Australia’s AML/CTF Tranche 2 reforms have brought accounting firms squarely into AUSTRAC’s regulatory scope. What was once a concern limited to banks and financial institutions now applies to accountants, and the accounting firm AML compliance burden is real. From client identification and verification to ongoing monitoring and suspicious matter reporting, the list of obligations is long, and the penalties for getting it wrong are severe, reaching up to $31.5 million for serious breaches.
For most practices, this isn’t a question of willingness. It’s a question of capacity. Compliance demands time, documentation, and consistent processes across every client engagement. Bolt on a new standalone platform, and you’re asking your team to learn unfamiliar software while juggling existing workflows. Stick with manual checks, and you’re inviting the kind of human error that regulators won’t overlook. Neither option scales well, and both chip away at the billable hours that keep your firm profitable.
This guide breaks down the practical steps to reduce your AML compliance workload without cutting corners. We’ll cover what the regulations actually require, where firms lose the most time, and how to streamline identity verification (KYC) directly inside your existing tech stack. That last part is where StackGo fits in: our IdentityCheck integration lets you verify client identities from your CRM, with results written back automatically and PII kept out of systems where it doesn’t belong. No new software to learn, no tab-switching, no gaps in your audit trail.
What changed for accountants by July 2026
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 expanded Australia’s AML/CTF framework to cover tranche 2 entities, a category that now includes accounting firms. Before this reform, AUSTRAC’s reach stopped at banks, remittance dealers, and similar financial businesses. From July 2026, your firm is a reporting entity if you provide any of the designated accounting services listed under the updated legislation, and that classification comes with a full set of compliance obligations.
The designated services that trigger your obligations
Not every service your firm provides will bring you into scope, but the list is broader than most accountants expect. Designated services under the AML/CTF Act include activities such as managing client money or accounts, providing advice that involves client assets, and assisting with the formation or management of companies and trusts. If your firm regularly handles any of these on behalf of clients, you are a reporting entity and must comply accordingly.

AUSTRAC defines "designated services" precisely, so review the current schedule to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 to confirm which of your services fall in scope.
Mapping your service catalogue against the legislative definition is the first concrete step every firm needs to take. Even smaller practices offering bookkeeping combined with company secretarial work will likely meet the threshold, so do not assume your size keeps you outside the framework.
Your core obligations from July 2026
Once you are classified as a reporting entity, the accounting firm AML compliance burden becomes concrete and non-negotiable. You must enrol with AUSTRAC, develop and maintain a written AML/CTF program, apply customer due diligence (CDD) procedures before providing designated services, and report suspicious matters and threshold transactions. Each obligation carries its own documentation requirements and internal process standards.
Here is a summary of the key obligations and what they require in practice:

| Obligation | What it means for your firm |
|---|---|
| AUSTRAC enrolment | Register your firm as a reporting entity before providing designated services |
| AML/CTF program | Write and maintain a risk-based compliance program tailored to your firm |
| Customer due diligence | Verify client identity and beneficial ownership before onboarding |
| Ongoing monitoring | Continuously review client transactions and relationships for red flags |
| Suspicious matter reporting | Submit an SMR to AUSTRAC when you suspect money laundering or terrorism financing |
| Record keeping | Retain CDD and transaction records for seven years |

Penalties that make non-compliance costly
AUSTRAC does not treat non-compliance as a paperwork issue. Civil penalties for serious breaches can reach $31.5 million per contravention for a body corporate, and criminal liability applies where deliberate non-compliance or facilitation of money laundering is proven. Beyond financial penalties, AUSTRAC has the authority to apply for court-ordered enforceable undertakings, which can fundamentally disrupt how your firm operates.
Enforcement actions taken against financial services businesses in recent years signal that AUSTRAC will bring the same scrutiny to newly regulated tranche 2 entities. Building a solid compliance framework from the outset costs a fraction of managing a formal investigation, and it protects both your firm and your clients.
Map where you provide designated services
Before you build any compliance process, you need a clear picture of what your firm actually does and where those activities intersect with the legislative definition of designated services. Mapping your service catalogue is not a one-time exercise; it is the foundation of every compliance decision you make from here. Get this wrong and your AML/CTF program will have gaps that AUSTRAC will notice.
Pull together your full service list
Start by compiling every service your firm delivers to clients, not just the headline offerings. Include advisory work, company secretarial tasks, bookkeeping, trust administration, and any activity where you handle or move client funds. Do not rely on your engagement letters alone; those often lag behind what your team actually does day to day. Interview your practice managers and senior accountants to surface services that have evolved or expanded without a formal record.
Use this template to structure your service inventory:

| Service | Involves client funds or assets? | Involves entity formation or management? | Designated service? |
|---|---|---|---|
| Tax return preparation | No | No | No |
| Company secretarial | No | Yes | Review required |
| Trust administration | Yes | Yes | Likely yes |
| Bookkeeping with payment authority | Yes | No | Likely yes |
| Business advisory only | No | No | Likely no |

Confirm scope against the legislation
Once you have your full list, check each service against the current schedule to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. AUSTRAC also publishes guidance for tranche 2 entities that walks through common accounting activities and whether they fall in scope. Taking this step removes ambiguity before you register and reduces the accounting firm AML compliance burden of having to revisit your program after enrolment.
If you are unsure whether a specific service qualifies as designated, seek written legal advice before providing it, as delivering an unregistered designated service carries the same penalties as failing to maintain a compliant program.
Document your conclusions and the reasoning behind each decision in writing. This written record forms a core part of your AML/CTF program and demonstrates to AUSTRAC that your firm approached scope identification methodically and in good faith.
Build a risk-based AML and CTF program
Your AML/CTF program is the central compliance document that AUSTRAC will assess if your firm comes under review. It must be written, current, and tailored to your specific risks, not a generic template downloaded from the internet. The accounting firm AML compliance burden sits heavily on firms that skip this step or produce a program that does not reflect how they actually operate. Get the program right and every other obligation, from onboarding to reporting, becomes easier to execute consistently.
Identify and rate your client risk
Your program needs to define how you assess risk for each client relationship before you provide designated services. AUSTRAC expects a risk-based approach, meaning you allocate more scrutiny to higher-risk clients and streamline processes for lower-risk ones. The factors you use to rate risk should include the client’s business type, the nature of the services they need, their jurisdiction, and whether they are a politically exposed person (PEP) or associated with one.
A risk-based approach does not mean ignoring lower-risk clients. It means your controls are proportionate, which is exactly what AUSTRAC expects to see documented in your program.
Use this framework as a starting point for rating each client relationship:

| Risk factor | Low | Medium | High |
|---|---|---|---|
| Business type | Individual, salaried | Small private company | Trust, complex structure |
| Service requested | Tax return only | Bookkeeping with payments | Trust or company formation |
| Jurisdiction | Australia | FATF member country | High-risk or non-cooperative country |
| PEP status | No | Indirect association | Confirmed PEP |
| Transaction volume | Low, predictable | Moderate | High or irregular |

Document your program in writing
Once you have your risk ratings defined, write them into your program alongside the specific controls that apply at each tier. AUSTRAC requires your program to cover your governance structure, risk assessment methodology, CDD procedures, staff training obligations, and record-keeping approach. A single document that addresses each of these areas is far easier to audit, update, and hand to a new practice manager than a folder of disconnected policies.
Review and update your program at least annually, or whenever your firm adds a new designated service or enters a new client segment.
Streamline client onboarding and identity checks
Client onboarding is where the accounting firm AML compliance burden hits hardest in terms of daily time spent. Every new client relationship involving a designated service requires identity verification, beneficial ownership checks, and a documented risk assessment before work begins. Without a standardised process, these steps fall to whoever is available, get done inconsistently, and create gaps in your audit trail that you will need to explain to AUSTRAC.
Standardise your onboarding workflow
Build a repeatable sequence that your team follows for every new client in scope. The checklist below gives you a working template to adapt for your practice:

- Confirm whether the engagement involves a designated service
- Collect government-issued identity documents from each individual client or beneficial owner
- Verify the documents against a reliable and independent source
- Record the risk rating assigned to the client based on your program criteria
- Obtain and document beneficial ownership information for companies and trusts
- Store verification outcomes with a clear date, method, and staff member recorded on file

Completing these steps before you begin any billable work protects your firm from inadvertently delivering an unregistered designated service, which carries the same penalties as failing to maintain a compliant program.
Running this checklist consistently also means any staff member can handle onboarding to the same standard, which reduces dependence on one or two senior people and cuts the time spent chasing missing documentation after the fact.
Run identity checks inside your CRM
Switching between your CRM, a standalone verification platform, and your document management system multiplies the time each onboarding takes and introduces transcription errors that undermine your compliance records. A better approach is to run identity checks directly inside the tools your team already uses every day.
StackGo’s IdentityCheck integration connects to your existing CRM, reads the contact’s details, verifies their identity across global data sources covering more than 200 countries, and writes the verified result back to the contact record automatically. Your team never leaves the system they already work in, PII is not stored in the CRM itself, and every check produces a timestamped audit entry that satisfies AUSTRAC’s record-keeping requirements without any additional manual steps or tab-switching.
Set up monitoring, reporting, and records
Verification at onboarding is just the start. Ongoing monitoring is a core obligation under AUSTRAC’s framework, and it requires your firm to review client relationships continuously throughout each engagement, not just at the point of sign-up. For most practices, this is where the accounting firm AML compliance burden compounds, because monitoring lacks the clear, once-off trigger that onboarding provides. Building a simple structure for monitoring, reporting, and record-keeping reduces the daily friction of staying compliant.
Monitor ongoing client relationships
Your AML/CTF program must define what you are watching for and how often you review existing clients. Red flags include unusual transaction volumes, requests to structure payments in ways that avoid reporting thresholds, and clients who become evasive about the source of funds. Set a scheduled review cycle, at minimum annually for standard-risk clients and quarterly for high-risk relationships, and document each review with a date and recorded outcome.

| Client risk tier | Minimum review frequency | Focus areas |
|---|---|---|
| Low | Annually | Confirm details unchanged, no PEP change |
| Medium | Every six months | Transaction patterns, ownership changes |
| High | Quarterly | Source of funds, beneficial ownership, PEP status |

Submit suspicious matter reports on time
If you identify activity that raises a reasonable suspicion of money laundering or terrorism financing, you must submit a Suspicious Matter Report (SMR) to AUSTRAC. You do not need certainty to act; suspicion alone triggers the obligation. File the SMR before providing the relevant service where possible, or as soon as practicable after suspicion forms.
Tipping off a client that you have filed an SMR is a criminal offence under the AML/CTF Act, so treat all SMR activity as strictly confidential within your firm.
Keep records for seven years
AUSTRAC requires you to retain all CDD records and transaction documents for a minimum of seven years from the date the record was made or the transaction occurred. This includes identity verification outcomes, risk assessments, beneficial ownership documentation, and SMR records. Store these in a format that allows you to retrieve and produce them quickly if AUSTRAC requests them during a review.
Assign a designated staff member to own the records function and run a quarterly check that files are complete and stored correctly. A clear folder structure in your document management system, organised by client name and date, significantly cuts the time spent locating records under pressure.

Next steps to keep the workload down
The accounting firm AML compliance burden is manageable when you break it into the right sequence: map your designated services, write a risk-based program, standardise your onboarding, and build monitoring into your regular client review cycle. Each step builds on the last, so starting with a clear service inventory saves you from rewriting your program later.
Reducing daily friction matters as much as meeting the regulatory minimum. Manual identity checks, tab-switching, and transcription errors cost your team time on every new client engagement. Running verification inside your CRM eliminates most of that overhead and keeps your audit trail clean without adding a separate system to manage.
If you want to see how that works in practice before committing, try IdentityCheck for AUSTRAC Tranche 2 compliance to see how it fits your existing tech stack, or create a free account and run a test check today.







