AML/CTF Program for Accountants
Complete Guide

What Is an AML/CTF Program?

An AML/CTF program is a formal, written document that sets out how your accounting practice will identify, assess, mitigate, and manage the risks of money laundering and terrorism financing (ML/TF). It is the central pillar of your compliance obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act).

The legislative basis for AML/CTF programs sits within Part 7A of the Act (sections 81 to 83). Section 81 requires every reporting entity that provides designated services to have, and comply with, an AML/CTF program. Section 82 prescribes the requirements for Part A of the program — your risk-based systems and controls — and section 83 prescribes the requirements for Part B — your employee due diligence programme. The AML/CTF Rules 2024 provide further operational detail on what your program must contain and how it must be implemented.

An AML/CTF program is not a static policy document that sits in a drawer or a shared drive. It is a living operational framework that governs every aspect of how your practice interacts with the AML/CTF regime: how you onboard clients, how you verify their identity, how you monitor ongoing relationships, how you identify and report suspicious activity, how you train your staff, and how you maintain records. It must be approved by senior management (or the principal of the practice), reviewed at least annually, and updated whenever there is a material change to your business, your client base, or the regulatory environment.

The Financial Action Task Force (FATF) has long identified accountants as “gatekeepers” who may be unwittingly exploited by criminals seeking to launder the proceeds of crime or finance terrorism. Through services such as company formation, trust creation, financial advisory, and the management of client money, accountants sit at critical control points in the financial system. Australia's Tranche 2 reforms, enacted through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, bring the country into alignment with FATF Recommendations 22 and 23, which require countries to subject designated non-financial businesses and professions (DNFBPs), including accountants, to AML/CTF obligations. The programme commences on 1 July 2026, and AUSTRAC enrolment opens on 31 March 2026.

Do Accountants Need an AML/CTF Program?

The short answer is: if you provide any designated service as defined under s6AA of the AML/CTF Act 2006, you must have a written AML/CTF program. This applies regardless of the size of your practice — sole practitioners, small partnerships, and large firms are all equally subject to the obligation. The proportionality principle means you can scale the complexity of your program to match the size and risk profile of your practice, but the core components are mandatory for every reporting entity.

Designated services for accountants under s6AA include:

• Financial advisory services: Providing advice on the structuring of financial arrangements, investments, or asset portfolios
• Tax advisory services: Advising on tax planning, tax structuring, or the tax implications of transactions, particularly where the advice involves international arrangements or complex structures
• Trust creation and management: Preparing for or carrying out transactions involving the creation, operation, or management of trusts, including discretionary trusts, unit trusts, and self-managed superannuation fund trusts
• Company formation and management: Services relating to the creation, operation, or management of companies or other legal structures, including acting as a registered agent or providing nominee directors or shareholders
• Managing client money or assets: Holding, managing, or transferring client funds through trust accounts or managing investment portfolios on behalf of clients

It is important to note that not all services provided by an accounting practice are designated services. Standard bookkeeping, routine individual tax return preparation, and basic BAS lodgement may not, on their own, trigger the obligation — although you should conduct a careful analysis of your service offerings against the s6AA definitions. If you provide any designated service, even alongside non-designated services, you are a reporting entity and your AML/CTF program must cover those designated services.

The obligation applies to all entity structures: sole practitioners, partnerships, incorporated practices, and multidisciplinary firms. For practices with multiple partners or directors, the program must be approved at the governance level — meaning the partnership or the board — not merely by an individual practitioner. AUSTRAC expects that senior management takes ownership of AML/CTF compliance, and the program must reflect that governance structure.

Part A: Your Compliance Procedures

Part A of your AML/CTF program, prescribed by s82 of the Act and further detailed in the AML/CTF Rules 2024, sets out your risk-based systems and controls. This is the substantive operational core of your program. Part A must be informed by your ML/TF risk assessment and must address each of the following areas in detail.

Customer Identification Procedures (s28–35)

Customer due diligence (CDD) is the cornerstone of your AML/CTF program. Under sections 28 to 35 of the Act, you must verify the identity of every client before providing a designated service. Your Part A must document precisely how you will perform this verification, including:

• When CDD is triggered: Before providing any designated service, and at the point of establishing a new business relationship. CDD must also be performed where there is a suspicion of ML/TF or where you doubt the veracity or adequacy of previously obtained identification information
• Identification of individuals: Collect the client's full legal name, date of birth, and residential address. Verify using reliable and independent documentation (e.g., a current Australian driver's licence or passport) or through electronic verification using a service that meets the requirements of the AML/CTF Rules. You must verify from at least one reliable and independent source
• Identification of companies: Obtain the full legal name, ABN or ACN, registered office address, and principal place of business. Verify the company's existence through ASIC records. Identify all directors and all beneficial owners who hold 25% or more of the voting rights or shares. Where no individual meets the 25% threshold, identify the individuals who exercise effective control over the company
• Identification of trusts: Obtain the full name of the trust, the type of trust (discretionary, unit, hybrid, testamentary), and the country of establishment. Identify all trustees, the settlor, any appointor, and the beneficiaries. For discretionary trusts where individual beneficiaries cannot be identified, identify the classes of beneficiaries. Verify information using the trust deed and, where applicable, ASIC records for the trustee entity
• Identification of partnerships: Obtain the full name of the partnership, the ABN, the registered address, and identify all partners. Verify using the partnership agreement and relevant government records
• Beneficial ownership: For all entity types, you must look through the immediate legal structure to identify the natural persons who ultimately own or control the client. Apply the 25% ownership threshold and the control test. Where beneficial ownership cannot be determined through ownership alone, identify the individuals who exercise control through other means (such as through a shareholders' agreement, voting rights, or the ability to appoint or remove directors)

For a comprehensive walkthrough of all CDD obligations, see our Customer Due Diligence Guide.

Ongoing Customer Due Diligence (s36)

CDD is not a one-off exercise performed at onboarding. Section 36 of the Act requires ongoing customer due diligence throughout the life of the business relationship. Your Part A must document:

• How you will keep client identification information current and accurate, including procedures for requesting updated identification when information becomes stale or when you become aware of changes
• Specific triggers for re-verification: changes in ownership or control, changes in the nature of the business relationship, unusual or unexpected activity, a change in the client's risk profile, or the passage of a defined period since the last verification (e.g., every 12 months for high-risk clients, every 24 months for medium-risk, every 36 months for low-risk)
• Your approach to monitoring client transactions and activities for consistency with your knowledge of the client, their business, and their risk profile
• How you will handle clients who refuse or are unable to provide updated identification information, including the circumstances in which you would decline to continue the relationship and whether this triggers a suspicious matter report

Transaction Monitoring

Your Part A must describe how you will monitor the transactions and activities of your clients for indicators of ML/TF. For accounting practices, transaction monitoring should be tailored to the types of designated services you provide. Consider including:

• Monitoring of trust account activity for unusual patterns, including unexplained deposits, rapid movement of funds, payments to or from unrelated parties, and payments involving high-risk jurisdictions
• Scrutiny of transactions that appear inconsistent with the client's known financial position, business activities, or stated purpose of the engagement
• Identification of structuring behaviour: clients who appear to deliberately split transactions to avoid the $10,000 threshold transaction reporting requirement
• Awareness of ML/TF typologies specific to the accounting profession, such as the misuse of trusts to obscure beneficial ownership, round-tripping of funds through professional trust accounts, layering of transactions through multiple entities created by the practice, and the use of nominee structures without legitimate commercial rationale
• Regular comparison of client activity against the client's risk rating, with escalation to the compliance officer where activity exceeds expected parameters

Risk-Based Approach

The AML/CTF Act mandates a risk-based approach. This means your Part A systems and controls must be calibrated to the level of ML/TF risk your practice faces, rather than applying a uniform set of procedures to all clients and all services. The risk-based approach requires you to:

• Apply enhanced measures where the ML/TF risk is higher (e.g., PEPs, clients with complex structures, clients from high-risk jurisdictions)
• Apply simplified or standard measures where the risk is demonstrably lower (e.g., Australian-listed companies, government entities, regulated financial institutions)
• Document the rationale for your risk ratings and the measures applied, so that you can demonstrate to AUSTRAC that your approach is genuinely risk-based

Enhanced CDD for High-Risk Clients

Where your risk assessment identifies a client, a relationship, or a transaction as high risk, you must apply enhanced customer due diligence (ECDD). Your Part A should specify what additional measures you will take, which may include:

• Obtaining senior management approval before establishing or continuing the business relationship
• Establishing the source of wealth and the source of funds for the specific transaction or engagement
• Conducting more frequent ongoing due diligence reviews (e.g., every 6 months rather than every 12 months)
• Obtaining additional identification documentation beyond the minimum requirements
• Conducting open-source intelligence checks, adverse media screening, and enhanced PEP and sanctions screening
• For politically exposed persons (PEPs): identifying the PEP's role, establishing the source of wealth and funds, and obtaining senior management approval. PEPs include domestic and foreign heads of state, senior government officials, senior judiciary, military officers, and their close associates and family members

Simplified CDD for Low-Risk Clients

Where the ML/TF risk is demonstrably low, you may apply simplified CDD measures. The AML/CTF Rules 2024 permit simplified CDD for certain categories of clients, including:

• Australian-listed companies (ASX-listed entities whose identity and ownership is a matter of public record)
• Commonwealth, state, and territory government entities
• Regulated financial institutions that are themselves reporting entities under the AML/CTF Act
• Entities regulated by APRA, ASIC, or equivalent overseas regulators in jurisdictions with adequate AML/CTF frameworks

Even where simplified CDD is applied, you must still verify the client's identity and retain records. Simplified CDD reduces the depth of verification but does not eliminate the obligation entirely. You must also remain alert to any change in circumstances that would require you to upgrade the client to standard or enhanced CDD.

Beneficial Ownership for Trusts and Companies

Beneficial ownership identification is one of the most challenging aspects of CDD for accounting practices, given the prevalence of trusts and corporate structures in the Australian accounting context. Your Part A should include detailed procedures for:

• Companies: Identifying all natural persons who hold 25% or more of the issued capital or voting rights, either directly or indirectly. Where no individual meets this threshold, identify the individuals who exercise control through directorships, shareholder agreements, or other mechanisms. Use ASIC current and historical company extracts, annual returns, and share registers
• Discretionary trusts: Identify the trustee (and verify the identity of the individuals behind a corporate trustee), the settlor, any appointor or guardian, and the classes of beneficiaries. Where the trust deed confers broad discretionary powers on the trustee, document your assessment of who has effective control over the trust assets
• Unit trusts: Identify all unitholders who hold 25% or more of the units, the trustee, and any person who has the power to control the trustee. For widely held unit trusts, document your reasonable steps to identify significant unitholders
• Multi-layered structures: Where the client entity is owned or controlled through a chain of entities (e.g., a company owned by a trust, the trustee of which is another company), you must look through each layer to identify the ultimate natural person or persons who own or control the arrangement

Part B: Employee Due Diligence

Part B of your AML/CTF program, prescribed by s83 of the Act, addresses the people within your practice. The purpose of Part B is to minimise the risk that your employees, partners, contractors, or agents could facilitate, participate in, or fail to detect ML/TF activity. Part B applies to all persons with AML/CTF-related duties, including staff who perform CDD, staff who handle trust account transactions, the compliance officer, and anyone who may come into contact with information relevant to suspicious matter identification.

Pre-Employment Screening

Before assigning AML/CTF responsibilities to any person, you must conduct appropriate screening. Your Part B should specify:

• Verification of identity and right to work in Australia
• Criminal history checks (national police check), with particular attention to offences related to fraud, dishonesty, financial crime, money laundering, or terrorism financing
• Reference checks with previous employers, focusing on the candidate's integrity and any compliance-related performance issues
• Verification of professional qualifications and current registrations (e.g., CA ANZ, CPA Australia, IPA membership, TPB registration)
• For the designated compliance officer: enhanced checks including confirmation of any disciplinary history with professional bodies, regulatory authorities, or courts
• ASIC banned and disqualified persons checks where the individual will have financial responsibilities

Ongoing Employee Monitoring

Screening at the point of hire is necessary but not sufficient. Your Part B must also include procedures for ongoing monitoring, including:

• Periodic reassessment of suitability for AML/CTF-related roles, including updated criminal history checks at defined intervals (e.g., every two years)
• Monitoring for indicators that an employee may have been compromised or co-opted, such as unexplained lifestyle changes, reluctance to take leave, resistance to audit or oversight, or frequent unexplained alterations to client records
• Procedures for managing conflicts of interest, particularly where staff have personal, family, or financial relationships with clients
• Mandatory leave policies that allow other staff to review the work of each team member, reducing the risk of undetected misconduct

AML/CTF Training Requirements

Training is a critical component of Part B. You must provide AML/CTF training to all staff who are involved in providing designated services or who have any AML/CTF responsibilities. Training must be provided before staff commence those duties and must be refreshed on a regular basis. Your training programme should cover:

• An overview of the AML/CTF Act 2006 and its application to your accounting practice, including what constitutes a designated service
• Your practice's specific AML/CTF program, including CDD procedures, SMR procedures, and record-keeping requirements
• How to identify suspicious matters, including common ML/TF typologies and red flags relevant to accounting services
• The tipping-off prohibition under s123 and its consequences (including imprisonment)
• The role of the compliance officer and how staff should escalate concerns
• Sanctions and PEP screening obligations
• Practical case studies and scenario exercises drawn from AUSTRAC typology reports

Training frequency should include: initial training before staff commence duties; annual refresher training covering updates to legislation, rules, AUSTRAC guidance, and your program; and ad hoc training when there are significant regulatory changes or when new ML/TF typologies are identified. All training must be documented, including the date, attendees, content covered, and who delivered the training. Training records must be retained for a minimum of 7 years under Part 10.

Role-Based Access Controls and Separation of Duties

Your Part B should implement the principle of least privilege: staff should only have access to client data and compliance systems that are necessary for their role. Restrict access to SMR records and suspicious matter investigations to the compliance officer and authorised personnel only. Where the size of your practice permits, implement separation of duties so that no single person controls the entire compliance process. In a sole practice where separation is not possible, document this limitation and consider compensating controls such as external periodic review.

Risk Assessment: The Foundation of Your Program

Before you write a single paragraph of your AML/CTF program, you must conduct a money laundering and terrorism financing (ML/TF) risk assessment. This is often referred to as an enterprise-wide risk assessment (EWRA). Your risk assessment is the foundation upon which your entire program is built. Without it, you cannot demonstrate that your program is risk-based, and AUSTRAC will view your program as non-compliant. The AML/CTF Rules 2024 require that your Part A systems and controls are directly informed by your documented risk assessment.

Your risk assessment should evaluate risk across four key dimensions:

Client Risk

Different client types carry different levels of ML/TF risk. Your risk assessment should categorise and rate each client type:

• Individuals: Generally lower risk, but consider factors such as source of wealth, occupation, residency status, and whether the individual is a PEP or a close associate of a PEP
• Companies: Risk varies by ownership transparency, industry, age of the entity, and whether the company has complex or layered ownership. Shell companies, recently formed companies, and companies with nominee directors carry higher risk
• Trusts: Discretionary trusts and complex trust structures can be used to obscure beneficial ownership. The identity of settlors, trustees, appointors, and beneficiaries must be established. Trusts with foreign beneficiaries, broad classes of beneficiaries, or complex distribution provisions carry elevated risk
• Foreign entities: Clients based in or connected to jurisdictions identified by the FATF as high-risk (the “black list”) or under increased monitoring (the “grey list”) carry inherently higher risk
• Cash-intensive businesses: Clients operating in industries with high volumes of cash transactions (e.g., hospitality, retail, construction) present elevated ML/TF risk
• Partnerships and joint ventures: Consider the transparency of ownership, the number of parties, and the nature of the business activity

Service Risk

Not all accounting services carry the same ML/TF risk. Your risk assessment should rate each designated service you provide:

• Higher risk: Trust creation and management, company formation, complex tax structuring (particularly involving international arrangements), managing client money or assets, providing nominee directors or shareholders, preparing or carrying out transactions involving the transfer of real property
• Moderate risk: Tax advisory services, financial advisory services, superannuation advisory services
• Lower risk: Standard tax return preparation, bookkeeping, BAS lodgement (noting these may not be designated services at all, depending on the specific circumstances)

Geographic Risk

Assess the geographic exposure of your client base:

• Countries identified by the FATF as high-risk or under increased monitoring
• Countries subject to Australian autonomous sanctions or UN Security Council sanctions
• Countries with weak AML/CTF regulatory frameworks or known for high levels of corruption, as measured by indices such as Transparency International's Corruption Perceptions Index
• Tax haven jurisdictions commonly associated with profit-shifting, shell company formation, or secretive banking
• Domestic geographic risk factors, such as regions with known drug trafficking activity or organised crime exposure

Delivery Channel Risk

How you deliver your services affects ML/TF risk:

• Non-face-to-face relationships: Clients you have never met in person carry higher risk due to the increased difficulty of verifying identity and detecting deceptive behaviour
• Referral arrangements: Clients referred by third parties, particularly from overseas or from intermediaries you have not independently assessed, may require enhanced due diligence
• Digital service delivery: Online portals and remote onboarding increase convenience but also increase the risk of impersonation, identity fraud, or the use of synthetic identities
• Intermediated relationships: Where you provide services through or on behalf of another professional (e.g., a lawyer or financial planner), consider the ML/TF risk introduced by the intermediary

Building Your AML/CTF Program: Step by Step

The following practical implementation guide walks you through the process of building a compliant AML/CTF program from the ground up. These steps are sequential — each one builds on the previous.

Suspicious Matter Reporting for Accountants

Under sections 41 to 49 of the AML/CTF Act, you must report suspicious matters to AUSTRAC. A suspicious matter arises when you form a suspicion on reasonable grounds that a matter relating to a designated service may be relevant to an offence against a Commonwealth, state, or territory law, the proceeds of crime, terrorism financing, or tax evasion. The obligation to report is triggered by suspicion, not certainty. You are not required to prove that money laundering or terrorism financing is occurring — only that you have reasonable grounds for your suspicion.

When to Report

Your program must specify reporting timeframes in accordance with the Act:

• Within 24 hours: Where the suspicious matter relates to terrorism financing
• Within 3 business days: For all other suspicious matters

These timeframes run from the point at which the suspicion is formed, not from the point of the transaction or event that gave rise to the suspicion. Late filing is a compliance failure that AUSTRAC takes seriously.

How to Report

Suspicious matter reports (SMRs) are filed with AUSTRAC through AUSTRAC Online. Your program should document the internal process leading up to filing:

• The staff member who identifies the suspicious activity raises it with the compliance officer (or, in a sole practice, documents the suspicion in writing)
• The compliance officer reviews the matter, conducts any necessary additional inquiry (without tipping off the client), and makes the determination on whether to file an SMR
• If the decision is to file, the SMR is lodged through AUSTRAC Online within the prescribed timeframe
• If the decision is not to file, the reasons are documented in writing and retained for 7 years
• A copy of the SMR and all supporting documentation is retained securely with restricted access

Common Red Flags for Accounting Practices

While every practice is different, AUSTRAC and FATF have identified the following ML/TF red flags that are particularly relevant to accounting services:

• Clients who are reluctant to provide identification or who provide inconsistent or contradictory information
• Requests to structure transactions to avoid reporting thresholds or to break a single transaction into multiple smaller transactions
• Unexplained or disproportionate sources of wealth or income that is inconsistent with the client's known profile, occupation, or business
• Frequent changes to trust deeds, company constitutions, or ownership structures without clear commercial rationale
• Payments to or from high-risk jurisdictions, particularly where the payments have no apparent connection to the client's business
• Cash-intensive businesses with turnover inconsistent with the size, industry, or location of the business
• Requests to use your trust account as a conduit for funds that are unrelated to the designated services you are providing
• Clients who instruct you to act urgently, or who pressure you to bypass normal procedures, without adequate explanation
• Clients who use multiple bank accounts, companies, or trusts without clear commercial rationale, potentially indicating layering
• Clients who express an unusual interest in your AML/CTF procedures or who ask questions about reporting thresholds
• Instructions to make payments to third parties who have no apparent connection to the transaction
• Back-to-back transactions or round-tripping of funds through professional trust accounts or multiple entities

Tipping-Off Prohibition (s123)

Section 123 of the AML/CTF Act makes it a criminal offence to disclose (“tip off”) a client or any other person that an SMR has been, is being, or will be filed. The penalty includes imprisonment for up to 2 years. Your program must include clear guidance for all staff on the tipping-off prohibition:

• What constitutes tipping off (both direct and indirect disclosure)
• Practical examples of inadvertent disclosure, such as telling a client you cannot proceed with a transaction “for compliance reasons,” suddenly changing your behaviour towards a client after forming a suspicion, or asking the client questions that reveal the nature of your concern
• How to manage client communications when a suspicious matter has been identified, including scripts and pre-approved language for declining transactions without disclosing the reason
• That the prohibition applies to all staff, not just the compliance officer, and that a breach can result in personal criminal liability

For a comprehensive guide to suspicious matter reporting, see our Suspicious Matter Reporting Guide.

Record Keeping Requirements

Part 10 of the AML/CTF Act imposes detailed record-keeping obligations on all reporting entities. For accountants, this means retaining comprehensive records of all your AML/CTF activities for a minimum of 7 years from the date the record is made, or 7 years after the end of the relevant business relationship or transaction, whichever is later.

What to Keep

Your record-keeping framework must cover:

• CDD records: All client identification and verification documents, including copies of identification documents, electronic verification results, beneficial ownership assessments, risk ratings assigned, and records of enhanced or simplified CDD applied
• Transaction records: Records of all designated services provided, including the nature of the service, the parties involved, the amounts (if applicable), and the dates
• SMR records: Copies of all suspicious matter reports filed with AUSTRAC, supporting documentation, records of matters considered but not reported (with documented reasons), and records of internal escalation decisions
• TTR records: Records of any Threshold Transaction Reports filed for cash transactions of $10,000 or more
• Training records: Evidence of all AML/CTF training delivered, including dates, attendees, content covered, who delivered the training, and completion acknowledgements
• Programme records: All versions of your AML/CTF program (current and historical), amendment records, risk assessments, review reports, and independent review findings
• Employee due diligence records: Pre-employment screening results, criminal history check outcomes, and ongoing monitoring records
• Correspondence with AUSTRAC: All communications with AUSTRAC, including requests for information, examination notices, and your responses

How Long to Keep Records

The minimum retention period under Part 10 is 7 years. However, you should be aware that some records may need to be retained for longer if they are subject to other regulatory requirements. For example, trust account records may need to be retained for longer under state or territory trust account legislation, and TPB-related records may have separate retention requirements under the Tax Agent Services Act 2009. Where there is an overlap, retain records for the longest applicable period.

Format Requirements

Records must be stored in a way that allows them to be retrieved and produced to AUSTRAC upon request. They must be:

• Secure and protected from unauthorised access, modification, or destruction
• Accessible and retrievable within a reasonable timeframe (AUSTRAC may request production at short notice)
• Legible and in a format that AUSTRAC can review (electronic records are acceptable provided they can be printed or displayed on screen)
• Backed up and protected against data loss, corruption, or hardware failure
• Subject to access controls so that only authorised personnel can view or modify compliance records

For more detail on record-keeping requirements, see our blog post on record keeping requirements under Tranche 2.

TPB Integration: How AML/CTF Interacts with Your Tax Practitioner Obligations

Accountants registered with the Tax Practitioners Board (TPB) face a dual regulatory landscape from 1 July 2026. Your AML/CTF obligations under the AML/CTF Act 2006 sit alongside your existing obligations under the Tax Agent Services Act 2009 (TASA) and the Code of Professional Conduct. Understanding how these two regimes interact is essential for building a programme that satisfies both regulators.

The TPB has indicated that compliance with AML/CTF obligations will be relevant to assessing whether a tax practitioner is a fit and proper person to remain registered. A failure to comply with AUSTRAC requirements could constitute a breach of the Code of Professional Conduct under TASA, particularly:

• Item 1 — Honesty and integrity: Facilitating or turning a blind eye to money laundering could constitute a failure to act honestly
• Item 4 — Acting lawfully: A breach of the AML/CTF Act is, by definition, a failure to act lawfully
• Item 6 — Professional reputation: A prosecution or civil penalty action by AUSTRAC would bring the profession into disrepute
• Item 9 — Practice management: An inadequate AML/CTF program could be evidence that you do not have adequate arrangements for managing the affairs of your practice

This means that AML/CTF non-compliance could result in consequences from both AUSTRAC (civil and criminal penalties) and the TPB (registration conditions, suspension, or cancellation). The consequences are cumulative, not alternative.

To manage this dual regulatory exposure, your AML/CTF program should be integrated with your broader practice management and compliance framework. Practical integration steps include:

• Aligning your AML/CTF program review cycle with your TPB continuing professional education (CPE) cycle and your practice quality assurance processes
• Including AML/CTF compliance as a standing item on your practice management agenda
• Maintaining compliance records that can be produced to both AUSTRAC and the TPB upon request, using a single integrated compliance file per client where practicable
• Incorporating AML/CTF training into your broader CPE programme so that training hours count towards both TPB CPE requirements and your Part B training obligations
• Considering whether your professional indemnity insurance covers AML/CTF-related claims, regulatory investigations, or defence costs

Common Mistakes to Avoid

Based on AUSTRAC enforcement actions against Tranche 1 reporting entities and international precedent from comparable jurisdictions, the following are the most common mistakes that accounting practices should avoid:

How ComplyAU Assists

Building and maintaining an AML/CTF program is a significant undertaking for any accounting practice, particularly those without dedicated compliance resources. ComplyAU is designed to support you through each step of the process:

• Programme generation: ComplyAU's programme generator helps you create a tailored Part A and Part B programme based on your specific designated services, client base, and risk profile. Rather than starting from a blank page, you answer structured questions about your practice and receive a draft programme that you can refine and adopt.
• Risk assessment support: The platform guides you through the ML/TF risk assessment process with profession-specific risk factors and scoring matrices designed for accounting practices, covering client risk, service risk, geographic risk, and delivery channel risk.
• CDD workflows: Structured client onboarding workflows with identity verification checklists, beneficial ownership identification tools, PEP and sanctions screening, and automated risk scoring that aligns with your programme's risk categories.
• SMR management: A guided suspicious matter reporting workflow with AUSTRAC-aligned fields, internal escalation tracking, deadline monitoring, and a complete audit trail for every report filed and every matter considered but not reported.
• Record keeping: Automated 7-year record retention with encrypted storage, access controls, version history, and the ability to produce records for AUSTRAC examination on demand.
• Training management: AML/CTF training modules with completion tracking, certificates, and automated reminders for annual refresher training. Training records are stored as part of your compliance file.
• Review and audit: Programme review scheduling, compliance dashboards, and exportable reports that support both internal annual reviews and independent three-year reviews.

ComplyAU does not replace the need for professional judgement or legal advice. It is a compliance management tool that assists you in meeting your obligations efficiently and maintaining audit-ready evidence of your compliance activities. For more information, visit our accountants page.