Compliance, explained simply: Obligations, a Control Library, and a Firm Risk Register
A simple guide for Australian accounting firms preparing for AML/CTF Tranche 2. Learn how obligations, a control library and a firm risk register connect to make compliance operational and audit ready.
This guide is written for Australian accounting firms preparing for AML/CTF Tranche 2.
Compliance gets messy for one reason: most firms have no clear way to connect what is required to what staff actually do, and to the evidence that proves it was done.
A simple structure solves that:
1. Obligations (what you must do)
2. Controls (how you do it)
3. Firm Risk Register (why you do it, and what risk it reduces)
Important note on requirements versus best practice
AUSTRAC does not prescribe that firms must maintain specific artefacts named "Obligations", "Control Library", or "Firm Risk Register".
What AUSTRAC expects is the substance: a risk based, written AML/CTF program that sets out the policies, procedures, and controls you use to identify, mitigate, and manage money laundering and terrorism financing risk, and that you can demonstrate it is implemented.
The obligations-controls-risk structure in this article is a practical way to organise those requirements so they are easier to implement, evidence, and review.
Why firms struggle
Most firms fall into one of these traps:
- A policy document exists, but nobody can show how it is executed day to day
- A spreadsheet exists, but it is too hard to maintain, so it becomes outdated
- The firm focuses on <a href="/blog/kyc-austrac-customer-identification-verification">KYC</a> only, and assumes that equals compliance
The fix is not "more paperwork". The fix is a model that makes execution and evidence the default.
1) Obligations: the "what"
Obligations are the requirements your firm must meet.
In AML/CTF terms, obligations generally cover areas like:
- Having a written AML/CTF program
- Customer due diligence (KYC)
- Ongoing due diligence (monitoring and refresh)
- Suspicious matter reporting
- Record keeping
- Training and governance
What a good obligation entry includes
To be usable in an app (and not just a PDF), each obligation should be written in plain English and include:
- What is required (one or two sentences)
- Who owns it (role or team)
- When it applies (onboarding, annual, event based)
- Evidence expectations (what proves it happened)
- Links to related controls and risks (so it is not a dead end)
Think of obligations as the backbone.
2) Control Library: the "how"
A Control Library is a collection of the operational processes your firm runs to meet obligations and reduce risk.
Controls are the practical steps. This is what staff actually do.
Examples of controls in simple language:
- Verify identity using reliable and independent sources, and record the sources used
- Screen for PEPs during onboarding and when risk changes
- Escalate suspicious activity to the Compliance Officer using a standard triage note
- Apply enhanced checks for higher risk clients and record the reason
- Review high risk clients more frequently and require approval to proceed
What makes a control "good"
A control is strong when it has:
- A clear owner
- Repeatable steps
- A clear trigger (when to run it)
- A defined output (what it produces)
- An evidence trail (what you store and where)
Controls are where compliance becomes real.
3) Firm Risk Register: the "why"
A Firm Risk Register captures what could go wrong and how your controls reduce that risk.
At its simplest, a risk register answers:
- What is the risk
- How likely is it
- How severe is it
- What controls reduce it
- What evidence proves the controls are operating
- Who owns it and when it is reviewed
A practical way to structure AML/CTF risks
Most firms can group ML/TF risks into four simple lenses:
- Customer risk
- Service risk
- Delivery channel risk
- Foreign jurisdiction risk
This gives you a repeatable way to write risks without over-engineering.
4) The linking model: how the three pieces fit together
Here is the structure that makes this all work.
Risk -> Obligation -> Control -> Evidence
Example:
- Risk: We onboard a client with unclear beneficial ownership and expose the firm to ML risk.
- Obligation: We must conduct customer due diligence, including identifying and verifying relevant parties.
- Control: Beneficial ownership workflow plus verification steps plus escalation rules.
- Evidence: Ownership details captured, verification results recorded, supporting documents attached, decision note stored.
When you link the model properly you get three big benefits:
1) Staff know what to do
2) You can prove it happened
3) The program becomes maintainable
This is the difference between "we have a program" and "we can demonstrate the program works".
5) What this looks like in an Australian accounting firm
A simple operational flow looks like this:
1. Confirm what work you are doing and whether AML/CTF designated services apply
2. Create or confirm the client record
3. Run KYC and an initial risk assessment
4. Apply controls triggered by risk level: extra verification, extra approvals, enhanced checks, more frequent review
5. Capture evidence as you go
6. Review and sign off when required, especially for higher risk clients or exceptions
This is how you avoid relying on memory and good intentions.
6) Why this structure future-proofs your program
Regulatory expectations do not stand still.
Over time, obligations, guidance, and industry expectations tend to become more detailed and more operational. The bar usually moves toward stronger evidence, stronger governance, and clearer decision trails.
Having a clear link between risks, obligations, controls, and evidence strengthens your position now and makes it easier to adapt later. When requirements evolve, you update a control once and can clearly see what obligations and risks it impacts.
This is what audit ready looks like in practice.
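The linking model from section 4 and the "update a control once and see what it impacts" view from section 6, as an added Python example that is not code from the article or from Nelvo: a small register built on the Risk -> Obligation -> Control -> Evidence chain, a function that reports which obligations and risks depend on one control, and a check for breaks in the chain (risks with no obligation, obligations pointing at missing controls, controls with no owner or no evidence). The class and field names, the 1 to 3 likelihood and severity scale, and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Control:                  # the "how": a repeatable step staff run
    id: str
    name: str
    owner: str                  # role that runs it; empty string means unassigned
    trigger: str                # when it runs (onboarding, annual, event based)
    evidence: list = field(default_factory=list)  # what it stores as proof
@dataclass
class Obligation:               # the "what": a requirement the firm must meet
    id: str
    text: str
    owner: str
    controls: list = field(default_factory=list)  # ids of controls that meet it
@dataclass
class Risk:                     # the "why": what could go wrong
    id: str
    text: str
    lens: str                   # customer, service, delivery channel or foreign jurisdiction
    likelihood: int             # 1 (rare) to 3 (likely); the 1-3 scale is a constructed assumption
    severity: int               # 1 (minor) to 3 (major)
    obligations: list = field(default_factory=list)  # ids of obligations that address it
def impact_of_control(control_id, risks, obligations):
    """Obligations and risks that depend on one control: what to re-check after changing it."""
    obls = sorted(o.id for o in obligations.values() if control_id in o.controls)
    hit = sorted(r.id for r in risks.values() if set(r.obligations) & set(obls))
    return obls, hit

def gaps(risks, obligations, controls):
    """Breaks in the Risk -> Obligation -> Control -> Evidence chain that a reviewer would flag."""
    issues = [f"{r.id}: risk not linked to any obligation" for r in risks.values() if not r.obligations]
    for o in obligations.values():
        if not o.controls:
            issues.append(f"{o.id}: obligation has no control")
        issues += [f"{o.id}: links to unknown control {c}" for c in o.controls if c not in controls]
    for c in controls.values():
        if not c.owner:
            issues.append(f"{c.id}: control has no owner")
        if not c.evidence:
            issues.append(f"{c.id}: control produces no evidence")
    return issues

# Constructed sample register for a small firm; not real data.
RISKS = {"R1": Risk("R1", "Client onboarded with unclear beneficial ownership", "customer", 2, 3, ["O1"]),
         "R2": Risk("R2", "Higher risk client not reviewed more often", "customer", 2, 2)}
OBLIGATIONS = {"O1": Obligation("O1", "Conduct customer due diligence on relevant parties", "Compliance Officer", ["C1", "C2"]),
               "O2": Obligation("O2", "Ongoing due diligence: monitoring and refresh", "Compliance Officer", ["C3"])}
CONTROLS = {"C1": Control("C1", "Beneficial ownership workflow", "Engagement partner", "onboarding",
                          ["ownership details", "verification results", "decision note"]),
            "C2": Control("C2", "PEP screening", "", "onboarding and risk change")}
```

Running `gaps(RISKS, OBLIGATIONS, CONTROLS)` on the sample reports four breaks, and `impact_of_control("C1", RISKS, OBLIGATIONS)` shows that changing the beneficial ownership workflow touches obligation O1 and risk R1.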
7) How Nelvo fits into this
Nelvo provides this structure inside the platform:
- Obligations to define what needs to be met
- A Control Library to define how the work is done and what evidence is produced
- A Firm Risk Register to define why the controls exist and what risks they mitigate
- A starter pack for accountants where the linking is already done (obligations -> controls -> risks), so firms start from a mapped baseline rather than a blank page
Important: Nelvo provides tools and templates. Your firm remains responsible for tailoring, implementing, and maintaining its AML/CTF program and meeting its legal obligations.
Summary
AUSTRAC does not require you to call these things an Obligations register, Control Library, or Risk Register.
But firms that organise their program this way are usually the firms that can:
- implement consistently
- evidence consistently
- adapt quickly when guidance changes
That is the point.
Disclaimer
This article is general information only and is not legal, financial, or compliance advice. It is not tailored to your circumstances. AML/CTF obligations and regulator guidance can change. You should obtain independent professional advice and consult AUSTRAC guidance before making compliance decisions.