What Happens If an Accounting Firm Does Not Comply with AML/CTF Obligations
From 1 July 2026, AML/CTF obligations apply to accountants providing designated services. Learn about the enforcement tools AUSTRAC can use, penalty frameworks, and how to frame compliance risk for your firm.
From 1 July 2026, AML and CTF obligations will apply to accountants who provide certain designated services. Whether your firm is captured depends on the services you provide and whether there is a geographical link to Australia.
---
Key dates for accounting firms - 31 March 2026: Enrolment opens for newly regulated tranche 2 entities. - 1 July 2026: Obligations start for tranche 2 designated services, including certain accounting services. - 29 July 2026: If you provide tranche 2 designated services that start on 1 July 2026, you must be enrolled by this date.
By 1 July 2026, AUSTRAC expects newly regulated entities to have an AML and CTF program, an AML and CTF compliance officer, staff training completed, and to be ready to engage with customers and report suspicious matters.
---
The enforcement and penalty tools AUSTRAC can use
AUSTRAC lists the enforcement actions available to it as: civil penalty orders, enforceable undertakings, infringement notices, and remedial directions.
AUSTRAC can also issue written notices requiring you to appoint an external auditor or undertake a money laundering and terrorism financing risk assessment.
---
Scenario 1: The firm is captured but is not enrolled with AUSTRAC
If your accounting firm provides a designated service, you must enrol. For tranche 2 accounting firms, AUSTRAC states enrolment opens on 31 March 2026 and you must be enrolled by 29 July 2026.
What can happen if you are not enrolled: - Daily accruing penalties can apply for each day you remain unenrolled, expressed in penalty units. AUSTRAC has stated this can be up to 12 penalty units per day for an individual and 60 penalty units per day for a body corporate. - AUSTRAC can escalate to formal enforcement action, including civil penalty proceedings. - AUSTRAC has stated that after 1 July 2026 it will focus enforcement efforts against entities that wilfully ignore the obligation to enrol, or are complicit with or wilfully blind to money laundering or terrorism financing in their business.
What this means in practice:
If an incident occurs and you were not enrolled, it is harder to argue it was a one off mistake because the starting position is already non compliance.
---
Scenario 2: The firm is enrolled but does not have policies, procedures, or training in place
AUSTRAC expects that by 1 July 2026 newly regulated firms will have an AML and CTF program, an AML and CTF compliance officer, and staff trained on the program and internal processes.
If you are enrolled but do not have the foundations, the risk is that AUSTRAC views the issue as systemic rather than accidental.
What AUSTRAC can do: - Issue an infringement notice for breaches relating to KYC procedures, reporting, enrolment, providing information to AUSTRAC, or record keeping. - Issue a remedial direction requiring specific actions to comply and to prevent repeat breaches, including requiring you to submit a report you should have lodged. - Issue a written notice requiring you to appoint an external auditor to review your ML and TF risk management or AML and CTF compliance. - Issue a written notice requiring you to carry out a ML and TF risk assessment if AUSTRAC is not satisfied you have done one, or considers it inadequate or not current. - Accept an enforceable undertaking, which can impose a structured remediation plan and can be enforced through the Federal Court if breached.
What this means in practice:
If you cannot show an implemented program and training, a later failure to identify and escalate suspicious activity is more likely to be treated as a failure of systems and controls, not just human error.
---
Scenario 3: The firm has a program and procedures but accidentally breaches an obligation
This is the most common real world scenario: you have a framework, but something goes wrong on a file or an edge case.
Common examples: - Initial customer due diligence not completed before providing a designated service - A suspicious matter not escalated or reported when it should have been - Risk rating and enhanced due diligence not applied when triggers were present - Record keeping gaps that mean you cannot evidence what checks were performed
What usually matters most is what the breach reveals: - If the incident looks isolated and you can demonstrate your program is working overall, outcomes are more likely to focus on remediation and uplift. - If the incident suggests your controls are not effective in practice, AUSTRAC can escalate to stronger enforcement tools, including infringement notices, remedial directions, external audit notices, enforceable undertakings, and civil penalty action.
---
Scenario 4: The firm has documents but cannot prove they were implemented
In AML and CTF, evidence is critical. If you cannot demonstrate what you did, when you did it, and why it was sufficient, it will often be treated as not done.
What this looks like: - Training is claimed, but there are no records of attendance, content, dates, or completion - Policies exist, but staff cannot explain them and files show inconsistent application - Customer files do not show how identity, ownership, and risk decisions were made - There is no audit trail for escalation decisions
Why this increases regulatory risk:
AUSTRAC states it can issue infringement notices for breaches relating to record keeping and KYC procedures, and it can require an external auditor or a new risk assessment where it suspects inadequate action or non compliance.
---
What the fines can look like
AUSTRAC explains that the Federal Court can impose civil penalties that can be up to 20,000 penalty units, or up to 100,000 penalty units for a body corporate.
AUSTRAC also lists the Commonwealth penalty unit value as $330 for contraventions on or after 7 November 2024, noting the value depends on the date of the offence or contravention.
Using $330 as an example only: - 100,000 penalty units can equate to $33,000,000 for a body corporate - 20,000 penalty units can equate to $6,600,000 for an individual
For non enrolment, AUSTRAC has stated daily penalties can be up to 60 penalty units per day for bodies corporate and 12 penalty units per day for individuals.
At $330 per unit, that equates to $19,800 per day (body corporate) and $3,960 per day (individual), noting the penalty unit value depends on the contravention date.
---
A practical way to frame risk for an accounting firm
Highest risk scenario:
Not enrolled, no program, no training records, and an incident occurs.
Medium risk scenario:
Enrolled and has documents, but weak implementation and weak evidence.
Lower risk scenario:
Enrolled, program implemented, staff trained, records maintained, and an isolated mistake occurs that is identified and remediated quickly.
---
Important note
This article provides general information only and is not legal advice.