The starting point is this: accountants already operate under a client-identification regime. The Tax Practitioners Board (TPB) has, since 2022, required registered tax and BAS agents to verify the identity of every new and ongoing client through TPB(PN) 5/2022. That obligation does not go away on 1 July 2026. Nor is it replaced. What Tranche 2 does is add a second, risk-based regime that activates only when the practice provides a specific kind of service — what AUSTRAC calls a "designated service."

The practical implication is that accountants will operate two overlapping identity workflows. One applies to every client. The other applies only to a subset, and goes deeper. Knowing which is which is the heart of getting Tranche 2 right.

What you already do: TPB proof of identity for every client

Under TPB(PN) 5/2022, registered tax practitioners must take appropriate proof-of-identity (POI) steps before providing any tax agent or BAS service to a new client, and on an ongoing basis for existing clients where appropriate. The TPB anchors this in Code items 1, 7 and 9 of the Code of Professional Conduct and the civil penalty provisions of the Tax Agent Services Act 2009. Failure to verify identity is treated as a competence and integrity issue — not a minor administrative oversight.

The minimum information varies by client type, but for individuals it typically includes verifying full name and date of birth or residential address against a primary photographic document. For non-individual clients, the practitioner must also verify the authority of any individual representative who instructs them. The TPB recommends a checklist-based contemporaneous record rather than retaining copies of identity documents.

This regime captures the universe of accountancy services. It applies whether you are preparing a basic individual tax return, lodging quarterly BAS, doing the books for a small café, or compiling annual financial statements. None of those services is a designated service under the AML/CTF Act — but every one of them still requires you to know your client.

What changes on 1 July 2026: designated services trigger AML/CTF obligations

The AML/CTF regime does not regulate "accountants" as a profession. It regulates a defined list of services, and only when a practice provides one of those services does it become a "reporting entity" with corresponding obligations.

For professional services firms — including accountants — those services are listed in Table 6 of subsection 6(5B) of the AML/CTF Act. AUSTRAC's Professional designated services guidance summarises them as:

• assisting in the planning or execution of a transaction to sell, buy or transfer real estate
• assisting in the planning or execution of a transaction to sell, buy or transfer a body corporate or legal arrangement
• receiving, holding, controlling or managing a person's property to help in the planning or execution of a transaction
• assisting in organising, planning, or executing a transaction for equity or debt financing relating to a body corporate or legal arrangement
• creating, restructuring or managing a body corporate or legal arrangement (such as a trust)
• acting as, or arranging for someone else to act as, a director, secretary, trustee, partner or similar role for a non-natural person
• acting as, or arranging for someone else to act as, a nominee shareholder
• providing a registered office address or principal place of business address for an entity.

If a practice provides one of these services with a geographical link to Australia, it must enrol with AUSTRAC, appoint an AML/CTF compliance officer, conduct a risk assessment, and have an AML/CTF program in place before delivering the service.

What is not a designated service

This is where many accountants will find unexpected breathing room.

Routine tax lodgement, BAS preparation, bookkeeping, payroll processing, financial statement preparation, management reporting, tax planning advice, and general business advisory — the bread-and-butter of most practices — are not in Table 6. AUSTRAC's accounting program starter kit makes the same point: the kit is built specifically for practices that also provide one or more designated services, on top of their existing accounting work.

AUSTRAC has been explicit that general or hypothetical advice, simple referrals, and ancillary services that merely influence a transaction (rather than directly advance it) sit outside the regime. An accountant who advises a client on the tax implications of a possible company sale, but is not engaged to execute that sale, is not providing a designated service. The same accountant becomes a reporting entity if and when they are instructed to act for the client to bring the sale about — preparing transaction documents, negotiating terms, lodging ASIC filings to give effect to the transfer.

This is the practical reality every accountancy practice should sit with: the bulk of your client work most likely sits outside the AML/CTF regime, while the clients themselves still need to be identified under TPB rules. Tranche 2 is not a re-papering of every engagement. It is a targeted overlay.

When AML/CTF customer due diligence kicks in: the four risk factors

When you do provide a designated service, identification alone is no longer enough. The AML/CTF regime is risk-based, which means the depth of customer due diligence (CDD) you must conduct is calibrated to the money laundering and terrorism financing (ML/TF) risk associated with that particular client and that particular service.

AUSTRAC's accounting program starter kit and the broader AML/CTF Rules require practices to assess each designated-service client against four mandatory risk categories:

1. Customer type — whether the customer is a natural person, sole trader, company, partnership, regulated trust, unregulated/discretionary trust, SMSF, association, charity, or government body. Discretionary and family trusts, complex multi-layered structures, and entities with opaque beneficial ownership are inherently higher-risk than salaried individuals or simple Australian companies.
2. The designated service itself — different services carry different inherent ML/TF risk. Setting up a new company or trust, acting as a registered office address, or facilitating equity-and-debt financing transactions are typically higher-risk than, for example, transferring an SMSF trustee role between known family members.
3. Delivery channel — face-to-face engagement, fully remote onboarding, third-party introductions, online client portals, and the technology stack used to verify identity all affect risk. Non-face-to-face channels generally raise inherent risk because of the increased scope for impersonation.
4. Country/jurisdiction — the countries connected to the client, the beneficial owners, the source of funds, and the destination of any transaction. Practices need to consider the country of residence for individuals and the country of formation for entities, and assess each against the Basel AML Index, FATF high-risk lists, and DFAT sanctions lists.

These four factors combine to produce an inherent risk rating for each designated-service client, which in turn drives the level of CDD: simplified for clearly low-risk clients, standard for most, and enhanced (with senior manager approval) for high-risk clients or those connected to politically exposed persons, prescribed jurisdictions, or sanctions concerns.

Importantly, this risk-rating exercise applies only to clients receiving a designated service. Your tax-only clients — even the ones with international holdings or complex structures — do not need to be put through an AML/CTF risk assessment. They need TPB-standard identification, kept current.

A practical view of the dual regime

Picture a typical mid-sized accountancy practice. Of 800 active clients, perhaps 600 are individuals and SMEs receiving only tax, BAS and bookkeeping services. None of them is a designated-service client. All 800 still need TPB-compliant POI on file, refreshed when circumstances change.

Of the remaining 200, perhaps 50 will, in any given year, instruct the practice to set up a new company, restructure a trust, sit as a corporate trustee, or hold client funds in a transactional context. Those 50 are the AML/CTF cohort. They need full CDD against the four risk factors, ongoing monitoring proportionate to their risk rating, and they sit inside the practice's AML/CTF program from the moment the designated service is requested.

The same client can also move between regimes over time. A long-standing tax client whom you've identified for years under TPB rules suddenly asks you to set up a new discretionary trust to hold a property. From that moment, AML/CTF obligations attach — and the existing TPB identity record is the foundation you build on, not a substitute for, the additional CDD you now need to perform.

What this means in practice

Three things follow from this dual structure.

First, do not re-do your entire client base. AUSTRAC and the relevant professional bodies have been clear that existing clients receiving only non-designated services do not need to be re-onboarded under AML/CTF. Your TPB POI process already covers them. Strengthen and standardise that process — but do not panic about it.

Second, identify your designated-service activities now, before 1 July 2026. Map the parts of your practice that fall within Table 6, decide which engagement types trigger them, and build a clear internal trigger so that staff know when to escalate from "TPB POI" to "AML/CTF CDD." For most practices this will be a relatively small subset of work — but it must be reliably identified at the point of engagement, not after the fact.

Third, treat identity verification as the foundation that serves both regimes. A well-designed identity workflow can satisfy TPB's POI requirements for every client and form the verified base layer for AML/CTF CDD when a designated service is later provided. Re-asking the same client for the same documents twice — once for TPB, again for AML/CTF — is exactly the kind of friction that erodes client relationships without improving compliance outcomes.

This last point is where platforms like VerifiMe earn their place: a single, reusable identity record that the client controls, that meets TPB's standards by default, and that can be enhanced with the additional collection — beneficial ownership, source of funds, PEP/sanctions screening, country risk — that the AML/CTF regime requires when a designated service brings the client into scope. One verified identity, two regulatory regimes, one client relationship preserved.

Tranche 2 is a meaningful change. It is not, for most accountancy practices, the wholesale upheaval it can sometimes be made out to be. The work is to draw the line cleanly between what every client needs (TPB-grade identification) and what some clients need on top (AML/CTF risk-based CDD) — and to design the workflow so the second never duplicates the first.

This article is general information only and is not legal or compliance advice. AUSTRAC's sector-specific guidance for accountants and the TPB's TPB(PN) 5/2022 should be referred to directly when designing your practice's identity and AML/CTF processes.