If your firm runs on Karbon, you already know that the quality of your practice management comes down to how well things connect. The moment a compliance obligation requires you to leave Karbon, open a separate portal, log into something else, and manually paste results back into a client record — that is the moment staff stop doing it consistently.
Tranche 2 AML compliance has an adoption problem for exactly this reason. The obligation is clear: identity verify your clients, screen them for AML risk, document the outcome, maintain records for seven years. The practice problem is that most of the tools built to handle this exist as standalone portals, separate logins, and parallel records that do not talk to the system your team lives in.
The short version of what this article covers: IdentityCheck integrates natively with Karbon. You trigger the compliance check from inside the client record. Your client gets a link and completes their part on their device. The result writes back to Karbon. No extra tab. No manual entry. No PDF emailed around.
Here is how it actually works — from the client record to the compliance report.
Starting from inside Karbon: the trigger point
When your team opens a client record in Karbon, they see the IdentityCheck integration as a native action alongside the rest of the client workflow. There is no separate app to switch to. The trigger is a button inside the client’s Karbon record.
For a new client engagement: the first step in the onboarding flow is triggering the IdentityCheck verification. The integration reads the client’s name and contact details from the Karbon record — your team does not re-enter data. They confirm which check type to run: a standard individual identity verification and AML screen, or a more detailed workflow that also captures beneficial ownership information for a corporate entity.
For existing clients who have not yet been verified: the workflow is identical. You open the Karbon record, trigger the check, and the process runs from there. For firms with a large book to backfill before 1 July, the integration removes the manual overhead that makes bulk backfilling feel impossible — you work through your client list inside Karbon, triggering checks as you go.
One operational note: the integration is available on the Starter plan and above. You do not need to be on an enterprise tier to connect IdentityCheck to Karbon.
What happens on the client side
Your client receives a branded email and SMS with a time-limited link. There is no app download. There is no account creation. The link takes them to a clean verification experience on their own device.
They photograph their government-issued ID — driver’s licence or passport — and take a selfie. The platform runs passive liveness detection to confirm the person holding the phone is the person in the document. It also runs authenticity checks on the ID itself: photos-of-photos are rejected, document tampering and fading are flagged. If the quality of any image is insufficient, the client gets real-time feedback and can retake it immediately. The process typically takes less than five minutes for a client who has their ID to hand.
No staff intervention is required during this step. The client completes verification independently. If they do not complete it, automated reminders are sent — your staff do not need to chase manually.
One important design choice: the client never creates an IdentityCheck account. The link is time-limited and access is scoped to their specific verification. This reduces friction — clients are more likely to complete a one-time link than to create another account. It also avoids accumulating client credentials in a system your firm does not fully control.
The AML screen runs automatically
When the identity verification step completes, the AML screen runs automatically. Your team does not trigger it separately.
What the screen covers:
- PEP (Politically Exposed Persons): screening against more than 3,000 data sources, updated daily
- Sanctions: screening against more than 70 international and domestic sanctions lists, updated every 30 minutes
- Adverse media: public news sources for the client’s verified legal name
The critical operational detail: the AML screen uses the legal name extracted from the verified ID document — not from the client’s self-declaration in the form. A client who has provided a different name than the one on their ID will have both names screened. The match logic handles nicknames, name order variations, and transliterations.
This matters for compliance quality. Self-declared names are unreliable as a matching input. Identity-verified names are not. The difference between running AML screening against what the client wrote on the form and what their government-issued ID says their name is — that is the difference between a cosmetic screen and a meaningful one.
What writes back to Karbon
When both steps complete — identity verified, AML screen run — the result writes back to the client record in Karbon automatically. Your team can see, without leaving Karbon:
- Verification status (verified / failed / pending)
- AML screening result (clear / flagged)
- Risk score
- Check completed date and time
- Which staff member triggered the check
- Link to the full compliance report in IdentityCheck
The compliance report itself is stored in IdentityCheck, not in Karbon. This is the right architecture for audit purposes: a tamper-evident, platform-held record with a provenance trail — not a PDF floating in a client folder. When AUSTRAC asks to see the compliance record for a specific client, the link from Karbon takes you directly to it.
On the audit trail: A record stored in a shared Karbon folder, emailed around as a PDF, or saved to a cloud drive without version control is not tamper-evident. If AUSTRAC audits your AML program and asks how you can demonstrate the record has not been altered after the fact, a PDF in a folder does not have an answer. A compliance report held in a purpose-built platform with a timestamped, source-attributed record does.
The staff sign-off step: risk assessment
After the automated steps complete, there is a step that requires a person: the risk assessment.
Under AUSTRAC’s framework, a reporting entity must assess the risk each client represents. The automated ID and AML screen gives you the information — PEP status, sanctions hits, adverse media flags, and the quality of the identity documents themselves. What you do with that information is a human judgment, and it needs to be documented as such.
Staff access the risk assessment step through a unique PIN — no separate login required. They review the screening outcome and assign a risk rating. The form captures their responses and stores them as part of the audit record. The assessment is timestamped to the individual who completed it.
For most clients, this step takes less than two minutes. The AML screen has returned a clear result. The risk assessment formalises the determination: standard risk, standard monitoring. That determination is on record.
For clients with a flag — a partial name match on a PEP list, adverse media that may or may not be the same person — the risk assessment step is where the investigation is documented. What did the firm look at? What did they conclude? Why? The IdentityCheck audit record captures the reasoning, not just the outcome.
Ongoing monitoring: what happens after onboarding
A compliance check run at onboarding is not permanent. Clients’ circumstances change. A director who was clear at onboarding may become a PEP twelve months later when they take a government appointment. A client company may acquire a relationship with a sanctioned entity.
IdentityCheck runs ongoing monitoring against the same PEP, sanctions, and adverse media sources used in the original screen. When a change is detected — a new match, a changed match, or a resolved flag — an alert is raised.
Monitoring alerts surface in the IdentityCheck dashboard. For Karbon users, the current workflow is: Karbon holds the compliance status from onboarding, and the IdentityCheck dashboard is where monitoring alerts are reviewed. If a monitoring alert requires action — re-running a more detailed screen, updating the risk assessment, flagging to the compliance officer — that is handled in IdentityCheck, with the result updated in the compliance record.
This is not a set-and-forget workflow. It is a set-and-watch workflow. The operational difference under Tranche 2 compared to the pre-July position is not just that you run the check once at onboarding — it is that you have a mechanism for detecting when the picture changes.
The corporate client workflow: beneficial ownership
For individual clients, the workflow above covers the full compliance requirement. For corporate clients — companies, trusts, partnerships — there is an additional step: establishing who actually controls the entity.
This is the beneficial ownership obligation. It is covered in detail in Beyond ID verification: getting UBO right under Tranche 2, but the Karbon-specific operational point is this: the beneficial ownership collection step can be added to the same workflow triggered from the Karbon client record.
The client completes a structured beneficial ownership declaration. For corporate entities with complex ownership structures, the form follows the ownership chain down through holding companies and trusts to identify the individuals who hold a significant stake or exercise control. The result is stored in the compliance record attached to the Karbon client.
The AUSTRAC standard is not “the client told us who owns the company.” It is “we established who owns the company through a documented process.” Client-completed beneficial ownership declarations, captured through a structured form and stored with the identity verification and AML screening record, meet that standard for the majority of accounting firm clients.
What IdentityCheck covers — and what it doesn’t
Covered:
- Identity verification (biometric) — photo ID + selfie, liveness detection, DVS check, real-time quality feedback
- AML screening — PEP, sanctions, adverse media — running automatically from verified legal name at onboarding
- Beneficial ownership collection — structured form, ownership chain, stored with compliance record
- Risk assessment — staff sign-off, timestamped, stored in audit record
- Ongoing monitoring — re-screening against live sources post-onboarding
- Native Karbon integration — trigger from client record, result writeback
- Seven-year record retention
Not covered (your responsibility as the reporting entity):
- Your firm-level AML/CTF Program document — the written program AUSTRAC requires every reporting entity to have
- Compliance Officer registration — a nominated officer must be registered with AUSTRAC by 30 May 2026
- Suspicious Matter Reporting (SMRs) — lodging SMRs is done through AUSTRAC Online
- Complex trust due diligence beyond standard beneficial ownership collection
Any compliance platform that claims to cover the entire AML/CTF obligation with one product is overstating what software does. IdentityCheck handles the workflow layer — verification, screening, documentation, monitoring. The program-level obligation is yours.
Related reading
- The designated-services trap: why screening every client is the smarter approach to Tranche 2 — which clients need verification, and why the narrow reading of the legislation creates audit risk
- Beyond ID verification: getting UBO right under Tranche 2 — the beneficial ownership obligation in detail
- What we’re hearing from accountants in May 2026 — twelve questions, twelve answers — the most common compliance questions, answered with specifics
Ready to see the Karbon integration in your workflow?
Start a free trial — three checks included, no credit card required.
