ISO 37301 & Tranche 2 AML Reforms: How to Build a Compliant AML/CTF Program (That Auditors Love)
Why ISO 37301 Is a Winning Strategy
ISO 37301 defines what a certifiable compliance management system (CMS) must look like: documented obligations, risk assessment, leadership & governance, competence & training, operational controls, raising concerns, impartial investigations, monitoring & indicators, internal audit, management review, and continual improvement/corrective action. These “shall” requirements are not theory—they align naturally with AUSTRAC’s risk‑based expectations and the legal obligations found in the AML/CTF Act and AML Rules 2025.
AUSTRAC requires a risk‑based AML/CTF program tailored to the nature, size and complexity of your business, with a current ML/TF risk assessment before providing designated services. ISO 37301 requires documented context, scope, obligations, and a risk assessment process that is periodically reassessed.
AUSTRAC mandates governance (oversight by the governing body and compliance officer), program documentation and approvals, periodic reporting to the governing body, and independent evaluation. ISO 37301 requires leadership & commitment, compliance function independence, documented information control, internal audit, and management review.
The Core: Your ML/TF Risk Assessment
A credible AML/CTF program starts with a methodical ML/TF (and PF) risk assessment across services, customer profiles & types, delivery channels/technology, geographies, and third‑party/outsourced activities. AUSTRAC expects you to identify, assess and mitigate these risks, review and update regularly (or upon significant change), and have it up‑to‑date before serving customers. ISO 37301’s risk assessment clause (4.6) and AML requirements echo each other here.
Act: s 26C (undertake risk assessment), s 26D (review and update at triggers and at least every 3 years), s 26E (must be up‑to‑date before providing designated services).
Rules: 5‑1 (review cadence); AUSTRAC program guidance provides a practical roadmap for the assessment and periodic updates.
Pro tip (ISO): Keep your methodology documented (inputs, rating scales, criteria, residual risk) and your update triggers explicit (regulatory changes, new product/channel, AUSTRAC communications, adverse events). ISO 37301 requires documented information and periodic reassessment; AUSTRAC expects responsiveness to AUSTRAC‑issued risk intel.
Governance That Stands Up To AUSTRAC’s Expectations (and ISO 37301 Auditors)
A strong AML/CTF program relies on real accountability and oversight.
Governing body & top management: exercise appropriate ongoing oversight; ensure resources; approve risk assessment and AML/CTF policies; receive periodic reports.
AML/CTF Compliance Officer: designated at management level, with authority, independence and access to information, and notified to AUSTRAC.
Reporting cadence: structured 12‑monthly reporting from the compliance officer to the governing body, covering risk mitigation effectiveness, compliance status, deficiencies & remediation, and AUSTRAC interactions.
Pro tip (ISO): Evidence governance with board minutes, approval logs, and a RACI model. ISO 37301 requires documented roles and a functioning compliance function; AUSTRAC expects demonstrable oversight and resourcing.
Authoring the AML/CTF Program: Documents That Matter
Your AML/CTF program must be documented, approved, version‑controlled, and kept current. AUSTRAC may request your documentation, and the Act/Rules spell out what you need and when. ISO 37301 requires formal documented information creation, control and retention.
Act: s 26N (program documentation), s 26P (senior‑manager approvals & notifying governing body), s 26Q (AUSTRAC requests), s 26G (comply with your policies).
Rules: 5‑15 (documentation timing), 5‑3 (sanctions policy), 5‑4 (update policies after evaluation), 5‑10 (independent evaluations).
ISO: 7.5 (documented information creation, version control, retention and integrity).
Program content checklist:
Compliance Policy (plain language; non‑retaliation; commitment to applicable requirements)—ISO 5.2.
ML/TF Risk Assessment (methodology, results, update schedule)
Governance & Roles (Governing body, Senior manager, Compliance Officer; approvals; reporting)
CDD SOPs (initial/ongoing/simplified/enhanced; PEPs; beneficial ownership; reliance; nested services)
Sanctions SOP (lists, matching, escalation, freeze)
Transfers of Value SOPs (ordering/beneficiary/intermediary duties)
Reporting SOPs (SMR, threshold transactions, exception reporting; secrecy/tipping‑off)
Record‑keeping Policy (7‑year retention across transactions, customer docs, CDD & reliance, program records)
Training & Competence (role‑based training; effectiveness assessment; records)
Independent Evaluations (scope, frequency; remediation & policy updates)
Operating Your Program Day‑to‑Day
ISO 37301 requires operational planning & control (8.1), establishing & testing controls (8.2), raising concerns (8.3), and impartial investigations (8.4). AUSTRAC expects the same in practice.
Operational control: Ensure your CDD, sanctions screening, monitoring, and reporting processes have defined criteria, evidence trails, and competent operators.
Third parties & reliance: If you rely on another reporting entity, the AML Rules set contractual, assessment, and procedural requirements; ISO requires control of externally provided processes.
Raising concerns & investigations: Provide visible, accessible, confidential channels (accept anonymous reports, protect reporters), and run impartial investigations with outcomes reported to governance—mind the secrecy/tipping‑off prohibitions in the Act.
Monitoring, Indicators, Independent Evaluations & Management Review
To show effectiveness (for AUSTRAC and ISO auditors), you need monitoring & indicators (KPIs), independent evaluations, and management reviews—and you must retain complete evidence.
Indicators & reporting: Define what you monitor (e.g., SMR timeliness, false‑positive rates, overdue CDD reviews, control test pass rates), how and when you report, and how you ensure accuracy/completeness.
Independent evaluations: Conduct periodically, capture findings, implement Corrective Action Plans (CAPs), and update policies; ISO requires internal audit and corrective action evidence.
Management review: Governing body/top management review the program at planned intervals, with specific inputs (noncompliance trends, audit/evaluation results, adequacy of resources) and decisions for improvement.
Record‑Keeping: The Seven‑Year Rule (and Document Control)
The AML/CTF Act requires 7‑year retention for transaction & customer records, CDD & reliance evidence, and AML/CTF program documentation. ISO 37301 requires control of documented information—availability, integrity, version control, retention & disposition. Put simply: if you didn’t retain it, you didn’t do it.
Real‑World Example: Independent Real Estate Agencies (Tranche 2 Focus)
Independent real estate agencies face exposure via client onboarding, payments, and third‑party arrangements. Aligning with ISO 37301 and your AML obligations helps standardise controls and evidence:
CDD tailored to property transactions: beneficial ownership checks (companies/trusts), PEP screening, source‑of‑funds for high‑risk transactions; ongoing monitoring.
Sanctions checks on counterparties and payments prior to settlement; clear escalation & decision‑rights when potential matches arise.
Risk assessment inputs: cash‑intensive buyers, offshore structures, complex trusts, high‑risk jurisdictions, third‑party referrers; periodic reassessment as market conditions change.
Evidence: reliance agreements with lawyers/conveyancers (if used) that meet the requirements set out in the rules; documented approval & review cycles; training logs for frontline staff; annual compliance officer reports.
Frequently Asked Questions (FAQ)
Q1: Do I need ISO 37301 certification to satisfy AUSTRAC?
No—AUSTRAC doesn’t require ISO certification. But ISO 37301 gives you a structured, auditable CMS that maps cleanly onto AUSTRAC’s expectations, improving assurance and readiness for independent evaluations under the Rules.
Q2: How often must I review my ML/TF risk assessment?
Under the Act, at triggers (e.g., significant changes, AUSTRAC communications) and at least every 3 years—and it must be up‑to‑date before providing services. ISO 37301 also requires periodic reassessment.
Q3: What records must I keep (and for how long)?
Keep transaction records, customer documents, CDD & reliance evidence, and program documentation for 7 years. Maintain integrity and version control per ISO 7.5.
Q4: What is an independent evaluation under the AML Rules?
A periodic, objective review of your program’s effectiveness with findings and remediation, often complementing internal audits. Update policies post‑evaluation.
Need help building an ISO 37301‑aligned AML/CTF program?
AML Advisers designs audit‑ready programs for Tranche 2‑impacted businesses (independent real estate agencies, conveyancers, law firms and accountancy firms) across SEQ, Gold Coast, Sunshine Coast, Ipswich and Northern NSW. We’ll deliver:
ML/TF risk assessment (methodology + report),
AML Compliance Policy and program documentation,
CDD, sanctions & reporting SOPs,
Governance reporting pack (board/committee),
Training & competence framework,
Independent evaluation plan, management review templates, and
Record‑keeping & evidence repositories (7‑year compliance).
Contact AML Advisers today to book a free, confidential consultation to navigate your Tranche 2 AML reforms preparation with an ISO 37301‑aligned AML/CTF program.