AML/CTF compliance is complex, and navigating AUSTRAC’s guidelines can be confusing. This guide digs into everything you need to know about KYC and how to stay compliant with AML/CTF obligations.
From 1 July 2026, CDD and KYC obligations will become mandatory for accounting practices that provide designated services under Australia’s AML/CTF Act. Firms falling within this scope will be classified as reporting entities and must carry out customer identification, risk assessment, ongoing monitoring and suspicious matter reporting. Essentially, anti-money laundering laws apply to accountants, and they must enrol with AUSTRAC before 1 July 2026.
This guide for accountants covers:
- What KYC actually means for the accounting profession
- What services trigger AML/CTF obligations
- 5 steps of AML/CTF compliance
- Non-compliance penalties
- Compliance mistakes and how to avoid them
KYC under Tranche 2 of AML/CTF Reforms
What is KYC for accountants?
Know Your Customer, or KYC, for accounting firms is the process of verifying clients' identities and assessing associated risk as part of a risk-based framework to prevent fraud, specifically money laundering and terrorism financing.
It is a mandated process under the AML/CTF Act for all accountants providing designated services from 1 July 2026, not just banks.
KYC is part of a full client due diligence (CDD) workflow and cannot be considered in isolation. In fact, KYC is one of the last steps in a CDD workflow as part of an AML/CTF program that practices must now establish.
For accountants, KYC becomes a legal obligation once Tranche 2 changes take effect on 1 July. Accountants providing designated services must enrol with AUSTRAC and implement an AML/CTF program that includes running KYC, continuous monitoring, and reporting.
What are designated services?
There are nine designated services listed under subsection 6(5B) of the AML/CTF Act, each with exceptions outlined by AUSTRAC. However, deciphering them in relation to accountants can be confusing.
This is a detailed breakdown of those designated services, outlining exactly which work would trigger AML obligations in accounting:
Accounting services
- Div 7A Loan Agreement
- Dividend statement
- Trust Account Use for Client Monies
Advisory services
- Due Diligence Report for Business Purchase
- General Business Advice
Business Advice
- Business Restructure + Capital Gains Tax (CGT) Advice
- Structure Advice Report
Company
- Appointment of Director Secretary
- Change of Company Name
- Director Change of Details
- Resignation of Director or Secretary
- Share Allotment
- Share Transfer
- Shareholder Change of Address
- Voluntary Deregistration
Estate planning
- Loan Protection for Business
- Business Value Protection without Upfront CGT or Stamp Duty
- Home / Investment Property Equity Protection
- Loan Agreement – Family Loans
Self-Managed Superannuation Fund (SMSF)
- Annual SMSF Work – Limited Recourse Borrowing Arrangement (LRBA)
- LRBA Setup
- SMSF + Company Trustee Setup
- Setup SMSF LM Company Trustee + Appointment of Trustee Deed
- Upgrade SMSF Deed to Leading Member SMSF Deed
- Upgrade SMSF Trustee Co. Constitution to Leading Member SMSF Trustee Co. Constitution
- Windup of SMSF
Structure
- Company incorporation with Successor Direction Solution
- Family Protection Trust Establishment + Company Trustee
- Hybrid Unit Trust Establishment + Company Trustee
- Business or Investment Entity Loan Agreement
- Partnership Agreement
- Shareholders Agreement
- Successor Director Resolution + Leading Member Co. Constitution Upgrade
- Unit Trust Establishment + Company Trustee
- Upgrade Trust Deed to Leading Member Discretionary Trust
Trust
- Change of Appointer of Trust
- Change of Trust Name
- Change of Trustee of Trust
- Unit Allotment
- Unit Transfer
- Update of Trust Deed
- Vesting of Trust
Others
- ASIC Annual Company Review + Registered Office
- M&A and Business Advice
- Taxation advice – Capital Gains Tax Advice + Business Validation Report
IMPORTANT NOTE: Outsourcing does not remove AML compliance obligations. Firms that have a geographical link to Australia must comply with the AML/CTF Act.
You have a geographic link if you:
- Provide a designated service at or through a permanent establishment in Australia, or
- Are a resident of Australia providing designated services either at or through a permanent establishment in a foreign country, or
- Are a subsidiary of a company that is a resident of Australia and provides designated services either at or through a permanent establishment in a foreign country
Enrol with AUSTRAC
Accountants and practices that provide any of the listed services must enrol with AUSTRAC and comply with AML/CTF requirements.
Enrolment checklist:
- Create user account on the AUSTRAC website
- Complete the AUSTRAC Business Profile Form with firm details, directors, and key personnel
- Identify an AML/CTF Compliance Officer (CO) – a named person. In a sole practitioner firm, this would be the partner.
Compliance officer responsibilities:
- Approve and sign off on the firm’s AML/CTF responsibilities
- Review failed KYC actions and determine next steps
- Investigate suspicious matter alerts and decide whether to lodge a suspicious matter report (SMR)
- Lodge SMRs with AUSTRAC and record reference numbers
- Complete and submit annual compliance report (ACR) to AUSTRAC by 31 March each year
- Trigger program review whenever the firm’s risk profile changes materially
The cost of AML/CTF non-compliance: Penalties, fines, practice risks
AUSTRAC penalties for non-compliance
Firms that fail to meet their AML/CTF and KYC obligations will face severe penalties. These consequences apply regardless of whether non-compliance is accidental or systemic.
AUSTRAC may take any number of the following actions against non-compliant firms:
- Apply for a civil penalty order from the Federal Court: Up to $6.6 million (or up to $33 million for a body corporate).
- Enforceable undertaking: A written agreement by the firm setting out how it will comply with the AML/CTF Act. Breach of the agreement will result in court-ordered penalties.
- Issue an infringement notice
- Issue remedial directions
- Issue a written notice: to appoint an external auditor or undertake a money laundering/terrorism financing risk assessment
- Registration actions: suspend, cancel, or refuse new registrations
Practice risks
Accounting practices are exposed to a range of financial and reputational risks beyond legal penalties for non-compliance with AML/CTF obligations.
Key risks include:
- Reputational damage: undermines a firm’s credibility and erodes client trust.
- Increased AUSTRAC scrutiny: more frequent reviews, mandatory remediation, higher ongoing compliance costs.
- Professional liability exposure: risk of litigation or insurance complications.
- Operational disruption: mandated external audits, enforceable undertakings or large‑scale remediation programs.
Proactive compliance is the best way to safeguard a practice’s reputation and long-term stability.
Real-world enforcement examples
AUSTRAC has been firm about going after companies that breach the AML/CTF Act. The following are real cases involving Tranche 1 sectors. These cases demonstrate the scale and impact of non-compliance for professional services included in Tranche 2, such as accountants.
SkyCity Adelaide Pty Ltd | Hotel & Tourism (2024)
Details of non-compliance:
- Failure to carry out appropriate ongoing customer due diligence.
- Failure to establish an appropriate framework for oversight of AML/CTF programs
Consequences:
- $67 million court-ordered penalty.
- Long-term compliance uplift costs.
- Change in senior management
- Lasting reputational damage.
Crown Melbourne & Crown Perth | Gambling & entertainment (2023)
Details of non-compliance:
Serious and systemic breaches of the AML/CTF Act, including:
- Inadequate AML/CTF programs.
- Weak board oversight.
- Poor transaction monitoring.
- Continuing relationships with high-risk operators despite known red flags.
Consequences:
- $450 million court-ordered penalty.
- Reputational fallout
- Licence uncertainty
- Decline in business performance.
Westpac | Banking (2020)
Details of non-compliance:
23 million breaches, including:
- Failure to report International Funds Transfer Instructions (IFTIs)
- Gaps in source-of-funds checks
- Inadequate monitoring.
Consequences:
- $1.3 billion civil penalty settlement.
- Lasting reputational damage
- Drop in market confidence
- Resignation of senior executives
- Long-term compliance uplift costs.
These cases and more show that enforcement outcomes extend far beyond financial penalties. The lessons for accountants are clear: strong governance, well-designed AML/CTF programs, thorough documentation, and constant due diligence are compulsory. AML for accountants is non-optional.
AML in accounting: A 5-step guide
Set out an AML/CTF Program
AML for accountants is largely similar to AML for other entities. Practices that have registered with AUSTRAC must have an AML/CTF program that documents how they identify and manage money-laundering and terrorism-finance risk. This isn’t an abstraction. The program must reflect the practice’s actual services, client types, and risk profiles.
The program must cover:
- Customer Due Diligence (CDD) – this is where the KYC procedure comes in
- Suspicious matter reporting procedures
- Record-keeping methods
- Risk assessment methodology and outline of risk ratings
- Reporting obligations
- Escalation procedures
- Staff training program
- Independent evaluation of AML/CTF program
Refer to the AUSTRAC detailed guide on how to develop your AML/CTF program.
Conduct CDD (KYB and KYC)
For pre-commencement clients (being serviced since before 1 July 2026), no initial CDD is required until a trigger occurs. However, they must be monitored. Triggers include a request for a new designated service, suspicious activity detected, or an increase in client risk.
Pre-commencement clients requesting a new service, and completely new clients, must undergo the full CDD process.
The step-by-step process is as follows:
- Know your business (KYB): identify and verify the legal entity structure, trust deeds, constitutions, and ultimate beneficial owners.
- Assign risk rating: as outlined in the firm’s AML/CTF program, assign a risk rating for each client to determine the depth of KYC required.
- Politically exposed persons (PEP) and sanctions screening: Check all individuals against the Department of Foreign Affairs and Trade (DFAT) Consolidated List and PEP registers. Run an internet search for fraud, bankruptcy, and criminal charges associated with the client.
- KYC identity checks: Standard or advanced KYC checks as outlined by AUSTRAC.
- Complete AUSTRAC-required onboarding form fields.
- Compliance Officer and Partner approval.
- Issue updated engagement letter: incorporate AML/CTF obligations.
Ongoing monitoring & reporting
Once CDD is complete and a designated service commences, practices must continue to monitor their customers to identify and manage money-laundering and terrorism-financing risks.
This includes:
- Monitor for unusual transactions and behaviours that could trigger a suspicious matter report (SMR).
- Check all clients against the Department of Foreign Affairs and Trade (DFAT) Consolidated List daily.
- Monitor PEP registers for client individuals.
- Run adverse media scans at appropriate frequencies (look up client name with the terms ‘fraud’, ‘bankruptcy’, ‘criminal charges’ on a search engine).
- Review and reverify KYC information when accuracy is doubted or when risk rating changes.
- Monitor for significant changes in the nature or purpose of the business relationship.
- Review transaction lists at BAS time and year-end cash transactions over $10,000.
- Lodge threshold transaction report (TTR) with AUSTRAC for physical cash transactions of $10,000 or more.
- Lodge SMR with AUSTRAC when there is a reasonable suspicion – record the reference number.
- Submit Annual Compliance Report (ACR) to AUSTRAC by 31 March each year.
- Schedule an independent evaluation of the firm’s AML/CTF program every 3 years.
Training
Practices must also provide training for existing and new personnel who perform AML/CTF functions to ensure they understand the obligations, procedures, and policies to manage and mitigate money laundering, terrorism financing, and proliferation financing risks.
AML accountants’ training must be tailored based on:
- The functions they perform.
- The money laundering or terrorism financing risks relevant to their functions.
- Their specific responsibilities under the practice’s AML/CTF policies.
Practices must do the following and outline how they do so in their AML/CTF policy:
- Detail how the firm developed its training.
- Schedule of tailored training plans for different roles relevant to their ML/TF risks.
- Include updates on AML/CTF regulatory changes and emerging risks in training materials
- Take steps to ensure personnel are being trained
- Maintain a training register with completion records and future training details
- Monitor the effectiveness of training
- Evaluate training knowledge retention and application
Practices must ensure all client-facing staff understand CDD requirements in depth. Personal Due Diligence (PDD) must also be conducted on all staff, contractors, and offshore BPO staff who perform AML/CTF functions.
Record-keeping
Part of a firm’s obligations is to maintain complete and accurate records of its AML/CTF obligations that are securely stored and managed. Records can be maintained in either hard copy or digitally, but must be in an accessible format.
Record-keeping obligations include:
- Records of AML/CTF program: ML/TF risk assessment, policies, responsibilities, compliance officers, program documentation and approvals.
- CDD records: customer information collected, verification steps, and analysis, identification, or assessment of ML/TF risks.
- Transaction records: enough details and supporting documents to reconstruct the transaction, including date and time, customer information, transaction type, etc.
Records must be kept for at least 7 years, though each type of record differs in terms of when the storage requirement begins:
- AML/CTF Program: 7 years after the record is no longer relevant to demonstrate compliance.
- CDD: 7 years from the completion of an occasional transaction or the end of business relationship.
- Transaction records: 7 years from the day the record is created, or the day you are given documentation of the transaction by a client.
Practices may choose to have a third party conduct CDD for them. If so, the practice must undertake additional responsibilities and record-keeping, including:
- Maintaining a record of the CDD arrangement: scope, timelines, responsibilities
- Assessing whether the third party is properly carrying out this responsibility: record prepared within 10 business days after completion of the assessment
5 Common KYC compliance mistakes (and how to avoid them)
Conducting KYC after providing services
KYC for accounting firms needs to be baked into the engagement process. Checks must be conducted before any new designated service is provided.
Fix:
- Update your intake process to require KYC completion before work starts
- Enable teams to pause engagements until verification is done
Inadequate beneficial ownership records
Don’t stop at identifying the directors. AUSTRAC specifically requires accountants to identify individuals with at least 25% beneficial ownership or control.
Fix:
- Trace each layer to the beneficial owners
- Record control roles and verify the identity of beneficial owners with the same rigour
Poor record keeping
Firms must record the entire CDD process, including what you did, how, when, and why. A disorganised record-keeping system will undermine a firm’s ability to demonstrate compliance.
Fix:
- Adopt a consistent filing system
- Capture verification methods, data sources, dates, and staff involvement
- Adopt an automated system to ensure consistency in your audit trails
Weak ongoing monitoring
Treating KYC in accounting as a one-time event may lead to changes in client risk being missed. Ongoing monitoring is a key part of AML/CTF compliance.
Fix:
- Schedule periodic client reviews based on risk, including PEP and sanctions screening
- Monitor for unusual behaviours and transactions. Submit SMRs when necessary
- Refresh checks when a major change occurs such as change in business ownership or activity
Relying on the previous accountant’s KYC checks
It may seem like a redundant exercise, but each firm is responsible for conducting its own client due diligence. Do not rely on checks from a previous accountant.
Fix:
- Make it a policy that every new client undergoes the same rigorous CDD process regardless of who their previous accountant was
- Periodically review internal compliance of the firm’s AML/CTF policies
Communicate KYC requirements to clients
Given the fundamental change in how clients are engaged under AML/CTF Act Tranche 2 reforms, clear communication is essential. Clients need to understand the entire process and what additional costs may apply.
There are several ways to go about this.
Via engagement letters
Engagement letters help set expectations early, ensuring clients understand the legal basis for KYC and the steps required before work can commence.
In your letter, include:
- Explanation of AML/CTF obligations to conduct accountants’ client verification before providing a designated service.
- List of documents needed and verification options to ensure a smooth process
- Clear statement that service cannot begin until checks are complete.
- Outline how client information will be protected, securely stored, and retained as per AUSTRAC’s record-keeping obligations.
Via client communications
Whether in emails, phone calls, or in-person communications with clients, accountants must continue to reinforce the mandatory nature of KYC and reassure clients on how they will keep the process straightforward.
Aim to:
- Use clear, simple language to help clients understand your firm’s obligations.
- Provide a simple checklist of documents or link to your firm’s verification platform to ensure clients know what’s required of them in the KYC process.
- Reassure and remind clients how their identity is kept secure and private.
Handling resistance
Expect some resistance from clients who are unfamiliar with AML/CTF requirements. They won’t immediately understand the process and may be reluctant to provide identity documents for a firm’s KYC checks.
Manage resistance confidently, guided by the following principles:
- Decline or disengage if a client refuses to provide identity documents. You cannot provide a designated service if you cannot conduct adequate CDD and KYC checks.
- Offer reasonable alternatives, such as electronic verifications, to make it easier for clients to participate.
- Keep an eye out for behaviours that may trigger the need for suspicious matter reporting (SMR)
Streamlining compliance with the right tools & technologies
If it wasn’t clear already, conducting CDD and KYC on all clients is a massive undertaking. Accountants must adapt accordingly to ensure they can remain compliant with their AML/CTF obligations. This is where technologies come in, guided by human judgment.
These are areas in which technology and automation can help:
- Electronic identity verification: for matching ID documentation to authoritative databases.
- CDD: compliance platforms can automate identification and verification, including tracing beneficial owners.
- Sanctions & PEP screening: to cross-check client against DFAT and other sanctions lists, PEP databases, and watchlists.
- Digital document storage: to maintain a secure and clear audit trail as per legal and professional standards.
- Workflow automation: to streamline the entire CDD process with strict compliance measures.
- Training and education: platforms that allow practices to deliver training as per AUSTRAC requirements.
- Compliance management: systems that assist with writing, updating, and managing AML/CTF programs.
Tranche 2: AML for accountants is the new era of compliance
The accounting profession is about to undergo a significant shift in how it should operate. Firms that thrive will be those that adapt the fastest to modern and consistent processes for AML in accounting, for example by incorporating KYC for accounting firms as a core part of their workflow.
It is a core function in an accounting practice that is extremely time-consuming and an unmanageable cost sink, especially at scale. Not to mention the paperwork nightmare of maintaining a clear audit trail.
That’s why EngageAML was built: to automate the entire compliance workflow to help accountants stay on top of their AML/CTF obligations. Find out how EngageAML can help you get compliant and stay compliant.
FAQ: KYC for accountants
What is KYC and why do accountants need it now?
KYC, or Know Your Customer, is the identification and verification of clients supported by a risk-based approach. Accountants are now required to conduct KYC before providing designated services, as stipulated in the AML/CTF Act reforms.
When does KYC become mandatory for accountants?
KYC becomes mandatory starting 1 July 2026, as that is when the AML/CTF Act Tranche 2 reforms come into effect. Accountants and practices providing designated services must enrol with AUSTRAC; registration opens 31 March 2026.
What documents do I need from clients for KYC?
For individuals, you need to see a primary photo ID, such as a passport, driver’s licence, or a foreign nation’s identity card, as well as supporting evidence, such as a utility bill showing the individual’s name and address. For businesses, trusts, and other entities, you will also need documents such as business activity statements, certificates of incorporation, trust deeds, etc.
You don’t need to keep these documents. Instead, record details of the document for verification and record-keeping.
Can I use electronic verification?
Yes, AUSTRAC allows electronic and digital identity verification, so long as reasonable steps are taken to verify the information.
Do I need to refresh KYC for existing clients?
Existing clients for whom you are not providing new designated services will not require initial CDD or KYC. They must be monitored. A refresh will be triggered if suspicious activity is detected, client risk rises, or a new designated service is requested.
How quickly must I file a suspicious matter report?
You must file a suspicious matter report (SMR) within 24 hours of suspicion related to terrorism financing or 3 days for money laundering or other suspicions. SMR obligations start the moment a designated service request is made, even before the service commences. You must submit an SMR for each new suspicion based on reasonable grounds.