Xero vs QuickBooks vs MYOB for AML/CTF Compliance: A 2026 Reality Check

With 45 days remaining until 1 July 2026, the most common question we hear from Australian accounting principals is: "Doesn't Xero (or QuickBooks, or MYOB) already handle this?" It is an understandable assumption. Each of these platforms now markets itself as the central operating system for a modern practice, and each has identity-verification add-ons in its app store. But none of them is an AML/CTF compliance product — and from 1 July 2026, that distinction matters a great deal.

This guide compares what Xero, QuickBooks Online, and MYOB AccountRight/Business actually cover against the obligations in the AML/CTF Act 2006 as amended by the Tranche 2 reforms. The short answer: each platform helps you run your firm, but none of them satisfies the seven obligations AUSTRAC will measure you against.

The misconception that's putting Australian firms at risk

Accounting software platforms are not AUSTRAC-regulated reporting entities. Their compliance certifications — SOC 2, ISO 27001, and similar — relate to information security, not money laundering and terrorism financing controls. Xero, QuickBooks, and MYOB are excellent at the work they were built for: bookkeeping, payroll, BAS, financial reporting, and bank feeds. They are not built to enrol you with AUSTRAC, produce a Part A and Part B programme, screen clients against sanctions lists, or lodge suspicious matter reports.

The risk is that principals confuse the existence of an identity-verification add-on (one small slice of customer due diligence) with full AML/CTF compliance. Under Tranche 2, that mistake is now an enforcement exposure.

What each platform actually does

Xero

Xero is Australia's most-installed cloud accounting platform, with strong adoption among small and mid-sized firms. Its core capabilities cover invoicing, bank reconciliation, payroll, fixed assets, and BAS reporting. The Xero App Store hosts a small number of third-party identity-verification integrations — APLYiD, FirstAML, annature, and VerifyID being the most common — that allow electronic verification (eKYC) of an individual's driver licence or passport against credit-bureau data or document-recognition technology. These integrations are partners, not Xero products, and the contract for compliance services sits with the third party.

QuickBooks Online

QuickBooks Online is Intuit's cloud accounting product, with a smaller but established Australian footprint. Its bookkeeping, invoicing, and BAS features are competitive with Xero. The QuickBooks Australian app marketplace has fewer dedicated AUSTRAC-aligned identity-verification partners than Xero, but firms can typically integrate a stand-alone eKYC provider via Zapier or a direct API. Like Xero, QuickBooks itself does not market an AML/CTF compliance product.

MYOB

MYOB AccountRight and MYOB Business remain widely used among long-established Australian practices, especially those serving SMEs with desktop or hybrid setups. MYOB Practice modules cover workflow, document storage, and engagement letters — but again, the platform itself does not perform CDD, write AML/CTF programmes, or interface with AUSTRAC. MYOB Practice integrates with several Australian eKYC providers for client onboarding.

The side-by-side: what each platform covers under the AML/CTF Act 2006

Mapped against the obligations under Part 2 of the AML/CTF Act 2006:

• AUSTRAC enrolment — None of the three. Enrolment is your firm's responsibility, lodged directly with AUSTRAC.
• AML/CTF Programme (Part A and Part B documents) — None of the three. Each platform may host the finished document in its file storage, but none drafts, customises, or version-controls it.
• ML/TF risk assessment — None of the three. You must perform and document the assessment against your firm's services, customers, channels, and jurisdictions.
• Customer identity verification (eKYC) — Available via third-party add-on on all three (APLYiD, FirstAML, and similar). This is one component of CDD, not the whole obligation.
• Beneficial ownership mapping — Partial at best. Some add-ons capture beneficial-owner data; none of the accounting platforms maps layered trust or company structures end-to-end.
• PEP and sanctions screening — Available via the same third-party eKYC partners on initial onboarding. Ongoing re-screening at the cadence AUSTRAC expects (monthly or more for high-risk clients) is not standard.
• Ongoing monitoring of activity — None of the three monitor against an ML/TF risk profile. They monitor bank feeds against general ledger codes — a different task entirely.
• Suspicious Matter Reports (SMRs) to AUSTRAC — None of the three. SMRs are submitted to AUSTRAC Online; none of the accounting platforms has an SMR workflow or template.
• Threshold Transaction Reports (TTRs) — None of the three.
• Training records and AMLCO appointment — None of the three. Practice-management modules can store training certificates, but they do not deliver training, track currency, or appoint an officer.
• Independent review (every two years) — None of the three.
• Record retention (seven years) — All three retain accounting records, but not in a form structured against AUSTRAC's record-keeping rules for CDD files and AML decisions.

The seven obligations none of them cover

AUSTRAC measures a regulated entity against seven core obligations. Even accountants with Xero, an eKYC add-on, and a practice-management subscription still need to satisfy each of these from 1 July 2026:

1. Enrol your firm with AUSTRAC — a separate administrative step lodged through the AUSTRAC Online portal.
2. Appoint an AML/CTF Compliance Officer (AMLCO) — a named person at senior management level with documented responsibilities.
3. Adopt and maintain a Part A and Part B AML/CTF Programme — a written, board- or partner-approved document covering governance, risk assessment, customer due diligence, and ongoing monitoring.
4. Conduct an ML/TF risk assessment — methodology-led assessment of your firm's exposure across customers, services, delivery channels, and jurisdictions, refreshed at a defined cadence.
5. Apply customer due diligence to new and existing clients — including beneficial-owner identification, PEP and sanctions screening, simplified or enhanced procedures based on risk, and ongoing monitoring.
6. Lodge Suspicious Matter Reports and Threshold Transaction Reports with AUSTRAC within statutory timeframes — three business days for SMRs (or 24 hours where terrorism financing is suspected) and 10 business days for TTRs.
7. Train staff annually, maintain records for seven years, and obtain an independent review every two years — covering programme effectiveness and statutory compliance.

Why the gap exists

Accounting platforms are designed to record the financial life of a business: invoices in, payments out, payroll, GST. AML/CTF compliance is a parallel — and quite different — discipline focused on detecting the misuse of legitimate businesses to move illicit funds. The data model, workflows, and reporting requirements do not overlap meaningfully. Xero, QuickBooks, and MYOB have sensibly chosen to remain best-in-class at accounting rather than build a second product inside the first. Closing the AML/CTF gap means bolting a purpose-built compliance platform alongside your accounting stack — not waiting for the bookkeeping tool to grow into the role.

How accounting firms are closing the gap before 1 July 2026

The firms we work with at AMLify typically follow the same four-step pattern:

1. Keep Xero, QuickBooks, or MYOB for what they do best — bookkeeping, BAS, payroll, client billing — and do not try to retrofit AML/CTF workflows into them.
2. Add a dedicated AML/CTF compliance platform that handles enrolment guidance, programme drafting, risk assessment, CDD and EDD workflows, ongoing monitoring, SMR lodgement, training, and record retention against AUSTRAC's standards.
3. Integrate identity verification — either through the AML platform's built-in eKYC or through a Xero/QBO/MYOB App Store partner, so client identity data flows once and is reused everywhere.
4. Appoint an AMLCO and run a desktop dry-run of the programme three to four weeks before 1 July 2026, so policy gaps are surfaced before AUSTRAC's enrolment window opens in earnest.

AMLify was built specifically to be the AML/CTF layer alongside Australian accounting software — the workflows assume your bookkeeping lives in Xero, QuickBooks, or MYOB, and the customer due diligence engine is structured around the way Australian accounting firms actually onboard clients. You can watch the AMLify demo to see the full workflow against your existing stack — it runs end-to-end in under 30 minutes.

Key Takeaways

• Xero, QuickBooks, and MYOB are accounting platforms, not AML/CTF compliance products. Their app stores include identity-verification add-ons, but eKYC is one slice of one obligation, not the whole regime.
• Seven core obligations apply under the AML/CTF Act 2006 from 1 July 2026 — enrolment, AMLCO appointment, programme, risk assessment, CDD, reporting, and training/records/review. None of the three accounting platforms cover any of them end-to-end.
• The gap is structural, not incidental. Bookkeeping data models and AML/CTF workflows do not overlap, and the major accounting vendors have not built compliance products inside their core platforms.
• The pragmatic answer is to bolt on a dedicated AML/CTF platform and keep using your accounting software for what it does best. The two should integrate, not compete.
• The 1 July 2026 deadline is firm. AUSTRAC has not signalled any extension, and civil penalties for systemic non-compliance can reach into the tens of millions of dollars.

Frequently Asked Questions

Q: My Xero App Store integration says it is "AML-ready" — isn't that enough?

Most Xero App Store integrations described as "AML-ready" are electronic identity verification tools — they verify a driver licence, passport, or Medicare card against a data source or document-recognition model. That is a useful component of customer due diligence, but CDD itself is broader: it includes beneficial-ownership mapping, PEP and sanctions screening, source-of-funds enquiries for enhanced due diligence, ongoing monitoring, and decisions about whether to accept, decline, or exit a client. Outside CDD, you still need the six other obligations the eKYC tool does not touch. "AML-ready" describes the integration's compatibility with a compliance programme; it does not provide one.

Q: Does QuickBooks Online have an AUSTRAC integration?

No. QuickBooks Online does not offer a direct integration with AUSTRAC Online for enrolment, SMR lodgement, or TTR lodgement. Firms using QuickBooks lodge directly with AUSTRAC via the AUSTRAC Online portal, typically through their AML/CTF compliance platform. The same is true of Xero and MYOB.

Q: MYOB Practice includes "compliance" modules — don't they cover AML/CTF?

MYOB Practice's compliance modules cover tax and BAS lodgement compliance — meeting your statutory obligations to the ATO. They do not address AML/CTF obligations, which are administered by AUSTRAC under a separate statute. The terminology overlap is unfortunate but understandable: "compliance" in accounting historically meant tax compliance, and most practice-management vendors have used the term that way for decades.

Q: Can I just use a Word document for my AML/CTF Programme and store it in Xero or MYOB?

A Word document is a legitimate format for an AML/CTF Programme — AUSTRAC does not mandate a particular software tool. However, the programme must be more than a static document. It needs version control, board or senior-management approval records, evidence that staff have been trained on it, and a clear link between the procedures it describes and the operational steps actually performed during client onboarding and ongoing monitoring. A purpose-built platform produces and maintains the document, demonstrates operational adherence, and creates the audit trail AUSTRAC will look for. A Word file in a folder will not.

Q: What is the realistic minimum tech stack for an accounting firm under Tranche 2?

Most Australian accounting firms will need: (1) their existing accounting platform — Xero, QuickBooks Online, or MYOB — for bookkeeping and BAS work; (2) a dedicated AML/CTF compliance platform such as AMLify for programme, CDD, ongoing monitoring, SMR lodgement, and training; (3) an eKYC provider, either bundled inside the compliance platform or via an App Store integration; and (4) a defined relationship with AUSTRAC Online for enrolment and statutory reporting. The compliance platform should be the system of record for AML/CTF decisions; the accounting platform should remain the system of record for the firm's financials.

This is general information only and not a substitute for legal advice.

Related articles