AML/CTF Obligations for Accounting Firms: Tranche 2 Guidance

A comprehensive guide to understanding your AML/CTF obligations under Tranche 2, including key dates, implementation steps, and practical considerations for accounting firms.

Quick reality check

If Tranche 2 applies to your firm, this is not a tick box exercise.

AML/CTF compliance is a system of controls across onboarding, service delivery, staff behaviour, record keeping, and reporting. It touches partners, managers, admin, and client facing staff. AUSTRAC expects you to be able to explain what you did, when you did it, and why.

---

Key dates you need to plan around

- End of January 2026: AUSTRAC has indicated sector specific guidance for tranche 2 entities will be released around this time.
- 31 March 2026: Enrolment opens for newly regulated tranche 2 industries.
- 1 July 2026: AML/CTF obligations start for tranche 2 entities.
- 29 July 2026: If you provide designated services on 1 July 2026, you have until this date to enrol.

---

Step 1: Confirm if you are in scope

You may have AML/CTF obligations if both are true:

- You provide a designated service under the reforms
- You have a geographical link to Australia

This is the first complexity trap. Many firms assume all accounting work becomes regulated. In reality, obligations apply when you provide designated services. Start by mapping what you actually do, service by service, not by client type.

---

Step 2: What firms need to do

1. Enrol with AUSTRAC

- Plan enrolment early so you are not scrambling after 31 March 2026
- Ensure you are enrolled by 29 July 2026 if you provide designated services on 1 July 2026

2. Implement an AML/CTF program

Your program is your operating system for compliance. It should reflect your risks and how you manage them. AUSTRAC guidance for newly regulated entities highlights the need for an AML/CTF program, a compliance officer, and staff training.

At a practical level, your program needs to cover:

- Governance and oversight
- Risk based controls and escalation
- Customer due diligence procedures
- Staff training and awareness
- Record keeping and evidence standards
- Reporting decision pathways

3. Appoint an AML/CTF compliance officer

You need clear accountability. Someone must own the program, train the team, and ensure the controls are running.

4. Train staff and make it repeatable

This fails when it lives in one person's head. Staff must be trained on:

- The firm's program and internal steps
- What higher risk looks like in your client base
- When to escalate concerns

5. Customer due diligence and ongoing due diligence

This is where most of the work is.

You need a consistent approach to:

- Identify the customer and verify identity
- Understand the nature and purpose of the engagement
- Identify beneficial owners when dealing with entities
- Identify PEP involvement and apply the right controls
- Apply ongoing due diligence, not just an onboarding check

6. Enhanced due diligence when risk is higher

You need clear triggers and actions when risk is higher. This is not optional. It needs to be built into how staff work, and it needs to be recorded.

7. Suspicious matter reporting support

Even if you do not lodge reports through software, your firm must be able to identify, escalate, decide, and document suspicious matters.

Timing matters:

- Submit an SMR within 24 hours if the suspicion relates to terrorism financing
- Submit an SMR within 3 business days for other suspicions such as money laundering

---

Why this is complex in practice

These are the areas that usually break firms, even when they have good intentions.

- Designated services are not always obvious. You need service scoping rules that staff can apply consistently.
- Entity clients introduce beneficial ownership complexity and inconsistent evidence.
- Risk based decisions must be documented. If you cannot show why you rated something low risk, it effectively did not happen.
- Ongoing due diligence is operationally hard. It needs reminders, ownership, and a cadence.
- Reporting decisions need a clear internal pathway and defensible records, especially given strict SMR timeframes.

---

A simple implementation roadmap

Now to March 2026

- Map services and confirm if you provide designated services
- Decide who will own AML internally
- Draft your AML/CTF program structure and choose your workflow approach
- Identify how you will do identity verification, including entities and beneficial ownership

March 2026 to July 2026

- Enrol from 31 March 2026
- Finalise and implement your AML/CTF program
- Train staff and run pilot files through the workflow
- Ensure you can produce evidence packs and audit trails
- Be ready for go live on 1 July 2026

July 2026 onwards

- Maintain ongoing due diligence and periodic reviews
- Operate your escalation and SMR workflow to meet timeframes
- Review and improve the program based on real cases and near misses

---

AUSTRAC resources

Use these pages as your source of truth:

- Summary of obligations (Reform)
- New industries and services to be regulated (Reform)
- Check if you may be regulated (Reform)
- Find out when to enrol and register (Reform)
- Enrol or register
- Suspicious matter reports (SMRs)

---

Important note

This guidance is general information to help you understand obligations and plan implementation. It is not legal advice. Requirements depend on the services you provide and your circumstances.