Australia’s Tranche 2 AML/CTF reforms bring accountants under AUSTRAC’s regulatory oversight, and with that comes a set of accountant KYC requirements that most practices have never had to deal with formally. If you’re an accountant or practice manager trying to figure out exactly what’s expected of you (client identification, verification, ongoing due diligence), you’re in the right place.
The obligations aren’t optional, and the penalties for getting them wrong are significant. But the requirements themselves aren’t as overwhelming as they first appear. What matters is understanding what you need to verify, when you need to do it, and how to build a process that doesn’t grind your practice to a halt. That’s where having the right systems in place makes a real difference.
At StackGo, we built IdentityCheck specifically for this problem, running KYC and identity verification directly inside your existing CRM, so your team doesn’t need to juggle separate platforms or re-key data. This guide walks you through the full scope of your obligations under Tranche 2, with practical steps you can implement now to stay compliant from day one.
What changes in 2026 and who must comply
Australia’s AML/CTF Act has been expanded through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, and Tranche 2 brings accountants, lawyers, real estate agents, and other professional service providers into the regulated sector for the first time. If you run an accounting practice in Australia, this is one of the most significant regulatory shifts your profession has faced. Previously, AUSTRAC oversight applied mainly to banks and financial institutions. From 1 July 2026, that changes.

The Tranche 2 reforms explained
The original AML/CTF Act passed in 2006 covered what regulators called "Tranche 1" entities, primarily financial institutions, casinos, and remittance dealers. Tranche 2 extends those same anti-money laundering obligations to designated non-financial businesses and professions (DNFBPs), a category that includes accounting firms when they provide certain services. Australia was one of the last FATF member countries to implement these reforms, and AUSTRAC has signalled it expects full compliance by the July 2026 commencement date.
The reforms align Australia with international Financial Action Task Force (FATF) standards that most comparable economies adopted years ago.
Your accountant KYC requirements under Tranche 2 are not a vague best-practice recommendation. They are legal obligations enforced by AUSTRAC, with civil penalty provisions reaching into the tens of millions of dollars for serious or repeated non-compliance.
Which accounting services trigger compliance
Not every service an accounting firm provides will bring you under the regime. AUSTRAC’s framework targets specific designated services, which are the activities considered higher risk for money laundering and terrorism financing.
The following services trigger compliance obligations for your practice:
- Buying or selling real property on behalf of a client
- Managing client funds, accounts, or securities
- Organising contributions for the creation, operation, or management of companies or trusts
- Acting as a nominee shareholder or director for a client
- Providing a registered office address or business address for a client
If your practice regularly handles any of these services, you need to register with AUSTRAC as a reporting entity and build out your compliance framework before 1 July 2026. Standard tax preparation and audit services are not currently listed as designated services, but you should review AUSTRAC’s published guidance directly as the final rules are confirmed.
When your obligations begin
The commencement date for Tranche 2 is 1 July 2026. From that date, any reporting entity providing designated services must have a compliant AML/CTF program in place, be enrolled with AUSTRAC, and be conducting customer due diligence on new and existing clients. AUSTRAC has indicated it will take a risk-based approach to early enforcement, focusing first on firms that show no effort toward compliance.
Waiting until June 2026 to start is a real risk. Building your program, identifying your beneficial ownership chains, and verifying existing clients takes time, and rushing that process introduces errors that create compliance gaps. Starting your preparation now gives you the space to get it right before the deadline arrives.
Step 1. Map your services and client types to KYC
Before you verify a single client, you need a clear picture of which services you provide and which client relationships bring you under AUSTRAC’s regime. Skipping this step means you’ll either over-invest in verification processes for services that don’t require it, or miss obligations that do apply. Start by listing every service your practice offers and checking it against AUSTRAC’s designated services list.
Identify your designated services
Not all accounting work triggers accountant KYC requirements, but the services that do tend to be common in mid-to-large practices. Go through your current service list and mark anything that matches AUSTRAC’s designated services categories. The clearest triggers are services where your firm controls, manages, or moves client assets, or where you help set up legal structures.
If you provide even one designated service to a single client, your entire practice must enrol with AUSTRAC and maintain a compliant AML/CTF program.
Use this checklist to identify which of your services fall in scope:
| Service | In scope? |
|---|---|
| Managing client funds or bank accounts | Yes |
| Buying or selling real property on behalf of a client | Yes |
| Creating or managing companies, trusts, or partnerships | Yes |
| Acting as nominee director or shareholder | Yes |
| Providing a registered office address for a client | Yes |
| Preparing tax returns | No |
| Conducting audits | No |
| Providing general financial advice | Confirm against final AUSTRAC guidance |
Categorise your client types
Once you know which services are in scope, the next step is to categorise the clients who receive those services. AUSTRAC’s risk-based framework requires you to apply different levels of due diligence depending on who the client is and what they’re asking you to do. At a minimum, split your clients into three categories: individual clients, companies, and trusts or other legal structures.
Each category carries different verification requirements and different beneficial ownership considerations. A sole trader and a discretionary trust are not treated the same way under the rules. Document this mapping now, because it feeds directly into your customer due diligence risk ratings and determines how much verification work each client relationship will actually require.
Step 2. Verify clients and beneficial owners
Once you’ve mapped your services and client categories, verification is the next concrete task. Customer identification requires you to collect specific information, and customer verification means you must confirm that information against reliable, independent sources. These are two separate steps, and AUSTRAC treats them differently. Never treat a client’s word alone as sufficient verification.
What to collect from individual clients
For individual clients, your accountant KYC requirements under the AML/CTF framework are specific and non-negotiable. You need to collect their full legal name, date of birth, and residential address, then verify at least the name and date of birth against a reliable, independent document.
Acceptable verification documents include an Australian driver’s licence, passport, Medicare card, or a comparable government-issued document from an overseas jurisdiction.
Use this checklist for individual client verification:
- Full legal name: Collect and verify against a primary document such as a passport or driver’s licence
- Date of birth: Verify against the same primary document
- Residential address: Collect and verify against a secondary document such as a utility bill or bank statement dated within three months
- Occupation: Collect for risk-rating purposes, even if no further verification is required
How to verify companies and trusts
Verifying companies and trusts takes more work than verifying individual clients. For a registered company, collect the full legal name, ACN, and registered office address, then confirm the registration through a reliable source such as the Australian Securities and Investments Commission (ASIC) register.
For trust structures, collect the trust name, the trustee’s full details, and a copy of the trust deed. You also need to identify the settlor and the beneficiaries where they are identifiable from the deed. Keep copies of every document you collect.
Identifying beneficial owners
Beneficial ownership is where many practices miss obligations. A beneficial owner is any individual who ultimately owns or controls 25% or more of a client entity, and for a company that means tracing through shareholding structures to find the actual people behind the structure.

For each beneficial owner you identify, apply the same individual verification steps listed above. Document every step of the ownership chain, because AUSTRAC expects you to show your reasoning if your practice is ever reviewed. If you cannot identify a beneficial owner after taking reasonable steps, record exactly what you did and treat the relationship as higher risk.
Step 3. Apply risk-based CDD and EDD
Verifying identity is just the starting point. Risk-based customer due diligence (CDD) means you assign each client a risk rating and then apply a level of scrutiny that matches that rating. Under AUSTRAC’s framework, not every client needs the same depth of investigation, but every client does need at least standard CDD before you provide a designated service.
Standard CDD: what it covers
Standard CDD applies to lower-risk clients where there are no obvious red flags and the nature of the service is straightforward. At this level, your obligations include collecting and verifying the client’s identity information, understanding the purpose and intended nature of the business relationship, and documenting your findings.
A standard CDD checklist for an individual client looks like this:
- Collect full legal name, date of birth, and residential address
- Verify identity against a government-issued document
- Record the nature of the services being provided
- Document the source of funds where relevant to the service
- Assign an initial risk rating and note your reasoning
When to apply EDD
Enhanced due diligence (EDD) is required when your risk assessment flags a client or transaction as higher risk. This is where accountant KYC requirements go beyond basic verification and into deeper investigation.
EDD is not optional when triggers are present. Documenting your risk reasoning carefully protects your practice if AUSTRAC ever reviews your files.
Apply EDD when any of the following are true:
| Trigger | Why it raises risk |
|---|---|
| Client is a politically exposed person (PEP) | Elevated corruption and bribery risk |
| Client uses complex ownership structures with no clear business reason | Potential layering of illicit funds |
| Transactions are unusually large or structured to avoid thresholds | Classic money laundering indicator |
| Client is based in a high-risk jurisdiction | Higher exposure to financial crime |
| Client is reluctant to provide documentation | Potential concealment |
Ongoing monitoring
Assigning a risk rating at onboarding is not a one-time task. Ongoing monitoring means you review client relationships regularly, update risk ratings when circumstances change, and scrutinise any transactions that seem inconsistent with the client’s known profile and activity.
Set a review schedule based on risk level. High-risk clients need more frequent review than low-risk clients, and any significant change in the client’s business or ownership structure should trigger an immediate reassessment.
Step 4. Create your AML and CTF program
Your AML/CTF program is the documented framework that sits behind everything else in this guide. AUSTRAC requires every reporting entity to have a written program in place before providing designated services, and it must cover two distinct parts: Part A, which addresses how you manage compliance at a business level, and Part B, which covers your customer due diligence procedures specifically. Without both parts documented and operational, your practice is not compliant, regardless of how carefully you handle individual verification steps.
The five required components of your program
Building your program from scratch can feel like a large task, but AUSTRAC’s requirements follow a clear structure. Your program must address five core areas, and each one needs enough detail that a staff member, auditor, or AUSTRAC reviewer can follow your reasoning and processes without needing to ask questions.

Use this framework as your starting template:
| Component | What to include |
|---|---|
| ML/TF risk assessment | Identify the money laundering and terrorism financing risks specific to your services, client types, and geographic exposure |
| Controls and procedures | Document how you mitigate each identified risk, including CDD, EDD, and transaction monitoring steps |
| Employee training | Detail how and when staff are trained on AML/CTF obligations and how you record completion |
| Independent review | Set out a schedule for reviewing your program’s effectiveness, using an independent reviewer where possible |
| Record-keeping | Specify what records you keep, in what format, and for how long |
Your program is a living document. Update it whenever your services change, your risk profile shifts, or AUSTRAC publishes new guidance.
Assign your AML/CTF compliance officer
Every reporting entity must appoint a compliance officer who is responsible for the AML/CTF program day to day. This person does not need a specialist qualification, but they must understand your program in full and have the authority to act when issues arise. In a small practice, this role typically falls to the principal or practice manager.
Fulfilling your accountant KYC requirements properly depends on this person holding everything together, from onboarding new clients through to lodging suspicious matter reports with AUSTRAC when needed. Document the role clearly, and name a backup for when your primary officer is unavailable, because AUSTRAC expects continuity regardless of staffing changes.
Step 5. Report, record, and protect KYC data
Collecting and verifying client information is only part of your obligation. Reporting suspicious activity, maintaining records for the required period, and protecting the personal data you hold are three distinct legal requirements under the AML/CTF framework, and each one carries its own consequences if you get it wrong.
When and how to file suspicious matter reports
You must submit a Suspicious Matter Report (SMR) to AUSTRAC any time you form a suspicion that a client is using your services to launder money, finance terrorism, or otherwise commit a financial crime. The threshold is suspicion, not certainty. If something feels wrong about a client’s instructions, their source of funds, or their ownership structure, that is enough to trigger your reporting obligation.
You must lodge your SMR with AUSTRAC within 24 hours if the suspicion relates to terrorism financing, or within three business days for all other suspicious matters.
Submit SMRs through AUSTRAC Online, the regulator’s reporting portal. Do not tell the client that you have filed a report, because doing so is itself an offence under the AML/CTF Act.
Your record-keeping obligations
Your accountant KYC requirements include retaining verification records for seven years from the date the client relationship ends. This applies to identification documents, risk assessments, transaction records, and any SMRs you lodge. AUSTRAC can request these records at any time, so you must store them in a format that allows quick, accurate retrieval.
Use this checklist to confirm your records are complete for each client:
- Identity documents: Copies of all documents used to verify the client
- Beneficial ownership chain: Full documentation showing how you traced ownership
- Risk assessment: Your initial rating and any subsequent updates
- Transaction records: Details of any transactions conducted as part of a designated service
- SMRs lodged: Date, nature of suspicion, and AUSTRAC reference number
How to protect client data
KYC data contains sensitive personal information, and you have obligations under both the AML/CTF Act and the Privacy Act 1988 to store it securely. Limit access to verification records to staff who need them for compliance purposes, and enforce multi-factor authentication on any system that holds this data. Review access permissions regularly and revoke them immediately when a staff member leaves or changes role.

Your next steps for a compliant workflow
The July 2026 deadline is close, and your practice needs a working compliance framework in place before it arrives. Start by confirming which of your services are designated under AUSTRAC’s rules, then build your AML/CTF program around the five components covered in this guide. Treat your accountant KYC requirements as a phased project with clear owners and deadlines, not a last-minute compliance scramble.
Running verification manually across disconnected tools creates gaps and slows your team down. IdentityCheck lets you verify client identities and beneficial owners directly inside your existing CRM, with outcomes written back automatically and PII protected behind multi-factor authentication. Your team works from one system, reduces re-keying errors, and keeps a clean audit trail for every client file.
See how IdentityCheck handles Tranche 2 compliance inside your existing software and create a free account to test whether it fits your practice before July 2026.







