Introduction
Anti-money laundering (AML) compliance is now a critical obligation for Australian accountants under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth). This legislation designates accounting firms as “Tranche 2” entities, subjecting them to stringent new regulatory requirements overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC).
With these obligations commencing on 1 July 2026, firms face heightened scrutiny during AML audits, where common mistakes can lead to severe penalties and reputational damage. This guide outlines the most frequent compliance errors to help accountants navigate the complexities of Tranche 2 and avoid costly pitfalls.
Flawed Risk Assessments & Program Governance
Using Generic or Outdated Risk Assessments
A primary red flag for an auditor is an AML risk assessment treated as a “one and done” or “set and forget” task. Many accounting firms make the mistake of using generic templates that are not tailored to their specific operations, a practice that fails to meet regulatory expectations for a dynamic and customised compliance framework.
An effective AML risk assessment must be a living document, continuously reviewed and updated to reflect changes. Auditors expect to see an assessment that is specifically tailored to the risks your firm faces. This involves a detailed analysis of your:
Component | Required Analysis |
---|---|
Client base | The types of customers you serve, including their industries and geographic locations. |
Services offered | The specific risks associated with your services, such as company formation or complex trust advice, compared to lower-risk work like standard tax returns. |
Delivery channels | How you provide services, whether face-to-face or online. |
Jurisdictional exposure | Any involvement with foreign jurisdictions, particularly those considered high-risk. |
Failing to keep the risk assessment current is a significant error. It must be updated when:
- New services are introduced
- The firm takes on new types of clients
- Regulators like AUSTRAC issue new guidance
Lacking Senior Oversight & A Dedicated Compliance Officer
Effective program governance begins with genuine engagement from the top. An Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) program, including its foundational risk assessment, requires explicit approval and ongoing oversight from the firm’s board and senior management. Auditors will look beyond a simple signature to find evidence of active involvement.
This “ongoing oversight” is a critical compliance component and involves regular, demonstrable actions. Senior management must show they are not just passively rubber-stamping documents but are actively engaged in the AML compliance process. Evidence of this includes:
- Reviewing compliance reports and updates from the AML/CTF Compliance Officer
- Discussing AML/CTF matters in board or management meetings, with actions recorded in minutes
- Making informed decisions based on audit findings and risk assessments
- Allocating sufficient resources to support the firm’s compliance efforts
Furthermore, every reporting entity is required to appoint an AML/CTF Compliance Officer at a management level. A common mistake is appointing a part-time employee to this role, which does not meet regulatory requirements. The position must be held by a full-time staff member who has the authority and independence to enforce the compliance program, although they are permitted to have other responsibilities.
Get Your Free Initial Consultation
Request a Free Consultation with one of our experienced AML Lawyers today.
Deficiencies in Customer Due Diligence & Verification
Failing to Identify & Verify Ultimate Beneficial Owners (UBOs)
A significant red flag for auditors is an accounting firm’s failure to look past surface-level company structures to identify the true individuals in control. A common mistake is stopping the due diligence process after identifying a director, or accepting a client’s declaration about their ownership structure without independent verification.
Under Australian AML regulations, accountants must take reasonable measures to identify and verify the “ultimate” beneficial owner (UBO), which is the natural person who ultimately owns or controls an entity, typically defined as holding 25% or more.
Criminals often use complex ownership structures, such as trusts or layered companies, to obscure their involvement and move illicit funds. Therefore, auditors expect to see a thorough investigation into these arrangements.
Key failures in this area include:
- Relying on client-provided information without seeking independent verification from sources like corporate registers or trust deeds
- Failing to investigate the ownership of corporate shareholders to trace the chain to the ultimate natural person
- Lacking a documented procedure for identifying the settlor, trustee, and all potential beneficiaries of any trust structure
- Having client files that are missing crucial documentation, such as certified identity documents for the UBO or clear diagrams of the ownership structure
Inadequate or One-Off Customer Due Diligence
Another critical deficiency is treating customer due diligence (CDD) as a static, one-off task that is completed only when a new client is onboarded. AML compliance requires an ongoing process to ensure you understand your clients throughout the entire lifecycle of your relationship.
A “set and forget” approach to CDD is a major mistake that leaves a firm exposed to significant risk and regulatory penalties. Effective compliance involves implementing ongoing customer due diligence (OCDD) systems and controls. This means you must continuously monitor client activity and ensure their information is regularly reviewed and kept up to date.
An auditor will look for evidence that your firm’s processes are dynamic and responsive to changes in a client’s risk profile. Treating CDD as a point-in-time process means you are likely to miss suspicious transactions or important shifts in client behaviour.
Your ongoing monitoring program should be designed to detect and scrutinise activity that is inconsistent with a client’s known history and risk profile. This includes having documented procedures for refreshing customer information when certain triggers occur, such as:
- A significant change in the volume, value, or pattern of transactions
- A client undertaking a major change to their legal or ownership structure
- The emergence of new information, such as adverse media reports or a change in a client’s Politically Exposed Person (PEP) status
Weaknesses in Monitoring & Reporting Processes
Ineffective Transaction Monitoring & Ignoring Red Flags
A risk-based transaction monitoring program is essential for identifying suspicious activities that could indicate money laundering or terrorism financing. Auditors apply a “follow the money” approach, looking for patterns and connections to a client’s overall risk profile rather than just isolated events.
One common mistake is having a monitoring system that operates separately from CDD information, which prevents a holistic view of potential risks. This separation creates significant blind spots in your compliance framework.
An ineffective transaction monitoring program raises immediate red flags for auditors. The most common weaknesses include:
Weakness | Description |
---|---|
Over-reliance on manual processes | Using spreadsheets and emails for monitoring is prone to human error and cannot effectively detect complex schemes like structuring, where transactions are split to avoid reporting thresholds. |
Failing to investigate alerts | Not having a clear, documented process for escalating, investigating, and resolving alerts generated by the system. |
Ignoring key indicators | Overlooking red flags such as transactions inconsistent with a client’s known activities, payments involving high-risk jurisdictions, or unusual patterns that have no apparent commercial reason. |
Firms must ensure their monitoring systems, whether manual or automated, are fit for purpose and consistently applied. Furthermore, the inability to demonstrate how transaction alerts are managed and linked back to the customer’s risk profile points to a critical failure in the AML compliance framework.
Submitting Delayed or Incomplete Suspicious Matter Reports
A crucial obligation for any Australian accounting firm is the timely and accurate submission of Suspicious Matter Reports (SMRs) to AUSTRAC. Firms must file an SMR when there are reasonable grounds to suspect a matter is linked to criminal activity.
These reports should typically be submitted within 24 hours of forming that suspicion. Consequently, delayed or incomplete SMRs constitute a serious compliance breach and a clear red flag during an audit.
Common errors in this area include:
Error | Description / Common Cause |
---|---|
Late filing | Delays are often caused by unclear internal escalation paths, where staff are unsure who to report a red flag to, or a general lack of urgency in the compliance culture. |
Insufficient detail | Submitting reports with vague or incomplete information hinders AUSTRAC’s ability to analyse the potential threat, rendering the report less effective. |
Failure to report | This can occur when staff are not adequately trained to recognise red flags or when a firm investigates a suspicious matter but decides against reporting without proper documentation. |
If a firm investigates an issue and concludes that an SMR is not required, that decision-making process must be meticulously documented. An auditor will expect to see a defensible audit trail explaining the factors considered and the rationale for not reporting, demonstrating a thoughtful and compliant approach.
Inadequate Internal Controls & Staff Preparedness
Insufficient or Generic Staff Training
An AML program is only as effective as the people who implement it, making staff training a critical legal requirement under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). A common mistake many accounting firms make is providing generic, “tick-a-box” training that fails to prepare employees for real-world scenarios.
Auditors will often look beyond simple attendance sheets and may interview staff to assess their practical understanding of their compliance obligations. They will identify several red flags related to insufficient staff preparedness, including:
- A lack of role-specific training, where junior accountants who onboard clients are unaware of what constitutes an SMR
- Staff who can recite a policy but cannot explain the reason behind it or what to do when a red flag appears
An effective AML/CTF risk awareness training program is mandatory for all employees in roles that pose a money laundering or terrorism financing risk. This training must be tailored to your firm’s specific risks and operational realities.
Key areas that must be covered include:
- The firm’s specific obligations under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth)
- The potential consequences of non-compliance for both the firm and individual employees
- How to recognise and escalate red flags relevant to your clients and services
- The internal processes for reporting suspicious matters and the role of the AML/CTF Compliance Officer
Maintaining Poor Financial Records & Audit Trails
Meticulous and organised record-keeping is a fundamental pillar of AML compliance, serving as your primary defence during an audit. Regulators operate on the principle that “if it’s not written down, it didn’t happen,” making the absence of a clear audit trail a significant red flag.
Disorganised or incomplete documentation makes it impossible to demonstrate that your firm has followed its own policies and met its regulatory duties. Common mistakes include using fragmented systems of spreadsheets and emails, which creates documentation gaps and an incoherent audit trail.
Under Australian law, all AML/CTF-related records must be retained for a minimum of seven years. These records must be stored securely, protected from unauthorised access, and be easily retrievable for an audit. Auditors need to see a clear history of actions and decisions.
A complete and defensible audit trail must include several types of documentation:
Record Type | Required Content |
---|---|
AML/CTF Program Documents | Every version of your program, along with evidence of senior management approval and records of all independent reviews. |
Customer Due Diligence Records | All information collected during the CDD process, including identity verification documents, beneficial ownership analysis, risk assessments, and records of ongoing monitoring. |
Transaction Records | Sufficient information to reconstruct every transaction, including dates, amounts, parties involved, and any supporting documentation. |
Staff Training Records | A central register detailing training dates, attendees, topics covered, and any assessments of comprehension. |
Decision Logs | Documentation of significant AML-related judgments, especially the rationale for investigating but ultimately not filing an SMR. |
Conclusion
Navigating Tranche 2 AML compliance requires Australian accountants to avoid critical errors, from flawed risk assessments and inadequate due diligence to weak transaction monitoring and poor record-keeping. Proactively addressing these common red flags is essential to prevent severe financial penalties and reputational damage during an AUSTRAC audit.
To ensure your accounting firm is prepared for these changes, contact the experts at AML House today for specialised guidance on AML compliance for accountants. Our tailored compliance solutions can help you navigate the complexities of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) and safeguard your practice.
Frequently Asked Questions (FAQ)
The most common mistake is treating the risk assessment as a “set and forget” task by using a generic, non-specific template. An effective AML risk assessment must be a living document that is tailored to your firm’s specific clients and services and is regularly updated to reflect new risks.
You must take all reasonable measures to identify and verify the UBO, which is the natural person who owns or controls 25% or more of an entity. Simply accepting a client’s declaration or identifying a director is insufficient, as you are expected to investigate complex ownership structures like trusts or layered companies.
No, treating CDD as a one-off task during onboarding is a significant compliance mistake. Australian regulations require ongoing customer due diligence to continuously monitor transactions and ensure client information is kept up to date, particularly if their risk profile changes.
Insufficient or generic staff training is a major red flag for auditors, as it means employees are unprepared to identify suspicious activities or understand their reporting obligations. This can lead to the inconsistent application of your firm’s policies and a failure to detect and escalate potential money laundering, undermining your entire compliance framework.
No, appointing a part-time employee as your AML/CTF Compliance Officer is a mistake that does not meet regulatory requirements. The position must be held by a full-time staff member who has the necessary authority and independence to enforce the compliance program, although they are permitted to have other responsibilities.
All AML/CTF-related records must be retained for a minimum period of seven years. This includes all documentation related to customer due diligence, beneficial ownership verification, risk assessments, transaction records, and staff training.
If you investigate a matter and conclude that an SMR is not necessary, you must meticulously document the decision-making process. An auditor will expect to see a defensible audit trail that clearly outlines the factors considered, the rationale for not reporting, and who made the final decision.
The key reporting obligations include submitting SMRs to AUSTRAC for any activity you have reasonable grounds to suspect is linked to criminal activity. You must also file Threshold Transaction Reports (TTRs) for all physical currency transactions of A$10,000 or more.
The new AML/CTF obligations for Tranche 2 entities, including accounting firms, will commence on 1 July 2026. Firms will be able to enrol with AUSTRAC as reporting entities beginning on 31 March 2026.