35+ AML/CTF templates you need. $99 AUD.

From 1 July 2026, accountants, real estate agents, jewellers, and conveyancers become AML/CTF reporting entities under Australian law. Fill in one form. Get the full compliance pack pre-filled with your firm details — in under a minute.

--
days
--
hours
--
minutes
--
seconds
until AML/CTF Tranche 2 obligations begin
Get your pack

↓ Download a free sample — Privacy Notice (DOCX)

AML/CTF + Privacy Act
KYC & CDD Notices
DOCX Format
Australian Made

How it works

1

Tell us about your practice

Your profession, software, and what client data you handle for KYC. Takes 2 minutes.

2

Pay securely

$99 via Stripe. Includes 12 months of regulatory alerts if you sign up.

3

We generate your documents

Pre-filled privacy document templates for you to complete, scoped to your AML/CTF obligations and software stack.

4

Download your pack

Professionally formatted DOCX. Ready to review, adapt, and implement before 1 July.

Tell us about your practice

Payment was cancelled. Your details are still here — try again when you are ready.
1–200 characters. Renders as your firm's name on the cover and in every document header. Letters, numbers, spaces, and common punctuation (& ' ‐ ()) only.
The person responsible for privacy in your practice. Used across the pack as the contact for privacy requests, complaints and breach notifications. Leave blank to insert a placeholder you can fill in later.
Include area code. Appears in the privacy contact section of the customer-facing Privacy Notice. Any format you use is preserved as-is.
In a small practice the same person typically holds both roles under the s.26F(4) small-practice substitution rule. Larger practices may designate a separate AML/CTF Compliance Officer.
Email address customers will use to make privacy enquiries, access requests, corrections and complaints. Will appear on every page of every published document. Distinct from the receipt email below.
The address that appears in your AUSTRAC enrolment and on the cover page. Leave blank to insert a placeholder you can fill in later.
11 digits. Appears on the cover page and metadata block of every published document. We validate the ATO modulus-89 checksum so a typo is caught before purchase.
9 digits (spaces are okay) if your practice is a Pty Ltd or other registered company. Leave blank if you operate as a sole trader, partnership, or trust without a corporate trustee.
We send your receipt and the secure download link here. Distinct from the privacy contact email above — this one stays internal to your business.

Select your profession above to see relevant options

Accounting & Tax
Real Estate
General Tools

These will appear in your Personal Information Disclosure Map and Personal Information Holdings Register.

Tick all that apply. These are the services that would make you a reporting entity under Table 6 of subsection 6(5B) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). If none apply, tick "None of the above".

These services are drawn from the AUSTRAC sector risk-assessment kits (January 2026) and the AML/CTF Amendment Act 2024 (C2024A00099). The wording is AUSTRAC's. If none of these apply but you think you may still be a reporting entity (e.g. a sub-sector outside the standard catalogue), tick "None of the above" and tailor §4 of the generated AML-DSM-001 by hand.

Tick all that apply. These are the services that would make you a reporting entity under Table 5 of subsection 6(5B) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). If none apply, tick "None of the above".

These services are drawn from the AUSTRAC sector risk-assessment kits (January 2026) and the AML/CTF Amendment Act 2024 (C2024A00099). The wording is AUSTRAC's. If none of these apply but you think you may still be a reporting entity (e.g. a sub-sector outside the standard catalogue), tick "None of the above" and tailor §4 of the generated AML-DSM-001 by hand.

Tick all that apply. These are the services that would make you a reporting entity under Table 6 of subsection 6(5B) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). If none apply, tick "None of the above".

These services are drawn from the AUSTRAC sector risk-assessment kits (January 2026) and the AML/CTF Amendment Act 2024 (C2024A00099). The wording is AUSTRAC's. If none of these apply but you think you may still be a reporting entity (e.g. a sub-sector outside the standard catalogue), tick "None of the above" and tailor §4 of the generated AML-DSM-001 by hand.

Tick all that apply. These are the services that would make you a reporting entity under Table 2 of subsection 6(5B) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). If none apply, tick "None of the above".

These services are drawn from the AUSTRAC sector risk-assessment kits (January 2026) and the AML/CTF Amendment Act 2024 (C2024A00099). The wording is AUSTRAC's. If none of these apply but you think you may still be a reporting entity (e.g. a sub-sector outside the standard catalogue), tick "None of the above" and tailor §4 of the generated AML-DSM-001 by hand.

Tick all that apply. These are the services that would make you a reporting entity under the relevant designated-service table in s.6 (Tranche 2 sectors are in Tables 2, 5 and 6 of subsection 6(5B) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)). If none apply, tick "None of the above".

These services are drawn from the AUSTRAC sector risk-assessment kits (January 2026) and the AML/CTF Amendment Act 2024 (C2024A00099). The wording is AUSTRAC's. If none of these apply but you think you may still be a reporting entity (e.g. a sub-sector outside the standard catalogue), tick "None of the above" and tailor §4 of the generated AML-DSM-001 by hand.

AML/CTF Act 2006 (Cth) Q2 of the designated-service decision tree. Tick the option that matches the practice's geographic footprint. If you operate from abroad, the answer can still be "Yes" if you are an Australian resident operating through a permanent establishment in a foreign country — confirm with counsel.

Q3 gate. The form does not auto-determine s.29 exemptions of the AML/CTF Act 2006 (Cth) — that determination is qualified-counsel territory by statute design. Tick "Yes" only if counsel has reviewed the in-scope rows above.

Q4. Tick "Yes" if another entity in the corporate group is a reporting entity and is maintaining a single AML/CTF program at group level. If "Yes", name the lead entity below.

How quickly does your practice commit to acknowledge a privacy complaint or data subject access request? Most practices adopt 5 business days, which aligns with the OAIC's general expectation of "promptly". You may adopt a faster commitment (1–4 business days) if you have the capacity, or a slower commitment (6–10 business days) if you operate part-time or seasonally. The 30-calendar-day response timeframe is separate — it is set by Privacy Act s.40(1A) and is not configurable.
Tick this if your practice is part of a reporting group, or otherwise shares CDD information with other regulated businesses for the purpose of detecting, deterring or disrupting money laundering, terrorism financing or other serious crime under AML/CTF Act 2006 (Cth) s.123(5). Most small / sole-trader practices answer "No".
Tick this if your practice retains identity-document copies in encrypted storage. Most small / sole-trader practices store extracted verification details only (no document images) and answer "No". Ticking this changes the customer-facing CDD privacy disclosure to acknowledge encrypted retention.

What you get

Privacy documents scoped to your AML/CTF reporting obligations under the Privacy Act 1988.

  1. 01
    Compliance Pack Cover & Map
    Cover page that maps every document in the pack against the 13 Australian Privacy Principles, with the AML/CTF Act overlays where they apply.
  2. 02
    AUSTRAC Starter Kit Index
    Index of the 28–36 AUSTRAC sector starter-kit DOCXs bundled with your pack, patched with your firm framing (cover page, header, date fields). AUSTRAC's text is unchanged.
  3. 03
    OAIC Privacy Management Plan (verbatim)
    OAIC's published Privacy Management Plan template — the roadmap that drives owner and due-date assignment for every other privacy document in the pack. OAIC headings and statutory cross-references preserved exactly.
  4. 04
    OAIC AML/CTF Privacy Collection Notice (verbatim)
    OAIC's published Template Privacy Collection Notice for reporting entities under the AML/CTF Act. OAIC section headings, order, and statutory framework preserved exactly under CC BY 4.0.
  5. 05
    Privacy Notice (customer-facing)
    Privacy policy template covering your AML/CTF data handling obligations. You are responsible for reviewing and adding this to your website.
  6. 06
    Privacy Notice Maintenance Procedure (internal)
    Internal procedure governing how the customer-facing Privacy Notice is maintained — section-by-section source-of-truth map, automated-decision-making evidence, tailor-marker consolidation, and the 90%-within-30-day re-issue cadence.
  7. 07
    Privacy Breach Response Procedure
    Step-by-step response plan for breaches involving identity documents and KYC data, aligned with the Notifiable Data Breaches scheme.
  8. 08
    Access Request (DSAR) Procedure
    Guidelines for handling client requests to access their data — including SMR carve-outs.
  9. 09
    Privacy Complaints Procedure
    Guidelines for handling privacy complaints from clients about your data handling.
  10. 10
    Government Identifier Handling Procedure
    Guidelines for storing, securing, and destroying driver's licences, passports, and other government IDs.
  11. 11
    Personal Information Holdings Register (procedure)
    Audit-defensible register of where KYC and client identity data lives across your systems, who can access it, and how long it is kept (OAIC-expected APP 1.2 + APP 11.1 evidence; not a Privacy Act-named document).
  12. 12
    Personal Information Holdings Inventory (rows)
    The per-holding rows the practice actually carries: categories, sources, purposes, recipients, storage location, retention period, and security measures. Maintained by the Privacy Officer.
  13. 13
    Personal Information Disclosure Map
    Audit-defensible record of how personal information moves between your systems, staff, and third parties (APP 6 + APP 8 + AML/CTF s.123(5) framing; OAIC-expected, not a Privacy Act-named document).
  14. 14
    APP 8 Cross-Border Disclosure Reasonable-Steps Record
    APP 8.1 reasonable-steps record for software that stores or processes personal information overseas (Xero, Clio, cloud platforms). Best-practice evidence; APP 8 does not require a documented assessment per se. AU-only abbreviated record if your stack is wholly Australian.
  15. 15
    Automated Decision-Making Disclosure Register
    Register of any automated tools used in client decisions, with disclosure language for your privacy notice.
  16. 16
    AML/CTF Program (umbrella)
    The AML/CTF policies, procedures, systems, and controls required by s.26F of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  17. 17
    AML/CTF Compliance Officer Appointment
    Appointment letter, role description, and delegations register for the AML/CTF Compliance Officer required by s.26F(4) of the AML/CTF Act 2006 and the AML/CTF Rules.
  18. 18
    Designated Service Mapping
    Internal determination that maps the services your practice provides to the designated-services items in s.6(5B) of the AML/CTF Act, fixing your reporting-entity status.
  19. 19
    Designated Service Log
    Append-only log of the designated services determined to be in scope under s.6(5B) of the AML/CTF Act, sibling to the procedure-side determinations in Designated Service Mapping.
  20. 20
    KYC Collection Notice (customer-facing)
    The one-page customer-facing notice you give clients when collecting identity documents for customer due diligence.
  21. 21
    CDD Collection Procedure (internal)
    Internal companion procedure governing the s.28 collection moment: three-doc family at collection, staff workflow, customer-question scripts, and the change-control protocol for the customer-facing KYC notice.
  22. 22
    CDD Privacy Disclosure (customer-facing)
    Plain-English disclosure for your clients explaining how you use, disclose, and provide access to the personal information collected during customer due diligence.
  23. 23
    CDD Privacy Procedure (internal)
    Internal companion procedure governing your firm's CDD privacy decisions: identity-document handling model, APP 12 access decisions under the AML/CTF Act s.123 carve-out, s.123(5) reporting-entity disclosure pre-checks.
  24. 24
    PEP & Sanctions Screening Procedure
    Internal procedure satisfying s.28(2)(e)(i) and (ii) of the AML/CTF Act — PEP and sanctions screening as part of initial customer due diligence.
  25. 25
    PEP & Sanctions Screening Register
    Append-only register — one row per screening event (negative or positive). Carries Part 1A program-record evidence under AML/CTF Act s.116(3); retained 7 years after no longer relevant.
  26. 26
    Sanctions Hits Log
    Append-only log — one row per positive (or non-clear) PEP / sanctions hit your firm has had to handle. Cross-references the screening register so the two logs reconcile on audit.
  27. 27
    SMR Statutory Reference
    Statutory reference for the Suspicious Matter Report family — the parts of the AML/CTF Act 2006 and Privacy Act 1988 that govern when, how, and to whom an SMR is filed.
  28. 28
    SMR Data Handling Procedure
    Guidelines for handling data when filing Suspicious Matter Reports — including tipping-off prohibitions.
  29. 29
    SMR Register
    Append-only register of every SMR considered (filed and unfiled). Restricted to the AML/CTF Compliance Officer and named authorised compliance staff only — circulating it would risk a s.123(1) tipping-off offence.
  30. 30
    AML Records Retention & Destruction Reference
    Reference layer that states what the AML/CTF Act 2006 (ss.107, 113, 116) and Privacy Act APP 11.1/11.2 require for AML/CTF record retention and destruction in Australia.
  31. 31
    AML/CTF Record Retention Procedure
    7-year retention requirements for KYC documents, transaction records, and CDD assessments.
  32. 32
    AML Records Destruction Procedure
    Destruction methods, named authoriser, and legal-hold check, executed once the statutory retention period expires. Each destruction event is logged in the destruction log.
  33. 33
    AML Records Destruction Log
    Append-only log — one row per destruction event or legal-hold pause. Rows are never edited or deleted once written.
  34. 34
    AML/CTF Independent Evaluation Procedure
    Internal procedure satisfying s.26F(4)(f) of the AML/CTF Act — independent evaluation of your AML/CTF program at least once every 3 years.
  35. 35
    AML/CTF Independent Evaluation Log
    Append-only register recording each completed independent evaluation and tracking each finding through to remediation closure.
  36. 36
    Staff Privacy Training Curriculum
    Regulator-neutral exposition of staff training obligations under AML/CTF Act ss.26F(4)(e), 116 and Privacy Act APP 1.4(g), with links to free, statutorily authoritative external sources.
  37. 37
    Staff Privacy Training Checklist
    What your team needs to know about handling KYC data under the Privacy Act.
  38. 38
    Staff Privacy Training Attestation Register
    Append-only register of completed staff training events — one row per staff member × training source. Retained 7 years per AML/CTF Act s.116.
Scoped to AML/CTF reporting obligations under the Privacy Act

Simple pricing

$99
AML/CTF privacy document pack + 12 months of regulatory alerts
  • 70+ documents total: 28–36 AUSTRAC sector forms for your profession, the OAIC's Privacy Management Plan and AML/CTF Privacy Collection Notice, plus 35+ tailored documents covering everything else you need under the Privacy Act and AML/CTF Act — all pre-filled with your firm details
  • KYC collection notices, CDD disclosures, SMR data handling
  • 12 months of regulatory alerts — AUSTRAC, OAIC, Privacy Act changes
  • Breach response checklist (coming soon)
  • Tailored to your profession and software stack
  • Instant download after payment
Get Your AML/CTF Pack — $99

After 12 months, continue with Provost at $49/mo — updated documents, AI compliance advisor, breach response

Frequently asked questions

No. These are document templates generated from your inputs to help you meet your Privacy Act obligations as an AML/CTF reporting entity. They are a starting point — you should review them with your legal advisor before relying on them. We are not a law firm.
From 1 July 2026, AML/CTF Tranche 2 makes accountants, real estate agents, and other professions into reporting entities under the AML/CTF Act. As a reporting entity, the Privacy Act small business exemption no longer applies to your AML/CTF data handling. The Privacy Act names two specific documents (an APP privacy policy and an eligible-data-breach statement). The OAIC also expects reporting entities to be able to demonstrate APP 1.2 practices, procedures and systems for handling personal information — this pack gives you a starting point for that evidence, tailorable to your practice. Templates only — review with a qualified Australian legal advisor before relying on any of them. Read the full Tranche 2 explainer →
Not yet. The Privacy Act currently applies only to your AML/CTF-related data handling — KYC documents, customer due diligence records, and suspicious matter reports. The broader removal of the $3M small business exemption has been agreed in principle by the government but has not yet been legislated. This pack covers your AML/CTF privacy obligations specifically.
ChatGPT cannot tailor documents to your specific AML/CTF obligations, profession, or software stack. It does not know the interaction between the AML/CTF Act and the Privacy Act, the tipping-off prohibitions for SMRs, or the 7-year retention requirements. You will spend hours prompting and still miss critical requirements.
As this is a digital product delivered instantly upon purchase, we do not offer refunds once your compliance pack has been downloaded. If you experience a technical issue preventing download, contact support@privacycovered.com.au and we will resolve it promptly.
privacycovered.com.au is Australian compliance tooling for professional practices subject to the Privacy Act 1988.
For pre-purchase questions — sector fit, what's in the pack, group/firm-wide options — email sales@privacycovered.com.au. For technical issues with a pack you've already bought, email support@privacycovered.com.au.

Register for free regulatory alerts

Get notified when AML/CTF rules, Privacy Act, or AUSTRAC guidance changes. No cost. No spam.

Can't find a document you need?

Tell us what's missing and we'll prioritise building it.

Important Legal Disclaimer

Not legal advice. The documents, templates, and materials generated by privacycovered.com.au are provided for general informational and guidance purposes only. They do not constitute legal advice, tax advice, or professional advice of any kind within the meaning of the Legal Profession Uniform Law or any equivalent State or Territory legislation.

No lawyer-client relationship. Your use of this website and any generated documents does not create a solicitor-client, lawyer-client, or advisory relationship between you and privacycovered.com.au or any of its operators, employees, or contractors.

Seek independent legal advice. You should obtain independent legal advice from a qualified Australian legal practitioner before relying on or implementing any document or template produced by this service, particularly where obligations arise under the Privacy Act 1988 (Cth), the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), or any other applicable legislation.

Starting point only. All templates are intended as a starting point and general guide. They must be reviewed, customised, and verified by a suitably qualified professional before use in your organisation. No template should be adopted without independent assessment of its suitability for your specific circumstances.

No liability. To the maximum extent permitted by law, privacycovered.com.au and its operators disclaim all liability for any loss, damage, cost, or expense (whether direct, indirect, consequential, or otherwise) arising from your reliance on, or use of, any document or template generated by this service. Nothing in this disclaimer excludes or limits any guarantee, condition, or warranty implied by the Competition and Consumer Act 2010 (Cth), Schedule 2 (Australian Consumer Law), where doing so would contravene that Act or cause any part of this disclaimer to be void.

Laws change. Australian privacy, AML/CTF, and related laws are subject to amendment, repeal, and reinterpretation. Templates generated by this service may not reflect the latest legislative position, regulatory guidance, or case law at the time you use them. You are responsible for confirming that any document remains current and compliant at the date of use.