AML/CTF compliance for Australian accountants — what AUSTRAC and the OAIC expect

A primary-source briefing for accounting and bookkeeping practices that become reporting entities under AML/CTF Tranche 2. Quotes are verbatim from AUSTRAC's January 2026 sector starter kit and the OAIC's CC BY 4.0 templates.

Published 14 May 2026 · privacycovered.com.au

What AUSTRAC says about accountants

"Australian authorities identify accountants as key facilitators in money laundering. Accountants can facilitate money laundering schemes by: creating and using complex and multi-layered corporate structures and registered companies to layer illicit funds; moving large volumes of money rapidly through multiple company accounts; obscuring and falsifying the source of structured cash deposits; obscuring parties to a transaction where trust accounts are used."

— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk" section.

"Australia's 2024 money laundering national risk assessment assesses: accountants as posing a high and stable vulnerability to money laundering; trust and company service providers as posing a medium and stable vulnerability to money laundering."

— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk".

"Accountants can assist in crimes such as tax evasion and fraud that create illicit funds, as well as enabling the laundering of these proceeds. This is because accountants and tax agents don't have the same obligations as legal professionals to audit and reconcile client-trust accounts."

— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk".

Your designated services (Table 6)

AUSTRAC describes the Table 6 designated services that bring an accounting practice into scope as follows:

"Assisting a person in the planning or execution of a transaction to buy, sell or transfer a body corporate or legal arrangement. This includes acting on their behalf in a transaction. This only applies where the sale, purchase or transfer relates to a controlling interest in the body corporate or legal arrangement. (Item 2 of table 6 of the AML/CTF Act)"

"Receiving, holding, controlling or managing a person's money, accounts, securities or securities accounts, virtual assets, or other property as part of assisting the person in the planning or execution of a transaction. (Item 3 of table 6 of the AML/CTF Act)"

"Assisting in planning or executing in the creation or restructuring of a body corporate or legal arrangement. (Item 6 of table 6 of the AML/CTF Act)"

"Acting as a director or secretary of a company, a power of attorney of a body corporate or legal arrangement, a partner in a partnership, a trustee of an express trust, or any other functionally equivalent position on behalf of a person. (Item 7 of table 6 of the AML/CTF Act)"

"Providing a registered office address or principal place of business address, of a body corporate or legal arrangement. (Item 9 of table 6 of the AML/CTF Act)"

— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Inherent risk" table.

If you provide any of these services in the course of your business, you are a reporting entity. The full list of Table 6 items appears in s.6 of the AML/CTF Act.

Risk factors AUSTRAC tells accountants to watch for

"Accountants often facilitate high value transactions on behalf of their clients, making them attractive for laundering significant amounts of illicit funds without drawing attention from law enforcement. Some transactions can occur very quickly, including those in commercial matters. This speed of transactions, along with their high value, can allow criminals to move significant amounts of illicit funds in a single transaction."

— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Risk factors — High value transactions".

"Accountants can help their clients create legal structures which make it hard to determine who owns or controls their property or money. This often involves creating layers of companies, trusts and other entities between the individual and the property or money they're trying to hide."

— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Risk factors — Effective anonymity".

Single-employee practices

AUSTRAC explicitly addresses the small-firm reality: the obligations don't get smaller, but the person doing them is the same person across every role.

"If you're a single employee practice, you will do all these roles… If you're a single employee practice, you will have all these responsibilities."

— AUSTRAC, Accountants — Customise guide — January 2026, "Personnel — Step 1: Identify all AML/CTF-related roles".

The Privacy Act overlay — what the OAIC expects

Becoming a reporting entity removes the Privacy Act small-business exemption for your AML/CTF data handling. The OAIC's Privacy Management Plan template (CC BY 4.0) sets out the framework you are expected to implement under APP 1.2:

"The Office of the Australian Information Commissioner's (OAIC) Privacy management framework outlines steps to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2. A key tool to help you meet these requirements is to develop and implement a privacy management plan."

— OAIC, Privacy management plan template, distributed under CC BY 4.0.

"Step 1 — Embed: a culture of privacy that enables compliance. Step 2 — Establish: robust and effective privacy practices, procedures and systems. Step 3 — Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness. Step 4 — Enhance: your response to privacy issues."

— OAIC, Privacy management plan template, Step headings.

The OAIC also publishes a verbatim collection notice for AML/CTF reporting entities, used at customer onboarding to explain why you are now collecting identity documents:

"We collect your personal information to comply with the 'Customer Due Diligence' requirements in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). This includes to: establish and verify your identity before providing certain services… make reports required by law under the AML/CTF Act; meet record keeping obligations under the AML/CTF Act."

— OAIC, Template privacy collection notice for reporting entities under the AML/CTF Act, distributed under CC BY 4.0.

What this means in practice

For an accounting practice with even one Table 6 designated service, the 1 July 2026 minimum surface is:

• Enrolment with AUSTRAC and an appointed AML/CTF Compliance Officer (single-employee practices: that's you).
• A documented Customer Due Diligence pipeline — initial CDD, enhanced CDD for higher-risk clients, periodic and trigger-event reviews, PEP and sanctions screening.
• A 7-year record retention scheme covering transaction records (s.107), CDD records (s.113) and program records (s.116).
• An AML/CTF program approved by the governing body (your sole director in a small Pty Ltd) and reviewed at least annually under s.26F.
• An OAIC-compliant privacy program: APP 1.3 policy, APP 5 collection notice at onboarding, APP 8 cross-border disclosure record if your KYC vendor sends data overseas, APP 11 security, APP 12 access with the s.123 tipping-off carve-out, and a Notifiable Data Breach response procedure under Part IIIC of the Privacy Act.

For the full statutory framework and a 6-week countdown plan, see the Tranche 2 explainer.

This page reproduces verbatim passages from AUSTRAC's January 2026 sector starter kits (used under AUSTRAC's published licence) and the OAIC's Privacy Management Plan template and AML/CTF Privacy Collection Notice template (used under CC BY 4.0). It is not legal advice. The OAIC and AUSTRAC have not endorsed privacycovered.com.au or any product or service offered through it. Engage qualified Australian counsel to confirm the obligations and documents fit your practice's circumstances.