Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.
Understanding AML/CTF Rules 2025 Part 5: AML/CTF programs, and what it means for accounting practices
From July 2026, accounting practices that provide designated services (such as setting up companies, managing client money, or trust services) will need a compliant AML/CTF program. This isn’t just red tape – it’s a legal requirement to show your practice can detect and prevent money laundering and terrorism financing (ML/TF).
Useful terms
- ML/TF risk: the risk your practice could be used for money laundering or terrorism financing.
- KYC information: the identity and verification checks you must collect on your clients.
- Source of wealth (SoW) and source of funds (SoF): where a client’s money or wealth comes from.
- Politically exposed person (PEP): a high-profile public official, in Australia or overseas.
- Designated services: the regulated services under the Act, such as company formation, trust services, or managing client money.
- Governing body: the individual or group in your practice responsible for AML/CTF oversight.
- Independent evaluation report: a written review of your AML/CTF program by an external expert.
Risk assessments (Division 1)
Your AML/CTF program starts with a risk assessment. You need to understand where and how your practice could be exploited for ML/TF.
If an independent review finds problems with your risk assessment, you must fix them promptly – your governing body (internal oversight group) is responsible for ensuring this happens.
Policies for managing ML/TF risks (Division 2)
Your written policies must cover how your practice will reduce ML/TF risks. This includes:
1. Customer due diligence (CDD)
You need clear rules for:
- Initial CDD: verifying a client before acting.
Example: A client engages you to provide bookkeeping services for a newly incorporated company. You must verify the directors and beneficial owners, not just the person signing the engagement letter.
- Ongoing CDD: re-checking if circumstances change.
Example: A client you’ve managed for years, who usually provides straightforward annual tax returns, suddenly asks you to facilitate a series of large international transfers through their self-managed superannuation fund (SMSF). This change in behaviour requires you to re-verify their identity, confirm the beneficial owners of the SMSF, and check the legitimacy of the overseas counterparties and funds.
2. Targeted financial sanctions
Your policies must make sure that, when providing designated services, you:
- do not provide services to any individual or entity on a sanctions list
- do not use or handle assets that belong to or are controlled by any individual or entity on a sanctions list
3. Updating policies
If an independent review shows gaps, your policies must explain how you will update them.
4. Senior manager approval
Certain high-risk situations need senior manager (likely a Partner, Director, or CEO) approval before proceeding, such as:
- Acting for a foreign PEP.
Special case example: A new client, who is a senior government official from Malaysia, asks your practice to structure a series of family trusts in Australia. Because they are a foreign PEP, you must assess source of wealth and funds carefully and obtain senior manager approval before accepting the engagement.
- Acting for a domestic or international PEP who poses a high ML/TF risk.
- Using “nested services”.
Example: A practice manages payroll for a multinational client. To pay overseas staff, it uses a third-party payroll platform, which in turn channels funds through an international remittance provider and then a global bank. Because the transaction flows through multiple layers (practice → payroll provider → remittance service → bank), this is a nested service arrangement and requires senior manager approval before the payments are processed.
- Relying on another party’s KYC checks.
AML/CTF policies related to governance and compliance management (Division 3)
Reporting to the governing body (i.e. your internal oversight individual or group)
Your policies must set out how AML/CTF information flows up to your governing body.
Reports from the AMLCO
Your AMLCO must provide at least annual reports on:
- Whether policies are being followed.
- Whether risks are being managed effectively.
- Whether the practice is complying with the law.
Personnel due diligence
Staff working on AML must be checked for skills, honesty, and integrity – both when hired and during their employment.
Training
Staff must receive tailored AML training.
- Example: A junior staff member preparing BAS notices should understand why a client splitting income across multiple personal and business accounts without a clear business purpose could be a red flag for money laundering or tax evasion.
- Example: A partner must know when to escalate if a long-standing client suddenly begins funnelling large sums through a high-risk jurisdiction even though their historic activity has been low risk.
Independent evaluations
Every AML/CTF program must be independently reviewed at least every three years. The evaluator will test whether your policies are adequate, whether your practice is following them, and whether risks are being managed properly.
Quality of reports
Your AML/CTF policies must ensure reports to AUSTRAC are accurate, complete, and untampered with. This includes:
- Suspicious matter reports (SMRs)
- Threshold transaction reports (TTRs)
- International value transfer reports
Your AML/CTF policies must give you time and processes to review information that could trigger a suspicious matter report (SMR).
Your AML/CTF policies must stop staff or contractors from warning clients that an SMR might be, or has been, lodged.
AML Compliance Officers (AMLCOs) (Division 4)
Your AMLCO must be “fit and proper.” This means they have the right skills, integrity, and no disqualifying history (e.g. bankruptcy, serious convictions, regulatory bans).
In accounting practices, the AMLCO function is usually taken on by a Partner, Director, or senior manager with compliance or client money expertise - often someone already responsible for risk management, audit quality, or trust account oversight.
AML program documentation (Division 5)
Your AML/CTF program must be written down – including risk assessments and policies – before you start offering designated services. Updates must be documented within 14 days.
Policies related to lead entities (in reporting groups) (Division 6)
If your practice is part of a reporting group (for example, a national accounting network), the lead entity must keep accurate and updated membership records.
Accounting services (Division 8)
For services like company formation, trust management, or handling client funds, your AML/CTF policies must explain how you will verify your customer’s identity before providing services.
Exception – reliance clause
In some cases, your practice can rely on another reporting entity (such as another accounting practice in the group or a law firm) to complete client verification. But it must be covered by a written agreement, done within 15 days of engagement (or before services are provided, whichever comes first), and your practice still carries ultimate responsibility.
What doesn’t apply (Division 7)
Rules for “transfers of value” (like banks processing payments) generally don’t apply to accounting practices. The only time they might is if you step into financial services territory (e.g. moving money through fintech platforms). In that case, extra approval processes apply.
Why this matters for accounting practices
Accountants are often gatekeepers for money flows and business structures. This makes the profession highly attractive to criminals seeking to disguise funds. A strong AML/CTF program protects your practice, ensures compliance with AUSTRAC rules, and reassures clients and regulators that your services aren’t being misused to clean dirty money.
About First AML
First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.