Policy versus procedure in AML/CTF, what firms actually need to document
A practical guide for accounting firms on what belongs in AML/CTF policy vs procedure, what AUSTRAC expects in a written program, and a minimum documentation pack you can implement.
Most firms can write a policy. The problem is the policy does not make work happen. Procedures do.
AUSTRAC expects reporting entities to have an AML/CTF program that specifies how they comply with AML/CTF legislation, and the program must be a written document that shows how the business identifies, mitigates and manages money laundering and terrorism financing risk.
If you are an accounting firm preparing for Tranche 2, this matters because the program is not just a compliance document. It is the set of rules and workflows your team will actually follow.
If you are newly regulated, enrolment opens on 31 March 2026, AML/CTF obligations start on 1 July 2026, and you must be enrolled by 29 July 2026 for newly regulated designated services.
Related reading:
- KYC in Australia: What AUSTRAC Expects for Customer Identification and Verification
- Reliable and independent verification
What you will get from this article
1. A simple definition of policy versus procedure
2. How this maps to your AML/CTF program documentation
3. What firms actually need to document, minimum viable pack
4. Examples you can copy into your own framework
5. How to keep it current as reforms approach
1. Policy versus procedure, in plain English
Policy
Policy is what you commit to and why.
It sets the standards and rules your firm will follow. It should be stable and not rewritten every time the workflow changes.
Procedure
Procedure is how the work is done.
It is the step by step process staff follow, including what evidence is captured, where it is stored, and who approves decisions.
Quick test
If it answers what and why, it is policy. If it answers how, who, when, and where, it is procedure.
2. Where policy and procedure sit inside the AML/CTF program
Your AML/CTF program must be written and must set out how you manage and mitigate risk and comply with your obligations.
Historically, many programs were structured into Part A and Part B. Under the reforms, the prescriptive requirement to separate the program into Part A and Part B has been removed, giving firms flexibility to structure the program in a way that works, as long as it effectively manages risk.
Practical takeaway for an accounting firm:
1. You still need both policy and procedure
2. You can structure them in a way that is usable for your team
3. You must be able to demonstrate how the program works in practice
3. What belongs in AML/CTF policy
Policy should be short and principle led. It should define standards, decision rights, and what good looks like.
An accounting firm typically needs these policy sections:
1. Risk management approach: how you apply a risk based approach and what changes when risk is higher.
2. Roles and responsibilities: who owns AML/CTF, who approves higher risk customers, who can escalate suspicion, and who controls access to sensitive information.
3. Escalation and confidentiality rules: how concerns are escalated, who is informed, and how confidentiality is protected.
4. Record keeping commitments: what records you keep, how they are stored, and the expectation that records are complete and retrievable.
5. Training commitments: who must be trained, how often, and how training ties back to the program.
6. Review and update approach: when the program is reviewed and how changes are approved and tracked.
4. What belongs in AML/CTF procedures
Procedures are the operational playbooks. They should be written so a new staff member can follow them without guessing.
An accounting firm should document procedures for the workflows that create the highest risk and highest exposure.
1. Customer onboarding and KYC procedure: step by step capture, verification method, evidence capture, and file close out.
2. Verification procedure: documents versus electronic data, what is recorded, and how mismatches are handled.
3. Beneficial ownership procedure: how ownership and control are identified and evidenced for common structures.
4. PEP and higher risk handling procedure: when screening occurs, what triggers escalation, and what approvals are required.
5. Enhanced customer due diligence procedure: triggers, measures, approvals, and evidence requirements.
6. Suspicion escalation and SMR handling procedure: internal escalation, decision making, confidentiality controls, and submission steps where required.
7. Record keeping procedure: where evidence is stored, naming conventions, minimum fields to capture, retention approach, and retrieval expectations.
8. Training delivery procedure: how training is assigned, tracked, refreshed, and remediated.
5. The minimum documentation pack for an accounting firm
If you want a minimum pack that is defensible and usable, document these 10 items.
1. AML/CTF program document: your policy and control framework in writing.
2. ML and TF risk assessment: the firm level assessment that informs your controls.
3. Customer onboarding and KYC procedure: including verification and evidence capture.
4. Verification procedure: document and electronic verification rules plus evidence standards.
5. Beneficial ownership procedure: common structures plus what evidence is acceptable.
6. PEP handling procedure: escalation, approvals, and decision notes.
7. Enhanced customer due diligence procedure: triggers, measures, approvals, evidence.
8. Suspicion escalation and SMR handling procedure: confidential escalation and reporting workflow.
9. Record keeping standard and register design: what is stored, where, and how it is retrieved.
10. Program review log and version history: what changed, when, and why.
6. How to write procedures that are lean and usable
Use this structure to avoid over engineering.
1. Purpose: one paragraph
2. Trigger: when the procedure applies
3. Roles: who does what
4. Steps: numbered, no ambiguity
5. Evidence: what must be saved at each step
6. Escalation: when to involve a senior reviewer
7. Exceptions: what to do when something does not fit the default path
Aim for procedures that generate evidence by default, not by staff remembering to write notes after the fact.
7. Keeping policy and procedure current as reforms approach
AUSTRAC has set expectations for newly regulated entities to be enrolled and ready by 1 July 2026, including having an AML/CTF program, a compliance officer, and staff training.
Two practical rules:
1. Version everything, policy and procedures
2. Keep stable policy statements separate from procedures that may change as systems and guidance evolve
8. How Nelvo helps
1. Stores your AML/CTF policies and procedures as controlled documents with version history
2. Links procedures to evidence capture and registers so the file is easier to defend
3. Supports consistent execution through structured workflows and templates aligned to your program
Disclaimer
This article is general information only and is not legal, financial, or compliance advice. It is not tailored to your circumstances. While we aim to keep content current and accurate, AML and CTF obligations and regulator guidance can change. You should obtain independent professional advice and consult AUSTRAC guidance before making compliance decisions.