What the ML/TF risk assessment and AML/CTF policies have to contain under Part 1A of the AML/CTF Act (as amended by the AML/CTF Amendment Act 2024, in force 31 March 2026), and how the AML/CTF Rules 2025 Part 5 add detail. Working reference for AMLCOs and AML consultants — not legal advice.
Working reference, not legal advice
Drafting a defensible AML/CTF program is a specialist exercise. This page covers shape and structure; for the initial draft of a venue's program, engage an AML lawyer or an external AML consultant.
Section 26B of the AML/CTF Act defines the AML/CTF program as two components: (a) the reporting entity's ML/TF risk assessment and (b) its AML/CTF policies. They're typically drafted together as one document with two sections, but the obligations they cover — and the statutory provisions they answer to — are distinct.
Together, the two components make a complete picture: the risk assessment says what the venue is exposed to; the policies say what staff do at the patron-facing surface to mitigate those risks. Each references the other — the risk assessment produces the rules in the policies; the operational evidence the policies generate feeds back into the next risk-assessment review.
The risk-based methodology spans the risk assessment (ss.26C–26E) and the AML/CTF policies (s.26F) — it is where most program weakness shows up under review. Three components, all of which need to be specific to the venue:
Under the post-reform Act, the AMLCO must be able to show — for any specific transaction — which rule in the methodology fired, what threshold was met, what data triggered it, and what disposition was applied. This traceability is what the program's record-keeping obligations (Act s.116 — records relating to Part 1A; s.111 — CDD records) and transaction-monitoring duties produce in combination. Methodology documents that can't support that traceability fail evaluation.
Either internally (the AMLCO drafts the program) or externally (an AML lawyer, accounting firm or AML consultant drafts it for the venue). For most NSW registered clubs, the practical pattern is external drafting for the initial program — established consulting firms have written hundreds of NSW club programs and the cost-benefit favours getting the foundation right. Once written, ongoing maintenance shifts to the AMLCO. The program author isn't fixed by law; what's fixed is that the document has to meet the program requirements in Part 1A of the AML/CTF Act (ss.26B–26F) and the AML/CTF Rules 2025, and reflect the venue's actual risk profile.
30–60 pages combined (risk assessment + AML/CTF policies) for a typical NSW registered club, depending on operating complexity. Smaller community clubs with limited cash flow and modest EGM count may produce around 25 pages; larger urban clubs with higher EGM counts, more complex patron-onboarding, and active AML enforcement engagement may produce 70+ pages. The right length is whatever fully covers the venue's actual operating context — not whatever a template suggests. Programs that are too short typically fail because they don't engage with the venue's actual risk; programs that are too long typically fail because they include irrelevant material that obscures the working content.
The CDD elements of the AML/CTF policies (operationalising Part 2 of the Act, ss.28–32) specify (1) when initial CDD is required — under s.28 the venue must not provide a designated service to a customer unless it has carried out initial CDD, subject to the s.39E exemptions (notably item 16 — gaming-machine entry/play — and item 17 — gaming-machine cash-out / winnings payout below $5,000); (2) the identification and verification procedures applied at each onboarding (full name, date of birth, residential address, verified against a reliable independent source); (3) the enhanced CDD procedures for higher-risk customers and the mandatory s.32 ECDD triggers — foreign PEPs, FATF high-risk jurisdictions, an SMR followed by continued service, high ML/TF risk; (4) the source-of-funds and beneficial-ownership checks where applicable; and (5) the ongoing CDD obligations under s.30 — what triggers a customer review, how often the review happens, what gets updated. These are the operational rules floor and cage staff actually follow.
It's the documented framework that translates the venue's specific operating context into operational rules. Three components. (1) The risk assessment (Act ss.26C–26E) — the venue's structured analysis of the ML/TF risks it actually faces given its EGM count, cash-handling profile, geographic location, patron mix, foreign-national exposure, and other risk factors. (2) The risk rating — how the venue weights and scores those risks (high / medium / low, or a numeric scale). (3) The mitigation procedures in the AML/CTF policies (s.26F) — what controls the venue applies to high-risk situations (enhanced CDD under s.32, transaction monitoring rules, escalation protocols). The post-reform standard requires the methodology to be reproducible and traceable: the AMLCO should be able to show why the program flagged or didn't flag any specific transaction, with the rule, threshold, data, and disposition on record.
The AML/CTF policies (s.26F) specify the training requirements: who needs training, what content, how often, what records are kept. Typical NSW club shape: floor staff and cage staff get regular AML/CTF training covering CDD, suspicious-pattern indicators, escalation procedures, and tipping-off prohibitions. Senior management and the AMLCO get higher-touch training. Training records are Part 1A program records and are retained for seven years under s.116 (the seven-year clock runs from when the record is no longer relevant to Part 1A compliance). Training isn't separate from the AML/CTF program — it's a required content area of the policies (AML/CTF Rules 2025 Division 4), with documented attendance and competency assessment.
The AML/CTF policies specify the independent-evaluation schedule. Section 26F(4)(f) of the Act sets a statutory floor: independent evaluations must be at a frequency appropriate to the venue's nature, size and complexity, and at least once every three years. Three years is the minimum — many higher-risk venues run annual or biennial cycles; lower-risk venues commonly sit at the three-year floor. The evaluator must be independent of day-to-day operations (the AMLCO can't evaluate their own program). The evaluation covers (1) whether the program meets the program requirements in Part 1A of the Act (ss.26B–26F) and the AML/CTF Rules 2025, (2) whether the program reflects the venue's current risk profile, (3) whether operational records show the program is being followed, and (4) what remediation is needed for any gaps (AML/CTF Rules 2025 r.5-10). Many NSW clubs engage an external AML consultant, accounting firm or lawyer for the evaluation. The post-reform framework sharpened expectations on documentation of findings and remediation tracking.
Continuously, not annually. The program is a living document — when operations change (new EGMs, new cash-handling arrangement, new patron-onboarding flow, new third-party service provider), the ML/TF risk assessment and the AML/CTF policies should be updated to reflect the change. The AMLCO maintains a version log. Material updates should be re-approved by senior management before they take effect. Independent review provides a periodic backstop. The structural failure mode is a program that hasn't been touched in two years while operations have evolved meaningfully — that's the program AUSTRAC supervisory engagement asks about first.
Three sharpenings, all in the documentation and oversight layers. (1) The risk-based methodology has to support practical defensibility for every alert and reporting decision — the AMLCO should be able to show, for any specific transaction, which rule fired, what threshold was met, what data triggered it, and what disposition was applied. The record-keeping obligations in ss.111 and 116 support this. (2) Senior-management and governing-body oversight is now explicit in the Act — s.26H sets governing-body responsibilities, s.26P requires senior-manager approval of the risk assessment and the AML/CTF policies, and the AML/CTF Rules 2025 r.5-7(2) requires AMLCO-to-governing-body reporting at least every 12 months. (3) Independent evaluation has a statutory cadence — at least every three years (s.26F(4)(f)) — and tighter documentation expectations on findings, remediation, and follow-up (AML/CTF Rules 2025 r.5-10). None of this is structurally new; it's a sharpening that pushes programs from 'documents that exist' toward 'documents that hold up under evaluation'. Operative 31 March 2026.