AML/CTF compliance for Australian trust and company service providers — what AUSTRAC and the OAIC expect
A primary-source briefing for trust and company service providers (TCSPs) — practices that form companies, act as nominee directors or trustees, or provide registered office services. Quotes are verbatim from AUSTRAC's January 2026 sector starter kit and the OAIC's CC BY 4.0 templates.
TL;DR
From 1 July 2026, trust and company service providers come into scope under Items 5, 7, 8 and 9 of Table 6 of section 6 of the AML/CTF Act — covering shelf-company sales, acting as a director / trustee / nominee, acting as a nominee shareholder, and providing a registered office or principal-place-of-business address. AUSTRAC's 2024 national risk assessment specifically calls out TCSPs and rates them as medium and stable vulnerability to money laundering. Most TCSP activity in Australia sits inside accounting and legal practices, so the AUSTRAC Accountants starter kit covers the sector. The Privacy Act small-business exemption no longer applies to your AML/CTF data, so the OAIC framework applies on top.
What AUSTRAC says about trust and company service providers
"Trust and company service providers are often exploited by criminals due to their expertise in wealth protection and the administration of trust and company structures. Whether they're complicit or non-complicit, they create further distance between a criminal and their illicit proceeds."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk — Trust and company service providers".
"Although companies can generally be set up without a trust and company service provider, the creation of more complex legal structures, including trusts, often requires the expertise of trust and company service providers. These structures are highly attractive to criminals as they: make it hard to determine beneficial ownership; conceal the origin and purpose of financial transactions; move significant volumes of funds domestically and offshore."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk — Trust and company service providers".
"Many of the established methodologies used to conceal wealth, circumvent financial obligations and ultimately launder money are enhanced by a trust and company service provider. Key methodologies include: establishing corporate structures in jurisdictions with lax regulatory and legislative frameworks, including secrecy jurisdictions; creating complex chains of companies across multiple jurisdictions; appointing dummy directors and shareholders; acting as trustees on behalf of a client; providing loans secured by client funds."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Money laundering: Inherent risk — Trust and company service providers".
Your designated services (Table 6 — TCSP items)
"Selling or transferring a shelf company. (Item 5 of table 6 of the AML/CTF Act)"
"Acting as a director or secretary of a company, a power of attorney of a body corporate or legal arrangement, a partner in a partnership, a trustee of an express trust, or any other functionally equivalent position on behalf of a person. This includes arranging for another person to act in these roles… This doesn't include persons acting in either a: fiduciary capacity because of an order of a court or tribunal; trustee of a regulated debtor's estate due to bankruptcy. (Item 7 of table 6 of the AML/CTF Act)"
"Acting as a nominee shareholder of a body corporate, or legal arrangement, on behalf of a person. This includes arranging for another person to act in these roles. (Item 8 of table 6 of the AML/CTF Act)"
"Providing a registered office address or principal place of business address, of a body corporate or legal arrangement. (Item 9 of table 6 of the AML/CTF Act)"
— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Inherent risk".
How AUSTRAC describes the exploitation of each service
"Criminals often prefer purchasing shelf companies as opposed to forming new companies, particularly where the registration date is earlier than when it was used for any purpose (legitimate or illegitimate). Shelf companies are commonly used by criminals in the same way as 'shell companies', which are companies with no real assets or business operations. However, shelf companies registered in the past may seem more legitimate than a newly formed company when trying to open a bank account or send proceeds of crime overseas."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Inherent risk — Selling or transferring a shelf company".
"Criminals can exploit accountants acting as a nominee shareholder in several ways, including to: obscure ownership behind the nominees; integrate illegal funds into the economy by moving the funds through additional entities to obscure the origin."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Inherent risk — Acting as a nominee shareholder (Item 8)".
"When a practice provides a body corporate with a registered office address or principal place of business address instead of the address the person operates their business from… Criminals can use this service to appear legitimate and make it seem like the business is operating in a different location to where it's located. This allows them to distance themselves from illicit activities, making it difficult to identify beneficial ownership. The service can facilitate the use of complex legal structures with ties to overseas jurisdictions."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Designated services: Inherent risk — Providing a registered office address (Item 9)".
Trusts as money-laundering vehicles
"Trusts are attractive vehicles for money laundering as they separate the legal owner of the assets (the trustee) from the beneficiary. This helps hide the beneficiary's interests. Trusts may also use a shell company with dummy directors as trustee to make it harder to identify who's controlling the trust… Lack of transparency for trusts in Australia hinders the detection of criminal use, making it harder to identify and seize illicit assets."
— AUSTRAC, Accountants — Risk assessment — January 2026, "Clients: Inherent risk — Trusts".
The Privacy Act overlay — what the OAIC expects
Once you are a reporting entity, the personal information you collect to verify the identity of beneficial owners, settlors, appointors and beneficiaries is governed by the Privacy Act 1988 regardless of your practice's turnover. The OAIC publishes the framework:
"The Office of the Australian Information Commissioner's (OAIC) Privacy management framework outlines steps to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2. A key tool to help you meet these requirements is to develop and implement a privacy management plan."
— OAIC, Privacy management plan template, distributed under CC BY 4.0.
"We collect your personal information to comply with the 'Customer Due Diligence' requirements in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). This includes to: establish and verify your identity before providing certain services to you or the person you are acting on behalf of; assess and manage potential money laundering, terrorism financing, proliferation financing risks or related compliance risks associated with the provision of our services; make reports required by law under the AML/CTF Act; meet record keeping obligations under the AML/CTF Act."
— OAIC, Template privacy collection notice for reporting entities under the AML/CTF Act, distributed under CC BY 4.0.
What this means in practice
For a TCSP, the 1 July 2026 minimum surface is:
- Enrolment with AUSTRAC and an appointed AML/CTF Compliance Officer.
- Customer Due Diligence on the customer AND on all beneficial owners, controllers, settlors, appointors and beneficiaries — TCSP CDD is intentionally deeper than other sectors.
- Enhanced CDD for high-risk structures: secrecy jurisdictions, nominee arrangements, complex chains of companies.
- PEP and sanctions screening across the full ownership tree.
- A 7-year record retention scheme (s.107 transactions, s.113 CDD, s.116 program).
- A documented AML/CTF program approved by the governing body under s.26F.
- An OAIC-compliant privacy program: APP 1.3 policy, APP 5 collection notice at onboarding (issued to every controller / beneficial owner whose ID is verified), APP 8 cross-border disclosure record, and a Notifiable Data Breach response procedure under Part IIIC.
For the full statutory framework and a 6-week countdown plan, see the Tranche 2 explainer.
TCSP pack — AUD $99 flat
70+ pre-filled documents tailored to your practice and the Table 6 designated services you provide. AUSTRAC starter-kit forms reproduced verbatim. OAIC templates bundled under CC BY 4.0. Delivered as DOCX.
Get your pack →This page reproduces verbatim passages from AUSTRAC's January 2026 sector starter kits (used under AUSTRAC's published licence) and the OAIC's Privacy Management Plan template and AML/CTF Privacy Collection Notice template (used under CC BY 4.0). It is not legal advice. The OAIC and AUSTRAC have not endorsed privacycovered.com.au or any product or service offered through it. Engage qualified Australian counsel to confirm the obligations and documents fit your practice's circumstances.