Most accounting firms we’ve spoken to have read the Tranche 2 legislation. The ones who’ve read it carefully come back with a sensible-sounding interpretation: “We only need to do AML checks on clients who receive designated services.” It’s a logical reading. It’s also the interpretation that will leave a significant portion of their client book unscreened — and it will not hold up in an AUSTRAC review.
The trap — and why it’s a natural reading
The Tranche 2 framework introduces AML/CTF obligations specifically for providers of “designated services.” Section 6 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) sets out that list in detail: accounting work, tax advice, bookkeeping, SMSF administration, company secretarial services, and certain trust and entity administration services. Chapter 4 of the AML/CTF Rules then defines the Customer Due Diligence (CDD) framework that applies once you are providing any of those services.
It is entirely rational, reading that list, to conclude: “My obligation is to verify the clients who receive those services. If a client only receives something outside that list — say, a general advisory relationship — they’re outside the scope.”
That reading feels rigorous. It’s the kind of reading a careful partner does when she sits down with the draft legislation and maps it to her firm’s service list. She’s not cutting corners. She’s trying to be precise about where the obligation begins and ends.
The problem is that the reading conflates two different questions.
Question 1: Which services create a reporting-entity obligation for the firm? (s 6 of the AML/CTF Act answers this.)
Question 2: Once you’re a reporting entity, which clients require Customer Due Diligence under the AML/CTF Rules Chapter 4 framework?
The legislation answers Question 1 clearly: designated services trigger the obligation. But the answer to Question 2 is broader than most firms realise. Under AUSTRAC’s risk-based approach — the framework that governs how all reporting entities manage their AML/CTF obligations — a firm is expected to understand the risk each client represents. You cannot understand that risk if you have not screened them.
The practical consequence: a firm that screens only the clients currently receiving designated services is operating with a partial picture of its own risk exposure. Every unscreened client is an unknown. AUSTRAC’s question, when they review your program, is not “did you screen the right clients?” It is “can you demonstrate that you understand the risk your client base represents?” An incomplete screening record does not answer that question.
What AUSTRAC actually expects
AUSTRAC’s AML/CTF framework is built on a risk-based approach. That phrase appears throughout the guidance, and it means something specific: the intensity of your compliance activity should be proportional to the risk each client represents.
Higher-risk clients — those with complex ownership structures, those operating in higher-risk geographies or sectors, Politically Exposed Persons (PEPs) — warrant deeper scrutiny. Lower-risk clients require less intensive monitoring. But to make that determination at all, you need baseline information on every client.
The obligation to screen sits in the Act itself. Section 35 of the AML/CTF Act requires a reporting entity to have in place systems and controls to identify, mitigate, and manage its money laundering and terrorism financing risks — the screening obligation is the practical implementation of that requirement. Section 36 sets the verification standard: a reporting entity must not rely on a customer’s claim as to their identity; it must verify identity through a reliable, independent source. AUSTRAC’s Risk-Based Approach guidance — published under the title Risk-Based Approach to AML/CTF Compliance — makes clear that the scope of verification and ongoing monitoring should reflect the assessed risk of each customer relationship, not just whether a designated service is currently being provided.
Chapter 4 of the AML/CTF Rules builds the CDD framework on that base: a firm’s Customer Due Diligence program should support its ability to identify, assess, and manage ML/TF risk across its customer base. That is not a designated-services-specific obligation. It is a whole-of-customer-base obligation.
The guidance also notes that the nature and extent of CDD measures should reflect the risk the customer presents — not just the service currently being delivered. A client who looks low-risk today may become higher-risk as the relationship evolves. A client receiving only a general advisory service today may receive SMSF administration tomorrow. If you have no baseline CDD record on them, you are starting from zero at the point when the designated service begins — which is exactly when you need that information most urgently.
The honest framing: screening every client does not mean treating every client as high-risk. It means collecting the information you need to make a risk determination. For most clients, the outcome of baseline screening is “low risk, standard monitoring.” That determination is the compliance outcome. You need it on record.
There is also a practical audit-readiness dimension. AUSTRAC’s approach to enforcement in new regulatory contexts typically begins with supervision and guidance before escalating to formal enforcement action. But supervision reviews ask questions. “Show me how you assessed the risk of client X.” If client X was never screened because they weren’t receiving a designated service at the time of onboarding, you have no answer to that question. The gap in your records is the finding.
The hidden cost of partial screening
The designated-services reading doesn’t just create a regulatory gap. It creates three specific operational problems that surface at the worst possible times.
Section 32 of the AML/CTF Act is the audit-consequence anchor: a reporting entity must not provide a designated service to a customer it has not identified and verified. In practice, when AUSTRAC reviews a firm’s program, an unverified client who later receives a designated service is a section 32 exposure — regardless of whether the firm’s initial determination was that the client sat outside scope. The gap in the screening record is the problem.
Problem 1: The service relationship changes mid-engagement.
A client comes on board for general business advisory. Not a designated service. Under the narrow reading, no AML screening is required. Two years later, the firm takes on SMSF administration for the same client. Now a designated service is being provided. The firm now needs to run AML screening — but the onboarding window has passed, the client relationship is established, and the screening happens reactively, under time pressure, without the baseline information that would have made the risk assessment straightforward.
Compare that to a firm that screened the client at onboarding, regardless of the initial service scope. When SMSF administration begins, the compliance record exists. The risk assessment is an update, not a starting-from-zero exercise. If anything has changed — new entities, new directorships, changed beneficial ownership — it is visible against a known baseline.
Problem 2: Beneficial ownership flies under the radar.
A client who is not currently receiving a designated service may still have a corporate structure with complex beneficial ownership. Under the narrow screening approach, that structure is never examined. If the same client later receives a designated service, the firm discovers the ownership complexity at the point where it is most operationally disruptive to deal with.
Worse: if the client has beneficial ownership connections to a PEP or a sanctioned entity, the firm has been providing services — even general advisory services — without knowing. The regulatory risk of that position is not zero, even if the general advisory work sits outside the designated-services list. Knowing that a client has a high-risk ownership structure is information that affects how a firm manages the whole relationship, not just the compliance-triggering portion of it.
Problem 3: The audit question you can’t answer.
“Show me your risk assessment for client X.”
If client X was never screened because they were not receiving designated services at the point of onboarding, there is no risk assessment. The firm’s answer is, in effect: “We determined this client was outside scope.” That is not a risk assessment. That is a scope determination, and a debatable one. AUSTRAC’s supervision team will want to know how the firm reached that determination, what information they had, and how they would have detected a change in risk profile.
For a firm that screened every client at onboarding — even the lower-risk ones — the answer is straightforward. “Here is the baseline screening result. Here is the risk rating assigned. Here is the monitoring frequency set. Here is the record.”
The smarter approach: screen all, monitor by risk
The firms that handle Tranche 2 well are not the ones who drew the tightest possible reading of their obligations. They are the ones who set a simple default: screen every client at onboarding, then tier your monitoring intensity based on what you find.
This approach is cheaper in practice than it sounds, and far cheaper than the alternative.
Here is what it looks like operationally.
Baseline screening at onboarding — every client.
When a new client comes on, they complete identity verification and AML screening as a standard step. Not a step that triggers when the first designated service is invoiced. A step built into the onboarding workflow, the same way a fee agreement is built into the onboarding workflow. Every client. Every time.
The cost of that baseline check is low. A standard ID verification plus AML screening — PEP and sanctions — runs at $4.50 for the ID check and $1.80 for the AML screen at IdentityCheck’s Pro tier. That is $6.30 per client. For a 200-client firm, that is $1,260 across your full onboarding book. The baseline is inexpensive because most clients are low-risk and the checks are fast.
Risk-score gating for deeper work.
Once you have a baseline screening result, you have a risk score. Low-risk clients — the majority of a standard accounting practice’s book — go into standard annual monitoring. You are not running expensive beneficial ownership (UBO) reports on every client. You are reserving that work for the clients where the risk score or the service relationship warrants it.
Higher-risk clients, corporate clients with complex structures, and clients providing SMSF or entity administration services get deeper CDD: a beneficial ownership report sourced by ACN, recursively compiled, returning the ownership structure and screening results for each beneficial owner above the 25% threshold.
The cost of that UBO work is real but bounded. For Pro plan subscribers ($200/month), UBO onboarding is included. For Starter customers, UBO onboarding submissions are $50 per report at rate card. CreditorWatch credit reports — available across all tiers if needed for entity risk assessment — run $29-$35 per report. You are not spending that on every client. You are spending it where the baseline screening tells you it is warranted.
Ongoing monitoring tied to risk tier.
Every client in the system is enrolled in ongoing AML screening — PEP, sanctions, and adverse media — at the frequency their risk tier requires. Low-risk clients receive standard monitoring. Higher-risk clients receive more frequent checks. When a client’s status changes — a new adverse media hit, a sanctions match, a change in beneficial ownership — the monitoring surfaces it. The firm is not relying on manual periodic reviews or remembering to re-run a check.
Where Karbon fits.
For firms running on Karbon, this workflow is operational today. When a new client is created in Karbon, the AML compliance task is part of the onboarding job template. The task appears in the practitioner’s queue with status “Awaiting Verification.” The practitioner opens it, clicks “Send Verification” — a 5-second confirmation window prevents accidental sends — and the client receives a branded email and SMS to complete biometric ID verification and AML screening on their phone. The result writes back into the Karbon task: AML status, risk score, next review date, and a link to the full compliance record. The task closes. The onboarding job continues.
The compliance step is not something the practitioner remembers to do separately. It is part of the job. The practice manager sets it up once in the job template; it runs for every new client from that point forward, regardless of which services the engagement begins with.
For XPM users, the note-based integration trigger achieves the same outcome through a different mechanism. The workflow differs; the screening logic does not.
What it costs — and what it costs not to
The pricing question comes up in every demo. The answer is more straightforward than most firms expect.
For a 100-client accounting practice running at IdentityCheck’s Pro tier ($200/month, which includes the Karbon Task integration), baseline onboarding screening — ID verification plus AML screening — runs at approximately $6.30 per client. Across 100 new and existing client onboardings, the screening cost is approximately $630. The monthly platform cost brings the annualised total to around $3,030 for the year.
Split across 100 clients, that is $30.30 per client per year for a fully maintained, audit-ready compliance record.
For clients with corporate entity structures requiring beneficial ownership work: UBO onboarding is included at the Pro tier. For Starter-tier firms, UBO submissions are $50 each — apply that cost to the 10-20% of a typical book that warrants it, not the full book.
For comparison: a manual per-client process — collecting and scanning documents, chasing responses, filing records, re-running searches — takes 30 to 60 minutes per client at onboarding. For a 100-client book, that is 50 to 100 hours of admin time. At a fully-loaded admin cost of $50 per hour, the manual alternative costs $2,500 to $5,000 for the initial onboarding pass alone — before any ongoing monitoring, before any audit preparation, before any client re-verification.
The comparison is not between a software cost and zero cost. The manual process has a real cost. It is just paid in staff time rather than invoiced as a line item. And unlike the software, it does not produce audit-ready records, does not run automatic AML screening, and does not maintain an ongoing monitoring cycle.
The cost of getting partial screening wrong is harder to quantify, but the components are real: professional time spent responding to a supervision review, reputational cost with clients if a compliance gap is surfaced, and the operational disruption of backfilling records for clients who were never screened.
1 July is closer than it looks
The 1 July 2026 deadline is fixed. AUSTRAC has confirmed it. The compliance officer notification deadline — 30 May — is less than a month away as of this writing.
The Tranche 2 reform was enacted through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (No. 110, 2024 — Royal Assent 10 December 2024), which brought accountants, lawyers, real estate professionals, trust and company service providers, and dealers in precious metals and stones into the AML/CTF regime for the first time. That legislation is not a draft. The obligations are live, the deadline is set, and the question for firms is no longer whether to comply but how quickly they can build a program that will hold under review.
The firms that are screening every client now are building a compliance record that will be there when AUSTRAC asks for it. The firms waiting to narrow their obligation to the precise clients receiving designated services are making a bet that the narrower reading will hold under review — and that bet is harder to defend than it looks when you are sitting across from a supervision team.
The operational change is not difficult. The workflow exists. The integration with Karbon is live. The baseline screening cost is manageable. What takes time is the decision to start, and the setup work that follows.
Firms that act in May have enough runway to onboard their existing client book before the deadline, run re-verifications where records are missing, and build the ongoing monitoring cycle that keeps the program current after July 1. Firms that act in late June do not have that runway.
The smarter approach to Tranche 2 is not the one that screens the fewest clients you can justify. It is the one that screens all of them, costs less than the alternative, and produces records that answer AUSTRAC’s questions before they’re asked.
What IdentityCheck covers — and what it doesn’t
IdentityCheck handles identity verification, AML/CTF screening (PEP, sanctions, adverse media), risk assessment, 7-year record retention, and ongoing monitoring. It does not replace your AML/CTF Program document, your registered compliance officer, or legal advice on which of your services qualify as designated. The software gathers the evidence. The compliance officer makes the call.
If your firm reads any of this differently — particularly the section 6 / Question 1 vs Question 2 interpretation — we want to know. Tranche 2 is new for accountants and the working interpretations will sharpen across the industry over the next few months. Email [email protected] with disagreements; I’d rather correct course in print than hold a wrong reading.
Related reading
- IdentityCheck + Karbon integration — how the task-layer integration works inside your Karbon job templates
- IdentityCheck pricing — Pro tier, Starter tier, and per-report costs across all plans
- Your team is already doing AML — just not in a way that survives an audit — the cost of the manual approach
- AUSTRAC Tranche 2: what Australian accounting firms must do before 1 July 2026 — the full obligation picture
