AML/CTF Obligations for Accountants: Everything Your Firm Needs to Know

If you're a small to mid-size accounting practice with one to four partners, a broader team behind them, and no dedicated compliance officer and you've just received a notification that AUSTRAC enrolment is open, you're probably feeling one of two things: mildly overwhelmed, or quietly hoping it doesn't really apply to you.

It almost certainly applies to you. And the overwhelm is understandable, but it shouldn't last past this article.

Here's the thing: the AML/CTF framework that accounting firms are now required to implement was designed with proportionality in mind. A small firm with a straightforward client base does not need to build the compliance infrastructure of a major bank. What you need is a documented, defensible program that reflects how your firm actually operates.

That is achievable. But it requires understanding what you're actually being asked to do.

Your firm is likely caught if it provides any of the following designated services:

• Tax agent services involving management of client funds or financial transactions
• Company formation, registration, or administration services
• Trust formation or management services
• Conveyancing or real estate transaction services
• Bookkeeping services involving management of client accounts
• Preparation of financial statements for third-party use
• SMSF administration or establishment

If you are unsure whether your firm provides a designated service, the starting point is AUSTRAC's published guidance on the definition of designated services under the AML/CTF Act.

Customer Due Diligence is likely the largest practical workload for most accounting firms — particularly those with established client bases built up over many years.

Initial CDD

For new clients, you must complete initial CDD before or as soon as practicable after commencing a designated service. This involves verifying the client's identity, understanding the nature of the relationship, and assessing their ML/TF risk level.

The Pre-Commencement Exception - What It Actually Means

For clients your firm was already servicing before 1 July 2026, AUSTRAC's guidance provides a pre-commencement exception. In broad terms, you are not required to re-verify identity for every existing client from scratch — provided you can demonstrate a reasonable basis for your risk assessment.

In practice, this means your firm needs:

• A documented risk categorisation methodology applied consistently across your client base
• A clear record of how each client (or client segment) has been risk-rated and why
• A process for identifying which existing clients require enhanced review before services continue
• A baseline from which ongoing risk changes can be measured

This is not an exemption from CDD — it is a structured way of meeting CDD obligations for an existing client base without manually re-verifying thousands of clients individually. The documentation requirement is real and must be in place from commencement.

Ongoing Monitoring

Once initial CDD is complete, firms must monitor ongoing client relationships for changes in risk profile, unusual transactions or activity, and trigger events requiring re-verification. This monitoring must be documented and systematic — informal partner knowledge is not sufficient.

Enhanced Due Diligence (EDD)

For high-risk clients — including Politically Exposed Persons (PEPs), clients from high-risk jurisdictions, and clients with complex ownership structures — enhanced due diligence is required. This includes additional verification steps, source of funds/wealth enquiries, and more frequent ongoing monitoring.

‍

Before providing a designated service, firms must take reasonable steps to establish that a client is not subject to targeted financial sanctions. For clients who are (or are connected to) Politically Exposed Persons, additional obligations apply including:

• Identifying PEP status at onboarding and on an ongoing basis
• For foreign PEPs: establishing source of funds and source of wealth on reasonable grounds where the client presents high ML/TF risk
• Applying enhanced ongoing monitoring where PEP status is identified

Practically, this means firms need a systematic screening process that is documented and repeatable.

For most established accounting firms, the hardest part of AML/CTF compliance is not understanding the obligations — it is operationalising them across an existing client base that may number in the thousands.

Consider a firm with 2,500 clients in scope. Manual re-verification of every client is not realistic. But doing nothing is not an option either. The pre-commencement exception exists precisely to address this — but it requires a defensible, documented approach to risk categorisation across the whole client base.

The practical pathway that most firms are finding workable involves:

All AML/CTF records must be retained for a minimum of seven years. This includes:

• CDD records and identity verification documents
• Risk assessments and risk categorisation decisions
• Transaction records for designated services
• Suspicious Matter Reports and supporting documentation
• Staff training records
• Copies of your AML/CTF program and any revisions

Records must be stored in a way that allows them to be retrieved promptly if requested by AUSTRAC. A folder of PDFs on a shared drive may technically satisfy the retention requirement — but it will not satisfy the retrieval requirement if AUSTRAC comes knocking.

AUSTRAC has broad enforcement powers under the AML/CTF Act. Firms that fail to meet their obligations from 1 July 2026 are exposed to:

• Civil penalty orders for failure to have a compliant AML/CTF program
• Enforceable undertakings requiring remediation at the firm's cost
• Ongoing compliance obligations imposed by court order
• Reputational damage from public enforcement action

It is worth noting that AUSTRAC has historically been a firm regulator. The banking sector learned this at significant cost. Accounting firms would be well advised not to repeat that lesson.

The firms that are finding this most manageable are the ones that started early and treated it as an operational project rather than a compliance exercise. The framework is structured — AUSTRAC's own starter kit provides the skeleton — and the workload, while real, is finite.

The practical starting point for most firms is a clear-eyed assessment of where they currently stand against each of the five obligations listed above. From there, the gaps are usually predictable: most firms have no documented ML/TF risk assessment, no formal CDD methodology, and no systematic screening process.

None of those gaps are insurmountable. But they do take time to close properly — time that is running out.