AML isn’t ‘easy’ but it also shouldn’t feel impossible

If your firm has ever looked at the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations and thought, “Can’t I just grab a policy and get started?” it’s definitely not alone. This is one of the most common questions we hear, and it’s never really about cutting corners. Behind that question is something far more human: the hope that something complex might actually turn out to be simple.

The reality, however, is that AML/CTF obligations are not simple.

But they also don’t have to be the overwhelming, opaque burden that many fear.

In the lead-up to Tranche 2 reforms, we’re seeing more businesses trying to get ahead of their AML/CTF obligations and that’s a good thing. What’s less helpful though, is the growing narrative that AML can be solved with a downloaded policy, a templated document or a bundled software solution. It can’t.

Understanding the living framework

AML/CTF is not just a document, it is a living framework that starts with understanding whether you are providing ‘designated services’ and if so, which ones.

Even something as seemingly straightforward as enrolling with the Australian Transaction Reports and Analysis Centre (AUSTRAC) can trip people up. The descriptions of ‘designated services’ in the enrolment form don’t neatly align with the legislation or how businesses actually operate, and without proper advice, it’s surprisingly easy to get it wrong.

And when it comes to AML, “getting it wrong” doesn’t just mean inefficiency. It can mean significant regulatory exposure.

The nuance of ongoing obligations

One of the most common questions we get is: “Is AML easy?” The honest answer is no.

The legislation is detailed, the guidance is evolving and the expectations are increasing. Many firms miss the nuance and focus only on a policy, without fully grasping the ongoing nature of these obligations. While AML/CTF obligations are not simple, they become manageable once you properly understand them and have the right frameworks in place.

The real challenge isn’t the obligations themselves, instead it’s the gap between what firms think they need to do and what the law actually requires.

Take customer due diligence (CDD) as an example. Many firms assume the job is done once they onboard a client. In reality, AML requires ongoing vigilance; it is never “set and forget.” Ongoing CDD requires you to monitor whether a client’s behaviour and risk profile still align with what you know about them, to update information and to act when something changes.

But equally, it doesn’t mean re-verifying every client on a fixed cycle or running unnecessary checks just because a system says so.

Avoiding the three common compliance mis-steps

Good AML/CTF compliance relies on risk‑based, thoughtful and tailored approaches, and in our experience, issues rarely arise from bad intentions. They come from three common mis-steps.

• The first mis-step is treating AML/CTF as a document, not a system. Implementation creates compliance, so policies do not just sit in a folder on the computer. Firms implement these documents as a core system in their business.
• Another mis-step is over-relying on “one-stop-shop solutions”. Sometimes bundling your AML program with your CDD creates conflicts, particularly when systems drive activity that the law does not require. One-stop-shops may have expertise in a particular element of the process and fall short on another. This can then lead to unnecessary cost and over-compliance.
• The last mis-step is underestimating the human element. There is no amount of automation that can replace human judgement. Enhanced CDD makes this particularly clear, because firms customise additional steps to the specific risks identified, and Suspicious Matters Reports (SMRs) show it as obligations trigger on suspicion rather than proof.

Major cause of failures

Most failures we see aren’t about the decision to report. They’re about delays, uncertainty, or missed escalation internally.

What’s encouraging is that once firms move past the initial uncertainty, the narrative changes. From there AML stops being something they “have to deal with” and starts becoming part of how they run a better, more resilient business.

Firms begin to understand their clients more deeply, their processes become clearer, their teams become more confident in identifying and managing risk, and importantly, they sleep better at night knowing their framework actually works.

Where should firms focus?

Start with clarity and understand what services you’re providing and how they fit within the AML/CTF regime.

Your AML/CTF Program comprises your ML/TF risk assessment, policies, and controls, and these reflect your actual business operations rather than a generic version.

From there, consider implementation and how you will evidence this. How does the framework show up day-to-day? Are records centralised and auditable? Do team members know what to look for and what to do? AML/CTF compliance is all about being able to demonstrate what you did, when you did it, and why.

Finally, recognise that AML/CTF obligations are NOT static. Businesses will evolve, the law will evolve and internal frameworks need to evolve at the same time.

At its core, AML/CTF isn’t just a regulatory obligation. It’s about trust. Trust in your firm, from your clients, and from the broader system you operate within.

And while the pathway there isn’t always straightforward, it also isn’t something that needs to be navigated alone, or blindly. When done properly it strengthens firms and in today’s environment with new regulatory scrutiny this is essential and expected.