Get started
Get started

Free set up for all new subscriptions before Nov 30th 2023. Save $1,000. Book a demo now

AUSTRAC Tranche 2 Compliance Guide for Australian Accountants and Tax Agents (2026)

From 1 July 2026, Australian accountants, tax agents, and bookkeepers become reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. This guide explains exactly what Tranche 2 means for your practice, what you are required to do before the deadline, and how IdentityCheck by StackGo can help you meet your customer due diligence obligations without adding manual work to your team.

Whether you run a sole-trader practice or a mid-sized firm, this page covers the key obligations, the compliance timeline, and practical steps you can take right now.

What is AUSTRAC Tranche 2?

Australia's existing Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime has applied to financial institutions, banks, and remittance services since 2006. Tranche 2 is the expansion of that regime to a wider group of businesses and professions.

The expanded regime covers what the legislation calls "designated non-financial businesses and professions" (DNFBPs). This group includes accountants, tax agents, bookkeepers, auditors, lawyers, conveyancers, real estate agents, and dealers in high-value goods.

The underlying rationale is straightforward. These professions handle transactions, manage assets, and provide advice that can be exploited for money laundering or terrorism financing. International bodies such as the Financial Action Task Force (FATF) have long assessed Australia's AML/CTF framework as incomplete because DNFBPs were excluded. Tranche 2 closes that gap.

For accounting firms, this means that if you provide certain designated services (such as managing client money, forming companies, or providing tax and financial advice in connection with transactions), you must now comply with AML/CTF obligations in the same way that banks and financial services firms already do. The critical dates are 30 May 2026 for AML/CTF officer notification and 1 July 2026 for full enrolment and go-live.

Does This Apply to My Accounting Firm?

The obligations apply to you if your practice provides one or more "designated services" as defined under the AML/CTF Act. The table below gives a plain-English summary of who is in scope.

Practice Type Likely In Scope? Reason
Registered tax agent (individual or firm) Yes Tax services connected to transactions or business structures are designated services
Bookkeeper providing payroll and BAS services Yes (likely) Managing client funds or financial accounts falls within scope
Accountant providing SMSF administration Yes Managing financial assets on behalf of clients is a designated service
Accountant providing company formations or trust setups Yes Acting as a registered agent for entity creation is explicitly in scope
Sole-trader BAS agent (BAS only, no tax advice) Yes (likely) BAS services involving client accounts are within scope; confirm with AUSTRAC guidance
Accountant providing purely advisory services with no transaction involvement Possibly not Pure advice without involvement in client funds or entity creation may fall outside scope; seek legal confirmation

If your practice is registered with the Tax Practitioners Board (TPB), you should also be aware that the TPB requires registered tax agents to comply with all laws relevant to their services. That means your TPB registration and your AUSTRAC obligations are linked. Non-compliance with AUSTRAC can affect your standing with the TPB.

If you are uncertain whether your specific services are in scope, review AUSTRAC's published guidance on designated services for DNFBPs, or seek legal advice before the July 2026 deadline.

What Do You Need to Do Before 1 July 2026?

The following steps apply to the majority of accounting and tax agent practices in scope. Work through these in order. Steps 1 and 2 have the earliest deadlines.

  1. Step 1 — Confirm whether your services are in scope (do this now)

    Review the AUSTRAC guidance on designated services for DNFBPs. Map each service your practice provides against the list of designated services. Document your assessment. If any service is in scope, proceed with all steps below.

  2. Step 2 — Appoint your AML/CTF Compliance Officer and notify AUSTRAC by 30 May 2026

    You must appoint a person within your practice as your AML/CTF Compliance Officer and notify AUSTRAC of that appointment. In a sole-trader or small practice, this will usually be the principal. The notification deadline is 30 May 2026. Missing this deadline puts you in breach before the go-live date. Notification is submitted through the AUSTRAC Online portal.

  3. Step 3 — Enrol with AUSTRAC by 1 July 2026

    All reporting entities must enrol with AUSTRAC through the AUSTRAC Online portal. Enrolment is separate from the officer notification in Step 2. You will need your ABN, business details, and information about the designated services you provide. Complete this before 1 July 2026, which is the mandatory go-live date for the expanded regime.

  4. Step 4 — Develop and implement an AML/CTF program

    You are required to have a documented AML/CTF program in place. This program must cover how you identify and verify clients (customer due diligence), how you assess and manage risk, how you detect and report suspicious activity, and how you train your staff. AUSTRAC provides a template for small and medium businesses. Your program must be tailored to your practice, not just a generic copy of a template.

  5. Step 5 — Set up your customer due diligence (CDD) process

    Before providing a designated service to any new client, you must verify their identity. This means collecting and verifying their full name, date of birth, and residential address using a reliable, independent source. You must also screen clients against Politically Exposed Person (PEP) and sanctions lists. This process must be completed before the service is provided, not retrospectively.

  6. Step 6 — Apply CDD to existing high-risk clients

    You are not required to re-verify every existing client on 1 July 2026. However, you must apply a risk-based approach. Clients with complex structures, offshore connections, high transaction volumes, or other risk indicators must be prioritised for CDD. Document your risk-rating methodology and keep records of assessments. Lower-risk clients can be reviewed on a rolling basis as part of ongoing monitoring.

  7. Step 7 — Establish record-keeping and SMR processes

    You must keep records of all CDD conducted, including the documents sighted and the verification outcome. Records must be kept for at least seven years. You must also have a process for identifying and filing Suspicious Matter Reports (SMRs) with AUSTRAC when you suspect a client may be involved in money laundering, terrorism financing, or other financial crime.

  8. Step 8 — Train your staff

    Your AML/CTF program must include a staff training component. All staff who interact with clients or process transactions need to understand their obligations, how to conduct or support CDD, and how to identify and report suspicious matters. Training must be documented and refreshed regularly.

What is Customer Due Diligence (CDD) and How Do You Do It?

Customer due diligence is the process of verifying who your client is before you provide a designated service to them. Under the AML/CTF Act, this is a mandatory obligation, not a discretionary step.

What CDD requires

For individual clients, CDD requires you to:

  • Collect the client's full legal name, date of birth, and residential address
  • Verify that information against a reliable, independent source (such as a driver's licence, passport, or other government-issued document)
  • Screen the client against Politically Exposed Person (PEP) lists
  • Screen the client against Australian and international sanctions lists
  • Retain records of the verification and the documents sighted for at least seven years

For business clients, CDD is more involved. You must verify the business entity itself (ABN, ASIC registration, registered address) and also identify and verify the beneficial owners — the individuals who ultimately own or control the business. Beneficial ownership thresholds typically apply at 25% or more of ownership or control.

Ongoing monitoring

CDD is not a one-time event. You must monitor client relationships on an ongoing basis. This means reviewing client information when it changes, re-assessing risk when circumstances change, and updating records accordingly.

How IdentityCheck automates CDD for accounting firms

IdentityCheck by StackGo integrates directly into the practice management tools your team already uses, including XPM (Xero Practice Manager), Karbon, HubSpot, and FYI Docs.

When a new client is added to your practice, a one-click identity verification request is sent from within your existing tool. The client completes verification on their device. IdentityCheck performs automated PEP and sanctions screening in the background. The result is written back into your client record automatically, with a full audit trail. No separate portal, no manual data entry, no separate compliance workflow.

How IdentityCheck Helps Accounting Firms Meet Tranche 2

  • Built into your existing practice management tools. IdentityCheck works inside XPM, Karbon, HubSpot, and FYI Docs. Your team does not need to learn a new system or switch between platforms. The verification trigger, the result, and the audit record all live inside the tools you already use every day.
  • One-click CDD with automatic PEP and sanctions screening. Every identity verification includes automated screening against PEP lists and sanctions lists as a standard part of the process. You get a single outcome that covers both identity verification and AML screening, recorded automatically.
  • Automatic record writeback for audit readiness. AUSTRAC requires you to maintain records of CDD for at least seven years. IdentityCheck writes the full verification record back to the client record automatically. If AUSTRAC ever requests evidence of your CDD, you can produce it immediately.
  • Scales from sole traders to multi-partner firms. Whether you have 50 clients or 5,000, IdentityCheck handles the volume without adding headcount. Bulk verification requests can be sent for existing client remediation. The system grows with your practice.

IdentityCheck is available at stackgo.io/identitycheck/.

Frequently Asked Questions

Does my sole-trader accounting practice need to register with AUSTRAC?

Yes. If you provide designated accounting or tax services as defined under the expanded AML/CTF Act, you must enrol with AUSTRAC regardless of the size of your practice. This includes sole traders, micro-firms, and larger practices equally. The obligation is based on the nature of the service you provide, not the number of staff or clients you have.

What is the AUSTRAC AML/CTF officer requirement?

Under Tranche 2, every reporting entity must appoint an AML/CTF Compliance Officer and notify AUSTRAC of that appointment. The deadline for notification is 30 May 2026. In a small or sole-trader practice, the principal can fulfill this role. The officer does not need specialist qualifications, but must understand the obligations well enough to implement and maintain the program.

What happens if I don't comply with Tranche 2 by 1 July 2026?

Non-compliance can result in significant civil and criminal penalties, including court-ordered civil penalties that can reach millions of dollars. Non-compliance can also affect your registration with the Tax Practitioners Board (TPB). Starting early is strongly recommended.

How do I verify a client's identity under the new AML rules?

CDD requires you to collect and verify a client's full name, date of birth, and residential address using a reliable, independent source such as a driver's licence or passport. You must also screen the client against PEP lists and sanctions lists. Tools like IdentityCheck automate this process inside your existing practice management software.

Do I need to check every client or just new ones?

You must apply CDD to all new clients before providing a designated service from 1 July 2026. For existing clients, apply a risk-based approach — higher-risk clients must be prioritised for re-verification. You are not required to re-verify every existing client immediately, but you must have a process for ongoing monitoring.

Can I use my existing client records or do I need to re-verify?

Existing records can be used as a starting point, but they must meet the standard required under the AML/CTF Act. If you only have a name and email from a client intake form, those records are unlikely to satisfy CDD requirements. If you already hold verified copies of identity documents and have screened against PEP and sanctions lists, you may be able to document that those records meet the required standard. When in doubt, re-verify.

Book a 30-Minute Walkthrough of IdentityCheck

If you want to see how IdentityCheck works inside your practice management tools and understand how it maps to your Tranche 2 obligations, book a 30-minute walkthrough with the StackGo team.

We will walk through the verification workflow, show you the audit record that is generated, and answer questions specific to your practice type and client base.

Book your 30-minute walkthrough

Or visit stackgo.io/identitycheck/ to learn more.