Audit-Ready: The AUSTRAC Compliance Playbook for Small Advice Firms
With AUSTRAC stepping up reviews across the advice ecosystem, this practical story shows how a small advice firm clarified its designated services, modernised its AML/CTF program and embedded monthly spot-checks so every KYC, beneficial ownership, PEP screen, transaction monitoring note and SMR decision is complete and retrievable for seven years.
1) The Wake-Up Call
After a webinar on recent AUSTRAC enforcement, our founder asked, “Are we a reporting entity—and could we prove it?” The question exposed scattered files, inconsistent KYC, and training gaps. A mentor’s blunt advice set the tone: “Document your business or get out.”
- Suspected designated services but no definitive register
- AML/CTF program last updated in 2019
- Remote staff couldn’t find the latest forms
“If it isn’t written down, it doesn’t exist.”
2) First Challenge: Are We Providing Designated Services?
Service Inventory → AUSTRAC Mapping
- List every revenue line and client touchpoint (advice, product issuance, remittances, onboarding support).
- Map to AUSTRAC’s designated services categories.
- Decide if you are a reporting entity and confirm registration obligations.
Outcome: yes, several activities were designated. We logged scope, appointed a responsible executive, and recorded the decision trail.
Tip: Keep the register in your single source of truth (SSOT) with version control.
3) Core Fix: Refresh the AML/CTF Program, Risk Assessment and Training
Appointing an AML/CTF Compliance Officer
- Named a compliance officer with authority and budget.
- Conducted an enterprise-wide ML/TF risk assessment by product, channel, geography and customer type.
- Updated the two-part AML/CTF program (Part A governance, Part B KYC procedures).
- Scheduled quarterly AML/CTF training and annual CPD aligned with ASIC expectations and the Financial Adviser Code of Ethics.
Result: clear ownership, current policies, and a culture of vigilance.
4) Make Evidence Findable: From Chaos to a Single Source of Truth
Remote Workers Following Instructions
We standardised intake using 13 customer identification forms for individuals, companies, trusts and more—so every adviser collects the same data, the same way, every time.
Single Source of Truth
- Centralised repository with client KYC, beneficial ownership charts, and PEP screening evidence.
- Naming conventions and mandatory metadata for fast retrieval.
- Access controls with audit trails.
Seven-year rule: Under the AML/CTF Act, keep customer identification records for seven years after you stop providing designated services to them.
5) The Monthly Spot-Check Loop
“Trust is good; evidence is better.”
- Randomly select 10 clients per month across segments.
- Verify complete KYC packs, beneficial ownership attestations and PEP screening screenshots or vendor logs.
- Review transaction monitoring notes and escalation rationale.
- Check SMR decisions (filed or not filed) with documented reasoning.
- Test seven-year retrievability: can a new staffer retrieve the full record in under five minutes?
- Log findings, assign actions, re-test within 30 days.
RACI Snapshot
- Responsible: Account owners gather evidence.
- Accountable: Compliance officer signs off.
- Consulted: Operations and IT.
- Informed: Executive team.
6) Closing CDD Gaps—Before AUSTRAC Finds Them
Spot-checks surfaced three patterns: missing beneficial ownership documents, stale PEP rescreens, and thin transaction narratives. We ran a two-week remediation sprint.
What Changed
- Automated PEP/sanctions rescreening cadence tied to risk ratings.
- Required transaction “story” notes: purpose, counterparties, triggers, and monitoring outcome.
- Introduced a “CDD expiry dashboard” to flag refresh dates.
Result: ongoing customer due diligence (OCDD) up to standard, with demonstrable evidence chains.
7) Proving It: Dry-Run Audit and Metrics
Evidence Under Pressure
- Average retrieval time per client file: 2 minutes 40 seconds.
- 100% of SMR decisions had documented rationales and timestamps.
- Zero orphaned KYC files; all linked to client IDs.
Dialogue from the Board Update
Director: “Could we withstand an AUSTRAC review tomorrow?”
Compliance Officer: “Yes. Records are complete, consistent, and retrievable for seven years. Training logs and risk assessments are current.”
We also tested backups and export formats so law practices and external counsel could review compliance records if needed.
8) The Takeaway: Document or Don’t Play
In financial advice, undocumented processes are invisible processes. Build your SSOT, refresh your AML/CTF program, and run monthly spot-checks. Do this and you reduce the chance of remediation programs and infringement notices—and you sleep better.
Immediate Actions
- Confirm whether you provide designated services; record the decision trail.
- Update AML/CTF program, ML/TF risk assessment, and staff training plan.
- Operationalise the monthly spot-check loop and a seven-year retention test.
Need a starting point? Review AUSTRAC’s record-keeping guidance, your professional association’s AML/CTF hub, and CPD record-keeping resources.



