AML/CTF Tranche 2: Frequently Asked Questions for Accounting Practices

Basic Requirements

When do these requirements take effect?

From 1 July 2026, Australian accounting practices providing designated services must comply with AML/CTF Tranche 2 requirements.

Does this apply to my practice?

If you provide any of these services, you become a reporting entity:

• Buying and selling real estate

• Managing client money, securities, or other assets

• Managing bank, savings, or securities accounts

• Organising contributions for company formation, operation, or management

• Creating, operating, or managing trusts and companies

Standard tax return preparation and bookkeeping services alone typically don't trigger these requirements.

How many practices does this affect?

Over 25,000 accounting practices across Australia will need to comply with these new requirements.

TPB Compliance vs AML/CTF

I already follow TPB Practice Note 5/2022. Is that enough?

Not quite. TPB compliance provides an excellent foundation, but AML/CTF adds specific requirements:

• Formal risk classification systems (low/medium/high)

• Beneficial ownership mapping beyond client representatives

• PEP and sanctions screening

• Source of wealth/funds verification for high-risk clients

• Ongoing transaction monitoring

• Mandatory reporting to AUSTRAC (SMRs and TTRs)

What's the key difference between TPB and AML/CTF requirements?

TPB focuses on professional conduct and fraud prevention. AML/CTF specifically targets money laundering and terrorism financing through structured risk assessment, enhanced due diligence, and reporting to AUSTRAC.

Can I leverage my existing TPB verification work?

Yes! Your TPB verification satisfies many AML/CTF requirements when:

• Your DVS verification meets identity confirmation standards

• Authority documentation covers representative verification

• Record-keeping provides audit trail foundation

• Risk assessment aligns with AML/CTF methodology

You'll need to add: formal risk classification, PEP/sanctions screening, enhanced due diligence procedures, broader beneficial ownership mapping, ongoing monitoring systems, and reporting capabilities.

Customer Due Diligence (CDD)

What is Customer Due Diligence?

CDD is the process of identifying and verifying your client's identity, understanding their ownership structure, assessing their money laundering/terrorism financing risk, and monitoring the relationship throughout its duration.

What's the difference between standard CDD and Enhanced Due Diligence (EDD)?

Standard CDD applies to low and medium-risk clients and includes identity verification, risk assessment, and basic screening. EDD applies to high-risk clients and adds source of wealth documentation, source of funds verification, enhanced ongoing monitoring, and senior management approval.

What triggers Enhanced Due Diligence?

EDD is required when:

• A customer is rated medium or high-risk

• There's Foreign PEP involvement (always high-risk)

• Connections to high-risk jurisdictions exist

• Unusual transaction patterns emerge

• Complex structures lack clear commercial purpose

• Significant cash transactions occur

What is beneficial ownership and why does it matter?

Beneficial ownership identifies the natural persons who ultimately own or control 25% or more of a legal entity. AML/CTF requires you to map and verify these individuals, going beyond just the client representative or company director.

Politically Exposed Persons (PEPs)

What is a Politically Exposed Person?

A PEP is an individual who holds or has held a prominent public function. This includes heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned corporations, and important political party officials.

Are all PEPs high-risk?

Foreign PEPs are always high-risk and require enhanced measures including source of wealth/funds documentation and ongoing monitoring. Domestic PEPs require enhanced measures only when your risk assessment indicates additional high-risk factors.

Do I need to screen all clients for PEPs?

Yes. PEP and sanctions screening is mandatory for all clients providing designated services, regardless of their initial risk classification.

Ongoing Monitoring

What is ongoing monitoring?

Ongoing monitoring means continuously watching for patterns that don't align with your client's expected profile throughout the entire relationship. This includes changes in transaction structures, inconsistent funding sources, multiple properties in short periods, complex arrangements without clear purpose, or attempts to obscure ownership.

How often do I need to monitor clients?

Monitoring is continuous throughout the relationship. High-risk clients require more frequent and detailed monitoring, while low-risk clients may have less intensive monitoring protocols. Your AML/CTF program should define specific monitoring frequencies based on risk levels.

Reporting Obligations

What reports do I need to file with AUSTRAC?

Three main reports:

1. Suspicious Matter Reports (SMRs): When you suspect money laundering, terrorism financing, sanctions breaches, fraud, or unusual transactions

2. Threshold Transaction Reports (TTRs): When you receive AUD $10,000 or more in cash or cash equivalent in a single transaction

3. Annual AML/CTF Compliance Report: Due 31 March annually, covering the previous calendar year

When do I file a Suspicious Matter Report?

File an SMR when you have reasonable grounds to suspect a client or transaction is linked to money laundering, terrorism financing, sanctions breaches, serious offences, identity fraud, or transactions with no clear business purpose.

What if a legitimate client pays me $15,000 in cash?

You must file a Threshold Transaction Report even if the transaction appears completely legitimate. The $10,000 threshold applies to any cash or cash equivalent received.

What information goes in the Annual Compliance Report?

The report demonstrates how you're meeting obligations including: status of AML/CTF policies, staff training completion, record-keeping practices, compliance reporting activities, and independent reviews undertaken.

Practical Implementation

Do I need to re-verify all my existing clients?

Not necessarily. If your existing TPB verification meets AML/CTF standards, you can leverage that work. However, you'll need to add risk classification, PEP/sanctions screening, and beneficial ownership mapping for clients receiving designated services.

Can I delay verification for new clients?

Yes, but only under specific conditions: you must document a low money laundering/terrorism financing risk assessment, no money can move until verification is complete, and you have maximum timeframes (20 business days for standard services, 15 days or settlement for real estate).

What happens if I don't comply?

Non-compliance can result in significant penalties from AUSTRAC, including substantial fines, enforcement actions, and potential criminal liability for serious breaches.

How do I classify clients as low, medium, or high-risk?

Your AML/CTF program must define risk classification methodology considering factors like: customer type, service type, delivery channel, geographic risk, transaction patterns, and industry sector. You'll need documented procedures for assessment and escalation.

Client Experience

Will this slow down client onboarding?

It can add steps, but with the right technology it shouldn't significantly impact turnaround time. Solutions like VerifiMe's shareable identity wallet allow one-time verification that works across multiple service providers, actually speeding up onboarding for clients working with multiple professionals.

Do my clients need to verify themselves multiple times with different advisors?

Not with shareable credentials. Suppose your client's identity is verified once through a compliant system like VerifiMe. In that case, those verified credentials can be securely shared with their accountant, lawyer, mortgage broker, and financial advisor—eliminating duplicate verification.

How do I explain these new requirements to clients?

Focus on the regulatory framework: "Australian law now requires all accounting practices providing certain services to implement anti-money laundering measures. This means we need to verify some additional information about beneficial ownership and conduct screening. This is standard across all professional services and helps protect the integrity of the financial system."

Technology and Systems

Do I need new software to comply?

While you could manage compliance manually, most practices will benefit from dedicated AML/CTF compliance software that automates risk assessment, PEP/sanctions screening, ongoing monitoring, and reporting.

Can AML/CTF systems integrate with my practice management software?

Yes. Quality compliance platforms like VerifiMe offer API integration with major accounting software systems, allowing seamless data flow and reducing duplicate data entry.

What is DVS and do I need it?

Document Verification Service (DVS) is a government service that verifies identity documents against official databases. While not mandatory, DVS provides the most reliable verification method and is strongly recommended for AML/CTF compliance.

VerifiMe-Specific Questions

How does VerifiMe help with the TPB to AML/CTF transition?

VerifiMe automatically maps your existing TPB verification to AML/CTF requirements, adds the additional screening and risk assessment needed, and creates audit-ready documentation for both frameworks—all without re-verifying clients.

What is a shareable identity wallet?

It's a secure digital credential system where clients verify their identity once, and those verified credentials can be securely shared with multiple professional service providers. This eliminates duplicate verification across accountants, lawyers, brokers, and advisors.

Does VerifiMe handle ongoing monitoring automatically?

Yes. VerifiMe's continuous monitoring automatically alerts you to changes in client risk profiles, unusual transaction patterns, or PEP status changes without requiring manual checks.

Can VerifiMe generate SMRs and TTRs?

VerifiMe provides the documentation and risk indicators that support SMR decisions and tracks threshold transactions, but the reporting entity (your practice) makes the final determination to lodge reports with AUSTRAC.

How long does implementation take?

Most practices can implement VerifiMe within 2-4 weeks, including system integration, staff training, and migration of existing client data. We provide dedicated support throughout the transition period.

Still have questions? Contact VerifiMe at hello@verifime.com for a consultation to discuss your specific practice requirements and how we can support your AML/CTF Tranche 2 compliance journey.

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.