transaction is rated as higher-risk, where a PEP relationship is identified, where a correspondent banking relationship is established, where the customer is in or transacting with a high-risk jurisdiction, or where the entity forms a suspicion. Senior management approval is required for foreign PEP relationships. The ECDD measures must be documented and proportionate to the risk.

Reporting obligations

SMRs are filed when a reasonable suspicion arises. The deadline is 24 hours for any matter that raises a suspicion of terrorism financing. For all other suspicions, the deadline is 3 business days. TTRs and IFTIs follow a 10 business day rule. All reports are filed through the AUSTRAC Online portal, and the report must contain customer, transaction, and reasoning fields. The tipping off offence in s123 makes it an offence to disclose the existence of an SMR or any information that would suggest one has been or may be lodged.

AML/CTF program design

Part 7 of the Act requires a written program. Part A must set out the entity's money laundering and terrorism financing risk assessment, ECDD framework, transaction monitoring program, employee due diligence and training, oversight by Boards and Senior Management, AML/CTF Compliance Officer role, independent review cycle, and procedures for ongoing customer due diligence. Part B must set out the ACIP. The program must be approved by the governing body, reviewed periodically, updated for risk changes, and subject to independent review at least every two to three years (the Rules specify trigger events in Chapter 8).

Sanctions screening interplay

Sanctions screening operates against the DFAT Consolidated List under a separate statute. AML/CTF systems generally house the screening engine because of overlapping data flows, but the legal authority and the obligation set are different. DFAT, not AUSTRAC, takes enforcement action for sanctions breaches. Many enforcement matters surface a hybrid AML/sanctions failure pattern.

Practical Application in Australian Financial Services

The next four worked examples translate the obligation set into operational artefacts. Each uses de-identified scenarios with merge field placeholders. No real customer data.

Example 1: Authorised Deposit-taking Institution (ADI)

Trigger event: A new business banking customer (Customer A, an Australian-incorporated private company with a parent in a high-risk jurisdiction) opens a transaction account and immediately receives a series of structured deposits totalling $148,000 over four business days.

Obligation activated: the relevant account-based designated service Item under s6. Section 41 triggers an SMR if a reasonable suspicion arises that the structured deposits may constitute structuring (a Division 400 Criminal Code offence). Section 43 triggers a TTR for any single deposit at or above the $10,000 threshold.

Artefact produced: A draft SMR narrative populated with Customer A's identifiers, the deposit pattern, the analyst's reasoning, and the attached transaction monitoring alert ID. A TTR record is generated automatically through the core banking system. The Part A program triggers an ECDD review of beneficial ownership given the foreign parent.

Audit trail expected: Transaction monitoring alert metadata, analyst reasoning notes, supervisor approval, AUSTRAC submission receipt, ECDD case file, and the link back to the customer's ongoing CDD record. The artefact must be retained for seven years under s107 of the Act.

Example 2: General insurer

Trigger event: A new commercial property policy is issued to Customer B, a single-purpose entity. The premium is paid in cash by a third party at the broker's office and the insured property is in a regional area with limited recent claims activity.

Obligation activated: the relevant general insurance designated service Item under s6 is engaged for some general insurance products through specified channels. The cash premium triggers a TTR. The third-party payer triggers an ECDD enquiry into the source of funds and the relationship between the payer and the insured.

Artefact produced: An ECDD case file summarising the source-of-funds enquiry, third-party payer rationale, and approval trail. A TTR. Where suspicion crystallises, an SMR. The broker is reminded of its own AML/CTF obligations under any joint program arrangement.

Audit trail expected: The case file must show what was asked, what was answered, what evidence was sighted, and who approved continuation of the policy.

Example 3: Superannuation trustee

Trigger event: A member (Customer C) requests an early release of superannuation under compassionate grounds and provides supporting documentation that, on review, contains internal inconsistencies (different signatures, a recent address change, and a beneficiary nomination change in the prior month).

Obligation activated: the relevant superannuation designated service Item under s6 is engaged. ECDD triggers because of indicia consistent with elder abuse, identity-takeover fraud, or laundering of stolen funds. SMR consideration is mandatory.

Artefact produced: An ECDD memorandum, a fraud and abuse referral to the trustee's vulnerability framework, an SMR if the suspicion is reasonably held, and a hold on payment. Member-facing communication must be drafted carefully to avoid breaching s123 (tipping off).

Audit trail expected: Documented reasoning, version history of member communications, evidence of the fraud and abuse referral, AUSTRAC submission receipt, and a clear link to ongoing CDD updates.

Example 4: AFSL holder (managed investment scheme operator)

Trigger event: A wholesale investor (Customer D) subscribes to a unit trust through an Australian Financial Services Licence (AFSL) holder. The subscription is funded from a foreign jurisdiction with which Australia has a high-risk advisory in place. The investor's beneficial owners include a foreign PEP.

Obligation activated: the relevant managed investment scheme and securities designated service Items under s6. ECDD applies due to foreign PEP and high-risk jurisdiction. Part A program requires senior management approval to enter or continue the relationship.

Artefact produced: An ECDD pack including beneficial ownership chart, source-of-wealth and source-of-funds evidence, screening results against the DFAT Consolidated List, foreign PEP risk acceptance memorandum signed by the senior manager, and ongoing monitoring profile.

Audit trail expected: Approval trail, screening match metadata, ongoing monitoring frequency, and a control linkage to FAR-accountable Senior Managers under the Financial Accountability Regime.

Visual Pack

The six visuals below are inline within the regulatory, conceptual, application, and AI workflow sections. Each is rendered as a designer-ready specification that a learning experience designer can take into Lucidchart, Whimsical, or Figma without further interpretation.

Visual 1: Regulatory authority map

Specification for a jurisdictional flowchart. Eight nodes, three layers, top-down vertical orientation.

| Layer | Node | Function and connection |
| --- | --- | --- |
| Statute layer | AML/CTF Act 2006 (Cth) | Source authority. Connects down to AUSTRAC and to the AML/CTF Rules. |
| Statute layer | AML/CTF Rules Instrument 2007 (No. 1) | Binding rules under s229. Connects down to AUSTRAC. |
| Regulator layer | AUSTRAC (regulator and FIU) | Receives reports, regulates, and shares intelligence. Connects laterally to ASIC, APRA, ATO, and AFP. |
| Regulator layer | DFAT | Sanctions enforcement. Sits beside AUSTRAC, not under it. |
| Regulator layer | FATF (international) | Sets standards. Connects to AUSTRAC and Treasury. |
| Entity layer | Reporting entity (financial sector) | Receives obligations from AUSTRAC. Connects to designated business group nodes. |
| Entity layer | Reporting entity (Tranche 2 from 1 July 2026) | New cohort: lawyers, accountants, real estate, precious metals dealers. |
| Entity layer | Customer | End point. Subject to CDD, ECDD, and ongoing monitoring. |

Visual 2: SMR decision tree

Specification for a process diagram with a single entry point and four terminal states. Render as Mermaid flowchart for the designer.

```mermaid
flowchart TD
    A[Trigger event: alert, transaction, customer behaviour, employee tip] --> B{Reasonable suspicion?}
    B -- No --> C[Document and close. Update monitoring rules.]
    B -- Yes, terrorism financing indicia --> D[Lodge SMR within 24 hours under s41]
    B -- Yes, other AML indicia --> E[Lodge SMR within 3 business days under s41]
    D --> F[Apply tipping off controls under s123]
    E --> F
    F --> G[Update transaction monitoring scenarios and customer risk rating]
```

Visual 3: Comparative table (AML/CTF Act vs FATF vs EU 6AMLD)

| Dimension | AML/CTF Act 2006 (Cth) | FATF 40 Recommendations | EU 6AMLD |
| --- | --- | --- | --- |
| Issuer | Commonwealth of Australia | FATF inter-governmental body | European Union (Directive 2018/1673) |
| Binding force | Statute and Rules under s229 | Soft law, evaluated through Mutual Evaluation Reports | Directive transposed by member states |
| Designated service model | Itemised list in s6 | Risk-based, sectoral focus | Defined obliged entities in Articles 2 to 4 |
| Customer due diligence | Mandatory ACIP plus ongoing CDD plus ECDD triggers | Risk-based CDD, ECDD for high-risk customers | Risk-based, harmonised standards |
| Beneficial ownership | Required under Chapter 4 of the Rules | Recommendation 24 and 25 | Mandatory central registers |
| SMR equivalent | SMR under s41, 24 hours / 3 business days | Recommendation 20 STR obligation | Suspicious Activity Report |
| Tipping off | Offence under s123 | Recommendation 21 | Member state offence |
| Penalty ceiling (illustrative) | Civil penalty calculated by reference to penalty units under the Crimes Act 1914 (Cth); per-contravention exposure for a body corporate is in the tens of millions of dollars and aggregate exposure across systemic matters has exceeded $1 billion in landmark settlements | No direct penalty (peer review) | Up to 10% of group turnover (criminal cases up to 4 years imprisonment) |
| Tranche 2 status | Live from 1 July 2026 | Already in scope (Designated Non-Financial Businesses) | Already in scope |

Visual 4: AML/CTF RACI

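| Activity | Board | AML/CTF Compliance Officer | Senior Manager (FAR-accountable) | First Line |
| --- | --- | --- | --- | --- |
| Approve Part A and Part B program | A | R | C | I |
| Maintain ML/TF risk assessment | I | R | C | C |
| Lodge SMR under s41 | I | A | C | R |
| Lodge TTR or IFTI | I | A | I | R |
| Sign foreign PEP relationship approval | I | C | A/R | I |
| Independent review | A | C | I | I |
| Tranche 2 readiness | A | R | C | C |
| Sanctions screening governance | I | C | A/R | R |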

RACI key: R = Responsible, A = Accountable, C = Consulted, I = Informed.

Visual 5: Quantitative chart (illustrative)

Specification for a bar and line combination chart. X axis: financial year (FY22 to FY26). Y axis (left): AUSTRAC enforcement action volume (count). Y axis (right): aggregate civil penalty exposure ($m, illustrative). All figures must be labelled "illustrative" in the rendered visual.

| Financial year | Enforcement actions (illustrative count) | Civil penalties imposed ($m, illustrative) | Headline driver theme |
| --- | --- | --- | --- |
| FY22 | 3 | 1,300 | Programme failure, large reporting backlog |
| FY23 | 5 | 350 | Customer identification and ongoing CDD failures |
| FY24 | 7 | 1,800 | Cross-border transaction reporting and IFTI |
| FY25 | 9 | 950 | Programme governance and Senior Manager accountability |
| FY26 (YTD) | 6 | 600 | Tranche 2 readiness and sanctions screening interplay |

Numbers in this table are illustrative only. They are not drawn from AUSTRAC enforcement data.

Visual 6: Five things to remember

The Five Things to Remember

  1. Section 6 designated services are the gateway. If you cannot identify the Item, you cannot design the control.
  2. SMR timing is non-negotiable: 24 hours for terrorism financing suspicion, 3 business days for everything else.
  3. ECDD is the highest-leverage control. Foreign PEPs, complex ownership, and high-risk jurisdictions all trigger it.
  4. Tipping off (s123) is a separate offence. Member-facing communication must be sanitised at source.
  5. Tranche 2 commences 1 July 2026. The build window is now.

Operating the AML/CTF Framework With AI

This section explains how to run the AML/CTF Act day to day with large language model support (Claude or ChatGPT, Enterprise tier) without ceding judgement, leaking customer data, or creating an audit-trail vacuum.

Use cases at scale

  1. Drafting SMR narratives from de-identified case data: analyst supplies structured indicators, model assembles the narrative.
  2. Mapping s6 designated service Items against a product catalogue to surface onboarding control gaps.
  3. Programme gap analysis: comparing Part A against AUSTRAC guidance and flagging missing components.
  4. Control narrative drafting for new product approvals from a controls library.
  5. Board paper distillation: producing a 250 word executive summary from a 30 page programme update.
  6. Regulator response triage: drafting first-pass replies to AUSTRAC RFIs ready for legal and senior manager review.
  7. Typology synthesis: pulling AUSTRAC bulletins and FATF reports into a single internal briefing.
  8. Tranche 2 readiness: comparing capability against new obligations and producing a remediation roadmap.

Project space setup

Claude Project

  1. In Claude.ai, create a Project "AUSTRAC AML CTF Workspace" on Enterprise or Team.
  2. Upload knowledge sources: redacted Part A program, AML/CTF Act 2006 (Cth) consolidated text, AML/CTF Rules, AUSTRAC compliance guide, FATF 40 Recommendations, and a controls library extract.
  3. Set the system prompt: "You are an AML/CTF compliance analyst for an Australian reporting entity. You operate under the AML/CTF Act 2006 (Cth), the AML/CTF Rules, AUSTRAC guidance, and FATF Recommendations. You never reproduce real customer identifiers. You always flag tipping off risk under s123. You always cite section, rule, or guidance for every conclusion. You produce drafts for human review."
  4. Naming: TAIC-{entity}-{type}-{YYYYMMDD}-{version}.
  5. Configure a Skill "smr-narrative" codifying the narrative template and validation rules.

ChatGPT Project or Custom GPT

  1. Create a Project (Plus, Team, or Enterprise) "AUSTRAC AML CTF Workspace".
  2. Upload the same knowledge sources.
  3. Use the same system prompt scaffold.
  4. For Custom GPT, set Capabilities to file search only and disable web browsing for sensitive workflows.
  5. On Enterprise, confirm no-training at workspace level and identity-provider integration with Microsoft 365 or Google Workspace.
  6. Naming convention is identical.

Prompt library

Prompt 1: Obligation mapping

Role: AML/CTF analyst. Context: an Australian {{ENTITY_TYPE}} is launching {{PRODUCT}}. Task: Map the product to the designated services Items in s6 of the AML/CTF Act and identify the obligations triggered. Constraints: cite section and Rules reference. Do not include any real customer data. Output Format: a table with columns Item, Service description, Customer scope, Obligations triggered, Open questions. Quality Bar: every Item must have an explicit citation. Any obligation flagged must reference the underlying section or Rule. Open questions must be specific.

Prompt 2: Control narrative drafting

Role: AML/CTF control owner. Context: control identifier {{CONTROL_ID}} sits in the {{DOMAIN}} pillar of the Part A program. Task: Draft a control narrative covering objective, design, performance, evidence, and key risk indicator. Constraints: 350 to 450 words. No customer identifiers. Reference the relevant section of the Act or Rules and any AUSTRAC guidance. Output Format: structured headings as listed. Quality Bar: each section must contain at least one specific evidence artefact reference and one named owner role.

Prompt 3: Gap or maturity assessment

Role: AML/CTF programme reviewer. Context: the entity's current Part A programme version is uploaded. Task: Compare the programme against AUSTRAC compliance guide expectations and FATF Recommendations 9 to 23. Constraints: produce a maturity rating (1 to 5) per pillar and a remediation pack. Output Format: pillar table plus a remediation roadmap with priority, owner, due date placeholder. Quality Bar: every gap finding must cite the source. No score may be awarded without supporting evidence.

Prompt 4: Board paper executive summary

Role: AML/CTF Compliance Officer drafting for a Risk Committee. Context: the attached programme update runs to 30 pages and covers risk, controls, incidents, and Tranche 2 readiness. Task: Produce a 250 word executive summary plus three recommendations. Constraints: plain English. Australian spelling. Cite all materially negative findings. Output Format: heading, summary, three numbered recommendations with named accountable owner. Quality Bar: every recommendation must be SMART and traceable to the underlying programme finding.

Prompt 5: Regulator response drafting

Role: AML/CTF Compliance Officer drafting a response to an AUSTRAC notice. Context: the notice requests information on {{TOPIC}}. Task: Draft a first-pass response. Constraints: cite the request, the controlling Act provisions, and any prior correspondence. No customer-level data. Output Format: response letter with section headings matching the regulator's questions. Quality Bar: every paragraph supports a named claim. No speculative content. Marked DRAFT FOR LEGAL REVIEW.

Prompt 6: Self-disclosure drafting

Role: AML/CTF Compliance Officer. Context: an internal control failure may amount to a contravention. Task: Draft a self-disclosure letter to AUSTRAC. Constraints: facts only, no legal opinion. Reference timeline, customer impact, remediation, and root cause status. Output Format: letter with annexed timeline. Quality Bar: every fact sourced from the internal investigation file.

Governance, audit, privacy, and risk appetite controls

De-identification is mandatory. Real customer identifiers (name, customer number, account number, date of birth, address) must never be entered into a model prompt. Use stable pseudonyms and merge field placeholders. Where the analyst needs the link from pseudonym to underlying customer, that link is held outside the model context.
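One way to enforce this rule before any text reaches the model, as an added example (not part of the original module and not any vendor's API): keyed, stable pseudonyms as merge-field tokens, a vault that keeps the pseudonym-to-customer link on the analyst side, and a pre-flight check that blocks a prompt carrying identifiers the record did not list. Field names, token format, residual patterns and the demo key are assumptions; the sample record and case note are constructed.

```python
import hashlib
import hmac
import re

# Hypothetical record fields mapped to merge-field labels (assumption).
FIELD_PREFIX = {"name": "CUSTOMER", "customer_number": "CUSTNO",
                "account_number": "ACCT", "date_of_birth": "DOB", "address": "ADDR"}
TOKEN_RE = re.compile(r"\{\{[A-Z]+_[0-9A-F]{16}\}\}")
# Heuristics for identifiers the record did not list (assumption; tune per entity).
RESIDUAL_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"),
    "long_digit_run": re.compile(r"\b\d{8,}\b"),
}


class PseudonymVault:
    """Holds the pseudonym -> customer link. It never enters the model context."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("HMAC key must be at least 32 bytes")
        self._key = key
        self._reverse = {}  # token -> real value; persist in a controlled store

    def token_for(self, field: str, value: str) -> str:
        # Normalise so spacing and case variants map to one stable pseudonym.
        normalised = " ".join(value.split()).casefold()
        mac = hmac.new(self._key, f"{field}\x00{normalised}".encode(), hashlib.sha256)
        token = "{{" + f"{FIELD_PREFIX[field]}_{mac.hexdigest()[:16].upper()}" + "}}"
        self._reverse[token] = value
        return token

    def reidentify(self, text: str) -> str:
        """Run on the analyst side only, on the model's returned draft."""
        for token, value in self._reverse.items():
            text = text.replace(token, value)
        return text


def deidentify(text: str, customer: dict, vault: PseudonymVault) -> str:
    """Replace every known identifier in one pass, longest value first."""
    known = {v.casefold(): (f, v) for f, v in customer.items() if f in FIELD_PREFIX and v}
    if not known:
        return text
    ordered = sorted((v for _, v in known.values()), key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v in ordered), re.IGNORECASE)
    return pattern.sub(lambda m: vault.token_for(*known[m.group(0).casefold()]), text)


def preflight(text: str, customer: dict) -> list:
    """Return the reasons a prompt must be blocked; an empty list means it may be sent."""
    scrubbed = TOKEN_RE.sub("", text)  # tokens are safe, so exclude them from the scan
    findings = [f"raw {field} present" for field, value in customer.items()
                if value and value.casefold() in scrubbed.casefold()]
    findings += [f"residual {label}" for label, pattern in RESIDUAL_PATTERNS.items()
                 if pattern.search(scrubbed)]
    return findings


# Constructed demo data: not a real customer, account, or key.
DEMO_KEY = bytes(range(32))  # in practice, fetch from the entity's secrets manager
SAMPLE_CUSTOMER = {
    "name": "Jordan Example",
    "customer_number": "00417725",
    "account_number": "062000 12345678",
    "date_of_birth": "14/02/1979",
    "address": "1 Sample Street, Exampleville NSW 2000",
}
SAMPLE_NOTE = ("Jordan Example (customer 00417725, DOB 14/02/1979) received nine cash "
               "deposits into account 062000 12345678 over four business days. "
               "A second account 99887766 was mentioned by the teller.")

if __name__ == "__main__":
    vault = PseudonymVault(DEMO_KEY)
    safe = deidentify(SAMPLE_NOTE, SAMPLE_CUSTOMER, vault)
    print(safe)
    # The unlisted second account survives substitution, so the prompt is blocked.
    print(preflight(safe, SAMPLE_CUSTOMER))
```

The same key yields the same token for a customer across sessions, so the model can reason about repeat activity without ever seeing who the customer is.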

Human-in-the-loop checkpoints apply at every output stage. No SMR, regulator response, or board paper is filed or sent without a documented human review and senior manager sign-off. The model output is the draft, not the artefact.

Prohibited inputs include PII, market sensitive data, sanctions intelligence (DFAT-restricted material), claimant medical or financial vulnerability data, and any information protected by tipping off restrictions under s123. If a workflow requires this content, escalate to a controlled environment under the entity's data classification policy.

Retention and logging: every model interaction relevant to AML/CTF activity is logged through the Enterprise tenant logging facility, retained in line with the seven-year obligation in Part 10 of the Act (s107 and related), and made available to internal audit on request. Model selection: Enterprise SaaS with no-training is the standard; on-prem or private cloud is required where the workflow handles customer-level data; public consumer-tier is prohibited.

CPS 230: AML/CTF reporting is generally a critical operation for an APRA-regulated entity. The model workflow must therefore have a documented service provider risk assessment, a disruption tolerance, and an evidenced operational resilience test that includes failover to a non-AI workflow. APP alignment: APP 3, APP 6, and APP 11 drive the prompt hygiene rules above; APP 1 governs disclosure of AI assistance to customers where appropriate.

Quality assurance loop

Run this five-step QA rubric against every AI output before it leaves the analyst's desk.

  1. Source check. Every factual claim has a citable source. Every section or rule reference is correct.
  2. Privacy check. No real customer identifiers, no third-party PII, no sanctions intelligence.
  3. Tipping off check. No language that could disclose the existence of an SMR or a related investigation.
  4. Material accuracy check. The output's central conclusion would survive an internal audit interview.
  5. Evidence check. The output is annotated with the supporting evidence artefacts and would stand up at an AUSTRAC enforcement interview.

Red team prompt

Red team prompt to stress-test your own draft: "You are an AUSTRAC investigator reviewing this output. Identify five reasons it could be non-compliant, evasive, or unsupported. Cite the section or guidance you are testing against. Score 1 to 10 on credibility. Recommend the smallest edits that would lift the score by 3 points."

Scaling pattern

Operationalise across the team as follows. First, codify each prompt as a versioned template in the project space (v1.0, v1.1) with a change log. Second, run a weekly evaluation cadence sampling outputs against the QA rubric. Third, set KRIs: percentage of outputs failing the source check, percentage failing the privacy check, percentage requiring three or more revisions before sign-off. Fourth, treat each model release as a change event: re-run the evaluation set and only promote at parity or better with a rollback path. Fifth, maintain a register of accepted and rejected use cases with rationale and review date.

Common Pitfalls and Watch-outs

Seven common failure modes recur in AML/CTF supervision and enforcement outcomes. Each is followed by a one-line corrective action.

  1. Treating the program as a static document rather than a living system. Corrective action: bind the program to the risk assessment, review at every material change, and date-stamp every revision.
  2. Confusing legal coverage with operational coverage. Corrective action: trace every Item in s6 from product approval to onboarding, monitoring, and reporting.
  3. Late SMR lodgement on terrorism financing matters. Corrective action: build a hard 24-hour SLA into the case management workflow with auto-escalation.
  4. Outsourcing transaction monitoring without retaining accountability. Corrective action: maintain a Senior Manager owner under FAR with documented service provider risk and a quarterly assurance pack.
  5. Over-reliance on screening engines without periodic recalibration. Corrective action: document the calibration cycle, false positive rate, and the threshold change governance.
  6. Tipping off through customer service scripts. Corrective action: require AML approval of any customer-facing communication where an investigation is in flight.
  7. Misclassifying digital currency exchange or cross-border services. Corrective action: re-walk s6 designations whenever a product, channel, or jurisdiction changes.

Decision Frameworks and Tools

Decision tree: Should I lodge an SMR?

Render as Mermaid for the designer.

flowchart TD
    Q1[Has an alert, behaviour, or transaction triggered enquiry?] -- No --> Close[Document and close]
    Q1 -- Yes --> Q2[Is the suspicion held on reasonable grounds?]
    Q2 -- No --> Investigate[Investigate further. Document.]
    Q2 -- Yes --> Q3{Indicia of terrorism financing?}
    Q3 -- Yes --> SMR24[Lodge SMR within 24 hours under s41]
    Q3 -- No --> SMR3[Lodge SMR within 3 business days under s41]
    SMR24 --> S123[Apply tipping off controls under s123]
    SMR3 --> S123

Maturity ladder for an AML/CTF program

Tier | Label | Indicators
1 | Initial | Program exists on paper. Risk assessment is generic. Reporting volumes are low and unexplained.
2 | Repeatable | Program is reviewed annually. Risk assessment maps to s6 Items. Some Senior Manager visibility.
3 | Defined | Risk-based design across CDD, ECDD, monitoring, and reporting. FAR accountability mapped. Independent review every two years.
4 | Managed | Quantitative KRIs feed Risk Committee. Sanctions and AML controls are integrated. Tranche 2 readiness in flight.
5 | Optimised | AI-enabled drafting and analytics with human-in-the-loop. Real-time monitoring. Continuous improvement and AUSTRAC engagement.

Self-check questionnaire

  1. Can I produce a current, dated, and Board-approved Part A and Part B program in under 30 minutes?
  2. Can I trace any product or service in my entity to a specific Item in s6 of the Act?
  3. Have I lodged an SMR in the past 12 months and can I evidence the reasoning behind the decision?
  4. Has the program been independently reviewed within the last two to three years?
  5. Have I run a Tranche 2 readiness assessment if my entity, or its clients, are in scope from 1 July 2026?
  6. Is my AML/CTF AI workflow logged, governed, and consistent with APP 3, APP 6, and APP 11?
  7. Can my Senior Manager (FAR-accountable) speak to the entity's AML risk profile in their own words?

Further Reading and Authoritative Sources

Primary statute and rules

  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  • Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (consolidated).
  • Charter of the United Nations Act 1945 (Cth) and Autonomous Sanctions Act 2011 (Cth) (sanctions regime).
  • Criminal Code Act 1995 (Cth) Division 400 (money laundering offences) and Division 102 (terrorist organisation offences).

Regulator and government publications

  • AUSTRAC, AML/CTF Compliance Guide (current edition).
  • AUSTRAC, Suspicious Matter Reports: A Guide for Reporting Entities.
  • AUSTRAC, Designated Business Group Guidance.
  • Attorney-General's Department, Tranche 2 Reform package and explanatory materials.
  • APRA, CPS 230 Operational Risk Management.
  • ASIC, Information Sheet 225 Custody of Client Property.

International standards

  • FATF, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (the 40 Recommendations).
  • FATF, Mutual Evaluation Report Australia (most recent edition).
  • Wolfsberg Group, Anti-Money Laundering Principles for Correspondent Banking.

Professional bodies

  • Association of Certified Anti-Money Laundering Specialists (ACAMS) Australasia chapter resources.
  • Governance Institute of Australia, Risk and Compliance Practice resources.
  • Risk Management Institution of Australasia (RMIA), AML risk papers.

Closing

This module is one of the foundation modules in TheAICommand learning library for Australian financial services governance, risk, and compliance. It pairs with the AML/CTF assessment (TAIC-LM-G03-AMLCTFAct-Assessment) and with the cross-referenced modules listed on the cover.

TheAICommand. Intelligence, At Your Command.

Test your knowledge

LM-G03 assessment: 30 questions

25-30 minutes. One question per screen. Your progress is saved locally for 30 days, so you can pick up where you left off. Submit anytime to see your score, tier, and per-question rationale.

General information and education only. Not legal, compliance, financial, or professional advice. Verify any time-sensitive obligation against the primary source.
