AML/CTF Compliance Checklist for Australian Accountants

From July 1, 2026, accounting firms that provide designated services become reporting entities under Australia’s AML/CTF regime. That means real obligations, enforceable by AUSTRAC, with serious penalties for non-compliance.

This is not a checklist you can start the week before the deadline. Some of these obligations particularly developing your AML/CTF program and training your staff take weeks to implement properly. Below is a complete, breakdown of all 9 obligations your firm must meet, what each one requires in practice, and exactly what you need to do. Each item also notes where VERA — Nex Automate’s client verification automation tool directly handles the compliance work for you.

⚠️ Penalties for Non-Compliance

Individuals: Up to $6.6 million per contravention

Businesses: Up to $33 million per contravention

AUSTRAC can also cancel your registration, publicly name your firm, and refer matters to the Australian Federal Police. Non-compliance is not a minor administrative issue — it is a serious criminal and civil liability.

At a Glance: Your 9 AML/CTF Obligations

Use this table as a quick reference. The detailed breakdown for each item follows below.

# Obligation When / Frequency
1 Enrol with AUSTRAC By July 29, 2026
2 Develop an AML/CTF Program Before July 1, 2026
3 Appoint a Compliance Officer Before July 1, 2026
4 Customer Due Diligence (CDD) Every new client — before service
5 Enhanced Due Diligence (EDD) High-risk clients — ongoing
6 Ongoing Monitoring Continuous — all clients
7 Reporting to AUSTRAC As required — no delay
8 Record Keeping 7 years minimum
9 Staff Training Before July 1, 2026 — then annually

Don’t have time to build all of this from scratch?

VERA automates the client verification, AML screening, risk scoring, and document generation steps — the most time-consuming parts of your compliance program. Book a free 30-minute demo to see it in action.

👉 Book Your Free VERA Demo

Full Checklist: 9 Obligations Explained

1

Enrol with AUSTRAC

WHY
Before you can legally provide designated services from July 1, 2026, you must be enrolled with AUSTRAC as a reporting entity. Enrolment is your formal registration as an entity subject to the AML/CTF Act.
DO

Create an AUSTRAC Online account at austrac.gov.au if you do not already have one.

Complete the enrolment form with your business details, ABN, and the designated services you provide.

Enrol by July 29, 2026 at the latest, within 28 days of July 1 — note that enrolment opened March 31, 2026.

Keep your enrolment details up to date — you must notify AUSTRAC within 14 days of any material changes.

2

Develop an AML/CTF Program

WHY
Every reporting entity must have a documented, risk-based AML/CTF program. This is the foundation of your compliance framework — it sets out how your firm identifies, manages, and mitigates money laundering and terrorism financing risks.
DO

Conduct a money laundering and terrorism financing risk assessment for your practice — covering your client base, services, delivery channels, and geographies.

Document your AML/CTF policies, procedures, and internal controls in a written program.

Ensure the program covers: customer due diligence, ongoing monitoring, reporting, record keeping, and staff training.

Appoint a senior person to own and oversee the program.

Review and update the program at least every 3 years — and whenever your business model or risk profile changes significantly.

For smaller practices, 15 or fewer staff, professional services only, AUSTRAC’s Accounting Program Starter Kit provides a template to build from.

3

Appoint an AML/CTF Compliance Officer

WHY
You must designate a specific person — or people — responsible for overseeing your firm’s AML/CTF compliance. This person is accountable to your board or senior management for the integrity of your compliance program.
DO

Nominate a compliance officer from within your firm — this can be a principal, partner, or senior manager.

Ensure they have sufficient authority, resources, and access to information to perform their role.

The compliance officer must understand the requirements of the AML/CTF Act and your firm’s specific obligations.

Document the appointment formally as part of your AML/CTF program.

In smaller practices, the principal or sole practitioner will typically serve as their own compliance officer.

4

Customer Due Diligence (CDD)

WHY
CDD is the process of verifying who your clients actually are before you provide any designated service. This is the most operationally intensive obligation for most accounting firms — and the one where manual processes will cost the most time.
DO

Verify the identity of every client before providing any designated service — not after.

For individuals: collect full name, date of birth, and residential address. Verify using a government-issued photo ID, such as a passport or driver licence, plus a Face-ID biometric check.

For companies and trusts: identify and verify the beneficial owners, being individuals who ultimately own or control 25% or more of the entity.

Conduct AML/CTF screening against sanctions lists, including OFAC, UN, Australian sanctions, and Politically Exposed Persons, PEP, databases.

Assign a risk rating to each client — low, medium, or high — based on their profile.

Existing clients who receive new designated services may need to be re-verified.

VERA handles this: VERA automates the entire CDD process — Face-ID verification, document checks, sanctions screening, PEP screening, and risk scoring — reducing 30–45 minutes of manual work to approximately 3 minutes per client.

5

Enhanced Due Diligence (EDD)

WHY
Enhanced Due Diligence applies additional scrutiny to clients or transactions that pose a higher risk of money laundering or terrorism financing. EDD is mandatory — not optional — when certain triggers are present.
DO

Apply EDD to any client identified as a Politically Exposed Person, PEP — a current or former senior government official, or their close associate or family member.

Apply EDD to clients from high-risk countries identified by FATF or AUSTRAC guidance.

Apply EDD when a client’s source of funds or wealth cannot be easily explained or verified.

Apply EDD when a transaction appears unusual, complex, or inconsistent with the client’s known profile.

Document your EDD process and the decisions made for each high-risk client in your records.

Consider whether to continue or terminate the relationship if EDD cannot be completed satisfactorily.

VERA handles this: VERA’s risk scoring module automatically flags clients for EDD based on PEP status, sanctions hits, and risk profile — ensuring no high-risk client slips through your process.

6

Ongoing Monitoring

WHY
AML/CTF compliance is not a one-time client onboarding exercise. You must continuously monitor your client relationships and the services you provide for signs of suspicious activity or changes in risk profile.
DO

Review client relationships periodically — the frequency should match their risk rating, with higher-risk clients reviewed more frequently.

Monitor transactions and instructions for patterns inconsistent with what you know about the client.

Re-verify clients when their circumstances change materially — such as new beneficial owners, change of jurisdiction, or a significant shift in transaction volume.

Keep client information up to date — outdated information means you cannot effectively monitor the relationship.

Document your monitoring activities and the outcomes of each review.

7

Reporting to AUSTRAC

WHY
As a reporting entity, you have mandatory reporting obligations to AUSTRAC. Failure to report is itself a serious breach — AUSTRAC actively monitors reporting patterns and investigates gaps.
DO

Submit a Suspicious Matter Report, SMR, as soon as practicable — and within 24 hours if terrorism financing is suspected — when you form a suspicion about a client or transaction.

Submit a Threshold Transaction Report, TTR, within 10 business days for any physical cash transaction of $10,000 or more.

Submit an International Funds Transfer Instruction, IFTI, report within 10 business days for relevant international transfers.

Never tip off a client that you have submitted or are considering submitting a report — tipping off is itself a criminal offence.

Keep records of all reports submitted and the basis for submitting them.

8

Record Keeping

WHY
Every step of your AML/CTF compliance process must be documented and retained. Records are your evidence of compliance — in an AUSTRAC audit, if it is not documented, it did not happen.
DO

Retain all identity verification documents and records, including copies of IDs, Face-ID results, and screening reports, for a minimum of 7 years from the date of the transaction or end of the client relationship.

Retain records of your AML/CTF risk assessments, due diligence decisions, and monitoring reviews.

Retain records of all AUSTRAC reports submitted.

Ensure records are stored securely and can be retrieved promptly if requested by AUSTRAC.

Records must be in English or readily convertible to English.

VERA handles this: VERA automatically stores all client verification records, screening results, and audit trails — with timestamps and document copies — in a format ready for AUSTRAC review.

9

Staff Training

WHY
Every person in your firm who interacts with clients or handles financial matters must understand your AML/CTF obligations and how to identify and respond to suspicious activity. Training is not optional — and it needs to be documented.
DO

Deliver AML/CTF training to all relevant staff before July 1, 2026.

Training must cover: what money laundering and terrorism financing look like, your firm’s obligations under the AML/CTF Act, your internal procedures and policies, and how to escalate concerns.

Repeat training at least annually — and when your program or AUSTRAC guidance changes significantly.

Keep records of all training delivered, including dates, attendees, and the content covered.

New staff must complete training before they begin working with clients on designated services.

How Long Does All of This Actually Take?

This is the question every practice principal is asking. The honest answer depends on your firm’s size and complexity but here is a realistic timeline for a mid-sized practice starting from scratch:

Task Manual effort With VERA
Develop AML/CTF Program 2–4 weeks 2–4 weeks (VERA does not replace this)
AUSTRAC Enrolment 1–2 hours 1–2 hours
Appoint Compliance Officer 1 day 1 day
Client verification (per client) 30–45 minutes ~3 minutes
100 clients verified 50–75 hours ~5 hours
Staff training 1–2 days 1–2 days
Records setup and storage Ongoing manual Automated — VERA stores all records

Be Compliance-Ready Before July 1 — Without the Admin Burden

VERA automates client verification, AML/CTF screening, risk scoring, document generation, and record keeping. What takes 45 minutes manually takes 3 minutes with VERA. Deploys in 2 weeks. No lock-in contract. Book your free demonstration today.

👉 Book Your Free VERA Demo

P.S. This checklist covers the obligations — but building your AML/CTF Program document is a separate exercise that takes weeks, not hours. If you have not started yet, start today. AUSTRAC’s Accounting Program Starter Kit, available at austrac.gov.au, is a good foundation for smaller practices. Larger firms should engage a compliance specialist.

About Nex Automate

Nex Automate is an Australian accounting automation platform built by accountants, for accountants. VERA is our AML/CTF client verification automation tool — designed specifically for accounting firms preparing for Tranche 2 compliance. VERA handles VOI checks, sanctions screening, PEP checks, risk scoring, engagement letter generation, and record keeping automatically.

Visit nexautomate.com.au