Skip to main content

Create your AUSTRAC compliance policy

How to set up your AUSTRAC AML/CTF compliance policy in ChangeGPS Evo, configure risk-level rules, and generate a versioned policy document.

ChangeGPS Evo includes a built-in AUSTRAC (Australian Transaction Reports and Analysis Centre) policy builder that lets you configure your firm's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) compliance requirements and generate a versioned policy document.

This article walks you through setting up your AUSTRAC compliance policy, configuring risk-level rules, and generating the policy document.

AUSTRAC Tranche 2 compliance — The settings in this section determine Customer Due Diligence (CDD) requirements based on client risk levels. These settings are effective from 1 July 2026. Review with your compliance counsel before publishing.

Before you begin

  • You must have ChangeGPS administrator access to your Evo instance. Only ChangeGPS admins can access and configure the AUSTRAC policy settings.

  • Your firm's Engage Settings (under Company Settings) should already be configured, including your applicable jurisdiction, professional body, and sole practitioner status. The AUSTRAC policy builder is in the same Company Settings area.

  • Decide in advance who in your firm will act as Compliance Officer(s). You will nominate these users during setup. They will receive approval notifications when a compliance issue is detected, such as a Politically Exposed Person (PEP) match or a sanctions hit.

Step 1: Access AUSTRAC policy settings

The AUSTRAC policy builder is accessed through Company Settings in ChangeGPS Evo. To navigate there:

  1. Select Company Settings from the left navigation panel.

  2. Select the App Settings tab, then open Engage Settings.

  3. Review your Engage Settings — jurisdiction, professional body, sole practitioner status, and Compliance Officers — if you haven't already.

  4. Scroll down to the Additional Configuration section.

  5. Select AUSTRAC Policy.

Step 2: Enter policy information

The Policy Information section contains the following fields:

  • Policy ID — System-assigned automatically (for example, default-compliant-2026). You cannot edit this field.

  • Policy Name — Enter a name for your policy. The default is Standard Compliant Policy (AUSTRAC Tranche 2).

  • Description — Enter a brief description. The default is Recommended policy meeting AUSTRAC requirements. Reviewed by legal counsel.

Step 3: Configure risk-level rules

The policy uses three risk tiers — Low Risk, Medium Risk, and High Risk. Select each tab and configure the verification and monitoring settings for that risk level.

For each risk tier, set:

  • Verifications Required — The number of identity verifications required for clients at this risk level.

  • Monitoring Frequency — How often clients at this risk level are reviewed (for example, Annual 12 months, Biennial 24 months, Triennial 36 months, ).

  • Required Documents — The identity documents required (Drivers Licence, Passport).

Set the following Customer Due Diligence (CDD) requirements to enable:

  • Ongoing Monitoring Required

  • Senior Approval Required

  • Source of Wealth Required

  • Intended Nature Required

  • Enhanced Due Diligence Required

  • Source of Funds Required

  • Purpose of Relationship Required

Check the boxes that apply to your firm's policy for high-risk clients.

Step 4: Review the policy body

The Policy Body section displays the narrative text that will be included in the generated policy document. The settings summary you configured above is appended to this document automatically.

The default policy body is locked. To make changes to the narrative text, select Edit. You can use the toolbar to format text and insert merge fields.

The policy body content covers your firm's obligations under AUSTRAC.

Note: Two types of merge field tags appear in the editor — User must fill in (highlighted in red/orange) and Auto-populated on generation (highlighted in blue). Fields marked "user must fill in" require your input before generating the document.

Step 5: Save your policy

Once you have configured all risk-level settings and reviewed the policy body, select Save Policy to save your changes.

To discard your changes and return to the default settings, select Reset to Defaults.

Step 6: Generate the policy document

The Policy Documents section allows you to generate a versioned copy of your policy based on the current settings.

To generate the document:

  1. Select the Format — either Word Document (.docx) or PDF.

  2. Optionally, enter a Change Description to note what changed in this version (for example, Updated High Risk CDD requirements).

  3. Select Generate Document.

The document is generated and added to the Document History table below. Each version shows the version number, generation date and time, the user who generated it, format, file size, and an optional change note. You can download any previous version using the download icon.

Tips and best practices

  • Review before finalising — Before treating the generated document as your firm's policy, spend a few minutes reading through it to confirm it reflects how you intend to run the firm: who holds each role, how risk levels are applied, and what due diligence you'll require. Treat it like any other ChangeGPS report — a starting point you verify, not a final output you file without reading.

  • Review with compliance counsel — Because these settings determine your CDD obligations under AUSTRAC Tranche 2, confirm your risk-level configuration with your compliance counsel before generating and distributing the final document, particularly for High Risk requirements.

  • Use the Change Description field — Enter a note each time you generate a new version (for example, Updated High Risk CDD requirements — reviewed 21 June). This makes it easy to track what changed between versions in the Document History.

  • Nominate Compliance Officers in Engage Settings — If multiple users in your firm manage compliance, designate them under Engage Settings so they receive approval notifications when a compliance issue is detected.

  • The monitoring period badge updates live — The badge next to Monitoring Frequency (for example, 36 months or 12 months) updates automatically as you change the dropdown — use it as a quick visual confirmation before saving.

Did this answer your question?