ONBOARD by Bhalekar · Master FRD v2.0
AML/CTF Compliance Module — Full Build Specification
For Lead Developer — Rebuild of the Bhalekar Onboard Platform.
From 1 July 2026, Australian accounting firms (Tranche 2 of the AML/CTF Act) must meet obligations regulated by AUSTRAC (Australian Transaction Reports and Analysis Centre). The same reform also captures lawyers and real estate agents nationally; this product positions Onboard as the single platform so a firm “never needs any other compliance tool.”
Critical programme dates (FRD): Every feature in the specification must be live and tested by 26 June 2026 — firms need setup time before 1 July 2026. AUSTRAC enrolment opens 31 March 2026; reporting entities must enrol within 28 days of first providing a designated service after 1 July 2026.
$1,500 implementation + $500/year hosting
One instance per firm — no shared DB
Compliance-ready infrastructure (not a legal “guarantee”)
Document: v2.0 Master Build Spec · April 2026
Based on: v1.0 FRD + external AML/CTF OS review
Build deadline: 26 Jun 2026 — ALL features
Go-live: 1 Jul 2026 Tranche 2
Program templates: Align AUSTRAC Accounting Program Starter Kit (Jan 2026)
Priority tags: Must / Should / Nice · Existing / Enhance / Build
Must Have (launch blocker): Build this or the product cannot launch.
Should Have (complete product): Do after Must Haves — still part of a complete offering.
Other tags (Nice / Existing / Enhance / Build): Nice: time permitting · Existing: already in Onboard — verify against criteria · Enhance: extend · Build: new.
Sec. 3.1 — What Onboard already has
The build must preserve these and integrate them with new compliance modules:
Client onboarding workflow — entity type selection and data collection
Email client — internal email communication
Customer 360 view — unified client profile with documents, emails, notes, and communications
Fee collection — invoicing and payment collection from clients
Client portal — web portal for clients to submit documents and communicate
Sec. 3.2 — High-level additions (Sections 7–18)
AUSTRAC enrolment management
AML/CTF Program builder and document management
Full CDD engine — standard, enhanced, and simplified
Beneficial ownership mapping for all entity types
Risk rating engine — auto Low / Medium / High per client
Ongoing monitoring — periodic re-verification and event-based triggers
Suspicious matter and threshold transaction reporting workflows
7-year record retention with tamper-evident audit log
Staff training and competency module
Firm-wide risk assessment builder
Governance and breach register
Third-party reliance register
Regulatory update feed and compliance calendar
Compliance dashboard for the compliance officer
Commercial & regulator
Pricing: USD/AUD as stated — $1,500 one-time implementation + $500/year hosting
Regulator: AUSTRAC
Provisioning target: under 10 minutes manual work per new firm — automate DB, bucket, DNS
Internal admin tool: not client-facing — provisions PostgreSQL, S3, subdomain, seeds templates & training
Role: Access summary (per FRD)
Partner / Business Owner: Full access to all modules, approvals, exports; signs off governance and risk assessment.
AML/CTF Compliance Officer: Full compliance module; all CDD, SMR, risk, audit; receives all compliance alerts.
Accountant / Staff: Own client work; initiate CDD; raise SM flags; cannot approve high-risk clients.
Practice Manager: Firm-wide settings, onboarding, fee collection, client records; run reports.
Admin Staff: Client data entry and document upload; limited compliance access.
External Reviewer: Read-only audit packs & evidence vault for a defined period.
Client: Portal only — CDD forms, uploads, consents, review requests.
Sec. 4.1 Hosting model
Deployment: One Docker stack per firm on a shared cluster
Subdomain: firmname.onboard.com.au
Database: Separate PostgreSQL per firm — no cross-firm tables
File storage: Separate encrypted S3-compatible bucket per firm
Backups: Daily; 7-year retention (AUSTRAC)
Location: Australia only — Sydney or Melbourne DCs
Cloud: AWS ap-southeast-2 or Azure Australia East
Sec. 4.3 Recommended stack (excerpt)
Nginx — TLS termination
Node (Express) or Python (FastAPI)
PostgreSQL 15+ — encrypted tablespaces
Redis — sessions & rate limiting
AWS SES (Sydney) or SendGrid with AU data routing
PostgreSQL full-text search (MVP)
CloudWatch or Datadog
pg_dump daily + S3 versioning, 7 years
Docker Compose (dev); ECS Fargate or similar (prod)
GitHub Actions → staging → production
Sec. 4.4 $1,500 implementation flow
Firm signup: name, ABN, MLRO, staff count
Admin provisions: DB, bucket, DNS
Seed: AML/CTF program templates, risk assessment templates, training
Welcome email: credentials + checklist
Checklist: profile, invitations, AUSTRAC enrolment, first program
Sec. 4.5 $500/year renewal rules
Invoice 60 days before anniversary
30 days past due → read-only (view/export only; no new clients/workflows)
90 days past due → suspended — data retained (7-year rule), not deleted
Reactivate on payment; export always available even if suspended
Sec. 4.2 — All identity & compliance data must remain in Australian DCs; no offshore CDN/API without consent and legal review.
Sec. 5.1 Encryption
AES-256-GCM on DB fields: TFN, passport, licence #, DOB, home address — field-level, not disk-only
TLS 1.2 min (1.3 preferred); HTTPS only; HTTP redirect
S3 docs: SSE-S3 or SSE-KMS
bcrypt cost ≥12; no MD5/SHA1; keys in KMS/Vault; rotate annually; encrypted backups
Sec. 5.2 Auth & sessions
MFA required staff; TOTP (not SMS-only); recommended clients
JWT staff 8h; portal 30 min; refresh in httpOnly cookies
Password ≥12 + upper/lower/digit/symbol; HIBP on registration
Lockout after 5 fails; email unlock; log failures; optional IP allowlist (MLRO)
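The password rules and the lockout-after-5-failures behaviour above, as an added Python example that is not Onboard's own code. It assumes an unlock link valid for 15 minutes (the spec fixes no TTL) and leaves the HIBP lookup as an external call that is noted but not made; the `LoginGuard` and `AccountLockState` names are this example's own.

```python
"""Password policy and failed-login lockout for the Sec. 5.2 controls.

Added example, not Onboard code. Assumptions: the unlock link emailed after
lockout is valid for 15 minutes (the spec fixes no TTL), and the HIBP check at
registration is an external call that is noted but not made here.
"""
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
UNLOCK_TOKEN_TTL_SECONDS = 15 * 60   # assumption: spec does not state a TTL


def password_policy_violations(password: str) -> List[str]:
    """Return every rule the password fails; an empty list means it is policy-compliant.

    A compliant password must still be checked against HIBP before registration accepts it.
    """
    checks = [
        (len(password) >= MIN_PASSWORD_LENGTH, f"shorter than {MIN_PASSWORD_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "no upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "no lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no symbol"),
    ]
    return [reason for ok, reason in checks if not ok]


@dataclass
class AccountLockState:
    failed_attempts: int = 0
    locked: bool = False
    unlock_token: Optional[str] = None
    unlock_token_expires: float = 0.0
    failure_log: List[dict] = field(default_factory=list)   # every failure is logged (feeds the audit log)


class LoginGuard:
    """Tracks consecutive failures per account and locks the account on the 5th."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, AccountLockState] = {}

    def _state(self, email: str) -> AccountLockState:
        return self._accounts.setdefault(email.lower(), AccountLockState())

    def is_locked(self, email: str) -> bool:
        return self._state(email).locked

    def record_failure(self, email: str, ip: str) -> AccountLockState:
        state = self._state(email)
        state.failed_attempts += 1
        state.failure_log.append({"email": email, "ip": ip, "at": self._clock()})
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS and not state.locked:
            state.locked = True
            state.unlock_token = secrets.token_urlsafe(32)
            state.unlock_token_expires = self._clock() + UNLOCK_TOKEN_TTL_SECONDS
            # Here the application would email the unlock link to the account holder.
        return state

    def record_success(self, email: str) -> None:
        """A correct password resets the counter but never bypasses an active lock."""
        state = self._state(email)
        if not state.locked:
            state.failed_attempts = 0

    def unlock(self, email: str, token: str) -> bool:
        """Clear the lock only for a matching, unexpired token (constant-time compare)."""
        state = self._state(email)
        if not state.locked or state.unlock_token is None:
            return False
        if not secrets.compare_digest(token, state.unlock_token):
            return False
        if self._clock() > state.unlock_token_expires:
            return False
        state.locked = False
        state.failed_attempts = 0
        state.unlock_token = None
        return True
```

The guard is keyed by account rather than by IP on purpose: the per-IP login limit in Sec. 5.3 is a separate control, and a distributed guessing attempt against one account should still hit the lock after five failures regardless of where the attempts come from.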
Sec. 5.3–5.5 App & audit
Parameterized SQL; XSS sanitisation; CSP; CSRF on state-changing methods
Rate limits: login 5/min/IP; API 100/min/user; uploads 20/hour/user; max file 20MB; magic-byte validation; ClamAV or GuardDuty
Headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy no-referrer
Audit log immutable — who, action, entity, before/after, UTC ms, IP, UA, fingerprint, outcome
Annual pen test (CREST AU recommended), log review, key rotation, account review, OWASP Top 10 in code review
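The magic-byte and size checks on uploads and the three rate limits listed above, as an added Python example rather than Onboard's own code. It assumes PDF, JPEG and PNG are the accepted ID-document types, reads "20MB" as 20 × 1024 × 1024 bytes, and leaves the ClamAV/GuardDuty scan as a step that runs after these checks; `validate_upload` and `SlidingWindowLimiter` are this example's own names.

```python
"""Upload validation and request rate limiting for the Sec. 5.3 controls.

Added example, not Onboard code. Assumptions: the accepted ID-document types are
PDF, JPEG and PNG; 20MB is taken as 20 * 1024 * 1024 bytes; the ClamAV/GuardDuty
scan the spec requires runs after these checks and is not shown.
"""
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 20 * 1024 * 1024

# Leading bytes that identify each accepted type. Neither the declared MIME type
# nor the file extension is trusted: both are compared with what the bytes are.
MAGIC_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "application/pdf": (b"%PDF-",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSION_TYPES = {".pdf": "application/pdf", ".jpg": "image/jpeg",
                   ".jpeg": "image/jpeg", ".png": "image/png"}


def detect_content_type(data: bytes) -> Optional[str]:
    """Identify the content by its magic bytes, or None if no accepted signature matches."""
    for mime, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Size, signature, declared type and extension must all agree."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "exceeds 20MB limit"
    actual = detect_content_type(data)
    if actual is None:
        return False, "unrecognised file signature"
    if actual != declared_type:
        return False, f"declared {declared_type} but content is {actual}"
    ext = os.path.splitext(filename)[1].lower()
    if EXTENSION_TYPES.get(ext) != actual:
        return False, f"extension {ext or '(none)'} does not match content type {actual}"
    return True, actual   # the virus scan would run next, before the file reaches the vault


class SlidingWindowLimiter:
    """At most `limit` events per `window_seconds` for each key (an IP or a user id)."""

    def __init__(self, limit: int, window_seconds: float, clock: Callable[[], float] = time.time):
        self.limit = limit
        self.window_seconds = window_seconds
        self._clock = clock
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        events = self._events[key]
        while events and events[0] <= now - self.window_seconds:
            events.popleft()              # drop timestamps that have left the window
        if len(events) >= self.limit:
            return False                  # caller answers 429 and logs the event
        events.append(now)
        return True


# The three limits exactly as the spec states them.
LOGIN_LIMIT = SlidingWindowLimiter(5, 60)        # login: 5/min per IP
API_LIMIT = SlidingWindowLimiter(100, 60)        # API: 100/min per user
UPLOAD_LIMIT = SlidingWindowLimiter(20, 3600)    # uploads: 20/hour per user
```

In production the per-key deques would live in Redis (the spec's session and rate-limit store) so that every container in the firm's stack sees the same counts; the in-process version above shows the same sliding-window logic.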
Sec. 6 — Privacy & APPs (summary)
Privacy Notice before any portal personal data — who, why, storage, retention, access/correction
Data minimisation — only AUSTRAC-required CDD fields (Section 9)
Access/correction requests fulfilable from admin console
Data breach register + notification workflow (serious harm → OAIC & individuals)
TFN: field encryption, log every view, exclude from exports unless legally required
No cross-border disclosure without documentation and equivalent protection
Gateway: is the engagement a designated service?
SC-1.1 Questionnaire — company/trust restructuring, registered office, client funds, real estate buy/sell, nominee director/trustee → Regulated / Not Regulated / Needs Review
SC-1.2 Pre-engagement gate — banner; block Active until CDD or approved exception
SC-1.3 Immutable classification decision log
SC-1.4 Override Not→Regulated (Partner/MLRO; rationale; dashboard flag)
SC-1.5 Re-classification on scope change (Should)
SC-1.6 In-app designated services reference (Should)
AE-1.1 Readiness checklist + progress %
AE-1.2 Dashboard countdowns; emails at 90/30/14/7 days
AE-1.3 Business profile for AUSTRAC (pre-populated)
AE-1.4 Store enrolment confirmation + ref in vault (7y)
AE-1.5 Update events (personnel/services) — ~14-day due (Should)
Templates align AUSTRAC Accounting Program Starter Kit (Jan 2026).
PB-1.1–1.2 Part A governance · Part B CDD procedures (configurable)
PB-1.3 Version control + timeline; read-only history
PB-1.4 MLRO designation fields
PB-1.5–1.6 Annual review workflow · Board/owner digital sign-off
PB-1.7 Independent review tracker (Should)
PB-1.8 Branded PDF export with signatures & history
Entity types: Individual; Company (Pty/Public); Trust (Discretionary/Unit); Partnership; SMSF; Foreign Entity.
CDD-1.1–1.6 Per-entity paths, directors/BOs/partners/trustees, ASIC extract / trust deed / partnership agreement / ATO SMSF confirmation
CDD-1.7 ABR real-time validation (inline tick/warning)
CDD-1.8 ID uploads — passport, licence, Medicare, PoA ≤3mo; virus scan; magic bytes
CDD-1.9 Nature & purpose + source of funds
CDD-1.10 Digital consent — immutable timestamp, IP, fingerprint, device, version (Existing)
CDD-1.11 CDD completion certificate → vault
CDD-1.12 Badges: Complete / Incomplete / Expired / Enhanced required
Beneficial ownership (CDD-2.1–2.4)
>25% BOs; multi-level tree; listed-company escalation; associated persons CDD
Enhanced (CDD-3.1–3.6)
PEP/jurisdiction/opacity/hit/manual triggers; ComplyAdvantage stores; SoW; Partner/MLRO Approve/Restrict/Decline; case file
Simplified (CDD-4.1–4.2)
Immutable justification; audit-flagged in exports
Module 5 — Ongoing (OM-1.1–1.7)
Re-verify: Low 3y / Medium 12m / High 6m (adjustable); 30-day reminders; events (directors, BO, service, screening, payments, manual); portal self-update; review history; monthly rescreen; overdue widget; legacy import (Should)
Module 6 — Firm risk (RA-1.1–1.7)
Wizard: client/service/channel/payment/geographic; inherent 1–3; controls weak/adequate/strong; residual; heatmap (Should); register PDF/XLSX; annual review; link to client risk engine (Should)
Module 7 — SMR/TTR (SMR-1.1–1.10)
Staff flags; tipping-off full-screen + tick; triage; 24h timer from suspicion formed; narrative; Submit/Do not report/Investigate; AUSTRAC ref storage; post-report controls; TTR ≥$10k cash + structuring note; cross-border instruments (Should)
RK (8): vault metadata; 7y from relationship end; relationship end date; SHA-256 tamper check; legal hold (Should); ZIP audit export + TOC; chain of custody (Should); manual delete approval post-retention (Should)
TR (9): foundation + MLRO tracks; pages not video; 15Q MCQ ≥80%; 3 fails notify MLRO; PDF cert in vault; tracker; 12m refresher + block high-risk approvals if overdue; new-staff assign (Should); policy attestation
GV (10): MLRO profile + handover log; governance sign-off; breach register; CAPA; internal testing (Should); action register; conflicts register (Nice)
TP (11): reliance register + adequacy checklist; introducer register; reliance flags + deregistration alert (Should)
DB (12): health score 0–100 (weights 30/25/20/15/10; amber <70, red <50); CDD widget; risk chart + >20% high prompt; training widget; SMR/TTR summary; deadlines; audit PDF; AUSTRAC feed (Should); template alerts (Should); calendar (GCal/Outlook Phase 2)
19.1 Email (EC-1.1–1.4)
Secure document request → vault; tag compliance evidence emails; read tracking (Should); no-contact / SMR banner (Must Enhance).
19.2 Customer 360 (C360-1.1–1.4)
Compliance tab; ownership panel + per-person CDD status; matter-level CDD-at-commencement + breach if incomplete; payment signals (third-party payer, splits, cash near $10k).
19.3 Fee collection (FC-1.1–1.4)
Payer mismatch flag; 24h split >$10k structuring flag; cash → pre-filled TTR; third-party payer documentation.
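The three fee-collection signals (payer mismatch, 24-hour split above $10k, cash at or above the TTR threshold), run over a small constructed set of payments as an added Python example that is not Onboard's own code. It assumes the split check applies to cash payments, since the TTR threshold is a cash threshold, and that amounts are in AUD; the payment dict layout and the function names are this example's own.

```python
"""Payment-signal checks for fee collection (FC-1.1 to FC-1.4).

Added example, not Onboard code. Assumptions: payments are dicts with the fields
shown in SAMPLE_PAYMENTS, the structuring check covers cash payments only (the
TTR threshold is a cash threshold), and amounts are in AUD.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

TTR_THRESHOLD_AUD = 10_000            # cash at or above this needs a TTR
STRUCTURING_WINDOW = timedelta(hours=24)

# Constructed sample data: three clients, five payments.
CLIENT_NAMES: Dict[str, str] = {
    "c-1": "Example Pty Ltd",
    "c-2": "Smith Family Trust",
    "c-3": "Northern Partners",
}
SAMPLE_PAYMENTS: List[dict] = [
    {"id": "p-1", "client_id": "c-1", "payer_name": "Example Pty Ltd",
     "method": "cash", "amount_aud": 6_000, "paid_at": datetime(2026, 7, 2, 9, 0)},
    {"id": "p-2", "client_id": "c-1", "payer_name": "EXAMPLE PTY LTD",
     "method": "cash", "amount_aud": 5_500, "paid_at": datetime(2026, 7, 2, 16, 30)},
    {"id": "p-3", "client_id": "c-2", "payer_name": "J. Smith",
     "method": "cash", "amount_aud": 12_000, "paid_at": datetime(2026, 7, 3, 11, 0)},
    {"id": "p-4", "client_id": "c-3", "payer_name": "Northern Partners",
     "method": "eft", "amount_aud": 4_000, "paid_at": datetime(2026, 7, 3, 10, 0)},
    {"id": "p-5", "client_id": "c-3", "payer_name": "Northern Partners",
     "method": "eft", "amount_aud": 7_000, "paid_at": datetime(2026, 7, 3, 15, 0)},
]


def _normalise(name: str) -> str:
    """Case-fold and strip punctuation so 'EXAMPLE PTY LTD' equals 'Example Pty Ltd'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def payer_mismatch(payment: dict, client_legal_name: str) -> bool:
    """True when the payer on the receipt is not the client of record (third-party payer)."""
    return _normalise(payment["payer_name"]) != _normalise(client_legal_name)


def cash_ttr_candidates(payments: List[dict]) -> List[dict]:
    """Cash payments at or above the threshold, shaped like a pre-filled ttr_record."""
    return [
        {"client_id": p["client_id"], "amount": p["amount_aud"],
         "transaction_date": p["paid_at"].date(), "cash_flag": True, "source_payment": p["id"]}
        for p in payments
        if p["method"] == "cash" and p["amount_aud"] >= TTR_THRESHOLD_AUD
    ]


def split_structuring_flags(payments: List[dict]) -> List[dict]:
    """Flag cash payments each below the threshold that together exceed it within 24 hours."""
    flags = []
    by_client: Dict[str, List[dict]] = {}
    for p in payments:
        if p["method"] == "cash" and p["amount_aud"] < TTR_THRESHOLD_AUD:
            by_client.setdefault(p["client_id"], []).append(p)
    for client_id, cash in by_client.items():
        cash.sort(key=lambda p: p["paid_at"])
        i = 0
        while i < len(cash):
            j = i
            while j + 1 < len(cash) and cash[j + 1]["paid_at"] - cash[i]["paid_at"] <= STRUCTURING_WINDOW:
                j += 1                     # extend the window while payments stay within 24h of the first
            window = cash[i:j + 1]
            total = sum(p["amount_aud"] for p in window)
            if len(window) > 1 and total > TTR_THRESHOLD_AUD:
                flags.append({"client_id": client_id, "payment_ids": [p["id"] for p in window],
                              "total_aud": total})
                i = j + 1                  # report non-overlapping groups
            else:
                i += 1
    return flags


def payment_signals(payments: List[dict], client_names: Dict[str, str]) -> List[dict]:
    """All three signals for a batch of payments, each tagged with its type and client."""
    signals = []
    for p in payments:
        if payer_mismatch(p, client_names[p["client_id"]]):
            signals.append({"type": "payer_mismatch", "client_id": p["client_id"],
                            "detail": f"{p['id']} paid by {p['payer_name']!r}"})
    for t in cash_ttr_candidates(payments):
        signals.append({"type": "ttr_candidate", "client_id": t["client_id"], "detail": t})
    for f in split_structuring_flags(payments):
        signals.append({"type": "structuring", "client_id": f["client_id"], "detail": f})
    return signals
```

With the sample data, c-1's two cash receipts (6,000 and 5,500 within one business day) raise the structuring flag although neither is a TTR on its own, c-2 raises both a TTR candidate and a third-party-payer flag, and c-3's EFT payments raise nothing. A flag is a prompt for the compliance officer, not a decision: the SMR workflow in Module 7 still applies human judgement.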
19.4 Client portal (CP-1.1–1.4)
Guided CDD steps + progress; privacy acknowledgement; re-verification flow; document status tracker (Should).
ID · Integration · FRD notes
INT-1.1 · ABR API: api.business.gov.au; timeout graceful — warn, don’t block submit
INT-1.2 · ComplyAdvantage: Batch rescreen; full API payload; webhooks; ~USD $300–600/mo budget; alt. World-Check
INT-1.3 · AWS SES: Sydney; SPF/DKIM/DMARC; no Gmail SMTP in prod
INT-1.4 · AWS S3: Private; versioning; SSE; Glacier after 2y; 7y total lifecycle
INT-1.5 · Stripe / Pin: $500/yr billing portal
INT-1.6 · Xero PM: Phase 2 — push clients, pull matter status (Should)
INT-1.7 · AUSTRAC Online: No public API — manual submit + ref in Onboard (Nice / future)
Sec. 20 — Core entities (all include created_at, updated_at, created_by, firm_id)
Every record is isolated per firm.
firm — id, name, abn, address, subscription_status, compliance_officer_id
user — id, firm_id, name, email, role, mfa_enabled, training_status, last_login
client — id, firm_id, entity_type, legal_name, abn, risk_rating, cdd_status, relationship_end_date
associated_person — id, client_id, person_type, individual_cdd_id
individual_cdd — id, person_id, full_name, dob, address, nationality, occupation, id_type, id_number, pep_flag
document — id, client_id, document_type, file_ref, upload_date, uploaded_by, expiry_date, retention_expiry, hash
consent_record — id, client_id, signed_at, ip_address, browser_fingerprint, document_version, signature_data
screening_event — id, client_id, screened_at, provider, result, hit_details, reviewed_by, review_outcome
risk_profile — id, client_id, risk_rating, calculated_at, risk_factors_json, override_by, override_reason
engagement — id, client_id, matter_name, service_type, scope_classification, cdd_complete_at_commencement
smr_case — id, client_id, raised_by, raised_at, narrative, decision, decision_at, decision_by, austrac_reference
ttr_record — id, client_id, amount, transaction_date, cash_flag, reported_at, austrac_reference
amlctf_program — id, firm_id, version, part_a_json, part_b_json, approved_by, approved_at, status
risk_assessment — id, firm_id, version, risk_factors_json, inherent_score, residual_score, approved_by, approved_at
training_record — id, user_id, track, started_at, completed_at, score, certificate_url
breach_item — id, firm_id, discovered_at, description, severity, root_cause, corrective_actions_json, closed_at
audit_log — id, firm_id, user_id, action, entity_type, entity_id, before_json, after_json, ip, timestamp — append-only, no updates/deletes
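How the append-only audit_log entity and the RK module's SHA-256 tamper check and 7-year deletion rule can be implemented, as one added Python example that is not Onboard's own code. It uses in-memory structures in place of PostgreSQL and S3, chains each audit entry to its predecessor's hash so that any edit or deletion is detectable on verification, and assumes that a 29 February relationship end date rolls to 28 February seven years on; `AuditLog`, `store_document`, `check_integrity` and `deletion_allowed` are this example's own names.

```python
"""Tamper-evident audit log and evidence-vault integrity checks.

Added example, not Onboard code: it covers the audit_log entity (append-only,
before/after JSON, UTC millisecond timestamps) and the RK module's SHA-256 tamper
check and 7-year retention rule. In-memory Python structures stand in for
PostgreSQL and S3; the 29-Feb-to-28-Feb roll-over is an assumption.
"""
import hashlib
import json
from datetime import date, datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64
RETENTION_YEARS = 7


def _canonical_hash(entry: dict) -> str:
    """SHA-256 over the entry without its own hash field, serialised canonically."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(raw.encode()).hexdigest()


class AuditLog:
    """Append-only log: each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, firm_id: str, user_id: str, action: str, entity_type: str,
               entity_id: str, before: Optional[dict], after: Optional[dict],
               ip: str, timestamp: Optional[datetime] = None) -> dict:
        ts = timestamp or datetime.now(timezone.utc)
        entry = {
            "firm_id": firm_id, "user_id": user_id, "action": action,
            "entity_type": entity_type, "entity_id": entity_id,
            "before": before, "after": after, "ip": ip,
            "timestamp": ts.isoformat(timespec="milliseconds"),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS_HASH,
        }
        entry["hash"] = _canonical_hash(entry)
        self._entries.append(entry)          # the only write path: no update, no delete
        return entry

    def verify_chain(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and link; (True, None) or (False, index of the first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries):
            if e["prev_hash"] != prev or _canonical_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def retention_expiry(relationship_end: date) -> date:
    """Deletion eligibility is exactly 7 years after the relationship end date."""
    try:
        return relationship_end.replace(year=relationship_end.year + RETENTION_YEARS)
    except ValueError:   # 29 Feb with no leap day 7 years on; assumption: roll to 28 Feb
        return relationship_end.replace(year=relationship_end.year + RETENTION_YEARS, day=28)


def store_document(vault: dict, doc_id: str, data: bytes,
                   relationship_end: Optional[date] = None) -> dict:
    """Record the content hash at upload; later integrity checks compare against it."""
    record = {"bytes": data, "hash": sha256_hex(data),
              "retention_expiry": retention_expiry(relationship_end) if relationship_end else None}
    vault[doc_id] = record
    return record


def check_integrity(vault: dict, doc_id: str) -> bool:
    """Tamper check: the stored bytes must still hash to the value recorded at upload."""
    record = vault[doc_id]
    return sha256_hex(record["bytes"]) == record["hash"]


def deletion_allowed(record: dict, today: date, approved_by_mlro: bool) -> Tuple[bool, str]:
    """Vault delete is blocked before expiry and needs manual approval after it."""
    if record["retention_expiry"] is None:
        return False, "relationship still active; retention clock has not started"
    if today < record["retention_expiry"]:
        return False, "retention period has not expired"
    if not approved_by_mlro:
        return False, "post-retention delete requires manual approval"
    return True, "eligible for deletion"
```

In PostgreSQL the same property is enforced by granting the application role INSERT and SELECT only on audit_log and storing the hash columns alongside the row; the chain verification then runs as a scheduled job and alerts when the first broken index is found, which is the "hash tamper alert" test theme in Sec. 23.1.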
12-week plan (April → 26 June 2026)
Wk · Goal · Scope (FRD)
1–2 · Infrastructure & security: Per-firm deploy, PostgreSQL, S3, TLS, RBAC, append-only audit, field encryption, MFA, CI/CD, staging
3 · Scope + AUSTRAC: SC-1.1–1.6, AE-1.1–1.5
4–5 · CDD standard + BO: CDD-1.1–1.12, CDD-2.1–2.4, INT-1.1, uploads + virus scan
6 · CDD enhanced + screening: CDD-3.1–3.6, CDD-4.1–4.2, INT-1.2, PEP flow
7 · Program + firm risk: PB-1.1–1.8, RA-1.1–1.7
8 · SMR + vault: SMR-1.1–1.10, RK-1.1–1.8
9 · Monitoring + training: OM-1.1–1.7, TR-1.1–1.8
10 · Governance + upgrades: GV-1.1–1.7, EC/C360/FC/CP sets
11 · Dashboard + reliance: DB-1.1–1.10, TP-1.1–1.4
12 · Test & harden: Regression Must Haves, OWASP, 1k clients perf, critical/high bugs
26 Jun · Production: First firms onboard; 5-day monitor pre–1 Jul
Sec. 23.1 — Required test themes: regulated engagement cannot go Active without CDD; scope mapping for six service types; CDD engine correct fields per entity type (per Sec. 23.1); ABN active/cancelled/mismatch; three-level beneficial ownership; PEP → enhanced + blocking approval; ComplyAdvantage storage; SMR 24h timer + tipping-off on relevant screens; SMR decision states; vault delete blocked pre-expiry; hash tamper alert; relationship end → deletion eligibility exactly +7 years; Accountant cannot list SMR cases; client cannot access admin; audit log append-only.
Sec. 23.2 Performance (targets)
CDD submit <3s incl. upload confirm
Dashboard <2s @ 500 clients
Client audit ZIP <30s
Screening <5s + non-blocking UI
100 concurrent users / firm
Sec. 23.3 Browsers
Desktop: Chrome, Firefox, Safari, Edge (latest). Mobile: Chrome Android, Safari iOS — portal fully functional. Min width: 320px portal, 1024px admin.
“We already have a process”: Defensible digital evidence vs. emails/spreadsheets that fail audit.
“Too expensive”: $500/yr vs. partner hour; AUSTRAC penalties from ~$3k minor breach.
“We can wait until 1 Jul”: Program must exist before first post–1 Jul designated service — onboard before the date.
“Guarantee compliance?”: No — market as compliance-ready infrastructure; human judgment remains.
“Data security?”: AU DCs, AES-256, MFA, RBAC, annual pen test — vs. email attachments today.
“Rules change?”: Regulatory feed + template alerts; subscription funds maintenance.
Pricing (unchanged from FRD header)
$1,500 one-time implementation + $500/year hosting — see Sec. 4.4–4.5 for renewal and suspension behaviour.
Prepared for: Lead Developer / Engineering Team · Author: Bhalekar Product Team · Sec. 25 Document control: living spec — update feature Status after each sprint when tests in Sec. 23 pass.
Confidential — FRD intended for Onboard development team only.
© 2026 Bhalekar Pty Ltd. All rights reserved.