Skip to content
Seamlss logo
Start For Free
Log in

How to Implement AUSTRAC’s 30 AML Documents Before the July 1 Deadline

February 11, 2026

With just 140 days until the July 1 deadline, 75% of Australian accounting firms haven’t started their AML compliance implementation. That’s not because firms don’t care. It’s because the information wasn’t there, and now that it is, it’s overwhelming.

On February 11, the third AML Accountants Forum webinar tackled the question every practitioner is asking: where do I actually start? Clayton from Seamlss and Agnieszka Szczepanik from Lyra Risk & Compliance broke down AUSTRAC’s recently released Accounting Program Starter Kit into practical, actionable steps.

The Starter Kit: An Unexpected Gift

When AUSTRAC dropped 30 documents on January 29, the collective groan from the accounting profession was audible. But according to Agnieszka, who has worked across AML regimes globally for 20 years, this kit is exceptional.

“I’ve worked in seven banks across multiple AML regimes globally. I’ve never seen anything that’s come to this level of detail,” she explained. “I was quite taken aback at the practical nature of what they’ve done and the comprehensiveness.”

The kit includes policies, risk assessments, onboarding forms, customer due diligence procedures, personnel forms, and maintenance documents. It’s pragmatic, comprehensive, and designed specifically for small accounting firms with 10 employees or fewer (though firms up to 20-25 people can use it with appropriate customization).

But here’s the critical point: you can’t just download the documents, drop them in a folder, and call it done. The kit is a foundation, not a fill-in-the-blanks solution.

The Four Layers You Need to Understand

The starter kit is organized into four distinct layers, and understanding the hierarchy matters:

1. Core Documents (Start Here)

The AML/CTF Program (policy document) and the Risk Assessment are your foundation. These two documents define what is considered risky and explain to your team and regulators what your firm is doing about it.

Agnieszka emphasized approaching implementation top-down: “You need to look at it top down first before you can go bottom up. Your policy document and your risk assessment are the two core foundational frameworks that will impact what you do and how you think.”

The policy document is the “what and why.” It translates the legislation into your firm’s specific approach, covering personnel roles, due diligence requirements, reporting obligations, and record-keeping procedures.

The risk assessment is the methodology for evaluating clients. AUSTRAC provided a simpler approach than expected: assign high, medium, or low ratings to customer characteristics (who they are, where they operate, how they conduct business), then sum these up for an overall risk rating per customer. Higher risk equals more checks.

2. Personnel Forms

These cover employee due diligence, AML compliance officer appointments, role assignments, and training documentation. Even sole practitioners need to train themselves and maintain records.

The compliance officer must be someone senior enough to be accountable to the regulator. For most small firms, that’s a partner, owner, or manager. While operational work can be delegated to junior staff, the ultimate accountability and decision-making authority must stay with the senior compliance officer.

3. Client Forms

This is where the onboarding happens: identity verification, customer due diligence questionnaires, beneficial ownership checks, and risk ratings. If you’re already using structured onboarding software like Seamlss, you’re likely collecting 70-90% of the required data already.

The additional AML layers include beneficial owner identification (anyone with 25% or more control), PEP screening, sanctions checks, and applying that different lens to make informed risk decisions.

4. Maintenance Forms

Ongoing monitoring, periodic reviews, trigger event assessments, effectiveness testing, and annual compliance reporting. The compliance work doesn’t stop on July 1. It becomes part of your firm’s operating model.

The Pre-Commencement Relief That Changes Everything

One of the biggest anxiety-killers from the session: existing clients don’t need ID checks before July 1.

Pre-commencement customers can continue being serviced without new identity verification unless you provide them with a new designated service or key information changes (like their ASIC registered office address for company office holder services).

This significantly reduces the implementation burden. You’re not retrofitting your entire client base. You’re building the framework for new clients and triggered events going forward.

The Implementation Roadmap

Here’s the practical timeline that emerged from the session:

February 2026:

  • Appoint your AML compliance officer
  • Download and start customizing the starter kit
  • Map which of the nine designated services your firm actually provides

March 2026:

  • Complete your risk assessment framework
  • Finalize your policy document
  • Prepare for AUSTRAC enrollment (opens March 31)
  • Begin staff awareness and communication

April-May 2026:

  • Implement the framework with pilot clients
  • Train staff on procedures
  • Test workflows and identify gaps

June 2026:

  • Conduct end-to-end testing
  • Document everything
  • Ensure systems are ready

July 1, 2026:

  • Go live
  • Enroll with AUSTRAC by July 29

The regulators won’t be knocking on doors on July 1. They’ll start checking compliance after firms submit their first annual compliance reports in Q1 2027. But that doesn’t mean you can procrastinate. Daily non-compliance fines start at around $18,000, and they compound quickly.

What’s Not in the Kit

The starter kit covers the basics brilliantly, but it won’t solve everything:

  1. Technology integration – You still need systems to collect, store, and retrieve data efficiently. Record-keeping is an obligation under the AML/CTF Act.
  2. Complex structures – If you deal with international clients, intricate beneficial ownership chains, or high-risk industries, you’ll need to enhance the basic framework.
  3. Screening tools – PEP checks, sanctions screening, and adverse media monitoring require third-party providers or sophisticated platforms.
  4. Ongoing training – The kit provides the framework, but AUSTRAC-compliant training modules need to be sourced separately.

The Designated Service Questions

A question that came up repeatedly: does AML apply to every client?

No. AML requirements only apply when you provide a designated service. These include:

  • Creating or managing trusts, companies, partnerships, or associations
  • Acting as an ASIC agent (company office holder changes)
  • Managing client funds or accounts
  • Preparing or lodging documents for business structures
  • Buying or selling businesses

If you’re just doing data entry for BAS or preparing tax returns without any of the above services, you’re probably not caught. But most accountants provide at least one designated service, which means the valve on the AML pipeline opens.

The key is mapping your services against the nine designated services to clearly identify where AML procedures are required.

See more Q&A’s at the end of this blog post.

When Customisation Becomes Critical

The starter kit is designed for firms of 10 people or fewer. Larger firms up to 20-25 employees can use it with tailoring. Beyond 50 people, you’ll need significant enhancement of the policy document and risk assessment methodology.

You’ll also need more sophisticated approaches if you:

  • Provide services to regulated entities (other accountants, financial planners, remittance providers)
  • Have clients in high-risk jurisdictions
  • Manage complex entity structures
  • Deliver services primarily through online platforms

For firms struggling with complexity or simply overwhelmed by the volume of work required, Lyra Risk & Compliance offers a one-day AML immersion solution covering kit review, designated service mapping, roles and responsibilities, operating model integration, gap analysis, and practical guidance on risk assessment and customer due diligence.

The Minimum Viable Effort

What’s the absolute minimum you need to do to be compliant?

Download the starter kit, customize it for your firm’s size and services, appoint your compliance officer, implement the framework, train your staff, and test the process end-to-end before July 1.

It’s not rocket science, but it does require focused effort. Agnieszka framed it perfectly: “What they’ve given you is an MVP. You cannot go below. You can only go up.”

Doing it right the first time is always cheaper than remediation later. Banks have learned this lesson the expensive way. Accounting firms have the advantage of learning from their mistakes.

What’s Next

The next AML Accountants Forum webinar will dive deep into risk assessments and scenario planning. As firms start implementing the starter kit, the questions shift from “where do I start?” to “how do I apply this to my specific clients?”

Understanding how to evaluate client risk, what triggers enhanced due diligence, and how to document your decision-making process will be critical. The risk assessment isn’t just a compliance checkbox. It’s the engine that drives every decision about whether to take on a client, what level of verification to perform, and how often to review the relationship.

The July 1 deadline is real. There’s no grace period. But the path forward is clearer now than it’s been at any point since Tranche 2 was announced.

The AUSTRAC starter kit provides a genuine foundation. It won’t do the work for you, but it gives you the framework, the language, and the structure to build a compliant AML program without reinventing the wheel.

For most small firms, this isn’t an insurmountable challenge. It’s a systematic process that needs to be worked through methodically over the next five months. Start with the core documents, understand your designated services, build the framework, test it, and go live.

The firms that will struggle aren’t the ones who start now and work through it imperfectly. They’re the ones who wait until May and try to compress six months of work into eight weeks.

Watch the full webinar recording:

Common Questions from Practitioners

The webinar chat revealed the questions keeping accountants up at night. Here are the answers that matter:

Do I need to ID check all my existing clients before July 1?

No. Pre-commencement customers (existing clients before July 1, 2026) don’t require immediate identity verification. You only need to conduct CDD checks on existing clients if:

  • They request a new designated service you weren’t previously providing
  • There’s a significant change in their circumstances that triggers medium or high risk
  • You need to file a suspicious matter report about them

This is one of the biggest anxiety-killers in the entire framework. You’re not retrofitting your entire client base overnight.

If I’m an ASIC agent and a client’s registered office address changes, do I need to do a new ID check?

Yes, if you’re providing ASIC agent services (company office holder changes), a registered office address change is a designated service trigger. However, this doesn’t mean full identity verification from scratch. You’re conducting a risk assessment to determine if enhanced due diligence is needed based on the nature of the change.

If a client just moves their home address but you’re not updating ASIC records, that’s not a trigger.

As a sole practitioner, do I need to complete personnel due diligence and training on myself?

Yes. Even if you’re the only person in the firm, you still need to:

  • Document that you’ve completed AML/CTF training (and maintain records)
  • Confirm your fitness and propriety (though being registered with the Tax Practitioners Board already addresses much of this)
  • Appoint yourself as the compliance officer

You’re wearing all the hats, which means you need to check all the boxes, even if they feel redundant.

If I acquire an accounting firm after July 1, do I need to ID check all the inherited clients?

You need to understand which clients are receiving designated services and what information the previous firm collected. You can place reliance on previous due diligence if it’s adequate, but you must:

  • Review what CDD was performed
  • Assess whether it meets current requirements
  • Fill any gaps in documentation
  • Consider the acquired firm’s compliance practices as part of your due diligence

The compliance quality of an acquired firm should now be a key criteria. Firms with poor AML documentation represent higher risk and should be assesses accordingly.

Does this apply to bookkeepers or just accountants?

It depends on which services you provide, not your job title. If you’re a bookkeeper who only does data entry and BAS preparation, you’re likely not caught. But if you:

  • Manage client funds or accounts
  • Act as an ASIC agent
  • Prepare documents for business structures
  • Provide any of the nine designated services

Then yes, you’re subject to AML/CTF requirements regardless of whether you call yourself a bookkeeper, accountant, or business advisor.

What about changes to share structure or adding shareholders?

Yes, this falls under designated service #2 (creating or managing companies). Any change to share structure, addition of shareholders, or modification to company ownership requires you to conduct appropriate due diligence based on your risk assessment.

Will AUSTRAC provide flowcharts for complex scenarios like trust beneficiaries?

The starter kit includes process documents, which is more than regulators typically provide. However, AUSTRAC won’t give you a “if this, then that” flowchart for every scenario. The risk-based approach means your policy and risk assessment determine how deep you go.

For trust beneficiaries, you’ll need to identify beneficial owners (those with 25% or more control) and apply your risk assessment methodology. Complex structures may require external tools from providers like LexisNexis or Dun & Bradstreet.

How do I find an AML auditor for independent evaluations?

You don’t need one immediately. Independent evaluations are required every three years, with the first due by 2029. However, Agnieszka recommends considering an independent review within your first year of operation, especially if you’re writing your program from scratch, to catch any gaps early.

By the time you need an auditor, the market will have matured significantly. For now, focus on implementation.

I work in a niche, low-risk industry. Does that simplify my AML requirements?

Yes and no. A low-risk client base means simpler procedures and less frequent monitoring. But you still need:

  • The complete AML/CTF program documentation
  • Risk assessment methodology
  • Staff training
  • Enrollment with AUSTRAC
  • All the foundational compliance framework

The risk-based approach scales the operational work, not the structural requirements.

Does the kit work for firms that deliver services primarily online?

The starter kit is designed for traditional service delivery models. If your firm operates entirely online (video conferencing, digital onboarding, cloud-based workflows), you’ll need to enhance sections covering:

  • Identity verification without face-to-face contact
  • Higher risk considerations for digital channels
  • Additional fraud prevention measures
  • Enhanced monitoring for technology-facilitated services

Firms over 10 employees or with complex delivery models will need to tailor the starter kit significantly.

Tags: