The 31 October cut-off, the BAS quarters, the lodgement crush in May. These dates run your year, but here's a date that isn't in your calendar yet. From the 1st of July, a fair chunk of what your practice does every week falls under a federal regime you've never had to think about before, run by a regulator most accountants couldn't even name.
Somewhere on your server right now, there's a folder full of scanned client passports and licences and other identity documents. It felt like the responsible thing to do at the time, but that folder is about to stop being good practice and start being a liability. And it's at the tame end of much bigger changes.
The regulator is AUSTRAC. If the name rings a bell at all, it's probably something vague to do with banks. Westpac copped a 1.3 billion dollar penalty in 2020 for 23 million breaches of the money laundering rules, the biggest corporate penalty this country has ever dished out. That's the company AUSTRAC has kept until now: banks, casinos, and the big end of town. From next month, though, accounting practices are on that same list. You'll start hearing about "reporting entities," and accountants are about to become exactly that.

It isn't every accountant, and it isn't every job
Australia is one of the last developed countries to do this. The Financial Action Task Force sets the international rules, and has been nagging about the gap for years. The reason? Accountants, lawyers and real estate agents all handle the sort of work money launderers like. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act closed the gap in December 2024, and the new obligations for "Tranche 2" businesses start on 1 July 2026. Enrolment with AUSTRAC opened on the 31st of March, with around 90,000 businesses caught up in it. Most have done nothing yet.
But don't reach for the panic button just yet: the rules target particular "designated services", not accounting in general. A shop doing tax returns, BAS and a bit of bookkeeping might be exempt, but the minute you help a client buy or sell property, hold or move client money, set up or run companies and trusts, or act as a trustee or director, you're in their sights. Plenty of "small" practices do at least some of that, especially the SMSF and trust side, and that's all it takes. So the first job isn't buying anything or filling in a form. It's working out honestly which of your services are the "designated" ones, and figuring out if you need to take action.
What being caught actually means
If you're in, the list is real, but it won't sink you. You enrol with AUSTRAC. You write an AML/CTF program, a document setting out how your practice spots and manages the risk of being used for nefarious purposes, and you put someone's name down as the compliance officer. Then, for the designated services, you do your due diligence before you act.
Customer due diligence is the part commonly referred to as KYC, or "know your customer," and it's where the legal side turns into a data problem. You verify who the client is and, where the client is a company or a trust, who's pulling the strings behind it. You run them against the sanctions lists, check whether anyone's a "politically exposed person," and keep a record of the lot for seven years after you've finished with them. And if something doesn't sit right, you lodge a suspicious matter report, without tipping off the client.
Which brings us back to that folder of passports. Until the 31st of March, already-regulated entities were allowed to keep copies of a client's ID on file, and nearly everyone did. AUSTRAC has since turned that on its head, and now wants you recording the details (the document, the number, the expiry, the fact that you sighted it) rather than hoarding the image. A drawer full of scanned passports used to look like good practice. Today it's the kind of forgotten-data problem we wrote about in "When the Hostage Is Your Staff".
What this means for your IT team
Most of this is process and legislation, and a decent compliance consultant is the right first call, but underneath it all sits a real tech job. That's where we come in. Verifying identity properly needs the right tool, and seven years of records have to live somewhere they can't be altered later and won't disappear at the first sign of ransomware. The sanctions and PEP screenings have to be done, and you have to be able to prove that they were. And all of it is some of the most sensitive personal information your company will ever hold, so it needs to be locked down and kept on Australian soil.
None of this is hard if you start now, and we've got you covered. We've been looking after Sydney businesses, accountants among them, for over 20 years. If you want a straight-up conversation about how this impacts you, and what the tech side would involve, get in touch. No sales pitch.