AML/CTF Programme for Accounting Firms: 2026 Guide

From 1 July 2026, every Australian accounting firm providing a designated service under the AML/CTF Act 2006 must have an adopted, approved AML/CTF Programme in writing. With 41 days until the deadline, the programme — a two-part document covering governance and customer due diligence procedures — is the centrepiece of the compliance regime AUSTRAC will assess when reviewing whether a firm has met its obligations.

What Is an AML/CTF Programme for an Accounting Firm?

An AML/CTF Programme is the written framework a reporting entity uses to identify, assess, and manage its money laundering and terrorism financing risks. Under Part 2 of the AML/CTF Act 2006, every accounting firm that provides a designated service must adopt and maintain one before it begins providing that service. The programme is not a one-time registration — it is a living document that must reflect how the firm actually operates, be approved by senior management, and be updated whenever material circumstances change.

Which Accounting Services Make a Programme Mandatory?

The obligation applies to any accounting firm that provides a designated service. For accountants, the most common triggers are: - Managing client funds or assets — holding money in a trust account, operating a client's bank account, or directing asset transfers on a client's behalf - Creating or managing legal persons or arrangements — forming companies, trusts, or partnerships for clients, acting as company secretary or ongoing trust administrator - Real property transactions — facilitating or settling a property purchase or sale on a client's behalf - Business acquisitions and disposals — acting on behalf of a client in buying or selling a business or a significant business interest Tax return preparation, financial statement compilation, and general advisory work are not designated services. Firms providing both designated and non-designated services need a programme that specifically addresses the designated services — the entire client base does not need to be brought within scope.

What Must Part A of the Programme Contain?

Part A covers governance and risk management methodology. A compliant Part A for an Australian accounting firm must address: - ML/TF risk assessment — a documented analysis of the firm's exposure across client types, designated services, delivery channels, and jurisdictions, which drives all CDD and monitoring decisions - Customer acceptance policy — criteria applied when deciding whether to onboard or continue a client relationship, including any categories the firm will not accept - AMLCO appointment — the named Compliance Officer, their documented responsibilities, and their reporting line to senior management - Senior management oversight — evidence that the principal, partnership, or board has approved the programme and receives regular updates on its operation - Ongoing monitoring policy — how the firm reviews active relationships, including trigger-based CDD refresh and periodic re-screening against PEP and sanctions lists - SMR procedures — how suspicions are identified, escalated, documented, and lodged with AUSTRAC within three business days, with guidance on the tipping-off prohibition - Training policy — content, frequency, and record-keeping for AML/CTF training across all relevant roles - Independent review schedule — the biennial review obligation and how findings are reported to senior management - Record retention — the firm's approach to retaining CDD files, SMR decisions, programme versions, and training records for seven years

What Must Part B of the Programme Contain?

Part B covers operational procedures for identifying and verifying clients and beneficial owners. For each designated service the accounting firm provides, Part B must address: - Client identification — what information is collected from individual clients and entity clients such as companies, trusts, and partnerships - Identity verification — the specific documents or electronic data sources accepted to verify each client category - Beneficial ownership — how the firm maps and verifies the natural persons who ultimately own or control an entity client, including layered trust and company structures common in Australian SME engagements - PEP and sanctions screening — procedures for screening at onboarding and at defined intervals thereafter - Simplified CDD — which lower-risk client categories qualify for reduced verification steps, and the criteria that must be met - Enhanced due diligence (EDD) — additional procedures for high-risk clients including politically exposed persons and clients connected to high-risk jurisdictions, with senior-management approval requirements - Non-face-to-face procedures — any additional measures where the firm cannot verify a client in person

How Should an Accounting Firm Calibrate Its Programme?

The programme must reflect your firm's actual services and client mix, not simply replicate a generic template. AUSTRAC expects the risk assessment to drive the procedures: a firm that manages trust accounts and settles property transactions for a large SME client base operates differently from a sole practitioner who only occasionally assists with company formation. Common calibration decisions for accounting firms include: - More intensive beneficial-ownership mapping for clients with discretionary trust structures, particularly where corporate trustees are involved - Heightened source-of-funds scrutiny for clients whose transactions involve offshore counterparties or unexplained wealth - Trigger-based CDD refresh whenever a client's beneficial ownership changes — a common event in SME restructuring - Simplified procedures for ASX-listed entity clients where ownership is publicly disclosed on a regulated exchange A programme that does not reflect these decisions is unlikely to satisfy AUSTRAC scrutiny, even if it formally addresses every required topic.

Who Must Approve the AML/CTF Programme?

The programme must be approved by a senior officer with authority to bind the firm — typically the principal, the managing partner, the partnership collectively, or the board of the incorporated practice. Approval must be documented through a resolution, a signed cover page, or formal meeting minutes. A version history should be maintained so AUSTRAC can trace when each version was adopted, who approved it, and what changed. An unapproved draft does not satisfy the obligation. The AMLify accountants module includes a guided programme builder with version control and approval tracking calibrated to AUSTRAC's expectations.

What Happens to a Firm Without a Programme From 1 July 2026?

Providing a designated service without an adopted AML/CTF Programme is a contravention of the AML/CTF Act 2006 that can attract civil penalties of up to $18.5 million per contravention for a corporate entity. Operating without a programme also means operating without any compliant CDD or SMR workflow — each client onboarded and each reportable matter missed becomes a separate potential contravention. Accounting firms that have not yet begun should treat programme drafting as the immediate priority above all other Tranche 2 workstreams.

Key Takeaways

• Part A covers governance — risk assessment methodology, customer acceptance policy, AMLCO appointment, senior management oversight, ongoing monitoring, SMR procedures, training, independent review, and record retention
• Part B covers CDD procedures — client identification, identity verification, beneficial ownership mapping, PEP and sanctions screening, and simplified or enhanced due diligence for each designated service
• The programme must be approved by senior management, version-controlled, and reviewed whenever material circumstances change — an unapproved draft does not satisfy the obligation
• Calibration to your firm's actual operations is essential — a programme that does not reflect your client mix, designated services, and delivery channels is unlikely to satisfy AUSTRAC scrutiny
• 41 days remain — most accounting firms can draft, review, and approve a compliant Part A and Part B within two to three weeks of focused effort

Frequently Asked Questions

Q: Does a sole-practitioner accounting firm need a full AML/CTF Programme?

Yes. The AML/CTF Act 2006 applies by reference to the designated services a firm provides, not by firm size. A sole practitioner who manages client trust accounts or assists with company formation has the same programme obligation as a multi-partner practice. The programme can be proportionate in length — a smaller firm with a narrower service range does not need a 60-page document — but Part A and Part B must both be present, approved, and operational from 1 July 2026.

Q: Can we use an industry association template for our programme?

Templates produced by CPA Australia, Chartered Accountants ANZ, or other professional bodies are a useful structural reference. However, the programme must reflect your firm's specific client base, service mix, and delivery channels. An unmodified template that does not describe your actual operations does not satisfy the obligation. Customise the template to your firm, have the customised version reviewed by the AMLCO, and obtain written approval from the responsible principal or partner before the deadline.

Q: How often must the programme be reviewed?

The AML/CTF Act 2006 requires the programme to be reviewed at a stated cadence and whenever material circumstances change. For accounting firms, material triggers include adding or exiting a designated service, a significant shift in client mix or jurisdictional exposure, a new AMLCO appointment, an AUSTRAC inquiry or SMR that reveals a programme gap, and any change in FATF risk classifications affecting jurisdictions relevant to your clients. Beyond trigger-based reviews, best practice is an annual desktop review by the AMLCO with written sign-off by the responsible principal.

Q: What is the difference between the ML/TF risk assessment and the AML/CTF Programme?

The ML/TF risk assessment is an input to the programme — it is the documented analysis of the firm's exposure across clients, services, delivery channels, and jurisdictions. The AML/CTF Programme is the output: the policies and procedures the firm adopts in response to that exposure. Both documents must exist separately. AUSTRAC will read them together to assess whether the programme's CDD procedures are genuinely calibrated to the risk the assessment identified.

Q: What if we add a new designated service after adopting the programme?

You do not need a new programme — but you must update the existing one. Adding a service triggers both a risk assessment review, to capture the new exposure, and a Part B update, to specify the CDD procedures that apply to the new service type. Senior management must approve the updated programme before the new service is offered to clients. Operating a designated service before the programme is updated to cover it creates an unaddressed compliance gap under the AML/CTF Act 2006.

This is general information only and not a substitute for legal advice.

Related articles