Rules Mate
PlaybooksBottom-funnel persona playbook

AML/CTF playbook for registered tax agents and accounting firms

Everything a registered tax agent, BAS agent or accounting practice has to do under AML/CTF Tranche 2 from 1 July 2026 — enrolment, AMLCO, Part A and Part B program, customer due diligence, suspicious matter reports, threshold transaction reports, the annual ACR, tipping-off, record-keeping and training.

19 obligations3 deadlines10 cross-linked articles

Key deadlines — next 12 months

  • 29 July 2026AUSTRAC enrolment deadline (Tranche 2)
  • 31 March 2027First AUSTRAC Compliance Report (ACR)
  • Within 3 business daysLodge any SMR after suspicion formed
  • Within 10 business daysLodge any TTR (cash ≥$10,000) or IFTI

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  • 1Are you a registered tax agent, BAS agent, accountant or bookkeeper providing services in or from Australia?
  • 2Do you provide any designated service under Schedule 1, Part 2 of the AML/CTF Act 2006 — for example: business or trust formation, assisting with the sale or transfer of a business, acting as a nominee director, managing client money, acting as a registered office, or providing trust and company service provider (TCSP) services?
  • 3Do you handle client trust money or directors' loan accounts?
  • 4Do you provide bookkeeping plus payments, or BAS lodgement that involves moving funds on behalf of the client?

Plain English summary

Tranche 2 of the AML/CTF Act commenced on 1 July 2026. Accountants are now reporting entities in the same regulatory regime that has applied to banks and casinos since 2006. Tax-only and BAS-only services are not designated services — but the moment a firm sets up a company, helps sell a business, manages client money, acts as a nominee director or trustee, or does TCSP work, it is captured.

The compliance load is real but proportionate. The AML/CTF Act is principles-based and risk-based: a sole-practitioner doing one business formation a month and a Top-100 firm doing thousands face the same rules but very different programs. AUSTRAC has signalled an "education-first" posture for the first 12 months of Tranche 2, but enrolment, AMLCO designation, and SMR reporting are not negotiable from day one.

This playbook lists every obligation that applies to a Tranche 2 accounting firm, the section of the AML/CTF Act it sits under, who in the firm is accountable, the frequency, the maximum penalty, and a regulator-direct source. It assumes the standard tax-and-business-services firm — not financial planning (separately AFSL-regulated), not custodial services. Cross-link to the AML Tranche 2 scope checker and beneficial owner identifier for the practical pieces.

The cost of getting this wrong is not just the penalty (up to $33M per civil contravention for body corporates). It is loss of registration with the Tax Practitioners Board (TPB) — a Tranche 2 contravention is a "Code of Professional Conduct" breach that the TPB can act on independently of AUSTRAC.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. 1

    AML/CTF Act 2006, s 51B (enrolment)

    Enrol the firm with AUSTRAC as a reporting entity within 28 days of first providing a designated service. New Tranche 2 entities have until 29 July 2026.

    Who's responsible
    Managing partner / sole practitioner
    Frequency
    One-off (plus updates within 14 days of material change)
    Penalty
    $19,800 per day continuing offence (60 penalty units per day, body corporate).
    Full obligation page →
  2. 2

    AML/CTF Act 2006, Part 7 + AML/CTF Rules Part 8 (Part A program)

    Adopt and maintain a written Part A AML/CTF program — risk assessment of the firm's ML/TF risk by customer type, channel, jurisdiction and product. Approved by the board or principal of the firm.

    Who's responsible
    Board / managing partner
    Frequency
    Ongoing, reviewed at least annually
    Penalty
    Civil penalty up to $33M per contravention (body corporate); criminal liability for senior officers in serious cases.
    Full obligation page →
  3. 3

    AML/CTF Rules Part 8.4 (Part B program — KYC procedures)

    Document Part B procedures: customer identification (individuals, companies, trusts, partnerships), beneficial owner identification (≥25% control or ownership), source-of-wealth + source-of-funds checks for higher risk, ongoing customer due diligence, transaction monitoring rules.

    Who's responsible
    AMLCO + client onboarding partners
    Frequency
    Ongoing
    Penalty
    Each unverified customer can be a separate civil penalty contravention; up to $33M per breach.
    Full obligation page →
  4. 4

    AML/CTF Rules Part 4.13 (PEPs)

    Screen every customer + beneficial owner against politically exposed persons (foreign, domestic, international organisation) lists. PEPs trigger Enhanced Customer Due Diligence: senior-management approval, source-of-wealth, source-of-funds and ongoing review.

    Who's responsible
    AMLCO
    Frequency
    At onboarding + on customer-risk change
    Penalty
    Civil penalty regime to AML/CTF Act maximum.
    Full obligation page →
  5. 5

    Charter of the United Nations Act 1945 + Autonomous Sanctions Act 2011

    Screen every customer + beneficial owner against the DFAT Consolidated List of sanctioned persons and entities before providing a designated service.

    Who's responsible
    AMLCO
    Frequency
    At onboarding + ongoing (DFAT list updated weekly)
    Penalty
    Criminal — up to 10 years imprisonment; strict liability for the conduct.
    Full obligation page →
  6. 6

    AML/CTF Act 2006, ss 41-42 (SMR — suspicious matter reports)

    Lodge an SMR via AUSTRAC Online within 3 business days of forming a suspicion (24 hours for terrorism financing). Document the suspicion-formation reasoning in a file note before lodging.

    Who's responsible
    AMLCO (with input from engagement partner)
    Frequency
    Event-driven
    Penalty
    Failure to report: civil penalty up to $33M. Tipping off the customer about the report: 2 years imprisonment.
    Full obligation page →
  7. 7

    AML/CTF Act 2006, s 43 (TTR — threshold transaction reports)

    Lodge a TTR within 10 business days for any cash transaction of AUD 10,000 or more (including the foreign currency equivalent). Note: tax agents handling client money in trust accounts will trigger TTR obligations.

    Who's responsible
    AMLCO
    Frequency
    Event-driven
    Penalty
    Civil penalty up to $33M per contravention.
    Full obligation page →
  8. 8

    AML/CTF Act 2006, ss 45-46 (IFTI — international funds transfer instructions)

    Lodge an IFTI report within 10 business days of instructing or receiving an international funds transfer on behalf of a client. Most accountants do not directly handle IFTIs, but trust-account remittances overseas do trigger this.

    Who's responsible
    AMLCO
    Frequency
    Event-driven
    Penalty
    Civil penalty up to $33M per contravention.
  9. 9

    AML/CTF Act 2006, s 47 (ACR — annual compliance report)

    Lodge the AUSTRAC Compliance Report (ACR) covering the prior calendar year by 31 March each year. The ACR self-attests to enrolment, program, training, independent review and CDD posture.

    Who's responsible
    AMLCO
    Frequency
    Annual — calendar-year basis, lodged by 31 March
    Penalty
    Failure to lodge: civil penalty + AUSTRAC remediation directions.
  10. 10

    AML/CTF Act 2006, s 36 (ongoing customer due diligence)

    Apply ongoing customer due diligence including transaction monitoring, periodic re-verification, and trigger-based review (PEP status change, change of beneficial owners, suspicious activity).

    Who's responsible
    AMLCO + client engagement partner
    Frequency
    Ongoing
    Penalty
    Civil penalty regime to AML/CTF Act maximum.
  11. 11

    AML/CTF Act 2006, s 36 + AML/CTF Rules Part 15 (Enhanced Customer Due Diligence)

    Apply Enhanced CDD for higher-risk customers: PEPs, complex ownership structures, high-risk jurisdictions, customers refusing to provide information. Document senior-approval decisions.

    Who's responsible
    AMLCO
    Frequency
    Event-driven (on identification of higher risk)
    Penalty
    Civil penalty regime to AML/CTF Act maximum.
  12. 12

    AML/CTF Act 2006, s 123 (tipping-off offence)

    Do not disclose to the customer or any other person that an SMR has been lodged or is being prepared, that AUSTRAC has been notified, or that information has been requested by AUSTRAC.

    Who's responsible
    Every employee + partner
    Frequency
    Continuous
    Penalty
    2 years imprisonment and/or 120 penalty units ($39,600).
  13. 13

    AML/CTF Act 2006, Part 10 (record-keeping)

    Keep KYC records, transaction records, SMR working papers, training records and program documents for 7 years after the customer relationship ends or the transaction occurred.

    Who's responsible
    AMLCO + practice manager
    Frequency
    Continuous (7-year retention)
    Penalty
    Civil penalty up to $33M per contravention.
  14. 14

    AML/CTF Rules Part 8.6 (independent review)

    Arrange an independent review of the Part A program at appropriate intervals — risk-based; for lower-risk small firms, every 2 to 3 years is acceptable. Higher-risk firms: annually. Reviewer must be independent of the people who wrote the program.

    Who's responsible
    Board / managing partner (commission), AMLCO (manage delivery)
    Frequency
    Risk-based; minimum recommended every 2 years
    Penalty
    Same regime as AML/CTF Act breaches; informs AUSTRAC enforcement posture.
    Full obligation page →
  15. 15

    AML/CTF Rules Part 8.2 (AML/CTF Compliance Officer)

    Designate a senior employee as AML/CTF Compliance Officer (AMLCO) with seniority, authority and resources to discharge the function. Cannot be outsourced. Sole practitioners are the AMLCO by default.

    Who's responsible
    Board / managing partner
    Frequency
    Continuous; reappoint on departure
    Penalty
    Civil penalty regime to AML/CTF Act maximum; AUSTRAC remediation.
    Full obligation page →
  16. 16

    AML/CTF Rules Part 8.5 (employee due diligence)

    Screen employees who will perform AML/CTF functions or have access to customer data. Police checks where the role warrants. Document the EDD framework.

    Who's responsible
    AMLCO + HR
    Frequency
    Pre-employment + role change
    Penalty
    Civil penalty regime to AML/CTF Act maximum.
  17. 17

    AML/CTF Rules Part 8.3 (AML/CTF training)

    Deliver AML/CTF training to every employee in a customer-facing role + every partner + AMLCO. Annual refresher. Record attendance and content.

    Who's responsible
    AMLCO
    Frequency
    On hire, then annual
    Penalty
    Civil penalty regime to AML/CTF Act maximum.
  18. 18

    AML/CTF Act 2006, s 41A (beneficial owner identification)

    Identify and verify every beneficial owner — natural persons with ≥25% ownership or control of a non-individual customer. For complex structures, identify the ultimate natural-person controllers.

    Who's responsible
    AMLCO + onboarding partner
    Frequency
    At onboarding + on structural change
    Penalty
    Each unverified beneficial owner is a separate breach.
  19. 19

    Tax Agent Services Act 2009, Code of Professional Conduct (TPB)

    Comply with the Code of Professional Conduct: act honestly and with integrity, comply with taxation laws, exercise reasonable care. The TPB treats serious AML/CTF breaches as Code breaches.

    Who's responsible
    Every registered tax agent + BAS agent
    Frequency
    Continuous
    Penalty
    Termination of registration; civil penalties up to $1,650,000 for body corporates (TPB).

Deadlines

Pulled from the Rules Mate compliance calendar. Click through for the full deadline page.

Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • AUSTRAC Online enrolment form

    Web-based enrolment for reporting entities. Required within 28 days of first designated service.

    Open portal →

  • Suspicious Matter Report (SMR)

    Lodged via AUSTRAC Online. 3 business days from suspicion formation (24 hours terrorism financing).

    Open portal →

  • Threshold Transaction Report (TTR)

    Lodged via AUSTRAC Online. 10 business days for cash transactions ≥AUD 10,000.

    Open portal →

  • International Funds Transfer Instruction (IFTI)

    Lodged via AUSTRAC Online. 10 business days from instruction or receipt.

    Open portal →

  • AUSTRAC Compliance Report (ACR)

    Annual self-attestation. Due 31 March each year, covering the prior calendar year.

    Open portal →

Free tools that help

Interactive Rules Mate tools matched to this persona.

AML Tranche 2 scope checker

Use tool →

Beneficial owner identifier

Use tool →

Compliance calendar builder

Use tool →

Penalty estimator

Use tool →

What changes 2025–2026

31 March 2026 — AUSTRAC enrolment opens

Tranche 2 entities can enrol on AUSTRAC Online from 31 March 2026. Early enrolment is encouraged; AUSTRAC has signalled that early enrolees get prioritised AMLCO support.

1 July 2026 — Tranche 2 commences

The AML/CTF Amendment Act 2024 extends the regime to accountants, lawyers, conveyancers, real estate agents, TCSPs and precious-metals dealers. Designated services must have an AML/CTF program in place from day one.

29 July 2026 — Enrolment deadline

Any Tranche 2 entity that provided a designated service between 1 July and 29 July 2026 must be enrolled by 29 July. Continuing offences accrue $19,800 per day after that.

31 March 2027 — First ACR

The first AUSTRAC Compliance Report for Tranche 2 entities covers H2 2026 and is due 31 March 2027.

2027 — First independent review expected

AUSTRAC has indicated it expects most small-firm independent reviews to be completed within 18 months of enrolment.

In-depth reading

10 Rules Mate articles tagged to this playbook.

Frequently asked

Are tax-only and BAS-only services captured by Tranche 2?

No. Pure tax compliance (preparation and lodgement of returns) and pure BAS lodgement are not designated services under Schedule 1, Part 2 of the AML/CTF Act 2006. The moment a firm sets up a company, helps sell or transfer a business, acts as a registered office or nominee director, or manages client money, it is captured. The AUSTRAC designated services map is the definitive source.

Can a sole practitioner be their own AMLCO?

Yes. The AML/CTF Rules require the AMLCO to be a senior employee with sufficient authority. For a sole practitioner that is the sole practitioner. Document the appointment in the Part A program and put a succession plan in place for incapacity.

Do I have to verify a beneficial owner's identity even if I already know them personally?

Yes. The AML/CTF Act requires verification, not just knowledge. Reasonable measures of verification must be documented — government-issued ID is the default. The risk-based approach allows simplified verification in lower-risk cases, but only if the customer + product + delivery channel are all low-risk and the firm has documented why.

What penalty does AUSTRAC actually apply for small firms?

The statutory maximum is $33M per civil contravention for body corporates, but AUSTRAC's enforcement posture has been graduated. For first-tranche entities the first 18 months of a new regime typically saw remediation directions and infringement notices rather than civil penalty proceedings — but tipping-off and program-failure breaches have always drawn proceedings. Treat the maximum as the worst case; treat enforceable undertakings and remedial directions as the realistic baseline for early-stage non-compliance.

How does Tranche 2 interact with TPB Code of Professional Conduct obligations?

A serious AML/CTF contravention is treated by the Tax Practitioners Board as a Code of Professional Conduct breach (notably the obligation to comply with taxation laws and the obligation to act honestly). The TPB can act on a Code breach independent of any AUSTRAC enforcement. In practice, AML/CTF risk has become a TPB risk for registered tax and BAS agents.

What records does AUSTRAC actually ask for in a desk audit?

Enrolment confirmation; the Part A program with board/principal approval; Part B procedures with sample customer files; the AMLCO appointment; the most recent risk assessment; training records (attendees + content); independent review report (if due); SMR and TTR logs with redacted samples; and the ACR submission. AUSTRAC has published a Compliance Posture Guide listing the standard ask.

Are we exempt if all our clients are existing pre-1 July 2026 relationships?

No exemption — but transitional rules allow ongoing CDD on existing clients to be completed within a reasonable period based on risk. New designated services to those clients after 1 July 2026 trigger full CDD obligations. Document the transition plan in the Part A program.

Free assessment

Get a personalised obligation list

2-minute structured check tailored to your business.

AI advisor (waitlist)

Ask any compliance question

Coming Phase 2 — grounded answers with citations.

Last verified: 6 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.