Beyond Xero, QuickBooks, and MYOB: The Seven AML/CTF Obligations Your Accounting Software Doesn't Cover

The single most common misconception we encounter in conversations with Australian accounting principals is that "our accounting software handles this". It is an understandable position. Xero, QuickBooks, and MYOB market themselves as the operating system of a modern practice, and each has identity-verification add-ons in its app store. But identity verification is one slice of one obligation under the AML/CTF Act 2006 — and with 49 days remaining until the Tranche 2 reforms take effect on 1 July 2026, conflating eKYC with AML/CTF compliance has become an active enforcement risk. This article walks through the seven obligations in full, with notes on why no accounting platform — current or in development — covers them end-to-end.

The framing: AUSTRAC, not the ATO

Accounting firms are accustomed to compliance regimes administered by the Australian Taxation Office and the Australian Securities and Investments Commission. The AML/CTF Act 2006 is a different beast: administered by AUSTRAC, focused on detecting the misuse of legitimate businesses to move illicit funds, and structured around seven core obligations rather than periodic lodgement deadlines. "Compliance" in the AUSTRAC sense is operational and continuous — a programme, a methodology, a workflow, and a paper trail — not a quarterly return.

Obligation 1 — Enrol your firm with AUSTRAC

Every Tranche 2 reporting entity must enrol with AUSTRAC via the AUSTRAC Online portal. Enrolment captures information about your firm's services, customer base, and the AMLCO. It is the gateway to every other obligation: until you are enrolled, AUSTRAC does not formally recognise you as a regulated entity.

Xero, QuickBooks, and MYOB do not perform this step on your behalf. There is no integration, no automation, no "file with AUSTRAC" button in any accounting platform. Your firm must enrol directly, and that enrolment must remain current — material changes (new partners, new service lines, AMLCO changes) trigger update obligations.

Obligation 2 — Appoint an AML/CTF Compliance Officer

The AML/CTF Programme must designate a named AMLCO, who must be a fit and proper person at senior management level with documented responsibilities and an appropriate reporting line. In a sole-practitioner firm, the principal is typically the AMLCO. In multi-partner firms, a partner takes the role; in larger firms, a senior employee may serve under partner oversight.

Appointment is not a one-time task. The AMLCO's responsibilities include drafting and maintaining the programme, overseeing CDD and EDD outcomes, reviewing alerts and SMR drafts, delivering or commissioning training, and acting as the firm's primary AUSTRAC contact. None of those responsibilities is performed by accounting software.

Obligation 3 — Adopt and maintain a written AML/CTF Programme

Part 2 of the AML/CTF Act 2006 requires every reporting entity to adopt and maintain an AML/CTF Programme. The programme has two parts:

• Part A — governance: policies for ML/TF risk identification, customer acceptance, CDD and EDD, ongoing monitoring, transaction reporting, AMLCO oversight, training, independent review, and record-keeping. Part A must be approved at the senior level (board, principal, or equivalent) and reviewed at a stated cadence.
• Part B — procedures: the operational how of identifying and verifying customers, including which documents are accepted, which data sources are used for electronic verification, and how beneficial ownership is mapped for entity clients.

A Part A and Part B document is a substantial piece of work — typically 25 to 60 pages for an accounting firm — and it must reflect the firm's actual operations, not be lifted unchanged from a template. AUSTRAC has indicated it will pay close attention to whether a programme is being operated, not just stored. Accounting software does not draft, customise, version-control, or evidence operation of this document.

Obligation 4 — Conduct an ML/TF risk assessment

Before — and continuously after — adopting the programme, the firm must perform a documented ML/TF risk assessment across four dimensions:

1. Customer types — sole traders, SMEs with discretionary trusts, corporate structures, foreign-owned entities, non-resident clients, politically exposed persons.
2. Services provided — bookkeeping, tax agent services, company secretarial work, trustee services, real-property-related services, services involving the management of client funds.
3. Delivery channels — face-to-face onboarding versus non-face-to-face, document-based versus electronic identity verification.
4. Jurisdictions — domestic-only versus exposure to foreign owners, foreign payments, or clients with operations in jurisdictions assessed as high-risk by FATF.

The methodology must be documented. The outcome must be a defensible risk rating that drives the depth of CDD applied to each client type. Accounting platforms do not produce this assessment; their data model is built around financial accounts, not money-laundering risk indicators.

Obligation 5 — Apply customer due diligence

CDD is the obligation that accounting-software identity-verification add-ons partially address. "Partially" matters. Standard CDD has five components:

1. Identify the customer — collect legal name, date of birth, address (and ACN/ABN for entities).
2. Verify identity — through reliable, independent documents or data sources.
3. Identify beneficial owners — including layered trust and company structures with the 25% ownership-or-control threshold.
4. Verify beneficial owners' identities — applying the same standard of evidence.
5. Understand the nature and purpose of the relationship — and document it.

eKYC add-ons in the Xero App Store, QuickBooks marketplace, and MYOB partner network typically address steps 1 and 2 well, sometimes step 4 partially. They rarely build out step 3 for layered structures, and they do not document step 5 in a way that survives an AUSTRAC review. Enhanced due diligence — applied to PEPs, high-risk jurisdictions, complex structures, and unexplained wealth — adds source-of-funds enquiries and senior-management sign-off, neither of which is automated by eKYC tools.

Obligation 6 — Conduct ongoing monitoring and lodge AUSTRAC reports

Onboarding correctly is the start. Ongoing monitoring is continuous and includes:

• Re-screening clients against PEP and sanctions lists at a cadence that reflects their risk rating — typically monthly for high-risk, quarterly or annually for low-risk.
• Activity monitoring — reviewing whether the services provided and the financial activity observed remain consistent with the customer's documented risk profile.
• Trigger-based reviews — refreshing CDD when material circumstances change (new directors, new beneficial owners, jurisdictional shifts, unusual transactions).

Where monitoring or any other source raises a suspicion that funds may be the proceeds of crime or related to terrorism financing, the firm must lodge a Suspicious Matter Report with AUSTRAC within three business days (24 hours for suspected terrorism financing). Where applicable, Threshold Transaction Reports for cash transactions of A$10,000 or more must be lodged within 10 business days. Both reports are lodged via AUSTRAC Online. No accounting platform performs the lodgement, drafts the narrative, or maintains the audit trail of an SMR decision.

Obligation 7 — Train staff, keep records for seven years, and review independently every two years

The final obligation is operational sustainability. It has three components:

1. Annual AML/CTF training for all relevant staff — including the AMLCO, partners, client-facing accountants, and onboarding administrators. Training must be appropriate to the role and currency must be tracked.
2. Seven-year record retention for CDD files, beneficial-ownership records, transaction reports, SMR decisions and supporting evidence, training records, and programme versions. Records must be retrievable on request from AUSTRAC.
3. Independent review every two years — assessing the programme's design and operational effectiveness. Findings must be reported to senior management with remediation owners and dates.

Accounting platforms can store training certificates and documents, but they do not deliver training, track currency against role-appropriate content, structure records to the AUSTRAC retention standard, or produce an independent review methodology. Each of these is a separate enforceable obligation under the AML/CTF Act 2006.

Why no accounting platform meets the seven obligations end-to-end

The structural reason is straightforward: accounting platforms and AML/CTF platforms have different data models. Accounting software is organised around financial accounts, transactions, and reporting periods. AML/CTF software is organised around customer risk profiles, screening events, programme provisions, and statutory reporting events. The two systems serve adjacent businesses, but their internal logic does not overlap. Xero, QuickBooks, and MYOB have sensibly chosen to remain best-in-class at accounting rather than build a parallel compliance product inside the same database.

The practical implication is that AML/CTF compliance is delivered alongside the accounting platform, not inside it. A dedicated platform like AMLify handles the seven obligations in one place — programme drafting, risk assessment, CDD and EDD workflows, ongoing monitoring, SMR lodgement, training delivery, and seven-year retention — while integrating at the client-record level with whichever accounting platform the firm uses.

Key Takeaways

• The AML/CTF regime has seven core obligations. Identity verification is one component of one obligation (CDD), not the whole regime.
• Xero, QuickBooks, and MYOB do not cover the seven obligations end-to-end — and their roadmaps do not signal that they will. Accounting platforms and AML/CTF platforms have different data models.
• "Compliance" in accounting software typically means tax compliance. AUSTRAC compliance is a separate regime administered under a separate statute.
• From 1 July 2026, every Tranche 2 reporting entity must satisfy all seven obligations — enrolment, AMLCO, programme, risk assessment, CDD, reporting, and training/records/review.
• The pragmatic answer is to add a dedicated AML/CTF platform alongside your accounting software. They should integrate, not compete.

Frequently Asked Questions

Q: We've used Xero/QuickBooks/MYOB for ten years. Do we really need a separate platform?

Yes, if your firm provides Tranche 2 designated services. The duration or quality of your accounting-software relationship does not affect AML/CTF obligations. The seven obligations apply equally to firms that have just adopted cloud accounting and to firms that have run the same MYOB AccountRight installation since 2010. The AML/CTF Act 2006 is service-based, not technology-based.

Q: Could one of the accounting platforms acquire an AML compliance product before 1 July 2026?

Possibly, over time. Acquisitions and partnerships are part of the Australian compliance technology landscape, and the major accounting platforms have a history of acquiring adjacent tools. However, even an immediate acquisition typically takes 12 to 24 months to integrate into a primary product, and 1 July 2026 is 49 days away. Firms preparing for the deadline should plan on the assumption that the dedicated AML/CTF platform will be a separate product for the foreseeable future.

Q: What's the bare minimum a small firm needs?

A small firm — including sole practitioners — still needs all seven obligations covered. The minimum stack is typically: (1) an enrolled firm with a registered AMLCO; (2) a Part A and Part B AML/CTF Programme, scaled to the firm's services; (3) a CDD workflow that includes beneficial ownership and PEP/sanctions screening; (4) an ongoing-monitoring routine; (5) an SMR lodgement workflow; (6) annual staff training; (7) a record-retention system; and (8) a scheduled independent review. AMLify's plans are designed so the smaller a firm is, the lighter the operational burden — but the obligation set itself does not shrink.

Q: How long does it take to stand up the seven obligations from scratch?

Most firms moving deliberately can stand up the full AML/CTF stack — platform configured, programme drafted and signed off, initial client base risk-rated, AMLCO appointed and trained — in two to three weeks. Firms that try to do this in the final week before the deadline tend to encounter programme-drafting bottlenecks and discover gaps in their existing client records that require remediation. The earlier the work begins, the smaller the operational cost.

Q: Where does AMLify fit alongside our accounting software?

AMLify operates alongside Xero, QuickBooks Online, and MYOB as the AML/CTF system of record. The accounting platform continues to run bookkeeping, payroll, BAS, and practice workflow. AMLify handles enrolment guidance, programme drafting, ML/TF risk assessment, CDD and EDD workflows, ongoing monitoring, SMR lodgement, training delivery, and seven-year record retention. Client records reconcile between systems so the data is entered once and is visible everywhere. To see the configuration end-to-end, watch the AMLify demo.

This is general information only and not a substitute for legal advice.

Related articles