easyAML (Platform) Set-up Checklist
This comprehensive seven-phase setup checklist covers the full operational journey from first login through to ongoing post-launch compliance obligations, with timing estimates per phase.
Phase 1 — First login and account setup
☐ Log in at app.easyaml.com and set up MFA
Passkey recommended — also supports authenticator app or SMS
- Passkey — uses Face ID, Touch ID or PIN. Phishing-resistant and fastest day-to-day. Recommended for most office staff.
- Authenticator app (Google Authenticator, Authy) — works offline and internationally. Best for international staff or offshore VAs.
- SMS — fine for local Australian staff. Codes expire after 2 minutes. Not suitable for international mobiles.
Tip: Invitation links are valid for 4 weeks. If expired: go to app.easyaml.com, enter your email, and use Forgot Password to get a fresh link.
☐ Confirm business details in the in-platform setup tutorial
ABN, legal name, trading name, sector(s), organisational structure
The setup tutorial launches on first login and persists across sessions — leave and return at any point. Select all sectors that apply (real estate, conveyancing, legal, accounting, TCSP, precious metals). Sector configuration drives training allocation, CDD flow selection, and AML Program content.
☐ Enter your AUSTRAC Account Number (AAN)
Account Settings > Business & Regulatory Information > AUSTRAC Enrolment
Set the 'Enrolled with AUSTRAC' toggle to Yes, paste your AAN, and save. The AAN auto-populates into all AUSTRAC reports from this point forward.
Important: Must be added before lodging any reports to AUSTRAC. You can continue platform setup without it in the interim.
Phase 2 — Invite your team and assign roles
Allow 15-30 minutes.
☐ Review all nine platform roles before inviting anyone
Roles drive training requirements, permissions, and audit obligations — get them right from the start
Each person gets one primary AML role. The role determines which training modules are allocated automatically and what they can do on the platform. Full role guide: knowledge.easyaml.com
- Compliance Officer (CO) — full access, signs off RA, Program, SMRs and TTRs, lodges AUSTRAC reports.
- 2IC (Deputy CO) — same as CO except cannot add or remove the primary CO.
- Senior Manager — can draft RA, review CDD, oversee training.
- Board Member — oversight only, views Program, training and reporting.
- CDD User — signs off transactions, performs CDD, escalates risk decisions.
- Frontline Staff — initiates KYC/KYB, sends VOI links. Cannot sign off transactions or view completed ID documents.
- Training Only — completes training modules only. Does not consume a paid seat.
- External Auditor — read-only access. Included free at all tiers.
- Integration Developer — API access only.
Common mistake: Do not assign Frontline Staff to anyone who needs to sign off transactions — they cannot. This creates a bottleneck where the CO must close every transaction at volume.
☐ Invite team members via Account Settings > Users > + Invite User
Enter individual email, assign one primary AML role, send invitation
Invitations are valid for 4 weeks. Re-issue via Account Settings > Users > Re-Invite, or the user can self-serve with Forgot Password at app.easyaml.com.
Sole operator: open the Add Users step and exit without adding anyone; the step is then marked as complete.
Troubleshooting guide: knowledge.easyaml.com/how-can-i-invite-other-staff-members
☐ Appoint a 2IC (Deputy Compliance Officer) (Optional)
Critical for leave cover and business continuity
Without a 2IC, the firm cannot sign off transactions, lodge SMRs, or respond to AUSTRAC during the CO's absence. Multiple 2ICs are supported.
Best practice: Have the 2IC in place and fully trained before the primary CO takes any extended leave.
☐ Confirm all invited users have activated accounts and can log in
Check Account Settings > Users for activation status
Common causes for non-activation: spam filtering, corporate email gateway, typo in email address, or expired link. Fix: CO clicks Re-Invite, or user uses Forgot Password at app.easyaml.com. Support: 1300 425 495.
Phase 3 — Risk Assessment and AML/CTF Program
Allow 30-45 minutes.
☐ Complete the ML/TF Risk Assessment
Compliance > ML/TF Risk Assessment — allow 25-30 minutes
The RA is a guided, industry-specific questionnaire. The CO is responsible for approving it. A Senior Manager can assist with drafting. Save and return at any point.
RA date: use today's date (most accurate) or 1 July 2026 if you want documentation to align with your operational commencement date. Either is acceptable to AUSTRAC.
Critical path: The AML Program cannot generate until the RA is approved. Do not skip or rush this step.
☐ Review and formally approve the generated AML/CTF Program
Compliance > AML Program — this is your firm's legal governance document
The Program generates automatically on RA approval. It covers: governance and structure, risk framework, CDD methodology by customer type, and operations/reporting/records.
Download a PDF via Compliance > AML/CTF Program > Download PDF. Each export is timestamped and version-numbered. The Program auto-updates when the RA changes — previous versions are preserved in the audit trail.
Guide: knowledge.easyaml.com/how-do-i-access-my-aml-program
Good to know: The quarterly effectiveness digest (automated) alerts the CO to any items where the Program is not operating as intended. No manual calendar tracking needed.
Phase 4 — Personnel due diligence and training
Allow several days to roll this out across the team.
☐ Complete Personnel Due Diligence (PDD) for yourself as CO
Identity verification, police check, sanctions screening, self-disclosure required
Required under AUSTRAC Rules 5-14 before 1 July 2026. CO PDD components:
- Identity verification (VOI via the platform)
- Police check — upload from CrimCheck, AFP, or state police.
Sole trader/practitioner note: AUSTRAC doesn't strictly mandate a police check on yourself — what's required is a documented fit-and-proper assessment. An NPC (~$50, 1–2 days online) is the easiest evidence to put on file. If your industry licence already required one, just record the licence number, issuing authority, and date instead.
- Bankruptcy check (recommended)
- Sanctions and adverse media screening
- Reference checks, qualification confirmation, regulatory breach history
- Self-disclosures
If your industry licence already required a police check, document the licence number, issuing authority, and date and upload as supporting evidence.
Important: PDD must be completed before providing designated services. Not a recurring annual obligation unless your firm's policies require it.
☐ Initiate PDD for all AML-facing staff (2IC, CDD Users, Frontline Staff)
Depth varies by role — CO and 2IC require the most thorough checks
- CDD User — identity, sanctions/adverse media, self-disclosure required. Police check recommended.
- Frontline Staff — identity, sanctions/adverse media, self-disclosure required. Other checks optional based on firm's risk.
Plan the PDD rollout alongside training — both gate operational access and both should start well before 1 July 2026.
☐ Complete your CO training module
Modules appear automatically in your dashboard based on role and sector
Training is self-paced. Complete mandatory modules before conducting any CDD work. CO training covers: AML/CTF Act obligations, program oversight, SMR/TTR decision-making, and red flag recognition.
Common issue: If training modules are not appearing in a user's dashboard, check that a role has been assigned. Training auto-allocates as soon as the role is set.
☐ Monitor and confirm team training completion from the CO dashboard
No operational CDD access until mandatory modules are complete
The CO dashboard shows training completion status for all users. Module allocation is automatic and role-based. Training certificates are issued on completion and stored in the platform for 7 years.
AUSTRAC webinars (Thursdays 11am, plus daily shorter sessions at easyaml.com/webinars) supplement the mandatory in-platform modules.
Deadline: If launching on 1 July 2026, training must be done before that date. Build runway — do not leave training until the final week.
Phase 5 — First transaction, end to end
Allow 15-30 minutes per transaction.
☐ Create the transaction in easyAML before providing any designated service
CDD must be completed before the service is provided — not after
Open a new transaction and enter matter details (customer name, service type, matter description). This creates the audit trail and opens the CDD workflow.
Regulatory requirement: CDD before service = compliant. CDD after service = potential AUSTRAC breach. Timing is a regulatory requirement, not a platform preference.
☐ Run KYC for individual customers, or KYB for entities
Send the VOI link via SMS or email — no app download needed on the customer's side
For individuals (KYC): send the VOI link. The customer completes verification in their mobile browser in 1-2 minutes. First-attempt pass rate is approximately 85%.
For entities (KYB): enter the company or trust name and ABN. The platform queries ASIC in real time, unwraps the ownership structure to the 25% beneficial-ownership threshold, and prompts for KYC links to each identified natural-person controller. If a trust is found during the unwrap, upload the trust deed — the AI trust-deed reader pre-fills trustees, appointor, and beneficiaries for your review.
Manual VOI: available for customers who cannot complete the digital flow. Upload scanned documents and the platform runs PEP/sanctions/adverse-media screening automatically.
☐ Review PEP, sanctions, and adverse media screening results
Runs automatically on KYC/KYB completion — visible to CDD User and above
PEP screening is mandatory for every customer — not just high-risk ones. Skipping it is a compliance breach even if the customer turns out not to be a PEP.
A sanctions hit may mean you cannot proceed at all. Do not provide services to a sanctioned person or entity. A foreign PEP always triggers Enhanced CDD.
☐ Review the risk rating and action any Enhanced CDD (ECDD) triggers
Low / Medium / High — high risk triggers ECDD and CO sign-off before proceeding
High risk triggers: Source of Wealth and Source of Funds evidence required (approximately 47 pre-built source types). CO or Senior Manager must sign off before designated services proceed. Quarterly re-screening applies.
Manual escalation is available if you observe factors the automated scoring would not capture — audit-logged with your name, timestamp, and reason.
Important: Do not provide designated services to a high-risk customer before ECDD is complete and the CO has signed off.
☐ Sign off the transaction (CDD User or CO)
Formal confirmation that CDD obligations have been met — only CDD User and above
CO sign-off is explicitly required if: the transaction is High Risk, a PEP or sanctions hit was returned, supplementary documents are attached, or the sector mandates it.
Pre-commencement customers (clients you were already serving on 1 July 2026): no need to redo CDD unless a suspicion arises or the relationship significantly changes.
☐ Understand the Unusual Activity Report (UAR) and SMR workflow
Staff raise UARs, CO reviews and decides whether to escalate to an SMR — 3 business days to lodge
Staff raise a UAR in the platform when they observe a concern. They do not see whether it becomes an SMR (tipping-off protection). The CO reviews the UAR with full transaction context and screening results in one view. If reportable, the SMR template auto-populates from the CDD record.
Only the CO can lodge an SMR. SMRs are confidential intelligence to AUSTRAC — not criminal accusations. Reporters are legally protected.
Tipping-off: Never tell the customer an SMR has been or will be lodged. Tipping-off carries up to 2 years imprisonment.
☐ Confirm the audit trail is complete
easyAML retains all records for 7 years automatically — no manual action required
Every action is logged: user, action, target, timestamp, and before/after values. 7-year retention continues even if you cancel your subscription — read-only access is maintained at no charge. External auditors receive free read-only access at all tiers.
Good to know: All audit trail maintenance is automatic. Your obligation is to perform CDD correctly — easyAML handles the record-keeping from there.
Phase 6 — Ongoing compliance obligations
Recurring after go-live.
☐ Ongoing monitoring runs automatically — no action required
Included at all subscription tiers at no per-event charge. Re-screening cadence: low risk annually, medium 6-monthly, high quarterly. ASIC change monitoring runs continuously for all Australian company customers.
The only charge from ongoing monitoring is if a detected change requires a KYC or KYB re-verification — billed at standard unit rates.
☐ Review the quarterly effectiveness digest when it arrives
The platform reviews CDD completion rates, SMR/TTR lodgement timing, training currency, and overdue re-screening each quarter. Review the digest and action any outstanding items.
☐ Lodge Threshold Transaction Reports (TTRs) for physical cash at or above $10,000
10-business-day lodgement window from the transaction date
The platform pre-populates the TTR from transaction data. CO copies the finalised content into AUSTRAC Online.
Watch for structuring: deliberately splitting transactions below $10,000 to avoid the TTR threshold is itself an offence and a mandatory SMR red flag.
☐ Prepare and lodge the Annual Compliance Report to AUSTRAC
Due January-March each year — first report covers 1 July to 31 December 2026
Approximately 100 questions covering the prior calendar year. easyAML auto-populates the bulk of it from platform data. The CO reviews, adds narrative responses, and lodges via AUSTRAC Online. This typically reduces the work from days of manual data gathering to 1-2 hours of review.
☐ Report at least annually to your governing body
Board, partnership, or owner — formal compliance report with issues identified and remediation
Use the Annual Compliance Report draft as the base. Document that the governing body reviewed the report and any decisions made as a result.
☐ Plan for the 3-year independent AML evaluation
First evaluation not due until 1 July 2029 at earliest
When the time comes, invite the auditor as an External Auditor user in easyAML — free at all tiers. They receive read-only access to the full audit history without any data exports needed.
Phase 7 — Additional configuration
As needed after go-live.
☐ Send client-facing communication to prepare your customers for VOI
- Client letter template: knowledge.easyaml.com/client-letter-template
- Client Verification FAQs: knowledge.easyaml.com/client-verification-faqs
- End-user KYC process guide: knowledge.easyaml.com/kyc-check-end-user-guide
Clients who are prepared complete VOI faster and with fewer support calls.
☐ Configure your SMS Sender ID for branded outbound SMS
Account Settings > Operations > Metadata > SenderID
ACMA Sender ID Registration rules effective 1 July 2026 require the Sender ID to be registered. easyAML can handle registration on your behalf — ask your BDM.
☐ Explore integrations with your practice management software
Integrations reduce double-entry and allow transactions to be initiated from within your existing workflow.
Quick reference
Key dates
- 31 March 2026 — AUSTRAC enrolment window opened
- 29 July 2026 — Deadline to notify AUSTRAC of your Compliance Officer
- 1 July 2026 — Tranche 2 obligations commence — all CDD must begin from this date
- January-March 2027 — First Annual Compliance Report due (covering 1 July to 31 December 2026)
- 1 July 2029 — Earliest date the first independent AML evaluation is due
Contacts
- Platform support — support@easyaml.com | 1300 425 495
- Billing — billing@easyaml.com
- Sales — sales@easyaml.com
- Knowledge Base — knowledge.easyaml.com
- Webinars — easyaml.com/webinars
- AUSTRAC Online — auth.austrac.gov.au
This article is based on AUSTRAC guidance current as at May 2026. easyAML is not a legal adviser. For regulatory advice specific to your circumstances, consult a qualified AML/CTF compliance professional.