Does Xero Handle AML/CTF Compliance? What the App Store Add-Ons Actually Cover
Xero is the operational backbone of most Australian accounting practices — but does it cover AML/CTF obligations from 1 July 2026? A clear-eyed look at what the App Store integrations do, and the seven obligations they don't touch.
Xero is the cloud accounting platform of choice for the majority of Australian accounting and bookkeeping practices. With 46 days remaining until 1 July 2026, principals are reasonably asking whether their existing Xero subscription — perhaps with an App Store identity-verification add-on — already meets the Tranche 2 obligations under the AML/CTF Act 2006. This article walks through what Xero actually covers, what its identity-verification partners add, and where the gap to AUSTRAC compliance still sits.
What Xero is built for
Xero is an accounting platform. Its core capabilities cover invoicing, accounts payable, bank reconciliation, payroll, fixed-asset registers, GST and BAS reporting, and the management of trust accounts under state-based regulatory frameworks. Practice editions add workflow, document storage, engagement letters, and job tracking. Xero is excellent at this work, and the AUSTRAC reforms do not change that.
AUSTRAC does not regulate Xero. Xero is not a reporting entity under the AML/CTF Act 2006 and has no obligation to perform customer due diligence on your firm's clients, lodge Suspicious Matter Reports on your behalf, or maintain an AML/CTF Programme that satisfies Part 2 of the Act. None of that is a criticism — it is simply not what the platform is built to do.
What the Xero App Store eKYC integrations cover
The Xero App Store hosts a small number of third-party identity-verification partners. The most commonly used in Australia are:
- APLYiD — an Australian eKYC provider that verifies driver licences, passports, and Medicare cards against credit-bureau data (illion and Equifax), with optional biometric face match. Widely used in Australian accounting and conveyancing.
- FirstAML — a New Zealand-headquartered AML platform with Australian coverage, offering identity verification, beneficial-ownership prompts, and a basic client-record portal.
- annature — primarily a digital-signing platform with identity-verification add-ons useful at engagement-letter signing.
- VerifyID and other regional providers — typically document-recognition-based verification with watchlist screening modules.
These integrations perform a subset of customer due diligence: they verify that an individual's identity document is genuine and that the person presenting it is the rightful holder. Some include initial PEP and sanctions screening against global watchlists. Where they integrate with Xero, the verification result is typically written back to the contact record so the practice can demonstrate that identity was confirmed.
What no Xero integration covers under the AML/CTF Act 2006
Identity verification is one component of one obligation in a regime that has seven. The following are not addressed by Xero or by any current App Store integration:
- AUSTRAC enrolment — your firm must enrol directly with AUSTRAC. There is no Xero workflow for this.
- AMLCO appointment — a named senior officer with documented responsibilities must be designated and recorded.
- AML/CTF Programme (Part A and Part B documents) — a board- or partner-approved document covering governance, customer acceptance, CDD procedures, training, and review. No App Store integration produces or maintains this document.
- ML/TF risk assessment — a documented assessment of your firm's exposure across customers, services, delivery channels, and jurisdictions. Identity-verification tools do not produce a firm-level risk assessment.
- Beneficial-ownership mapping for layered structures — eKYC tools verify individuals, but they do not map a discretionary trust to a corporate trustee to an underlying operating company to the ultimate natural persons.
- Ongoing monitoring against an ML/TF risk profile — Xero monitors bank feeds for ledger reconciliation, not transaction patterns against a client's expected behaviour for AML purposes.
- Suspicious Matter Reports and Threshold Transaction Reports — submitted to AUSTRAC Online, not via Xero.
- Annual training delivery and tracking — engagement letters and document storage are not training delivery systems.
- Independent review every two years — required under the AML/CTF Act 2006 and not produced by any Xero workflow.
A simple test: ask these five questions of your current Xero setup
Before assuming your existing Xero subscription handles the new regime, sit with your AMLCO (or the partner who will become one) and answer these five questions in writing:
- Where is our firm's Part A and Part B AML/CTF Programme stored, and who signed it off?
- What is our ML/TF risk methodology, and when was the last risk assessment dated?
- For each new client onboarded in the last 30 days, can we produce the CDD file in under five minutes — including beneficial-owner mapping, PEP and sanctions check, and risk rating?
- If we identified a suspicious matter today, what is the workflow to lodge an SMR with AUSTRAC within three business days, and who is accountable for it?
- When is our next independent review scheduled, and which provider will perform it?
If any of those questions does not have a clear, evidenced answer, the firm has a gap to close before 1 July 2026.
What an AML/CTF-compliant stack looks like alongside Xero
The Australian firms moving fastest on Tranche 2 typically keep Xero exactly where it is and bolt a dedicated AML/CTF platform alongside it. AMLify was designed for this configuration: Xero remains the system of record for accounting; AMLify becomes the system of record for AML/CTF decisions. Identity verification can flow through AMLify's built-in eKYC or through your existing Xero App Store partner, with client identifiers reconciled across both systems.
The result is that Xero continues to do what it does well, and AML/CTF compliance — the programme, the CDD workflow, the ongoing monitoring, the SMR lodgement, the training register, the audit trail — is handled by a system actually built for the task. Practices interested in seeing this configuration end-to-end can watch the AMLify demo or read the accountants industry guide.
Key Takeaways
- Xero is an accounting platform, not an AML/CTF compliance product. Its App Store eKYC integrations cover identity verification — a subset of customer due diligence — and nothing else.
- Seven core AML/CTF obligations apply from 1 July 2026: enrolment, AMLCO appointment, programme, risk assessment, CDD, reporting, and training/records/review. Xero covers none of them end-to-end.
- "AML-ready" in the Xero App Store means the integration is compatible with a compliance programme — it does not provide one.
- The practical configuration is Xero plus a dedicated AML/CTF platform. They should integrate, not compete.
- The 1 July 2026 deadline is fixed. Civil penalties for systemic failures can reach into the tens of millions of dollars.
Frequently Asked Questions
Q: Does Xero have plans to launch an AML/CTF module before 1 July 2026?
Xero has not announced an AML/CTF compliance module as part of its Australian product roadmap. The platform's strategy has consistently focused on the App Store ecosystem for adjacent capabilities, allowing specialised vendors to provide compliance, payments, lending, and identity products that integrate with the core accounting platform. Firms should plan on the assumption that AML/CTF will be delivered by a dedicated partner, not by Xero itself.
Q: Will my Xero subscription cost go up because of Tranche 2?
No direct change to Xero pricing is connected to the Tranche 2 reforms. The cost increase for your firm comes from the additional tooling and personnel required: a dedicated AML/CTF platform subscription, eKYC charges per client, the time of an appointed AMLCO, training delivery, and the cost of biennial independent reviews. Most Australian practices we work with budget between $200 and $800 per month for the AML/CTF technology layer, depending on firm size and client volume.
Q: My Xero App Store eKYC partner is FirstAML. Doesn't FirstAML cover everything?
FirstAML provides identity verification, basic beneficial-ownership prompts, and a client record portal — useful capabilities that cover part of CDD. It is not, however, a full AML/CTF programme platform with a Part A document builder, ML/TF risk assessment engine, ongoing transaction monitoring against client risk profiles, in-platform SMR workflows aligned with AUSTRAC Online, training delivery and tracking, or independent review documentation tools at the standard Australian regulators expect. Some firms combine FirstAML with a dedicated programme platform; others adopt a single integrated platform that includes eKYC.
Q: We're a sole-practitioner accounting firm using Xero. Do we still need all of this?
Yes. The AML/CTF Act 2006 applies to reporting entities by reference to the designated services they provide, not by reference to their size. A sole practitioner providing services that fall within Tranche 2 has the same seven obligations as a large multi-partner firm. The way you discharge those obligations may be simpler — a slimmer risk assessment, fewer staff to train, one person serving as AMLCO — but the obligations themselves are the same. Purpose-built platforms typically scale pricing down for smaller firms, making compliance proportionate rather than prohibitive.
Q: Where does AMLify fit alongside Xero?
AMLify sits parallel to Xero. Xero continues to run your bookkeeping, payroll, BAS, and practice workflows. AMLify is where your AML/CTF programme is drafted and version-controlled, where CDD and EDD workflows live, where ongoing monitoring runs, where SMRs are prepared and lodged with AUSTRAC, where training is delivered and tracked, and where the records of every AML decision are retained for the seven-year statutory period. Client identifiers can be reconciled between systems so that data is captured once and reused everywhere.
This is general information only and not a substitute for legal advice.