AML/CTF Foundations for Accountants – Firm Verify

AML/CTF Foundations for Accountants | Firm Verify Help

Prepared with reference to AUSTRAC guidance current as at May 2026. AML/CTF requirements are evolving — confirm current obligations and seek legal or compliance advice before relying on this document.

Contents

What are AML/CTF laws?
Why accounting firms are now regulated
The Tranche 2 reforms — what changed and when
AUSTRAC — regulator and financial intelligence unit
Designated services — what catches your firm
What your firm must implement
Customer Due Diligence
Reporting obligations and the tipping off rule
Consequences of non-compliance
Key takeaways

1. What are AML/CTF laws?

Anti-Money Laundering and Counter-Terrorism Financing laws exist to prevent the financial system from being used to conceal criminal proceeds or fund terrorist activity. Australia's regime is administered by AUSTRAC.

Anti-Money Laundering (AML)

Prevents criminals from disguising the origins of funds derived from illegal activity — such as drug trafficking, fraud, or corruption — by moving them through the legitimate financial system.

Counter-Terrorism Financing (CTF)

Prevents funds — whether from legal or illegal sources — from being channelled toward terrorist organisations or violent acts. Unlike money laundering, the source of funds may be entirely legitimate.

Proliferation Financing (PF)

A third and growing concern: preventing the financing of weapons of mass destruction. Your firm's AML/CTF program must also include a proliferation financing risk assessment.

Australia's framework: The regime is governed by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the AML/CTF Rules made under it. Both are administered by AUSTRAC. Firms subject to the regime are called reporting entities.

2. Why accounting firms are now regulated

For nearly two decades, Australia's AML/CTF regime only covered banks, financial services firms, and remittance dealers. Accountants, lawyers and real estate agents were exempt — a gap that criminals actively exploited.

Professional services as a target

Criminals target accountants because of their access to company formation, trust structures, property transactions, and banking relationships — precisely the mechanisms used to launder money and hide assets.

The FATF finding

Australia's 2015 FATF mutual evaluation highlighted the significant ML/TF risks posed by accountants and lawyers operating outside the AML/CTF regime. That finding directly triggered the Tranche 2 reforms.

What FATF found: Australia was among a small number of FATF member countries that had not extended AML/CTF obligations to professional services — identified as a major vulnerability in Australia's financial intelligence framework that professional money launderers were known to exploit.

The consequence for your firm: From 1 July 2026, accounting firms that provide designated services become reporting entities under the AML/CTF Act. This creates legally enforceable obligations — not guidelines or best practice recommendations.

3. The Tranche 2 reforms — what changed and when

Australia's AML/CTF reforms were enacted in two tranches. Tranche 1 covered banks and financial institutions. Tranche 2 extends the regime to professional services for the first time.

2006	Tranche 1 enactedAML/CTF Act 2006 comes into force. Banks, credit unions, remittance dealers and financial services firms become reporting entities.
2015	FATF mutual evaluationAustralia's evaluation highlights professional services as a major ML/TF vulnerability. Recommendation to extend the regime to accountants, lawyers and real estate agents.
Nov 2024	Tranche 2 legislation passedThe AML/CTF Amendment Act 2024 passes Parliament on 29 November 2024, formally extending the regime to professional services including accounting firms.
31 Mar 2026	AUSTRAC enrolment opensReporting entities can begin enrolling with AUSTRAC. You do not need to have completed all compliance steps before enrolling.
1 Jul 2026	Full compliance requiredTranche 2 obligations take effect. Accounting firms providing designated services must be enrolled with AUSTRAC and have a compliant AML/CTF program in place.
29 Jul 2026	Enrolment deadlineLast date to enrol with AUSTRAC for Tranche 2 reporting entities. Late enrolment is itself a contravention of the Act. Newly regulated businesses must also notify AUSTRAC of their Compliance Officer by the later of 14 days after enrolment or 29 July 2026.

4. AUSTRAC — regulator and financial intelligence unit

AUSTRAC serves a dual function: it is both Australia's AML/CTF regulator and its financial intelligence unit.

Regulator

Sets and enforces AML/CTF obligations. Issues guidance, conducts compliance assessments, and takes enforcement action against non-compliant reporting entities.

Financial intelligence unit

Collects, analyses, and shares financial intelligence with law enforcement agencies including the AFP, ACIC, and state police forces. SMR data directly supports criminal investigations.

Enforcement powers

Civil penalty proceedings, remedial directions, enforceable undertakings, infringement notices, external audit requirements, and compulsory examination powers.

Compulsory examinations

AUSTRAC can issue a notice requiring individuals to attend an examination, answer questions, and produce documents — including documents held by your firm.

Civil penalties: AUSTRAC can apply to the Federal Court for civil penalty orders. For a body corporate, penalties can be up to 100,000 penalty units — currently $33 million per contravention (at $330 per unit, effective 7 November 2024). Individual practitioners also face personal liability — up to 20,000 penalty units ($6.6 million) per contravention.

AUSTRAC publishes enforcement actions. Civil penalty proceedings and enforceable undertakings are public record. Non-compliance creates lasting reputational damage that is searchable and permanent.

5. Designated services — what catches your firm

Your AML/CTF obligations only apply when you provide a designated service. Nine new designated services were added for professional services under Tranche 2. Most accounting firms are caught by several.

#	Designated Service	For accountants
1	Assisting to buy, sell or transfer real estate	Less common
2	Assisting to buy, sell or transfer a body corporate or legal arrangement (controlling interest)	Possible
3	Receiving, holding or managing client money or property in connection with a transaction	Possible
4	Assisting with equity or debt financing for a body corporate or legal arrangement	Possible
5	Selling or transferring a shelf company	Less common
6	Creating or restructuring a company, trust, partnership or other legal arrangement	Very common
7	Arranging for a person to be a director, secretary or trustee	Very common
8	Arranging for a person to be a nominee shareholder	Possible
9	Providing a registered office address or principal place of business for a company	Catches most firms

Item 9 is the most important one to understand. If your firm's address appears as the registered office for any client company — even if you do nothing else — you are providing a designated service from 1 July 2026 and must enrol with AUSTRAC.

6. What your firm must implement

Once you become a reporting entity, your firm has eight categories of ongoing obligation. These are not optional — each is a legally enforceable requirement under the AML/CTF Act.

#	Obligation	Summary
1	Enrol with AUSTRAC	From 31 March 2026. Enrolment deadline 29 July 2026.
2	AML/CTF Program	Document your risk assessment, policies and procedures. Must be in place by 1 July 2026.
3	Customer Due Diligence	Identify and verify clients before providing designated services. Includes PEP screening and sanctions checks for all new clients.
4	Ongoing Monitoring	Monitor clients and update risk ratings throughout the relationship.
5	Suspicious Matter Reports	Report to AUSTRAC when you suspect ML/TF activity. See Topic 8 for timing obligations.
6	Personnel Training	Train all staff performing AML/CTF functions. Keep training records.
7	Record Keeping	Retain CDD and transaction records for a minimum of 7 years.
8	Program Review	Keep your program current and up to date. An independent evaluation must be conducted at least every 3 years — first Tranche 2 deadline is 1 July 2029.

Where to start: AUSTRAC has published an Accounting Program Starter Kit for firms below a certain size and risk profile. Larger or higher-risk firms should treat the Starter Kit as a base and customise from there. Firm Verify guides you through building your program step by step.

7. Customer Due Diligence — what it requires

Before providing any designated service to a new client, your firm must identify and verify who they are. This process is called Customer Due Diligence (CDD) — also referred to as Know Your Customer (KYC).

1	Collect identity informationFull legal name, date of birth, residential address, and a government-issued ID document (driver's licence, passport) for individuals.

2	Verify the informationCheck it against a reliable, independent source — such as an electronic verification service (e.g. BGLiD) or physical document checks.

3	Identify beneficial ownersFor companies and trusts, identify who ultimately owns or controls the entity — generally anyone with 25% or more ownership or effective control.

Screen for PEPs and sanctionsFor all new clients, determine on reasonable grounds whether the customer, persons acting on their behalf, or persons on whose behalf the service is received are Politically Exposed Persons (PEPs) or designated for targeted financial sanctions. This applies to all initial CDD — not only high-risk engagements.

5	Understand the nature of the relationshipWhat services will be provided? What is the expected transaction profile? What is the source of funds?

Apply the right level of CDDBased on your risk assessment: Simplified (low risk), Standard (medium risk), or Enhanced (high risk). Enhanced CDD is mandatory for foreign PEPs, high-risk jurisdictions, and complex or unusual structures. Note: PEP and sanctions screening is part of all initial CDD — not a feature of enhanced CDD only.

7	Monitor ongoingCDD is not a one-time event. You must update client information and risk ratings when circumstances change throughout the relationship.

Key rule: CDD must be completed before you begin providing the designated service — not concurrently, and not afterwards. Signing an engagement letter before completing CDD creates legal exposure.

8. Reporting obligations and the tipping off rule

Reporting entities must report certain matters and transactions to AUSTRAC. The most important — and most commonly misunderstood — is the Suspicious Matter Report.

Suspicious Matter Reports (SMRs)

You must submit an SMR if you suspect — or have reasonable grounds to suspect — that a matter is related to ML/TF activity. Suspicion alone is the trigger. There is no minimum transaction value.

Timing: Within 3 business days (most offences) or 24 hours (terrorism financing). Where legal professional privilege is claimed, a 5 business day timeframe applies.

Threshold Transaction Reports (TTRs)

Required when physical currency (cash) of $10,000 or more is received or paid in connection with a designated service. Only relevant if your firm handles physical cash in designated service transactions. Electronic payments — including SMSF pension payments — are not physical cash and do not trigger TTR obligations. Filing deadline: 10 business days.

The tipping off offence — updated law (from 31 March 2025) It is a criminal offence to make a disclosure that would or could reasonably be expected to prejudice an investigation. This means you must not tell a client that an SMR has been or may be filed, nor share any information that could alert them to a potential investigation — including indirectly. Do not confirm, deny, or hint at any SMR or related investigation to the client or anyone outside your firm's compliance process.

Record keeping: All CDD records, transaction records, and SMR documentation must be retained for a minimum of 7 years after the end of the customer relationship. AUSTRAC can request records at any time.

9. Consequences of non-compliance

Non-compliance carries serious financial, legal, and professional consequences for both the firm and individual practitioners.

$33M

Maximum civil penalty for a body corporate per contravention (100,000 penalty units at $330/unit, effective 7 Nov 2024)

$6.6M

Maximum civil penalty for an individual per contravention (20,000 penalty units)

7 yrs

Maximum imprisonment for certain criminal offences under the AML/CTF Act

Civil penalties Court-ordered fines applied per contravention. AUSTRAC can pursue multiple contraventions simultaneously — penalties compound rapidly.	Criminal prosecution Knowingly facilitating financial crime can result in criminal charges. Individuals — not just the firm — face imprisonment.
Regulatory action Remedial directions, enforceable undertakings, external audit requirements at the firm's cost, and compulsory examination notices.	Professional consequences CPA Australia, CAANZ and the Tax Practitioners Board can take disciplinary action. Registration and licensing may be at risk.

The corporate veil does not protect individuals. Partners, directors and senior managers face personal liability for their firm's non-compliance — not just the entity itself.

Key takeaways

1	The law is the AML/CTF Act 2006 and the AML/CTF Rules. Both are administered by AUSTRAC. Compliance is legally enforceable — not optional.
2	Accountants are now in scope. The Tranche 2 reforms extend the regime to professional services from 1 July 2026 — the direct result of Australia's 2015 FATF mutual evaluation.
3	Item 9 catches most firms. If your address is the registered office for any client company, you are providing a designated service and must enrol with AUSTRAC.
4	Enrol by 29 July 2026. Enrolment opens 31 March 2026. Late enrolment is itself a contravention. Your AML/CTF program must be in place by 1 July 2026. Notify AUSTRAC of your Compliance Officer by the later of 14 days after enrolment or 29 July 2026.
5	CDD before you engage. Customer Due Diligence must be completed before you provide any designated service. PEP and sanctions screening applies to all new clients — not only high-risk ones.
6	Report suspicions — never tip off. File an SMR if you suspect ML/TF activity. Never disclose anything that could prejudice an investigation — including confirming or denying that an SMR exists. The tipping off offence is a criminal offence under the updated law (from 31 March 2025).
7	Penalties are serious and personal. Up to $33 million per contravention for a body corporate. Individual practitioners face personal liability — the corporate veil offers no protection.