From First Deposit to First SMR: An AUSTRAC AML/CTF Checklist for New Forex Brokers
Launching a forex brokerage is often a race to connect platforms, payments, and liquidity. In Australia, it’s also a race to stand up an AML/CTF operating model that works on day one—before you have a large team or mature tooling.
This post is a practical implementation checklist for AUSTRAC-aligned AML/CTF foundations: KYC/CDD, ongoing due diligence, Suspicious Matter Reports (SMRs), and recordkeeping. It’s general guidance only—always confirm your specific obligations and timelines with Australian counsel/compliance specialists.
1) Start with scope: map your AUSTRAC obligations to your actual product
Before you buy tools or write policies, get clear on what you’re offering and where AML/CTF risk actually enters your stack. For forex brokers, the highest-risk seams are typically onboarding, funding, withdrawals, and third-party payment flows.
Use this scoping checklist to avoid building the wrong controls:
- Products & flows: Spot FX/CFDs, copy trading, PAMM/MAM, crypto deposits, local bank transfers, cards, e-wallets, vouchers.
- Customer types: retail, wholesale/professional, corporate accounts, introducers/IBs (and whether they touch client funds).
- Geographies: where customers are located, where payments originate, where entities/banks are domiciled.
- Delivery channels: online-only, assisted onboarding, affiliates, white-label partners.
- Third parties: KYC vendor, screening provider, PSPs, banks, liquidity providers.
Output you want: a one-page “AML/CTF control map” that lists each flow (e.g., card deposit → trading → withdrawal) and the control points (verification, screening, monitoring, approvals, reporting, retention).
2) Build a KYC/CDD engine that’s operational (not just a policy)
Most startups can write a Customer Due Diligence procedure. The hard part is making it consistent, auditable, and fast enough that sales doesn’t bypass it.
Implement KYC/CDD as a decisioning workflow with clear states and stop/go rules:
- Minimum CDD gate before trading or withdrawals: define exactly which elements must be verified (identity in every case; address and other elements on a risk basis) and enforce the gate in the platform itself, not only in the procedure document.
- Customer risk rating at onboarding: low/medium/high based on geography, customer type, payment method risk, product risk, and adverse information.
- Sanctions/PEP screening: screen the customer and, for companies, screen directors/UBOs; define match-handling (true match vs false positive) and escalation.
- Source of funds / source of wealth prompts: don’t ask everyone for everything—trigger this based on risk rating, deposit size, velocity, or unusual patterns.
Practical setup tips that reduce rework:
- Create a single customer record that links: KYC evidence, screening results, risk score, and funding instruments.
- Define re-verification rules (e.g., document expiry, name change, material profile change).
- Add “no third-party funding” controls unless you explicitly support it: compare the name on the funding instrument with the account holder on every deposit (after normalising case, accents and punctuation, so legitimate variants don’t flood you with false positives), and handle exceptions with a documented rationale.
3) Ongoing due diligence: turn monitoring into a weekly routine, not a quarterly panic
Ongoing due diligence is where many brokers fall down—not because they don’t care, but because monitoring becomes a backlog. Your goal is a light-but-consistent cadence with clear thresholds.
A startup-friendly ongoing due diligence model typically includes:
- Behavioral monitoring: deposit/withdrawal velocity, rapid in/out movement, repeated failed withdrawals, multiple cards/bank accounts, unusual device/IP changes.
- Trading-related signals (where relevant): patterns inconsistent with stated experience/means; “parking” funds with minimal market exposure; sudden spikes after long dormancy.
- Screening refresh: periodic rescreening for sanctions/PEP/adverse media and event-based rescreening (e.g., profile changes).
Make it executable with a simple operating rhythm:
- Daily: review high-severity alerts (sanctions hits, blocked jurisdictions, high-risk payment anomalies).
- Weekly: triage medium alerts and close with documented outcomes.
- Monthly: sample-based QA on closed cases; tune thresholds to reduce noise.
Most importantly, define what “done” means for an alert: evidence reviewed, decision made (clear/escalate/restrict), and a short narrative logged.
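To make the monitoring signals above concrete, here is an added example of the rule logic run over a small constructed ledger. It is not code from the original post or from any vendor; the customer and transaction shapes, the thresholds, and the sample names are assumptions. Each rule maps to a bullet in the list: the third-party funding check compares normalised payer and holder names, the velocity check slides a 24-hour window over deposit timestamps, the rapid in/out check compares a withdrawal against the deposits of the preceding 48 hours (with a guard for the zero-deposit case, which would otherwise fire on every withdrawal after a quiet period), and the instrument check counts distinct cards and accounts in the trailing 30 days.

```python
# Added example, not from the post: rule-based ongoing due diligence alerts over a
# constructed ledger. Thresholds are placeholders, not AUSTRAC figures; a broker
# sets them from its own risk assessment and tunes them monthly.
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

VELOCITY_WINDOW, VELOCITY_MAX = timedelta(hours=24), 4      # more than 4 deposits in 24h
INOUT_WINDOW, INOUT_RATIO = timedelta(hours=48), 0.8        # withdraw >= 80% of 48h deposits
INSTRUMENT_WINDOW, INSTRUMENT_MAX = timedelta(days=30), 3   # more than 3 instruments in 30d

@dataclass(frozen=True)
class Customer:
    customer_id: str
    legal_name: str
    risk_rating: str  # "low" | "medium" | "high", assigned at onboarding

@dataclass(frozen=True)
class Txn:
    customer_id: str
    ts: datetime        # UTC assumed
    kind: str           # "deposit" | "withdrawal"
    amount: float
    instrument_id: str  # PSP token for the card or bank account
    payer_name: str     # name on the funding instrument

@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str   # "high" -> daily review queue, "medium" -> weekly triage
    narrative: str  # short, factual, timestamped

def normalize_name(name: str) -> str:
    """Fold case, strip accents, collapse punctuation/whitespace before comparing names."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return " ".join("".join(ch if ch.isalnum() else " " for ch in folded).split())

def check_third_party_funding(c: Customer, txns: list[Txn]) -> list[Alert]:
    """Payer name on a deposit differs from the account holder: high severity."""
    holder = normalize_name(c.legal_name)
    return [Alert("third_party_funding", "high",
                  f"{t.ts.isoformat()} deposit {t.amount:.2f} via {t.instrument_id} from "
                  f"'{t.payer_name}' does not match holder '{c.legal_name}'")
            for t in txns if t.kind == "deposit" and normalize_name(t.payer_name) != holder]

def check_velocity(c: Customer, txns: list[Txn]) -> list[Alert]:
    """Sliding window over deposit timestamps; the first window over the limit alerts."""
    deps = sorted(t.ts for t in txns if t.kind == "deposit")
    for i in range(len(deps)):
        j = i
        while j + 1 < len(deps) and deps[j + 1] - deps[i] <= VELOCITY_WINDOW:
            j += 1
        if j - i + 1 > VELOCITY_MAX:
            return [Alert("deposit_velocity", "medium",
                          f"{j - i + 1} deposits between {deps[i].isoformat()} and {deps[j].isoformat()}")]
    return []

def check_rapid_in_out(c: Customer, txns: list[Txn]) -> list[Alert]:
    """Withdrawal returning most of the deposits made in the prior 48h. The funded > 0
    guard stops a withdrawal after a quiet period from always triggering."""
    out = []
    for w in (t for t in txns if t.kind == "withdrawal"):
        funded = sum(d.amount for d in txns
                     if d.kind == "deposit" and w.ts - INOUT_WINDOW <= d.ts <= w.ts)
        if funded > 0 and w.amount >= INOUT_RATIO * funded:
            sev = "high" if c.risk_rating == "high" else "medium"  # escalate high-risk customers
            out.append(Alert("rapid_in_out", sev,
                             f"{w.ts.isoformat()} withdrawal {w.amount:.2f} returns "
                             f"{100 * w.amount / funded:.0f}% of {funded:.2f} deposited in 48h"))
    return out

def check_instrument_count(c: Customer, txns: list[Txn]) -> list[Alert]:
    """More than INSTRUMENT_MAX distinct cards/accounts in the trailing 30 days."""
    if not txns:
        return []
    end = max(t.ts for t in txns)
    ids = {t.instrument_id for t in txns if t.ts >= end - INSTRUMENT_WINDOW}
    if len(ids) <= INSTRUMENT_MAX:
        return []
    return [Alert("multiple_instruments", "medium",
                  f"{len(ids)} distinct funding instruments in the 30 days to {end.isoformat()}")]

RULES = [check_third_party_funding, check_velocity, check_rapid_in_out, check_instrument_count]

def run_rules(c: Customer, ledger: list[Txn]) -> list[Alert]:
    """Run every rule over one customer's transactions, oldest first."""
    mine = sorted((t for t in ledger if t.customer_id == c.customer_id), key=lambda t: t.ts)
    return [a for rule in RULES for a in rule(c, mine)]

# Constructed sample ledger: Alice behaves normally; Bob shows a third-party payer,
# six deposits in three hours across six cards, and a withdrawal forty hours later.
T0 = datetime(2024, 3, 4, 9, 0)
ALICE = Customer("C-1001", "Alice Ng", "low")
BOB = Customer("C-1002", "Bob Tran", "high")
LEDGER = [
    Txn("C-1001", T0, "deposit", 2000.0, "card-01", "Alice Ng"),
    Txn("C-1001", T0 + timedelta(days=10), "withdrawal", 500.0, "bank-01", "Alice Ng"),
    *[Txn("C-1002", T0 + timedelta(minutes=30 * i), "deposit", 950.0, f"card-{10 + i}", "Bob Tran")
      for i in range(5)],
    Txn("C-1002", T0 + timedelta(hours=3), "deposit", 1200.0, "card-20", "Carla Diaz"),
    Txn("C-1002", T0 + timedelta(hours=40), "withdrawal", 5500.0, "bank-02", "Bob Tran"),
]
```

Run `run_rules(BOB, LEDGER)` and Alice produces nothing while Bob produces four alerts, two high and two medium; the `severity` field is what the operating rhythm above keys on (high to the daily queue, medium to weekly triage), and `narrative` is the short, factual, timestamped note that should be logged when the alert is closed. The rapid in/out rule is deliberately written per withdrawal rather than per deposit so that one withdrawal funded by several deposits yields one alert, not one per deposit.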
4) SMR readiness: design your escalation path before you need it
Suspicious Matter Reports (SMRs) are not just a formality. Once a suspicion is formed the statutory clock is short (3 business days, or 24 hours where the matter relates to terrorism financing), so staff need a repeatable internal process that tells them what to do when something feels off. The biggest failure mode is ambiguity: no one is sure whether to escalate, and time passes.
Create an SMR-ready escalation path with:
- Clear internal triggers: structuring indicators, rapid movement of funds, inconsistent identity/payment ownership, unusual geographic patterns, adverse media, suspected account takeover.
- A documented handoff: frontline ops → compliance/MLRO function (even if that’s a part-time role initially).
- Case file standards: what evidence must be attached (KYC docs, ledger, PSP logs, chat/email notes, trading activity summary, screening results).
- Decision outcomes: continue with monitoring, restrict withdrawals, request additional info, offboard, file SMR.
Operational note: staff training should include “how to write a good internal narrative.” Short, factual, timestamped notes beat long opinions.
5) Recordkeeping that survives audits, disputes, and vendor changes
Recordkeeping is where “we have the data somewhere” becomes expensive. You want retention that’s searchable, exportable, and resilient even if you swap vendors (KYC, CRM, PSP).
Use this recordkeeping checklist to define your minimum viable compliance archive:
- Customer identification records: documents, verification results, liveness/selfie checks (if used), and who approved exceptions.
- Screening evidence: sanctions/PEP/adverse media results, match disposition, timestamps, and rescreen history.
- Risk assessments: onboarding risk score + any subsequent changes with reasons.
- Transaction records: deposits/withdrawals, payment instrument identifiers, payer/payee details, timestamps, amounts, currency, and PSP references.
- Case management: alerts, investigations, outcomes, and escalation notes.
- Training and governance: training completion logs, policy versions, approvals, and periodic review notes.
Two practical rules help startups avoid chaos:
- Store evidence in the system of record, not in inboxes.
- Make retrieval a feature: test exporting a complete customer file (KYC + funding + cases) in under 10 minutes.
6) Implementation checklist: what to do in the first 30–60 days
If you’re a new broker, you need a plan that fits a small team. Here’s a pragmatic checklist to get from “policy draft” to “operational controls.”
Week 1–2: Foundations
- Appoint accountable owners (e.g., MLRO/compliance lead; ops lead; tech owner).
- Document your product/payment flows and control map.
- Draft your risk assessment methodology (simple scoring is fine if it’s consistent).
- Choose KYC + screening vendors and define match-handling rules.
Week 3–4: Workflow + evidence
- Implement onboarding states (e.g., pending, verified, restricted, closed) and define the legal transitions between them: restricted is a side state an account can enter from pending or verified and be cleared back out of, not a step after verified, and closed is terminal.
- Configure CDD gates (what must be verified before trading/withdrawals).
- Implement sanctions/PEP screening at onboarding and on profile changes.
- Build the “customer compliance file” view (KYC, screening, risk score, funding instruments, notes).
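The onboarding states, CDD gates and compliance-file view in this list, together with the decisioning workflow described in section 2, as one added example. This is not code from the post or from Brokeret: the state names follow the list, but the transition table, the gate rules, the field names and the Dana Whitfield walkthrough are this example's assumptions, and the minimum CDD elements in a real deployment come from the broker's own AML/CTF program.

```python
# Added example, not from the post: onboarding states with legal transitions, CDD
# stop/go gates, and an exportable compliance file. Field names and gate rules are
# this example's assumptions; the minimum CDD elements come from the broker's program.
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from enum import Enum

class State(str, Enum):
    PENDING = "pending"
    VERIFIED = "verified"
    RESTRICTED = "restricted"
    CLOSED = "closed"

# 'restricted' is a side state reachable from pending or verified; 'closed' is terminal.
ALLOWED = {
    State.PENDING: {State.VERIFIED, State.RESTRICTED, State.CLOSED},
    State.VERIFIED: {State.RESTRICTED, State.CLOSED},
    State.RESTRICTED: {State.VERIFIED, State.CLOSED},
    State.CLOSED: set(),
}

@dataclass
class Screening:
    list_name: str    # "sanctions" | "pep" | "adverse_media"
    disposition: str  # "clear" | "false_positive" | "true_match" | "pending"

@dataclass
class Account:
    customer_id: str
    legal_name: str
    state: State = State.PENDING
    identity_verified: bool = False
    risk_rating: str | None = None          # assigned at onboarding
    source_of_funds_received: bool = False  # requested only on a risk trigger
    screenings: list[Screening] = field(default_factory=list)
    funding_instruments: list[str] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)  # who did what, in order

def log(acct: Account, actor: str, event: str) -> None:
    acct.audit_log.append(f"{actor}: {event}")

def transition(acct: Account, new: State, actor: str, reason: str) -> None:
    """Refuse moves the state machine does not allow; record the ones it does."""
    if new not in ALLOWED[acct.state]:
        raise ValueError(f"illegal transition {acct.state.value} -> {new.value}")
    log(acct, actor, f"state {acct.state.value} -> {new.value} ({reason})")
    acct.state = new

def record_screening(acct: Account, result: Screening, actor: str) -> None:
    """Onboarding, periodic or event-based screen; a confirmed match restricts the account."""
    acct.screenings.append(result)
    log(acct, actor, f"screening {result.list_name}: {result.disposition}")
    if result.disposition == "true_match" and acct.state in (State.PENDING, State.VERIFIED):
        transition(acct, State.RESTRICTED, "system", f"true match on {result.list_name}")

def cdd_gate(acct: Account, action: str) -> tuple[bool, str]:
    """Stop/go decision for action in {"trade", "withdraw"}; returns (allowed, reason)."""
    if acct.state != State.VERIFIED:
        return False, f"account state is {acct.state.value}"
    if not acct.identity_verified:
        return False, "identity not verified"
    if acct.risk_rating is None:
        return False, "no risk rating assigned"
    unresolved = [s for s in acct.screenings if s.disposition in ("pending", "true_match")]
    if unresolved:
        return False, f"unresolved screening: {unresolved[-1].list_name}"
    if action == "withdraw" and acct.risk_rating == "high" and not acct.source_of_funds_received:
        return False, "high-risk customer: source of funds outstanding"
    return True, "ok"

def compliance_record(acct: Account) -> dict:
    """One customer record linking KYC state, screenings, risk rating, funding and notes."""
    data = asdict(acct)
    data["state"] = acct.state.value
    return data

def compliance_file(acct: Account) -> str:
    return json.dumps(compliance_record(acct), indent=2)

def onboard_demo() -> Account:
    """Constructed walkthrough: verify, screen, rate, then open the account."""
    acct = Account("C-2001", "Dana Whitfield")
    acct.identity_verified = True
    log(acct, "kyc-vendor", "identity document verified, liveness passed")
    record_screening(acct, Screening("sanctions", "false_positive"), "analyst-1")
    acct.risk_rating = "high"
    log(acct, "system", "risk rating high (payment method and geography)")
    acct.funding_instruments.append("card-77")
    transition(acct, State.VERIFIED, "analyst-1", "minimum CDD complete")
    return acct

if __name__ == "__main__":
    acct = onboard_demo()
    print(cdd_gate(acct, "trade"), cdd_gate(acct, "withdraw"))
    print(compliance_file(acct))
```

After `onboard_demo()` the account may trade but not withdraw, because the high risk rating triggers a source-of-funds request that has not been answered; a later rescreen that returns a true match moves the account to restricted automatically and both gates close. Every state change and screening result lands in `audit_log`, and `compliance_file()` is the single export (KYC state, screening history, risk rating, funding instruments, notes) that the recordkeeping section asks you to be able to produce on demand.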
Week 5–8: Monitoring + reporting readiness
- Configure monitoring rules (velocity, third-party funding, high-risk geos, unusual withdrawals).
- Set alert severity levels and SLAs (who reviews what, by when).
- Create an SMR escalation playbook and case template.
- Run a tabletop exercise: simulate 2–3 suspicious scenarios and verify you can assemble evidence quickly.
If you can do those steps, you’ll have a defensible baseline: consistent onboarding, ongoing monitoring, a clear escalation path, and records you can actually produce.
The Bottom Line
AUSTRAC-aligned AML/CTF for forex brokers is less about writing a perfect manual and more about building repeatable workflows: KYC/CDD gates, ongoing due diligence routines, SMR escalation, and audit-ready recordkeeping.
Start with a control map of your real money flows, then implement decisioning and evidence capture inside your operating systems.
If you want to operationalize onboarding, monitoring, and case-ready records inside your brokerage stack, talk to Brokeret: /get-started.