compliance 2026-02-28

5 AML/CTF Gaps Your Compliance Program Is Probably Missing

Most AML/CTF programs cover the obvious obligations. These five commonly missed gaps are where AUSTRAC enforcement actions concentrate — and where your real risk lies.

By AuditDSS Team

Every AML/CTF compliance program covers the basics: customer identification, suspicious matter reporting, record keeping. But enforcement actions rarely target the obvious gaps. They target the obligations that sit between the major requirements — the conditions, thresholds, and dependencies that compliance teams assume are covered when they’re not.

Here are five gaps we see repeatedly when organisations run their AML/CTF programs through obligation-level analysis — across both the existing AUSTRAC Rules 2007 and the new Rules 2025 (Tranche 2, effective 31 March 2026). These apply equally to traditional financial services and the 70,000+ new reporting entities entering the regime.

1. Ongoing customer due diligence triggers

Most programs cover initial CDD thoroughly. The gap is in the ongoing obligations.

The AUSTRAC AML/CTF Rules require entities to update their CDD when specific trigger events occur: changes in customer behaviour, new products or services, identified suspicious activity patterns, or changes in the customer’s risk profile.

The common gap: Programs state that CDD is “maintained” but don’t specify the trigger events, the response procedures for each trigger, or the timeframes for updating customer risk assessments. The obligation isn’t just “do CDD” — it’s “do CDD when these specific conditions arise, in this manner, within this timeframe.”

Risk: This was a core finding in the CBA, Westpac, and SkyCity enforcement actions. AUSTRAC specifically cited failures to update CDD when red flags appeared.

2. Proportionate risk assessment methodology

The Rules require that your AML/CTF program be “proportionate” to the ML/TF risk your business faces. This isn’t a single obligation — it cascades through multiple requirements:

  • Risk assessment must consider the nature, size, and complexity of the business
  • Controls must be proportionate to the assessed risk
  • Enhanced CDD must be applied to higher-risk customers and products
  • Simplified CDD is only available for genuinely lower-risk scenarios

The common gap: Programs state they have a “risk-based approach” but don’t document how risk levels were determined, what methodology was used, or how the proportionality assessment maps to specific control decisions. The word “proportionate” appears in multiple obligations — each one needs specific, demonstrable methodology.

3. Beneficial ownership verification depth

Customer identification gets attention. Beneficial ownership verification often gets less. The Rules don’t just require identifying beneficial owners — they require:

  • Identifying all individuals who ultimately own or control 25%+ of the customer
  • Taking reasonable measures to verify their identity using reliable, independent sources
  • Understanding the ownership and control structure
  • Updating this information when changes occur

The common gap: Programs identify beneficial owners at onboarding but don’t verify their identity to the same standard as the customer. The “reasonable measures” for verification and the triggers for re-verification are often undefined. This becomes critical with complex structures (trusts, multi-layered entities).

4. Third-party reliance conditions

Many reporting entities rely on third parties (correspondents, agents, introducers) for elements of their CDD process. The Rules permit this — but with specific conditions:

  • The entity must be satisfied the third party has conducted the relevant CDD
  • The entity must obtain the CDD information from the third party within a specified timeframe
  • The entity remains ultimately responsible for the CDD outcome
  • The arrangement must be documented with specific terms

The common gap: Programs reference third-party reliance but don’t specify which obligations are delegated, what verification the entity performs on the third party’s CDD, or how the entity ensures ongoing compliance. The conditions for valid third-party reliance are more specific than most programs acknowledge.

5. Transaction monitoring system review and testing

Having a transaction monitoring system isn’t enough. The Rules contain specific obligations about maintaining and testing the system:

  • Systems must be regularly reviewed for effectiveness
  • Detection scenarios must be appropriate to the entity’s risk profile
  • Changes in business, products, or customer base must trigger scenario reviews
  • The system must be able to identify complex or unusual patterns of transactions

The common gap: Programs state they have “transaction monitoring” but don’t specify the review frequency, the criteria for scenario adequacy, or the testing methodology. This was explicitly cited in the CBA penalty — the IDM reporting gap persisted because the monitoring system wasn’t reviewed against actual transaction patterns.

Why these gaps persist

These aren’t gaps in awareness. Compliance teams know about CDD, beneficial ownership, and transaction monitoring. The gaps are in the conditions and sub-obligations within each requirement.

A rule-level assessment checks 768 boxes (614 from the 2007 Rules + 154 from the 2025 Rules). An obligation-level assessment checks 5,534 propositions — each one a specific, testable requirement that can be independently violated and enforced.

The five gaps above involve obligations that sit within rules the compliance team has marked as “covered.” They’re invisible to rule-level assessments but visible to enforcement actions.

Finding your obligation-level gaps

The shift from rule-level to obligation-level assessment is the single highest-impact improvement most AML/CTF programs can make. It’s the difference between “we have a CDD process” and “our CDD process covers all 47 specific obligations relating to customer due diligence, including the 12 conditions and 8 trigger events.”

AuditDSS decomposes the AUSTRAC AML/CTF Rules (2025 + 2007) into 5,534 testable obligations and scores every gap across four risk axes. Upload your AML/CTF program and see exactly where these gaps are.
