Practical Guide · 2026

AUSTRAC Enrolment Is Open.
Your firm has no compliance team. Here's What to Do.

A practical, no-jargon guide for small accounting firms starting from scratch: what you need, in what order, and how long it takes.

31st March 2026
Sean Drennan, ComplianceLink

First, the honest reality check

If you're a small to mid-size accounting firm with no compliance team, you've probably been putting off the AML/CTF project because it's hard to know where to start. This guide skips the regulatory background — our main AML/CTF guide covers that — and focuses on the practical question: what do you actually need to do, in what order, and how long does each step take?

The short version: it's achievable before 1 July 2026, but only if you start now. Firms leaving this to May or June will be doing it under pressure.

What most small accounting firms are walking in with

  • No formal ML/TF risk assessment (ever)
  • No documented CDD methodology. Client knowledge sits in partners' heads
  • No systematic screening process for PEPs or sanctions
  • No designated AMLCO or assigned compliance roles
  • Client files spread across multiple systems and software packages with inconsistent data
  • A vague awareness that something needs to happen before July

If that list describes your firm, you are not behind. You are exactly where most small firms are right now. The question is what you do about it in the time available.

What you actually need to have in place

Strip away the regulatory language and there are five things AUSTRAC requires every reporting entity to have documented and operational by 1 July 2026:

1. A firm-level ML/TF risk assessment: a written document assessing the money laundering and terrorism financing risks your firm faces
2. A written AML/CTF program: covering governance (Part A) and customer due diligence (Part B)
3. A CDD process for your client base: including how existing clients have been categorised and how new ones will be onboarded
4. Assigned roles and trained staff: at minimum, a nominated AMLCO and basic staff awareness training
5. Reporting workflows: documented processes for Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs)

A note on scope: Whether your firm is caught depends on the services you provide. Firms offering tax agent services involving client funds, company or trust formation, or SMSF administration are almost certainly reporting entities. If your situation is less clear, it's worth a quick conversation with an AML/CTF specialist to confirm.

The thing that trips up small firms most

It's not the program documentation. It's the existing client base.

Small accounting firms typically have long-standing client bases built up over years or decades, with no consistent standard for CDD or risk assessment. The partners know their clients — that judgement is real. It's just entirely informal and undocumented.

AUSTRAC now requires that judgement to be formalised. Every client needs to sit in a risk tier (low, medium, or high) with a documented rationale. For a firm with 800+ clients, doing this manually isn't realistic.

The pre-commencement exception exists precisely to address this — it lets firms meet their initial CDD obligations without re-verifying every client from scratch, provided the risk categorisation is defensible and documented. Our main guide unpacks the exception and the documentation requirements in detail.

What matters practically is this: the firms handling it well are using their existing client data to apply a consistent risk methodology in bulk. The firms that struggle try to do it client by client.

This is exactly what ComplianceLink was built for.

We use a bulk import and risk categorisation process to handle your existing client base without manual re-verification. Book a free 15-minute walk-through to see how it works for a firm like yours.

The Practical Path Forward, Step by Step

Here is the order of operations that works for a small firm starting from scratch with limited internal resources:

1. Confirm your scope

Before anything else, confirm which of your services are designated services under the AML/CTF Act. This determines your obligations. Most small accounting firms providing tax, company formation, trust, SMSF, or bookkeeping services will be caught. If you're unsure, this is worth a brief conversation with an AML/CTF-specialist lawyer.

ComplianceLink's diagnostic walk-through covers scope confirmation as the first step. It takes about five minutes.

2. Nominate your AMLCO

You need a designated Anti-Money Laundering Compliance Officer. For a small firm, this is almost always a senior partner. It doesn't require specialist qualifications. It requires accountability and awareness. Nominating someone gets you a named owner for every subsequent step.

3. Complete your firm-level ML/TF risk assessment

This is the document most small firms have never produced. It assesses the risk your firm faces, not your clients' risk, across the services you provide, the client types you serve, your delivery channels, and the geographies you operate in. For most small firms, this assessment will conclude that risk is low to medium. That's fine. What matters is that the assessment exists and is documented.

ComplianceLink's firm-level risk assessment tool guides you through this systematically and outputs a documented assessment ready for your AML/CTF program.

4. Risk-categorise your existing client base

Export your client list from whatever system you use: your practice management software, your CRM, a spreadsheet. Apply a consistent risk categorisation methodology across the whole base: low, medium, high. Flag clients requiring enhanced review. Document the rationale. This is central to your Part A compliance and the thing that protects you if AUSTRAC ever reviews your program.

ComplianceLink handles this via bulk import. Your existing client data, whatever the source, is run through a structured risk categorisation process that outputs a documented, defensible record.

5. Document your CDD process for new clients

Once your existing base is categorised, you need a documented process for how you'll onboard new clients going forward. This covers identity verification, risk assessment, and the ongoing monitoring triggers that would prompt a review. For most small firms, this process already exists informally; it just needs to be written down and developed into a consistent process.

6. Write your AML/CTF program

The AML/CTF program is the document that ties everything together: your risk assessment, your CDD approach, your reporting workflows, your staff training framework. AUSTRAC's starter kit provides a template. For a small firm, this document does not need to be 80 pages. It needs to be accurate, specific to your firm, and approved by your senior management team.

ComplianceLink structures every AUSTRAC Starter Kit obligation into guided workflows. The program documentation is built as you complete each step, not written from scratch at the end.

7. Set up your reporting workflows

Document how your firm will handle Suspicious Matter Reports and Threshold Transaction Reports: who identifies, who escalates, who approves, and what the deadlines are. For most small firms this is a one-page process document. What matters is that it exists and that your AMLCO maintains it.

8. Enrol with AUSTRAC and train your staff

Enrolment via AUSTRAC Online takes about an hour once your AMLCO and program details are ready. Staff training is the bigger piece — cover the red flags your team should recognise, the escalation pathway, and who the AMLCO is. Keep records of what was covered, when, and who attended.

How long does this actually take?

For a small firm starting from scratch, working with a structured framework, the realistic timeline is:

  • Scope confirmation and AMLCO nomination: 1–2 hours
  • Firm-level risk assessment: 2–4 hours with a guided tool
  • Existing client base risk categorisation: 1–2 days depending on data quality and volume
  • CDD process documentation: half a day
  • AML/CTF program: 1–2 days if built from a structured framework
  • Reporting workflows and staff training: half a day each

Total: roughly one focused week of work, spread across a few weeks if you're managing it alongside a normal workload. That is achievable before 1 July, but only if you start now. Firms that leave this to May or June will be doing it under pressure.

The honest caveat: These timelines assume your client data is reasonably organised and your firm has a clear picture of the services it provides. If your data is scattered across multiple systems or your service scope is genuinely unclear, add time accordingly. A 15-minute diagnostic call is the fastest way to get a realistic picture of where your firm actually stands.

Can you do this without outside help?

Yes, if you have a partner with the time and inclination to work through AUSTRAC's starter kit methodically. The guidance is publicly available, the obligations are clear, and a small firm with a straightforward client base is not dealing with an insurmountably complex compliance challenge.

The practical problem for most small firms is not capability. It's time. Partners are billing. Staff are busy. The compliance project keeps getting pushed to next week.

That is the real risk. Not that you can't do it, but that you won't get to it in time.

The firms that are finding this most manageable are using a structured platform to work through the requirements systematically rather than starting from a blank document. The framework is the same as AUSTRAC's starter kit, but the guided workflow streamlines the process.

See how ComplianceLink fits a firm like yours.

Free 15-minute walk-through. No commitment. We'll map your firm's current position and show you exactly what's involved.

The bottom line

Small firms don't have the compliance teams big practices do — that's exactly what ComplianceLink is built for. The platform guides you through the risk assessment, CDD workflows, and program documentation as you go, so you're not assembling a compliance program from scratch on a deadline.

What you can't afford to do is wait. Firms that leave this to the last eight weeks will be building their compliance programs under real pressure: less time to get the client base categorisation right, less time to train staff, and less margin for the inevitable complications.

The first step is getting a clear picture of where your firm actually stands. Everything else follows from that.

Keep in mind: Small firms are at a real disadvantage here — they don't have the compliance teams or legal budgets big practices do. ComplianceLink is built to close that gap. The risk assessment, CDD workflows, and program documentation are structured and guided, so small firms move at the same pace as firms with full compliance functions.

ComplianceLink provides workflow tooling, not legal advice.