What we’re hearing from accountants in May 2026 — twelve questions, twelve answers

In conversations with accounting firms, bookkeeping practices, multi-partner groups, and SMSF specialists across Australia, Tranche 2 comes up in the first five minutes of every call — and twelve questions surface across nearly every conversation. Some are about the legislation. Most are about operations. Here are all twelve, answered with the specifics those conversations have told us people actually need.

These are not the questions a generic AML explainer is written to answer. They’re the questions that come up when a real principal or senior manager is trying to figure out what their firm specifically has to do, by when, at what cost, with the systems they already have. The answers are different for a 50-client practice running everything manually versus a 300-client practice on Karbon. We’ve tried to reflect that.

1. Do we actually need to comply? We’re not sure we’re a “reporting entity.”

If your firm provides any of the following services, you are a reporting entity from 1 July 2026: accounting work, tax advice, bookkeeping, SMSF administration, company secretarial services, or trust and entity administration services. This list is set out in Section 6 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

Most accounting firms provide at least one of these services. The common misread is that only “specialist” AML work triggers the obligation — but the Act covers standard accounting and tax practice directly. If you invoice for tax returns or BAS preparation, you are inside the scope.

There is a separate question of which clients within your book require Customer Due Diligence. That is a different question — answered in Question 3 below. The reporting-entity question is simpler: does your firm provide any of the services listed in Section 6? If yes, you are in.

2. What does the 1 July deadline actually require us to have in place?

By 1 July 2026, every reporting entity must have:

  • An AML/CTF Program document — a written program that describes how your firm identifies, assesses, and manages money laundering and terrorism financing risks. This is a firm-level document, not a per-client record.
  • A nominated AML/CTF Compliance Officer — registered with AUSTRAC. The 30 May notification deadline for compliance officer registration is the one most firms are not tracking. That deadline precedes 1 July.
  • Customer Due Diligence records — identity verification and AML screening on relevant clients. You need to be running CDD from 1 July, which means your systems need to be set up before that date, not on it.
  • An ongoing monitoring mechanism — a process for detecting changes in client risk profiles after onboarding.

What you do not need by 1 July: a perfect, audited, fully mature program. AUSTRAC’s approach to new entrants to the regime is supervisory-first. The firms who will face the hardest scrutiny are those with nothing in place — no program, no officer, no records — not those with an imperfect program that is clearly being built in good faith.

The non-negotiables are the program document and the compliance officer. Everything else follows from having those two things sorted.

3. Which clients actually need to be verified?

This is the question that generates the most divergent answers across firms — and the most operationally significant ones.

The narrow reading: only verify clients receiving designated services. The problem with this reading is explained in detail in The designated-services trap, but the short version is this: AUSTRAC’s risk-based framework requires you to demonstrate that you understand the risk your client base represents. You cannot demonstrate that without baseline information on all clients, not just the ones currently receiving a designated service.

The practical answer: screen everyone at onboarding, tier your monitoring intensity by what you find. A standard ID and AML screen costs under $7 per client. The cost of not having a record — when AUSTRAC asks “show me your risk assessment for client X” and client X was never screened — is not quantifiable but is consistently worse.

For firms with existing client books: the obligation runs to existing clients as well as new ones. You need a plan for backfilling your current book before 1 July. That plan does not require verifying 500 clients in a week. It requires a documented, prioritised program that is visibly underway.

4. What counts as identity verification under the Act?

Under Chapter 4 of the AML/CTF Rules, identity verification must confirm the customer’s identity using a reliable, independent source. The key word is “independent” — the customer self-declaring their identity is not verification. Their document alone is not verification. Verification requires checking the identity claim against an authoritative source.

In practice, this means: biometric identity verification (a selfie matched against a government document), with the identity then checked against document registers to confirm the ID is genuine and belongs to the person presenting it. A scan of a passport does not satisfy this. A photo of a driver’s licence uploaded to a shared drive does not satisfy this.

For individual clients, this is a single step: biometric KYC. For corporate clients, it is more complex — the firm also needs to identify and verify the beneficial owners behind the entity (see Question 6).

The identity check must produce a verifiable record. Not a PDF in a folder, not a note in your CRM. A compliance record showing: who was verified, what method was used, what the result was, and when it was done.

5. We have 1,100 existing clients. How do we backfill that before July?

This is the most common operational question from firms with established books, and the one that most directly shapes what tool and workflow they need.

The answer is not “verify 1,100 clients before June 30.” That is neither operationally feasible nor what AUSTRAC expects. The answer is: build a risk-tiered backfill plan and execute it visibly.

Practical breakdown for a 1,100-client book:

  • Tier 1 — highest risk, verify first: corporate clients with complex structures (companies, trusts, SMSFs), clients in higher-risk sectors, any client where you have limited information on record. For most firms, this is 10-20% of the book.
  • Tier 2 — active clients receiving designated services: any client currently receiving accounting, tax, or SMSF work. These are the ones AUSTRAC will look at first.
  • Tier 3 — remaining individual clients: verify systematically as capacity allows. Priority goes to clients whose engagements are being renewed or who are coming in for year-end work — use those touchpoints as the trigger.

For bulk verification at volume, the critical workflow question is: how does the request go out and how does the response come back? For firms using Karbon, the IdentityCheck integration handles this: the practitioner sends a verification request from inside the Karbon task, the client completes it on their phone via a branded email and SMS link, and the result writes back into Karbon automatically. The firm does not manage the individual responses manually.

For firms not on Karbon, the same request-response process works via a direct link. The bottleneck is always outbound communication volume — firms that start this process in May have the runway; firms starting in June do not.

6. We have lots of corporate clients. What’s the UBO obligation?

For corporate clients — companies, trusts, SMSFs, partnerships — verifying the individual in front of you is not sufficient. You must also identify and verify the beneficial owners of the entity: the natural persons who ultimately own or control it above the 25% threshold.

This is covered in detail in our piece on UBO collection under Tranche 2. The four components of a compliant UBO process are: a structured entity onboarding form that captures shareholding and control structure, an ACN-sourced UBO report from authoritative registers (not a client self-declaration), AML screening run on each identified beneficial owner, and ongoing monitoring to detect ownership changes after onboarding.

The most common gap is the second step. Firms ask clients to tell them who their shareholders are and upload whatever documents they have. That is document collection. It is not beneficial ownership verification. The obligation is to confirm the ownership structure against an authoritative source — ASIC-linked corporate register data — not just to receive what the client provides.

For Karbon users: the UBO flow in IdentityCheck triggers from the same Karbon task as the individual KYC. The beneficial ownership report is generated from the ACN, the identified owners are screened, and the full record sits in the same compliance file as the individual identity check. One workflow. One place to find everything.

7. How does this integrate with Karbon? We’re not going to use a separate system.

This comes up in conversations with Karbon users, and it is a reasonable position. A firm running 200-300 clients on Karbon has spent years building their job templates and workflow. Adding a parallel compliance system with its own logins and its own queue is not a process improvement — it is a process multiplication.

The IdentityCheck + Karbon integration is a task-layer integration, not a separate system. Here is what it actually looks like in the workflow:

  1. New client is created in Karbon.
  2. The AML compliance task appears in the onboarding job template — it is part of the job, not a separate action.
  3. The practitioner opens the task, clicks “Send Verification.” A 5-second confirmation window catches accidental sends.
  4. The client receives a branded email and SMS with a link to complete biometric ID verification on their phone. No app required.
  5. The result writes back into the Karbon task: AML status, risk score, next review date, link to the full compliance record. The task closes when verification is complete.
  6. The onboarding job continues.

The practitioner does not log into a separate platform to check results. The compliance record does not live in a separate system. It is in Karbon, in the job, where the practitioner expects to find it.

For XPM users: the integration mechanism is different (note-triggered rather than task-layer) but the workflow outcome is the same — the verification request goes out from inside XPM and the result comes back to the same record. If your firm is on XPM and wants to see specifically how this runs, get in touch and we’ll walk through it directly.

8. What about ongoing monitoring? How do we know when something changes?

AML compliance is not a one-time event at onboarding. AUSTRAC’s risk-based framework requires that a reporting entity monitors client risk on an ongoing basis — detecting changes in risk profile after the initial CDD is complete.

What this means in practice: every client in the system is enrolled in continuous AML screening — PEP (Politically Exposed Person) databases, sanctions lists, and adverse media sources — at a frequency that reflects their risk tier. Low-risk clients are monitored at standard frequency. Higher-risk clients more frequently.

When a client’s status changes — a sanctions match, a new adverse media hit, a PEP designation — the system generates an alert. The practitioner receives a notification. The firm does not need to remember to re-run a check, and it does not need to be running a manual re-screening cycle on its book.

The monitoring sources are updated frequently: PEP databases pull from 3,000+ sources, sanctions lists from 70+ global lists updated every 30 minutes, adverse media from 15,000+ sources across 195 countries. Manual re-checking against this volume of data is not a realistic process for a firm with more than 30 clients.

The AUSTRAC question an ongoing monitoring system answers is: “How would you know if a client’s risk profile changed after onboarding?” “We would run a manual check” is a weaker answer than “we are enrolled in continuous monitoring and the alert comes to us.”

9. We already use another tool for client onboarding. Do we need to change?

Depends on what that tool does. Other onboarding tools serve a real purpose — document collection, engagement letter delivery, general intake — and many firms running IdentityCheck continue to use them for those functions.

The distinction worth being precise about is this: document intake covers the ask. AML compliance covers the obligation.

A general onboarding tool can ask a client to upload their photo ID and sign a form. It cannot: verify that document against government registers using biometric matching; run the client through PEP, sanctions, and adverse media screening; generate a compliant AML risk assessment; produce a record in the format AUSTRAC would expect to see; or enrol the client in ongoing monitoring.

Collecting a client’s documents is not the same as verifying their identity and assessing their AML risk. The two functions can coexist — and for most firms they do. The firm uses their existing tool for general onboarding admin and adds IdentityCheck for the compliance-specific steps. The Karbon integration means the compliance step sits inside the job template without requiring a separate system context switch.

10. What about clients who push back on providing ID? We have long-term relationships.

This is the most common hesitation from firms with 10+ year client relationships, and it is a real operational concern. The client who has been with the firm for fifteen years and signs the engagement letter without reading it is not going to enjoy being asked to take a selfie with their passport.

Three things that work in practice:

First: frame it as firm-wide, not client-specific. “We’re required to verify all clients under new AML legislation” is a different conversation than “we need to check your identity.” It is not a suspicion of the client; it is a regulatory baseline applied uniformly. Long-term clients accept this framing more readily than individual scrutiny.

Second: the verification is fast. The client flow — opening the link, photographing their ID, taking a selfie — takes under three minutes on a phone. Firms that lead with this in the explanation get significantly less pushback than firms that describe it abstractly.

Third: the obligation is real. Under Section 32 of the AML/CTF Act, a reporting entity must not provide a designated service to a customer it has not identified and verified. The firm is not offering the client a choice between verifying and not verifying — it is choosing between verifying and not providing the service. That is not a position most long-term clients want to force the firm into when it is explained plainly.

The firms that handle this most smoothly are the ones who communicate early — email ahead of the verification request, explaining what is coming and why — rather than sending a cold verification link with no context.

11. What records do we need to keep, and for how long?

Under the AML/CTF Act, reporting entities are required to retain transaction records and customer identification records for seven years after the relationship ends. This is not a guideline; it is a hard requirement under Section 106 of the Act.

What the record must contain: the customer’s identity information, the verification method used, the outcome of the verification, the date it was performed, and — for ongoing monitoring — a log of monitoring checks and any alerts generated.

What most firms currently have instead: a scan of a driver’s licence in a shared folder, an email thread where the client sent through their documents, or a note in their CRM with a date and a “verified” label. None of these constitute a compliant retention record. They cannot demonstrate what method was used, what the verification result was, or what AML screening was run.

IdentityCheck retains the full compliance record for seven years: identity verification result, biometric match score, document check result, AML screening result with source lists, risk score, next review date, and monitoring log. The record is retrievable at any point during the retention period without requiring the firm to maintain its own archival system.

When AUSTRAC conducts a supervision review and asks to see the compliance record for a specific client, a seven-year-old PDF in a drive folder and a seven-year-old structured compliance record in the platform are very different answers.

12. What does it cost, and is it worth it?

The cost question comes up in every conversation. The honest answer is: the platform cost is one line; the comparison that makes it meaningful is the cost of the alternative.

The manual alternative — collecting and scanning documents, chasing responses, filing records, re-running searches, maintaining an archival system — takes 30 to 60 minutes per client at onboarding. For a 200-client book, that is 100 to 200 hours of admin time on the initial onboarding pass alone, before any ongoing monitoring, before any audit preparation, before any client re-verification when ownership structures change. At a conservatively loaded admin cost, that time has a real dollar figure attached to it. It just does not appear as a line item.

The software cost does appear as a line item — which makes it visible in a way the manual cost is not. The risk of that asymmetry is that firms compare “software cost” against “zero” rather than against the actual cost of the manual process.

For specific per-tier pricing — including how the per-check costs and platform subscription fit together for different firm sizes and client volume profiles — the full breakdown is on the IdentityCheck pricing page. If you want to model it against your specific book (how many new clients per year, what proportion are corporate), a 15-minute conversation is a more accurate exercise than a generic calculator.

What IdentityCheck covers — and what it doesn’t

IdentityCheck handles identity verification, AML/CTF screening (PEP, sanctions, adverse media), beneficial ownership collection and verification, risk assessment, 7-year record retention, and ongoing monitoring. It does not replace your AML/CTF Program document, your registered compliance officer, or legal advice on your service-scope and designated-services determinations. The software gathers and maintains the evidence. The compliance officer owns the program.

These twelve questions are the ones that come up across conversations with accounting firms. If your firm has one that isn’t here, email [email protected] — questions that come up in real conversations are the ones worth answering in public.
