3 AML/CTF workflows for accountants: Guide for practice managers and compliance officers 

Most firms still think AML compliance is task-based. In reality, adequate compliance is determined by the AML procedures accountants have in place: how different tasks connect, the order in which to do them, and how decisions are documented. In this guide, we look at the three core AML workflows for accounting firms, how they connect, and how automation can support professional judgement. 

Key takeaways

• Accounting firms must implement three core AML workflows by 1 July: onboarding (practice managers), oversight (compliance officer), and firm-wide training workflows. 

• Order of operations is critical: Completing any workflow out of sequence jeopardises the integrity of checks and presents serious compliance risks. 

• Practice managers, compliance officers, and partners must work together: each workflow is complex and interacts with the other. Clear understanding of each workflow and how they connect is imperative for adequate compliance. 

• Manual processes don’t scale. Automation is key: Purpose-built AML compliance tools can help firms develop, enforce, and standardise AML workflows to reduce admin burden while maintaining human oversight. 

 

Under the AML/CTF Act, compliance is assessed along the entire journey of a client relationship, including before official engagement. So, conducting individual checks in isolation isn’t enough. What every firm needs is a complete AML workflow built into how they already do business.  

The three AML workflow Australian accountants must embed into their ways of working include:  

• An account manager’s workflow covering onboarding and engagement. 

• A compliance officer workflow covering oversight and AUSTRAC interactions. 

• A firm-wide workflow for training, record-keeping, and suspicious matter escalation.  

For an overview of AML compliance for accountants, read our complete guide: AML compliance for accountants: Avoid fines, penalties, and practice risks under Tranche 2. 

  

Practice manager AML workflow: Onboarding and engagement 

This first workflow gets the ball rolling for AML compliance. If done wrong, it starts a domino effect of non-compliance that puts the entire firm at risk.  

AML in accounting practices presents a major shift in day-to-day operations, adding several critical steps to the pre-engagement process that must be done in sequence, as prescribed by AUSTRAC

  

Step 1: Client classification 

The AML/CTF Act outlines three distinct client categories, each with different obligations. The classification helps firms determine what checks to do.  

The two main categories are clients who were engaged before 1 July 2026, described as ‘pre-commencement’, and new clients engaged after that date. Pre-commencement clients are further divided into those adding a new service and those who aren’t. 

Pre-commencement No new services	Pre-commencement New service added	New client From 1 July 2026
Monitoring only No initial CDD required until a trigger occurs; suspicious activity, new designated service requested, or risk rises to medium/high.	Full CDD required Once you add a new designated service, the client re-enters the full onboarding workflow; KYB, CDD, KYC, and updated engagement letter.	Full workflow Complete AML workflow including risk rating, initial CDD, and ongoing monitoring.

Client classification checklist: 

1. For every client, confirm whether they are pre-commencement or new.
2. For pre-commencement clients, confirm if new designated services are added.
3. Begin ongoing monitoring for all pre-commencement clients from 1 July 2026, regardless of CDD status.
4. Document the classification decision and its basis for each client in your records.

Remember, do not conduct initial CDD on pre-commencement clients who did not request a new designated service. Otherwise, you will permanently lose the monitoring-only carve-out for that client. 

  

Step 2: Confirm designated services 

AUSTRAC lists nine designated services under subsection 6(5B) of the AML/CTF Act. For accountants, these can include:  

• General business advice 
• Change of company details 
• Share transfer and allotments 
• SMSF works 
• Estate planning services  

 

This is not an exhaustive list. We’ve broken down AUSTRAC’s nine designated services into different accounting services that fall in scope.  

Download our designated services checklist for the full list.

Once firms have identified and determined a request for designated services, they must document the scope and fee for the services requested. Here, firms must select from the 172 service descriptions from the Tax Agents Services Act (TASA) and decide if TASA or the Tax Practitioners Board (TPB) governs them. 

IMPORTANT: AML/CTF obligations do not replace TASA or TPB obligations. Though some processes and requirements overlap, accountants are still responsible for ensuring compliance with all relevant rules and regulations. 

  

Step 3: Conduct KYB (Know Your Business) 

KYB is the foundation of the CDD process for non-individual clients. 

This step uncovers the actual persons who must be assessed and verified before any designated services can be provided.  

KYB checklist:  

1. Review legal and operating structures.
2. Find evidence of existence (ASIC, ABN, trust deeds, etc).
3. Identify all ultimate beneficial owners (UBOs) and controllers.

If a company is named as a trustee, accountants must also identify the beneficial owners of that company. Essentially, follow through the layers until one or more natural persons are identified.  

This process results in a complete list of people on whom you must conduct due diligence checks.  

  
Step 4: Assign client risk rating 

Once you’ve identified every person who needs to be verified, you must assign them an ML/TF risk rating. 

IMPORTANT: The risk rating system must be determined by the firm and documented in its AML/CTF program/policy.  

Risk rating steps:  

1. Collect customer-specific information: KYB information, how and where your service will be provided.
2. Identify and assess relevant risk factors: consider nature, scale, likelihood and impact of each factor.
3. Assign client risk rating: as outlined in your AML/CTF program.

 

A client’s risk rating will inform the level of due diligence that should apply to each person. For example, high-risk clients may require enhanced CDD. This must be determined and resolved before a firm starts providing the service.  

  

Step 5: PEP and sanctions screening 

Before engagement, firms must also screen all identified persons, not just the primary client, against the Department of Foreign Affairs and Trade (DFAT) Consolidated List and Politically Exposed Persons (PEP) registers.  

This is a critical step in the AML procedure for accountants, which must be applied to all pre-commencement clients and to anyone rated as high risk. 

PEP and sanctions screening checklist: 

1. PEP screening: check registers and run a general internet search to identify foreign or domestic PEPs, considering both current and former positions that may pose risk.
2. Sanctions screening: check sanction lists for individuals and entities.
3. Review and record results: carefully assess search results to weed out false positives and document the process.

 

Firms can still engage a client that has been identified as a PEP. It just means applying extra measures, such as enhanced CDD, and increasing the levels of ongoing monitoring.  

However, firms are legally prohibited from providing financial services to sanctioned entities and individuals. Under the AML/CTF Act, if firms suspect an attempted contravention of sanctions, they must submit a suspicious matter report.  

  
Step 6: KYC (Know Your Client) checks 

This is a key step in the AML workflow for accountants. Following a risk-based approach as mandated by AML/CTF Act, firms must conduct KYC checks after a risk rating has been assigned.  

KYC based on risk rating:  

• Simplified CDD: for customers with low ML/TF risk. Collect and verify enough basic KYC information from reliable sources (ASIC, ABN), and apply standard monitoring.
• Standard CDD: for customers with medium ML/TF risk. Full identity verification, beneficial owners, source of wealth information, and routing transaction monitoring.
• Enhanced CDD: for customers with high ML/TF risk. Requires senior manager or partner approval, source of wealth verification, increased ongoing monitoring, PEP and sanctions screening data.

 

Each KYC check will reveal a clear outcome. Either the verification is successful, and onboarding can proceed, or it failed. Failed or inconclusive verification doesn’t mean immediate rejection. It just means further checks and risk mitigation may be necessary before service can commence. 

This is where the compliance officer’s workflow interacts with the practice manager. 

  
Step 7: Onboarding form 

Once KYC is complete, firms must document everything in an onboarding form, completing every AUSTRAC-required field. This serves as evidence that the firm has performed CDD correctly.   

The information collected in an onboarding form differs slightly across client types.  

Information needed for all client types in an onboarding form includes: 

• Date of onboarding.
• Compliance officer sign-off.
• Evidence links such as search references.
• Risk rating and supporting documentation.
• Ongoing CDD triggers.
• All CDD and KYC results.
• Purpose and nature of the service requested.

 

The onboarding form should contain enough information for an independent reviewer to get a full picture of what was done and when. It is the definitive AML record a firm can produce for a client relationship.  

  
Step 8: Review and approve 

This marks the final control point for AML in an accounting practice before a client relationship formally begins. The firm’s risk or compliance officer must review the onboarding outcome and confirm that all required AML compliance steps have been completed correctly. 

Approval at this stage means firms are taking accountability for accepting this client. If the risk officer finds that information is incomplete or inconsistent, they must pause the onboarding until everything is resolved.  

Once completed, it is passed along to a partner for approval.  

The partner must consider the following: 

1. 1. • Alignment of client risk profile with the firm’s risk appetite. 
   2. • Understand the elevated risks and associated controls to mitigate those risks. 
   3. • Approving the engagement scope and fees.  

 

If approved, this signals the firm’s willingness to proceed with the onboarding. However, partners may reject the client for various reasons:  

1. 1. • Inability to adequately verify identity. 
   2. • Unacceptable ownership or control structures. 
   3. • High risk without enough mitigating controls. 
   4. • Client risk level exceeds firm’s risk appetite. 

Whatever the decision, both the Risk Officer’s and the partner’s outcomes must be documented in detail.  

Importantly, partner approval does not mean the engagement is good to go. There is one more step before an engagement becomes official. 

Step 9: TASA compliant engagement letter

AML/CTF Act doesn’t mandate an engagement letter, but it is a TASA requirement.  

The engagement letter marks the start of the client relationship. It is when services can lawfully start to be rendered.  

Engagement letter checklist:  

1. 1. • Parties and contact details 
   2. • Scope of services 
   3. • Fees and terms 
   4. • Responsibilities of each party 
   5. • AML/CTF confirmation 
   6. • Termination terms 
   7. • Signature and date 

Under both TASA and AML/CTF Act, an engagement letter can only be issued after onboarding and approval requirements have been completed for designated services.  

The order of operations is critical. 

1. 1. • KYB must come before CDD: you cannot assess the risk of people you have not identified. 
   2. • CDD must come before KYC: risk rating determines the level of verification required. 
   3. • Compliance before engagement: AML/CTF Act prohibits the provision of designated services before CDD is complete. 

  

Compliance officer workflow: Ongoing oversight 

As the central risk steward, compliance officers (CO) provide a control layer to ensure practice-wide compliance with AML/CTF Act and Rules. These are ongoing responsibilities that require active oversight across policy, decision-making, and regulatory interactions.  

The responsibilities of a compliance officer, as prescribed by AUSTRAC include:

1. 1. • AML program: Oversee and coordinate the firm’s compliance with AML/CTF rules and regulations, including independent evaluation of the firm’s AML/CTF program at least once every three years.  
   2. • ML/TF risk management: complete new risk assessments, stay informed about ML/TF risks in the industry, escalate non-compliance or deficiencies. 
   3. • Reporting: Provide annual reports to the firm’s senior management on the firm’s compliance with in-house AML/CTF policies, the AML/CTF Act and Rules, and ML/TF risk management.  
   4. • Communication and training: Serve as the firm’s liaison with AUSTRAC on all AML/CTF matters including firm-wide staff training. 
   5. • Record keeping: Ensure firm has all AML/CTF documentation stored securely and accessible.  

Step A: Approve firm policy 

COs must ensure that the firm’s AML/CTF program reflects: 

1. 1. • ML/TF risk assessments 
   2. • Service list 
   3. • Client profiles 
   4. • Ways of working i.e onboarding, monitoring, reporting, training 

COs must also update the AML/CTF program when the firm’s risk profile or service mix changes. Other triggers for a program review include changes in service delivery models and regulatory updates.  

Approvals must be recorded and dated to show clear accountability.  

  

Step B: Review failed KYC actions 

All KYC checks will be channeled to the CO for review. For successful KYC checks, the CO must check that: 

1. 1. • Designated services are correctly identified 
   2. • KYB captures all relevant beneficial owners and controllers 
   3. • Risk rating is reasonable and supported by evidence 
   4. • PEP and sanctions screening are completed 
   5. • KYC verification outcomes are completed 

Failed or inconclusive KYC must be reviewed for:  

1. 1. • The reason for failure 
   2. • Potential alternative verification methods 
   3. • Whether additional information can be reasonably obtained 

All CO decisions must be documented, including the rationale and whether the CO escalated the issue to the firm’s partners for further action and decision. 

  

Step C: Review SMR Alerts  

During client work or KYC checks, an accountant may raise a suspicious matter alert. The CO is responsible for reviewing each alert and determining an appropriate response.  

Suspicious matter report (SMR) checklist:  

1. 1. • Investigate: Examine the existing client information, engagement history, and activity patterns. 
   2. • Assess: Determine whether the matter meets the threshold for reporting to AUSTRAC. Use discretion, as unusual activity may not automatically be reportable, but genuine suspicion cannot be ignored.  
   3. • Document: Record the steps taken during the investigation and reasoning behind the decision reached.  
   4. • Outcome: If an SMR is warranted, you must lodge it within 24 to 72 hours of forming the suspicion, depending on what it’s about. You may decide not to lodge a report but prescribe further monitoring. Either way, the outcome but be supported by documentation.  

  

Step D: Lodge SMR if required 

If the compliance officer determines that the reporting threshold is met, the SMR must be lodged with AUSTRAC immediately.  

Suspicions of terrorism financing must be reported within 24 hours. All other matters, such as money laundering or identity fraud, must be reported within 3 days.  

COs can file SMRs on the AUSTRAC Online portal using the provided form. Once submitted, COs should document the AUSTRAC reference number for the report. Critically, the client cannot be informed about SMR.  

  

Step E: Lodge annual compliance report 

The CO must file a compliance report to AUSTRAC by 31 March each year. This is to show how the firm has met its AML/CTF obligations. It must be done regardless of whether an SMR was lodged in that year.  

The report is submitted via the AUSTRAC Online portal using the provided form, and COs must keep the confirmation of the annual report lodgement in the firm’s compliance records. This responsibility in the overall AML procedures that accountants are tasked with serves as evidence that the firm has met its obligations.  

  

Firm-wide workflow: AML/CTF staff training  

AML/CTF compliance involves everyone in the practice knowing what their obligations are and recognising the risks in day-to-day practice. AUSTRAC mandates training for staff who perform AML/CTF functions. That can mean almost every single team member in a firm, from permanent and contract employees to offshore and outsourced staff who support client work. 

The CO is responsible for overseeing and coordinating personnel training, which must be tailored to each role and updated when necessary.  

Training should cover the following areas: 

1. 1. • ML/TF awareness 
   2. • The firm’s AML/CTF programme 
   3. • CDD process 
   4. • SMR reporting 
   5. • Record-keeping 
   6. • Escalation procedures 
   7. • Re-training 

As expected, the firm’s training program must be well-documented, including attendance records, assessment scores, training dates and topics, trainer details, and individual staff training histories.  

AUSTRAC may request training logs during audits, and these details must be included in the firm’s annual compliance report submission.  

  

Manual vs automated AML/CTF workflows 

Accounting firms may still meet their AML/CTF obligations via manual workflows, but it can quickly become unsustainable as the firm’s client base expands. Not to mention the added responsibilities that may come with future regulatory changes or updates.  

  

The challenge of manual workflows 

Manual AML/CTF processes for accounting firms will rely heavily on spreadsheets, email chains, and disconnected tools. 

This can lead to:  

1. 1. • Sequence risk: steps completed out of order and difficulty enforce legally required sequencing. 
   2. • Inconsistency: different standards applied by different staff to similar clients, inconsistent risk rating and verification levels. 
   3. • Administrative burden: senior staff spend more time on admin with manual training and approvals, and repeated data entry across systems. 
   4. • Compromised audit trail: due to incomplete and scattered records that rely on personal inboxes and local files. 

Manual processes fail because they do not scale. It’s a systems problem.  

How automation helps AML/CTF workflows 

Automation supports compliance by enforcing a structure that reduces reliance on memory or individual judgment for routine tasks.  

What automation helps with:  

1. 1. • Workflow enforcement: mandatory sequence of KYB, CDD, KYC, and approval, and prevents premature engagement. 
   2. • Consistency: quality of work is consistent, and risk assessments can be standardised. 
   3. • Efficiency: lower administrative burden on practice managers and partners, and a streamlined onboarding process that’s also easier for clients. 
   4. • Audit readiness: centralised records and clear audit trails. 

Nevertheless, certain parts of the AML processes in accounting firms can be automated but must remain human-led. Professional judgment isn’t replaceable.  

Critical areas that require human oversight: 

1. Final client acceptance/rejection decision.
2. Assessing suspicious matters and SMR reporting thresholds.
3. Setting and reviewing the firm's risk appetite.
4. Interpreting complex ownership or control structures.
5. Managing client relationships throughout the process.

  

How EngageAML by ChangeGPS supports your AML workflows 

An AML compliance platform that brings structure, automation, and intelligent control to every stage of your process is a no-brainer. What’s crucial here is a tool that considers the day-to-day business of an accounting firm while supporting TASA, TPB, and AML compliance. 

EngageAML does exactly that. 

End-to-end automation for practice managers	Dashboard and tools for compliance officers	Firm-wide training automation
172 TASA services Auto-classification Deed Reader CDD questionnaire KYC automation Engagement integration Enforced sequence	Risk radar Failed KYC queue SMR investigation workspace AUSTRAC lodgment Audit trail automation	Training tracking Assessment score recording Log generation Annual re-training reminders

You can calculate the cost of manual processes versus using a solution like EngageAML with our AML Comparison Calculator. 

Automating the administrative weight of AML/CTF obligations frees your practice to focus on being there for your clients at every significant moment in their lives. EngageAML is built specifically for Australian accounting firms, so compliance never gets in the way of serving your clients.

Find out how EngageAML can help your firm serve clients better.

 

FAQ: AML workflow for accountants 

  

Why does workflow order matter for AML compliance? 

Anti-money laundering (AML) compliance workflow order is important because it ensures that high-risk customers are properly identified and assessed before financial services are provided. Out of order, the entire exercise is pointless and a compliance risk. 

What is the difference between KYB, CDD, and KYC? 

KYB (Know Your Business) identifies the beneficial owners and controllers of entities that must be verified. CDD (Customer Due Diligence) is a process for assessing the money-laundering and terrorism financing risk of each person. KYC (Know Your Client) verifies their identities to the level required by the risk rating. 

Do existing clients need to go through all 3 workflows? 

Some existing clients (pre-commencement) have a favourable carve-out under the law. As long as you’re not providing a new designated service to them after 1 July 2026, only monitoring is required. The full AML process is triggered when a new designated service is added. 

How long does the customer onboarding workflow take? 

Manually, client onboarding can take up to 3 hours by an experienced accountant. With the help of automation like EngageAML by ChangeGPS, the process can be completed in 30 minutes per client, even by junior staff.  

 What is the "Risk Radar" in ChangeGPS Engage AML? 

Risk Radar is a firm-wide risk dashboard that shows monitoring alerts, suspicious matter flags, and KYC status across all clients. Alerts are routed automatically to the appointed compliance officer for further action.