Tranche 2 for Accountants: Your 70-Day Action Plan

Australian accountants providing certain designated services become reporting entities under the AML/CTF Act 2006 from 1 July 2026 — just 70 days away. Tranche 2 of Australia's landmark anti-money laundering reforms will impose obligations previously limited to banks and financial institutions, including enrolment with AUSTRAC, customer due diligence, and suspicious matter reporting. If your accounting firm has not yet started preparing, this is a practical roadmap for exactly what to do before the deadline.

Which Accounting Services Are Captured Under Tranche 2?

Not every service your firm provides will trigger AML/CTF obligations — only 'designated services' as defined under the amended AML/CTF Act 2006 are captured. Understanding your scope is the essential first step, and it is not always straightforward.

For most accounting firms, the designated services most likely to apply include:

• Receiving, holding, or managing client funds or accounts on a client's behalf
• Establishing or managing legal arrangements such as companies, trusts, or partnerships for clients
• Buying or selling business interests, real estate, or other assets on behalf of a client
• Managing financial transactions directed by clients, including moving money between accounts
• Structuring advice tied to significant financial transactions or asset transfers

Services that are purely advisory — such as preparing a standard tax return or compiling financial statements with no transactional element — are generally less likely to be captured. Firms should seek their own legal advice to confirm scope for their specific circumstances.

Why Are Accountants in AUSTRAC's Sights?

AUSTRAC and the Financial Action Task Force (FATF) have long identified accountants as a key vulnerability in Australia's financial crime framework. The reason is straightforward: accountants occupy a trusted position while routinely handling complex financial structures that can be exploited by those seeking to launder money or obscure the origins of funds.

Common risk vectors that make accounting services attractive to bad actors include:

• Complex ownership structures — companies layered within trusts can obscure the true beneficial owner of assets
• High-value transactions — property and business sales conducted through client accounts attract significant funds flows
• International exposure — clients from high-risk jurisdictions seeking Australian structuring or tax advice
• Politically Exposed Persons (PEPs) — individuals in positions of public trust who require enhanced scrutiny
• Cash-intensive businesses — clients whose revenue is difficult to verify, presenting inflated income for structuring purposes

FATF's 2015 mutual evaluation of Australia specifically cited deficiencies in DNFBP supervision as a significant gap in the national framework. Tranche 2 is Australia's direct response to that finding — and AUSTRAC has made clear it intends to supervise the new sector actively from day one.

What Are the Core AML/CTF Obligations for Accounting Firms?

Once your firm determines it provides designated services, the following obligations apply under the AML/CTF Act 2006. These are statutory requirements and cannot be delegated to clients or outsourced away:

1. Enrol with AUSTRAC — Register on the AUSTRAC Reporting Entities Register before providing designated services on or after 1 July 2026.
2. Conduct an ML/TF risk assessment — Identify and document money laundering and terrorism financing risks specific to your firm, client base, and services.
3. Develop an AML/CTF programme — Create a documented two-part programme addressing how your firm will manage identified risks.
4. Apply customer due diligence (CDD) — Verify client identity and understand beneficial ownership before providing designated services.
5. Conduct ongoing monitoring — Continuously monitor client relationships and transactions for unusual or suspicious activity.
6. Lodge Suspicious Matter Reports (SMRs) — Report to AUSTRAC when you have reasonable grounds to suspect a client's activity is connected to money laundering or another serious offence.
7. Submit annual compliance reports — Confirm to AUSTRAC each year that your programme remains appropriate and effective.
8. Maintain records — Keep CDD records, transaction records, and programme documentation for at least seven years.
9. Train staff — Ensure all staff delivering designated services understand their AML/CTF obligations and your firm's internal procedures.

What Does an AML/CTF Programme for an Accounting Firm Look Like?

An AML/CTF programme under the Act has two mandatory parts. Part A covers your firm's internal controls — the governance, risk management policies, and procedures your firm uses to identify and manage ML/TF risk. This includes your risk assessment methodology, senior management oversight arrangements, and how your programme will be reviewed and updated over time.

Part B covers customer due diligence. It sets out how your firm identifies and verifies clients, what documentation you collect, how you handle high-risk clients, and when you will apply enhanced due diligence (EDD) versus simplified due diligence (SDD).

Critically, your programme must be tailored to your firm. A generic template downloaded from the internet is unlikely to satisfy AUSTRAC's requirements — the programme must reflect your actual risk assessment and the specific designated services you provide. AMLify is built specifically for Tranche 2 DNFBPs like accounting firms, guiding you through risk assessment, programme documentation, and client onboarding in a single structured workflow. See how AMLify works for accountants.

What Should Accounting Firms Do in the Next 70 Days?

With the 1 July 2026 deadline 70 days away, here is a practical sequence to follow:

1. Scope review (Weeks 1–2) — Map every service your firm provides and confirm which are designated services. Involve your legal adviser if scope is uncertain.
2. ML/TF risk assessment (Weeks 2–4) — Document your firm's inherent risks across client types, service lines, geographies, and delivery channels.
3. Programme development (Weeks 3–6) — Draft your Part A and Part B AML/CTF programme, informed directly by your risk assessment findings.
4. AUSTRAC enrolment (Week 4) — Enrol on the AUSTRAC Reporting Entities Register as soon as your scope is confirmed. Do not leave this to the last week.
5. Staff training (Weeks 5–8) — Train all relevant staff on your programme, AML/CTF red flags, and SMR obligations before 1 July.
6. CDD implementation (Weeks 6–8) — Implement your client identification and verification process, beginning with new clients and high-risk existing relationships.
7. Programme review (Weeks 8–10) — Walk through your programme against a sample of client files to confirm it operates as intended before the deadline arrives.

Compliance platforms designed for Tranche 2 entities can significantly compress this timeline by providing guided workflows for each step. Explore AMLify's features to see how accounting firms are getting compliance-ready quickly.

What Are the Penalties for Non-Compliance?

The consequences of failing to meet AML/CTF obligations are serious. Under the AML/CTF Act 2006, civil penalties for serious contraventions can reach $22.2 million for corporations. Criminal liability for the most serious breaches can result in up to 10 years imprisonment for individuals. AUSTRAC also holds broad remedial powers, including the ability to appoint external auditors at a firm's expense and issue enforceable undertakings.

Beyond direct financial exposure, AUSTRAC publishes enforcement outcomes publicly — meaning reputational damage is a real and lasting consequence. AUSTRAC has confirmed it will actively supervise Tranche 2 entities from the outset of the new regime, so non-compliance is not a low-probability risk that firms can quietly ignore.

Key Takeaways

• Scope your services first — not every accounting service is captured under Tranche 2; only 'designated services' as defined in the AML/CTF Act 2006 trigger reporting entity obligations.
• Nine core obligations apply once in scope, including AUSTRAC enrolment, a firm-specific ML/TF risk assessment, a two-part AML/CTF programme, customer due diligence, and suspicious matter reporting.
• 70 days is workable but tight — firms that begin immediately can complete required steps before 1 July 2026, but there is no buffer for delay.
• Generic templates are insufficient — your AML/CTF programme must reflect your actual services and risk profile to satisfy AUSTRAC's requirements.
• Penalties are severe — civil penalties of up to $22.2 million and AUSTRAC's stated intention to supervise the sector actively make non-compliance a significant business risk.

Frequently Asked Questions

Q: Do all accountants need to comply with Tranche 2?

No. Only accountants providing 'designated services' as defined under the AML/CTF Act 2006 become reporting entities. Services like preparing tax returns or compiling financial statements without any transactional element are generally not captured. The primary triggers are services involving managing client funds, establishing corporate structures, or transacting on a client's behalf. Firms should review their full service offering carefully and seek legal advice to confirm whether and to what extent they are in scope before 1 July 2026.

Q: When must accounting firms enrol with AUSTRAC?

Accounting firms providing designated services must enrol with AUSTRAC before they commence providing those services under the new regime — meaning before 1 July 2026. AUSTRAC recommends completing enrolment ahead of the deadline rather than on commencement day, particularly as the register may experience high demand during peak periods. Enrolment itself is relatively straightforward, but it cannot be done retrospectively.

Q: How long does it take to build an AML/CTF programme for an accounting firm?

For a small-to-medium accounting practice with senior staff actively engaged, building a compliant AML/CTF programme typically takes four to eight weeks. The actual timeline depends on the complexity of your services, the diversity of your client base, and available internal resources. Compliance platforms built specifically for Tranche 2 entities can significantly reduce this timeline by guiding firms through each required step with structured workflows and pre-built frameworks tailored to accounting practices.

Q: Do existing clients need to be re-verified when Tranche 2 commences?

Accounting firms are not automatically required to re-verify every existing client from 1 July 2026, but customer due diligence must be applied to all clients to whom you continue providing designated services. For higher-risk existing clients — such as those with complex ownership structures, PEP exposure, or connections to high-risk jurisdictions — enhanced due diligence may be required. A practical approach is a risk-based review of your existing client base, prioritising re-verification for the highest-risk relationships first.

Q: What is a Suspicious Matter Report and when does an accountant need to file one?

A Suspicious Matter Report (SMR) must be submitted to AUSTRAC when an accountant has reasonable grounds to suspect that a matter relates to money laundering, the financing of terrorism, or another serious offence. The threshold is reasonable suspicion — not proof. SMRs must generally be submitted within three business days of forming the suspicion, or within 24 hours where the matter relates to terrorism financing. Accountants are also legally prohibited from tipping off a client that an SMR has been, or will be, lodged.

This is general information only and not a substitute for legal advice.