AUSTRAC Tranche 2 for Accountants: a simple AML/CTF + KYC guide (2026)
A plain-English, step-by-step guide to AUSTRAC Tranche 2 AML/CTF obligations for accounting firms, plus how to implement KYC fast.
From 1 July 2026, AUSTRAC's AML/CTF regime expands to cover certain services typically provided by accountants (Tranche 2). <a href="https://www.austrac.gov.au/amlctf-reform/reforms-guidance/before-you-start/summary-obligations-reform" target="_blank" rel="nofollow noopener noreferrer">Summary of obligations (AUSTRAC)</a>
If you want the simplest way to think about it, AUSTRAC's obligations fall into six buckets:
1. Enrol 2. Build your AML/CTF program 3. Get staff ready 4. Do KYC/CDD 5. Report 6. Keep records
This guide is the "do this, then do this" version.
Key dates you should have on your radar - Enrolment opens: 31 March 2026 (and cannot be done earlier). - Tranche 2 start date (for most newly regulated designated services): 1 July 2026. - If you provide newly regulated designated services starting 1 July 2026, you must enrol by 29 July 2026.
Also: AUSTRAC's accountant guidance states you must have an AML/CTF program in place before providing the relevant designated services.
Step 0: Confirm whether you are actually captured
AUSTRAC regulates services, not job titles. If your firm provides one of the relevant services and there is a geographical link to Australia, you may have obligations. AUSTRAC has a "check if you may be regulated" tool: <a href="https://www.austrac.gov.au/amlctf-reform/check-if-you-may-be-regulated-reform" target="_blank" rel="nofollow noopener noreferrer">use it first</a>.
How Nelvo helps: Nelvo's <a href="/obligation-checker">Tranche 2 readiness flow</a> is designed to quickly triage "are we captured?" and then turn the answer into a practical task plan inside your firm.
Step 1: Enrol with AUSTRAC
Enrolment is providing basic information about your business (structure, services, key personnel, contact details) and keeping it up to date.
If you provide the newly regulated designated services starting 1 July 2026, AUSTRAC's current guidance says you must enrol by 29 July 2026.
Do this now: - Identify who owns AUSTRAC Online access in your firm. - Collect the core business details AUSTRAC expects (structure, services, key people, contacts). - Set a firm deadline and treat it like a lodgement date.
How Nelvo helps: Nelvo stores your firm profile details once and reuses them across your compliance artefacts, so you are not rebuilding "the basics" in ten different documents.
Step 2: Appoint an AML/CTF Compliance Officer (do not skip this)
Your governance must clearly identify key roles, including an AML/CTF compliance officer who manages day-to-day compliance and ensures policies and procedures are implemented.
Under AUSTRAC's reforms guidance: - You must appoint an AML/CTF compliance officer within 28 days of providing designated services. - You must notify AUSTRAC within 14 days of the appointment (via a new form).
<a href="https://www.austrac.gov.au/amlctf-reform/reforms-guidance/amlctf-program-reform/develop-your-amlctf-program-reform/step-1-establish-your-governance-framework-reform/amlctf-compliance-officer-reform" target="_blank" rel="nofollow noopener noreferrer">AUSTRAC compliance officer guidance</a>
Practical guidance (simple and safe): - Pick someone operationally strong, process-minded, and comfortable enforcing standards. - If you are small, it can be the owner or office manager, but it must be real ownership, not a title.
Training suggestion (common-sense approach): - Compliance Officer: do AUSTRAC e-learning plus internal system training. - Everyone else: role-based training focused on what they must do day-to-day.
How Nelvo helps: Nelvo assigns the compliance officer role, routes approvals, tracks training completion, and keeps the evidence trail you will need when someone asks "prove it."
Step 3: Build and maintain your AML/CTF Program (tailored to your firm)
AUSTRAC's summary is clear: your AML/CTF program must include: - a risk assessment (identify and assess ML/TF risks), and - AML/CTF policies (procedures, systems, controls to manage and mitigate those risks).
It must also be: - documented and approved by a senior manager, - kept up to date, and - independently evaluated at least once every 3 years.
Do this now (minimum viable program): 1. Write your risk assessment in plain English (what you do, where risk shows up, how you will control it). 2. Turn that into procedures (client onboarding steps, escalation rules, record keeping, reporting). 3. Set a review rhythm (quarterly light review, annual deeper review, 3-year independent evaluation).
How Nelvo helps: Nelvo turns this into a guided build: risk assessment wizard + policy library + approvals + review cadence + "audit-ready" exports.
Step 4: Get your staff ready (governance, personnel checks, training)
AUSTRAC calls out three things under staff readiness: - people are fit for role, - they understand obligations, - governance and oversight is strong.
They also explicitly expect: - personnel due diligence for people performing AML/CTF functions, and - AML/CTF training so staff understand obligations and follow your procedures.
Do this now: - Create role-based training: admin/onboarding team vs managers vs partners. - Add a simple escalation rule: "if something feels off, stop and escalate."
How Nelvo helps: Nelvo's <a href="/aml-training-records">training module</a> assigns learning by role, tracks completion, and stores evidence of training and competence.
Step 5: Do KYC properly (Customer Due Diligence: initial + ongoing)
AUSTRAC splits CDD into initial and ongoing. The depth depends on the customer's ML/TF risk profile, with enhanced CDD for high-risk scenarios and simplified CDD for low-risk scenarios.
Initial CDD (before you provide the designated service)
You must establish identity for: - the customer, - representatives, - anyone receiving the service on someone else's behalf, - and any beneficial owner.
You must also establish whether any of those people are: - subject to targeted financial sanctions, or - a politically exposed person (PEP).
Ongoing CDD (while the relationship exists)
This includes: - monitoring for suspicious behaviour, - updating the risk profile when triggers occur, - and reviewing/updating/reverifying information as needed.
How Nelvo helps: Nelvo operationalises CDD as a workflow: risk-rated onboarding, beneficial ownership mapping, PEP/sanctions capture points, evidence collection, and an ongoing review cadence. See <a href="/risk-verification-cdd-accountants">Risk and Verification (CDD)</a>.
Step 6: Reporting (what you must be ready to lodge)
AUSTRAC lists report types you may need to submit, including: - SMRs (suspicious matter reports), - TTRs (cash transactions of $10,000+), - international funds transfer reports, - cross-border movement reports, - and annual compliance reports.
Do this now: - Decide who can submit reports and who must approve. - Create an internal "suspicion escalation" process (fast, documented, consistent).
How Nelvo helps: Nelvo logs incidents, captures supporting evidence, and keeps an auditable trail of what was observed, who reviewed it, and what decision was made. See <a href="/incident-register-remediation">Incident Register</a>.
Step 7: Record keeping (the part firms underestimate)
AUSTRAC's summary: keep accurate and complete records for at least 7 years. Records include those related to: - your AML/CTF program, - CDD, - transaction records, - staff training, - audit results.
How Nelvo helps: Nelvo acts as your evidence register: centralised storage, structured artefacts, and an audit trail that makes "prove it" dramatically easier. See <a href="/evidence-audit-trail">Evidence Register and Audit Trail</a>.
A simple mapping: AUSTRAC obligation to what you need to how Nelvo helps
| Obligation | What you need | How Nelvo helps | | --- | --- | --- | | Enrol | Keep business details ready and up to date | Firm profile + compliance tasks | | AML/CTF program | Risk assessment + policies + reviews | Program builder + templates + approvals + review cadence | | Staff readiness | Governance, role clarity, training evidence | Role assignment + training tracking | | CDD/KYC | Identity, beneficial owners, PEP/sanctions, ongoing review | Workflow + evidence capture | | Reporting | Internal escalation + record of decisions | Incident register + audit trail | | Records | 7-year retention, complete artefacts | Evidence register exports |
FAQs
When do Tranche 2 obligations start for accountants? AUSTRAC's reforms guidance indicates the Tranche 2 expansion applies from 1 July 2026 for services typically provided by accountants.
When can we enrol with AUSTRAC? Enrolment opens 31 March 2026 for newly regulated industries and cannot be done earlier.
Do we need an AML/CTF compliance officer? Yes. AUSTRAC's governance framework includes an AML/CTF compliance officer role, and reforms guidance states you must appoint one within 28 days of providing designated services and notify AUSTRAC within 14 days.
What must be in an AML/CTF program? At minimum, a risk assessment plus AML/CTF policies, documented, approved by a senior manager, kept current, and independently evaluated at least once every 3 years.
How long do we need to keep AML/CTF records? AUSTRAC's summary states at least 7 years, including program, CDD, training, and audit records.
Ready to get started?
If you want a clean, accountant-friendly way to implement Tranche 2 without building a compliance machine from scratch, Nelvo turns these obligations into workflows, training, evidence capture, and audit-ready outputs.
Next step: <a href="https://calendar.app.google/BQdzbEaxtrszFGh68" target="_blank" rel="noopener noreferrer">Book a demo</a> or start with our <a href="/obligation-checker">Tranche 2 readiness checklist</a>.
Disclaimer
This article is general information only and is not legal, financial, or compliance advice. It is not tailored to your circumstances. AML/CTF obligations and regulator guidance can change. You should obtain independent professional advice and consult AUSTRAC guidance before making compliance decisions.