What Happens If an Accounting Firm Does Not Comply with AML/CTF Obligations

From 1 July 2026, AML/CTF obligations apply to accountants providing designated services. Learn about the enforcement tools AUSTRAC can use, penalty frameworks, and how to frame compliance risk for your firm.

This article reflects guidance published by AUSTRAC current as at January 2026.

From 1 July 2026, AML and CTF obligations will apply to accountants who provide certain designated services. Whether your firm is captured depends on the services you provide and whether there is a geographical link to Australia.

---

Key dates for accounting firms

- 31 March 2026: Enrolment opens for newly regulated tranche 2 entities.
- 1 July 2026: Obligations start for tranche 2 designated services, including certain accounting services.
- 29 July 2026: If you provide tranche 2 designated services that start on 1 July 2026, you must ensure your business is enrolled by this date.
- 29 July 2026: Deadline for newly regulated tranche 2 entities to notify AUSTRAC of their AML and CTF compliance officer.

By 1 July 2026, AUSTRAC expects newly regulated entities to have an AML and CTF program, an AML and CTF compliance officer, staff training completed, and to be ready to engage with customers and report suspicious matters.

AUSTRAC has also made it clear it does not expect perfection on day one. It expects genuine preparation, realistic plans, and proactive efforts to manage money laundering and terrorism financing risk.

---

The enforcement and penalty tools AUSTRAC can use

AUSTRAC lists the enforcement actions available to it as:

- civil penalty orders
- enforceable undertakings
- infringement notices
- remedial directions

AUSTRAC can also issue written notices requiring you to appoint an external auditor or undertake a money laundering and terrorism financing risk assessment.

---

Scenario 1: The firm is captured but is not enrolled with AUSTRAC

If your accounting firm provides a designated service, you must enrol. For tranche 2 accounting firms, AUSTRAC states enrolment opens on 31 March 2026 and you must ensure your business is enrolled by 29 July 2026.

What can happen if you are not enrolled

- Daily accruing penalties can apply for each day you remain unenrolled, expressed in penalty units. AUSTRAC has stated this can be up to 12 penalty units per day for an individual and 60 penalty units per day for a body corporate.
- AUSTRAC can escalate to formal enforcement action, including civil penalty proceedings.
- AUSTRAC has stated that after 1 July 2026 it will focus enforcement efforts against entities that wilfully ignore the obligation to enrol, or are complicit with or wilfully blind to money laundering or terrorism financing in their business.

Penalty unit note

Penalty amounts are expressed in penalty units. The dollar value of a penalty unit changes over time and depends on the date of the contravention. Penalty units should be used to understand scale, with the applicable dollar value confirmed for the relevant date.

What this means in practice

If an incident occurs and you were not enrolled, it is harder to argue the issue was a one-off mistake, because the firm is already in a state of non-compliance.

---

Scenario 2: The firm is enrolled but does not have policies, procedures, or training in place

AUSTRAC expects that by 1 July 2026 newly regulated firms will have an AML and CTF program, an AML and CTF compliance officer, and staff trained on the program and internal processes.

If you are enrolled but do not have these foundations in place, the risk is that AUSTRAC views the issue as systemic rather than accidental.

What AUSTRAC can do

AUSTRAC may:

- issue an infringement notice for breaches relating to KYC procedures, reporting, enrolment, providing information to AUSTRAC, or record keeping
- issue a remedial direction requiring specific actions to comply and to prevent repeat breaches, including requiring you to submit a report you should have lodged
- issue a written notice requiring you to appoint an external auditor to review your ML and TF risk management or AML and CTF compliance
- issue a written notice requiring you to carry out a ML and TF risk assessment if AUSTRAC is not satisfied you have done one, or considers it inadequate or not current
- accept an enforceable undertaking, which can impose a structured remediation plan and can be enforced through the Federal Court if breached

What this means in practice

If you cannot show an implemented program and staff training, a later failure to identify and escalate suspicious activity is more likely to be treated as a failure of systems and controls, not just human error.

---

Scenario 3: The firm has a program and procedures but accidentally breaches an obligation

This is the most common real-world scenario. The firm has a framework, but something goes wrong on a file or an edge case.

Common examples

- Initial customer due diligence not completed before providing a designated service
- A suspicious matter not escalated or reported when it should have been
- Risk rating and enhanced due diligence not applied when triggers were present
- Record-keeping gaps that mean you cannot evidence what checks were performed

What usually matters most is what the breach reveals

- If the incident appears isolated and you can demonstrate your program is working overall, outcomes are more likely to focus on remediation and uplift.
- If the incident suggests your controls are not effective in practice, AUSTRAC can escalate to stronger enforcement tools, including infringement notices, remedial directions, external audit notices, enforceable undertakings, and civil penalty action.

---

Scenario 4: The firm has documents but cannot prove they were implemented

In AML and CTF, evidence is critical. If you cannot demonstrate what you did, when you did it, and why it was sufficient, it will often be treated as not done.

What this looks like

- Training is claimed, but there are no records of attendance, content, dates, or completion
- Policies exist, but staff cannot explain them and files show inconsistent application
- Customer files do not show how identity, ownership, and risk decisions were made
- There is no audit trail for escalation decisions

Why this increases regulatory risk

AUSTRAC states it can issue infringement notices for breaches relating to record keeping and KYC procedures, and it can require an external auditor or a new risk assessment where it suspects inadequate action or non-compliance.

---

What the fines can look like

AUSTRAC explains that the Federal Court can impose civil penalties of up to:

- 20,000 penalty units for an individual
- 100,000 penalty units for a body corporate

For non-enrolment, AUSTRAC has also stated that daily penalties can apply for each day the business remains unenrolled.

Because penalty unit values change over time and depend on the date of the contravention, firms should always confirm the applicable Commonwealth penalty unit value when assessing exposure.

---

A practical way to frame risk for an accounting firm

Highest risk scenario

Not enrolled, no program, no training records, and an incident occurs.

Medium risk scenario

Enrolled and has documents, but weak implementation and weak evidence.

Lower risk scenario

Enrolled, program implemented, staff trained, records maintained, and an isolated mistake occurs that is identified and remediated quickly.

---

Additional reading

- AUSTRAC: Preparing for changes if you are newly regulated
- AUSTRAC: Consequences of not complying
- AUSTRAC: Summary of obligations (Reform)
- AUSTRAC: Find out when to enrol and register (Reform)

---

Important note

This article provides general information only and is not legal advice. Each firm is responsible for ensuring its AML and CTF arrangements are appropriate, implemented, and maintained in line with applicable legislation and AUSTRAC guidance.