One of the questions we often get from AML Shield users is: “What should my transaction monitoring system look like? Does it need to be perpetually scanning for suspicious transactions, like a bank?”
This is one of the most confusing areas for smaller businesses — and understandably so. When most people hear “transaction monitoring,” their minds jump to images of sophisticated software dashboards, real-time alerts pinging every few seconds, and teams of analysts triaging flagged transactions around the clock. That’s what banks do. That’s not what you need to do.
Based on the AUSTRAC AML/CTF program starter kit documents, you do not need a complex, automated transaction monitoring system that runs perpetually like a bank. For a small designated non-financial business or profession (DNFBP), such as an accounting practice or real estate agency with fewer than 16 staff, your “system” is a risk-based manual process that relies on staff awareness, periodic reviews, and escalation procedures.
Let’s break that down.
Your Monitoring System Is Largely Behavioural
This is the bit that surprises most people. According to the AUSTRAC starter kit Process document, under Client risk rating and ongoing customer due diligence process, your monitoring consists of two main components:
- Behavioural monitoring — You are expected to monitor the client’s behaviours during your interactions with them and observe how they use your services throughout the practice relationship.
- Periodic reviews — You must review client information and risk ratings at set intervals to ensure everything remains accurate and up to date.
That’s it. No real-time automated software required. Instead, the system relies on your staff observing interactions and keeping an eye out for unusual transactions and behaviours — including transactions involving $10,000 or more in physical currency.
If you’ve been losing sleep over whether you need to invest in expensive monitoring software, you can breathe a little easier. AML Shield has this covered.
Monitoring Is Risk-Based, Not Perpetual
Here’s where the risk-based approach really comes into play. The frequency of your monitoring isn’t the same for every client — it’s determined by the ML/TF risk rating you assigned during onboarding. As the starter kit Process document lays out:
- Low-risk clients: Monitor behaviours to detect unusual activity. Conduct a periodic review every 3 years.
- Medium-risk clients: Exercise a higher level of monitoring than for low-risk clients. Conduct a periodic review every 2 years.
- High-risk clients: Exercise a higher level of monitoring than for medium-risk clients. Conduct a periodic review every year.
This tiered approach is entirely consistent with how the Financial Action Task Force (FATF) expects AML measures to work. The FATF’s risk-based approach recognises that not all customers, transactions, and products pose the same level of risk, and it emphasises the need for businesses to tailor their measures accordingly. The whole point is proportionality — directing your resources where they’re genuinely needed, rather than applying a blanket level of scrutiny to every single client relationship.
The risks and controls for a small sole practitioner will not be the same as for a medium-sized business or a large professional services firm. Tailoring your approach is key.
Yes, It Can Be Embedded in Staff Training
Your staff are the primary “sensors” for your monitoring system. The AML Shield starter kit Policy document, under Personnel training, explicitly states that training must cover:
- How to identify ML/TF risks and indicators of criminal activity.
- How to detect and escalate matters that must be referred to the AML/CTF compliance officer.
Think about what that means in practice. If your team is trained to notice when a client wants to pay for a service with unusually large amounts of cash, or requests a service that doesn’t match their profile, or suddenly changes the way they interact with your practice — they are fulfilling the “ongoing monitoring” requirement.
For the vast majority of Tranche 2 businesses, training and people will sit at the heart of your monitoring system. As AUSTRAC CEO Brendan Thomas has noted, staff in DNFBP sectors are generally not yet trained to spot red flags or report suspicious activity, and the new regime has made that even more pressing. This is one thing that your business likely needs to address before 1 July 2026.
The “Alert” Mechanism Is Escalation
Instead of an automated alert popping up on a screen, your system uses a much simpler mechanism: an Escalation form.
The AML Shield starter kit Process document, under Escalating matters to the AML/CTF compliance officer process, outlines that if staff identify unusual activity or risks not already captured in your risk assessment, they must complete an Escalation form and send it to the Compliance Officer.
Think of it as a structured way of saying: “Something doesn’t look right — here’s what I noticed, and here’s who needs to look into it.” It doesn’t require technology. It requires a process and the discipline to follow it.
Why This Matters Right Now
If you’re an accountant, lawyer, or real estate professional in Australia, this isn’t theoretical anymore. From 1 July 2026, Tranche 2 of Australia’s AML/CTF reforms will bring approximately 90,000 new entities — including professional services firms — under AUSTRAC’s regulatory umbrella for the first time. The compliance window is tight, and many of these businesses have no prior experience with regulated AML compliance.
AUSTRAC has indicated that perfection is not expected from day one — but enrolment, preparation, and genuine engagement with the regime are essential. The regime is principles-based and proportionate. That’s great news for small practices, because it means you can use an affordable solution like AML Shield that fits the size and complexity of your business rather than buying an enterprise-grade solution you don’t need.
The key message from AUSTRAC’s CEO is that governance sits at the top: it’s the responsibility of business leadership to understand ML/TF risks and ensure appropriate controls are in place and working. You don’t need a bank-grade system to do that. You need clarity, a process, and trained people.
Putting It All Together
For a small business that has face-to-face contact with customers, your transaction monitoring system boils down to three things:
- It’s manual. It relies on staff observation and knowledge of the client — not software scanning transactions in the background. The power of the ‘sniff test’ should never be underestimated. But intuition relies on a solid foundation of understanding what is normal behaviour, and what isn’t.
- It’s periodic. It involves formal reviews of client files every 1 to 3 years based on risk level, not continuous real-time surveillance.
- It’s process-driven. It uses the Escalation form and Trigger event review form to capture issues when they’re noticed, rather than generating automated alerts.
Thanks to the regulator’s willingness to approach Tranche 2 with an open mind, that’s the approach we can take in Australia. It’s what the AUSTRAC starter kit documents describe. As long as your approach is proportionate to the risks your practice faces and aligned with how the FATF expects small DNFBPs to operate, you can work on that basis.
The businesses that will thrive under the new regime aren’t the ones that buy the most expensive tools — they’re the ones that build clear, practical processes and make sure their people understand them. Start there, and you’re already ahead of the curve.