IIP Learning Hub
Chapter 9 - AML/CTF Reforms

Lesson 7 - AML/CTF Reforms: Frequently Asked Questions (FAQ)

Complete & Continue Next Lesson Learn More

This FAQ consolidates guidance to clarify key regulatory expectations and Licensee requirements to assist our Authorised Representatives in understanding and meeting the ongoing AML/CTF obligations under the revised framework.

1. When do the new AML/CTF requirements apply?

  • From 31 March 2026:

    • New clients: An AML/CTF Risk Assessment must be completed at onboarding.

    • Existing clients: An AML/CTF Risk Assessment must be completed on or before the next engagement or review advice.

2. What is expected of Advisers under AML/CTF obligations?

  • Advisers are expected to:

    • Properly assess, manage, and mitigate ML/TF risks and verify client identity

    • Understand the purpose and nature of the client relationship

    • Be alert to unusual transactions or inconsistent behaviour

    • Report suspicious matters to the Licensee for AUSTRAC SMR submission

3. How should the Risk Assessment and Identity Check be completed?

  • If using Xplan:
    Search for your client → Key DetailsIdentity Check, then complete the AML Risk Assessment and Identity Check fields.

  • If using iC2 as CRM:
    Complete the stand-alone AML/CTF Risk Assessment Form and FSC Form or use the iC2 Identity Check feature for each entity (Search for your client → Identity Check). Any completed stand‑alone forms must be uploaded to iC2 as a File Note.

  • Alternative option (or for CRMs other than Xplan or iC2):
    The Fact Find template has been updated to include an AML Risk Assessment page. You can either complete the assessment as part of the fact-finding process or the stand‑alone AML/CTF Risk Assessment Form and FSC Form for each entity. Forms are available for download in Compliance Hub (Template Register). Upload the completed forms to your CRM as a File Note.

  • Third (3rd) party systems

    • Third-party systems such as FAAA SafeID and Annature provide identity verification services that you may use to conduct an Identity Check for your client.

    • Use of these services does not remove the obligation to complete an AML/CTF Risk Assessment.

    • Accessing these third‑party systems may incur subscription fees.

    • A copy of the identity verification report must be uploaded to your CRM.

4. Do I need a new FSC form for every transaction?

  • No. A new FSC form is not required for every transaction where a valid FSC form is already on file and the client’s ID remains current and details unchanged.

  • You may need to reverify the client’s identity using an FSC Form only if their ML/TF Risk rating has increased to Medium or High, or if there are significant changes to their circumstances e.g. changes to ownership structures, beneficial owners or persons acting on their behalf.

‍5. Can I upload certified IDs or signed Client Declarations with TFNs to my CRM?

  • No. IIP has taken the position that Client ID and TFN information must not be stored on devices, servers, cloud platforms (such as OneDrive), CRMs, or in hard copy.

  • Only confirmation records of verification may be retained.

6. Do I need to destroy copies of client ID already on file?

  • Yes – but not retrospectively all at once.

    • Historical ID does not need to be destroyed immediately. Deletion may occur progressively (e.g. at a client’s next review or engagement).

    • Before destroying or redacting any existing files, ensure you already have a record of the identity verification procedure via FSC Form, or the Identity Check feature of your CRM, if available.

    • Do not retain any new copies of client IDs in cloud storage, CRM, or any other system.

‍7. What about TFNs, bank account details, and credit card information?

  • ‍These details should only be collected where operationally required, with evidence of client authorisation, and must not be retained on file.

  • Where forms include such details, upload only redacted versions and destroy unredacted copies. Existing forms that contain such details can be redacted or destroyed progressively (e.g. at a client’s next review or engagement).

8. Will I need to request new certified ID every time a provider asks for it?

  • No. Providers should be aware of the updated regime that Financial Planners no longer need to keep a copy of client’s ID. If you are asked to provide copies of certified ID, contact IIP Support before proceeding.

‍9. How often should AML/CTF Risk Assessment be reviewed?

  • ‍Periodically, at least every 3 years, or

  • As soon as practicable, when there are significant changes to customer type (such as becoming a PEP, or changing their corporate structure/beneficial owners), markets, or regulations.

‍ ‍👉Read our full AML/CTF Policy here: IIP Dealer Group - AML/CTF Policy