AML/CTF obligations for professional services firms in 2026 are more demanding than most firms realise — not just who must comply, but what the reformed regime structurally requires. The AML/CTF Amendment Act 2024 introduces 8 changes to the framework alongside 6 mandatory obligations.
Table of Contents
What changes, and what stays the same
Understanding the AML/CTF obligations that take effect from 1 July 2026 means understanding what has structurally changed in Australia’s regime — not just who is newly captured. The reforms do not simply extend existing rules to new sectors. In several important respects, the framework is being restructured. The following table maps every area of material change:
Area | Before 1 July 2026 | From 1 July 2026 |
Who must comply | Banks, fintechs, remittance providers, casinos, bullion dealers | All of the above PLUS accountants, lawyers, real estate agents, TCSPs, and select financial advisers |
Program structure | Two-part: Part A + Part B documents | Single integrated, risk-based AML/CTF program |
Customer due diligence | Required at onboarding only | Onboarding PLUS mandatory ongoing refresh when risk profile changes |
Beneficial ownership | Banks and financial institutions only | ALL reporting entities — identify persons with 25%+ control of any corporate or trust client |
PEP obligations | Foreign PEPs only | Domestic AND foreign PEPs — both require enhanced CDD |
AUSTRAC registration | Existing entities only | Mandatory for all Tranche 2 entities before providing designated services |
Tipping-off | Banks and existing entities | ALL reporting entities — now directly applies to lawyers and accountants |
Record retention | 7 years (existing entities) | 7 years — same standard, newly applied to professional services |
Enforcement exposure | Primarily financial institutions | All reporting entities including newly regulated professional services firms |
8 Changes defining the new AML/CTF obligations
Every newly designated professional services firm must understand these 8 structural changes before building its compliance program. They are not administrative updates — they define the legal standard against which AUSTRAC will assess your firm.
01 Sector expansion — 10,000 new reporting entities
AUSTRAC estimates the reforms will bring approximately 10,000 new reporting entities into the regime — the largest single-cohort addition since the Act passed in 2006. For the legal and accounting professions, this change in professional obligations has no modern precedent.
02 Single integrated program — end of Part A / Part B
The old two-document structure is replaced by a single risk-based AML/CTF program. The flexibility this affords requires genuine risk assessment capability — not template-filling. AUSTRAC’s supervisory focus is on evidence of execution, not document existence.
Many professional services firms have established client relationships built on entity-level identification only. The Tranche 2 obligation requires revisiting those relationships to identify the natural persons who ultimately control the entity. For clients with complex structures, this is not a form-filling exercise — it requires genuine understanding and, in some cases, frank conversations.
03 Beneficial ownership — looking through the structure to the real person
All reporting entities must now identify any natural person with 25% or more ownership or control of any corporate or trust client — at onboarding, not when a transaction is flagged. This means mapping through holding companies, discretionary trust deeds, and nominee arrangements to identify real individuals.
04 Domestic PEPs — closing the loophole
Enhanced CDD was previously mandatory only for foreign Politically Exposed Persons. Domestic PEPs — Australian politicians, senior public servants, senior judiciary members, and their close associates — require the same enhanced CDD. For firms that advise government clients or individuals connected to public office, this change has immediate client-by-client implications.
05 Ongoing CDD — from event-based to relationship-based compliance
Customer due diligence is no longer triggered by transactions alone. It is an ongoing obligation tied to the client relationship itself. Risk profiles must be monitored and refreshed when circumstances change or when program-defined periods have elapsed. For a firm with hundreds of established clients, this is a fundamental operating change that requires systematic scheduling, not ad hoc review.
06 Tipping-off now applies to lawyers and accountants
The criminal prohibition on informing a client that a Suspicious Matter Report has been or may be lodged now directly applies to professional services firms. Its intersection with legal professional privilege is genuinely complex for legal practitioners.
The Law Council has been actively engaged with the Attorney-General’s Department on the tension between the tipping-off prohibition and lawyers’ duties of confidentiality and legal professional privilege. Firms should not wait for final guidance before establishing internal SMR escalation protocols — the obligation applies regardless.
07 Single customer identification procedure
Multiple identification pathways are replaced by a single standard: identity collection, verification, and beneficial ownership analysis in one coherent process. Known-client exemptions and informal identification practices no longer satisfy the obligation.
08 Proactive supervision — AUSTRAC is not waiting
AUSTRAC has signalled a proactive supervisory model for Tranche 2 entities from day one of commencement. Its published guidance explicitly states an expectation of operationalised programs — not programs in development.
AUSTRAC has been building supervisory capacity specifically to apply it to newly regulated entities from commencement.
6 AML/CTF obligations every firm must implement
The 8 changes above describe what has structurally shifted. The 6 AML/CTF obligations below describe what every newly designated firm must actually build and operate.
1. Register with AUSTRAC — on or before 30 June 2026
Register via AUSTRAC Online before providing designated services. Disclosures required: ownership structure, key management personnel, and the designated service categories being offered. Operating unregistered after 1 July 2026 is a civil penalty offence.
2. Write and adopt a single integrated AML/CTF program
A single, written, risk-based document — not Part A and Part B — covering: ML/TF risk assessment; KYC procedures; beneficial ownership identification; ongoing CDD triggers; staff training requirements; a designated compliance officer; an independent review mechanism; and 7-year record-keeping procedures.
3. Know Your Customer (KYC) and customer due diligence
Standard CDD for most clients: legal name, date of birth, address, and beneficial ownership information, verified against independent sources. Enhanced CDD for domestic and foreign PEPs, clients from FATF high-risk jurisdictions, unusual transaction structures, and clients unable to provide satisfactory identification.
4. Ongoing monitoring and CDD refresh
Monitor client relationships continuously. Refresh CDD when risk profiles change materially, when transactions are inconsistent with known profiles, when new information emerges, or when program-defined periods have elapsed (typically 1–3 years for standard-risk clients).
5. Lodge Suspicious Matter Reports when required
Where reasonable grounds exist to suspect money laundering, terrorism financing, or related offences: lodge an SMR with AUSTRAC within 3 business days of forming a suspicion, or 24 hours where terrorism financing is suspected. Establish internal escalation protocols that comply with the tipping-off prohibition.
6. Retain all records for a minimum of 7 years
Customer identification documents, transaction records, CDD file notes, training logs, and SMR decisions — all must be retained and producible to AUSTRAC at any time.
AML/CTF obligations require operational discipline, not paperwork
The AML/CTF obligations are not a checklist to complete once. They are a framework to embed into how your firm operates: how it onboards clients, monitors relationships, escalates concerns, and documents decisions.
AUSTRAC’s standard is evidence of practice — transaction records, training logs, CDD file notes, documented SMR decisions. A program document alone will not satisfy a supervisory review. The firms that build genuine operational compliance will be in a materially different position to those that build documentation compliance.
Paper compliance will not withstand scrutiny. Operational compliance will.
How DBA Advisory supports
DBA Advisory works with professional services firms, financial businesses, and private enterprises across Australia to build AML/CTF programs that are genuinely defensible — tailored to your firm’s specific risk profile, embedded in your operating procedures, and built to withstand AUSTRAC scrutiny. All engagements are delivered on a fixed-fee basis — so the cost of compliance is certain before the work begins.
Frequently Asked Questions (FAQs)
The AML/CTF obligations for professional services firms are: (1) register with AUSTRAC before providing designated services; (2) maintain a single integrated risk-based AML/CTF program; (3) conduct KYC and customer due diligence at onboarding and on an ongoing basis; (4) monitor client relationships and refresh CDD when risk profiles change; (5) lodge Suspicious Matter Reports within 3 business days of forming a suspicion (or 24 hours for terrorism financing); and (6) retain all AML/CTF records for a minimum of 7 years. AUSTRAC’s supervisory focus is on evidence that these obligations are actually followed in practice.
An AML/CTF program is a single, written, risk-based document that every designated reporting entity must maintain and operate. Under the reformed framework, it replaces the old Part A / Part B two-document structure. The program must cover: a documented ML/TF risk assessment; customer identification and KYC procedures; beneficial ownership identification procedures; ongoing CDD triggers; staff training requirements; a designated compliance officer; an independent review mechanism; and 7-year record-keeping procedures. The key standard is that the program must be operationalised — embedded in how the firm actually works, not just documented in a folder.
Beneficial ownership refers to the natural person or persons who ultimately own or control a legal entity — specifically, any individual with 25% or more ownership or control rights. Professional services firms must now identify beneficial owners of corporate and trust clients at onboarding — not just when a transaction is flagged. This means mapping through holding company structures, discretionary trust deeds, and nominee arrangements to identify real individuals. Collecting a certificate of incorporation alone is not sufficient. AUSTRAC’s standard is genuine understanding of who controls the entity, documented at the time of onboarding.
Standard customer due diligence (CDD) applies to most clients and requires collection and verification of full legal name, date of birth, and address for individuals; or ABN/ACN, registered address, and beneficial ownership information for entities — verified against reliable independent sources. Enhanced CDD applies to higher-risk clients: domestic and foreign Politically Exposed Persons, clients from FATF high-risk jurisdictions, clients with unusual or complex transaction structures, and clients who are reluctant to provide satisfactory identification. Enhanced CDD requires deeper investigation into source of wealth and the commercial purpose of the transaction, plus more frequent ongoing monitoring.
Yes. Under the Tranche 2 reforms, both domestic and foreign Politically Exposed Persons require enhanced customer due diligence from 1 July 2026. Domestic PEPs include Australian politicians (federal and state), senior public servants, senior judiciary members, senior military officers, and their immediate family members and close associates. This is a significant change from the previous framework, which required enhanced CDD only for foreign PEPs. Professional services firms that advise government clients or individuals connected to public office must review their existing client base and update their onboarding procedures accordingly.
Disclaimer
© DBA Advisory 2026. This article is intended as general information only and does not constitute legal or compliance advice. Businesses should seek qualified advice specific to their circumstances before acting on any information contained in this article.
Related content
What to Expect Next
We build the resilient operational foundations
empowering you to
scale your business with absolute certainty
Get in touch
Alquin Dagamina
Manager Business Transformation and Technology Services Division
- Alquin.Dagamina@dbaadvisory.com
- 09158918379
