Most accountants I talk to right now have the same question. Not “what are the rules?” The rules are out there. AUSTRAC has published the starter kit. The Forum series has covered the obligations from every angle.
The question is “what does this actually look like with a real client in front of me?”
That’s what we did at the last AML Accountants Forum. Less theory. Two real client scenarios, walked end to end. Same intake form. Completely different work.
Here’s the seven-step process every client onboarding runs through under the new rules, with two clients, Sarah and Marcus, used to show what it looks like in practice.
Two leads. Same form. Different files.

Two new leads come into your firm on the same day.
Sarah Wilson is in Melbourne. She’s filled in your website form. She wants a new Pty Ltd set up.
Marcus Reid is referred by one of your partners. Played golf with him for years, sound bloke, just put him through. He wants a corporate restructure plus a discretionary trust.
That’s all you know on day one. What follows is the same process applied to both of them. Same intake form. Same firm. Same staff doing the work. Two completely different outcomes.
The seven-step framework

Every client onboarding under the new AML/CTF rules runs through the same seven steps:
- Inquiry
- Designated service check
- Identity and beneficial ownership
- Country risk
- Risk rating
- Customer due diligence (Standard or Enhanced)
- Decision
Doesn’t matter if they’re low risk or high risk. The steps are the same. What changes is the depth at each step.
The fork is at step 6. Standard CDD or Enhanced CDD. The trigger isn’t the client type. It’s not “individuals are easy, companies are hard.” The fork is decided by the rating from step 5.
That’s the bit most firms get wrong. Let’s walk it.
Step 1: Inquiry
Both clients land on the firm’s intake. New leads, captured, logged.
Nothing complicated here for either of them. The point is that you’re capturing what triggers the AML obligations downstream. Channel, services requested, who referred them. It all feeds the risk framework later.
Sarah: website form, Pty Ltd formation requested.
Marcus: partner referral, restructure plus trust setup, substantial fees.
Worth noting that the source of a lead can itself be a risk factor in some firms’ frameworks. Cold web enquiries from unknown clients in unusual industries can warrant a closer look. Long-trusted partner referrals can lull a firm into doing less work than they should. Both are real patterns, and your risk framework should anticipate them.
Step 2: Designated service check
This is the gate check. If what the client is asking for isn’t a designated service, the AML obligations don’t apply.
Most firms think AML applies the moment a client walks in the door. It doesn’t. It applies when you provide a designated service. Tax returns alone are not a designated service. Company formation is. Trust formation is. Acting as registered office is.
Sarah: company formation (item 6) plus registered office (item 9). Two designated services.
Marcus: company restructure (item 6), trust formation (item 7), registered address (item 9). Three designated services.
Both clients are now in the AML pipe. Same outcome at this step.
A practical note: many firms provide ongoing designated services without realising it. Acting as registered office is a designated service that quietly continues for years. So is providing trustee services or beneficial owner registers. If you’re providing one of those on an ongoing basis, the AML obligations don’t end when the client is onboarded. They continue, and they trigger periodic reviews and trigger-event reviews for as long as the service is being provided.
Step 3: Identity and beneficial ownership
Now we start to see them diverge.
For Sarah, this is clean. She’s the sole director and 100% shareholder. She’s an Australian resident, passport and address verified. The beneficial owner is Sarah. One human, one entity, no layering. Identity and BO verified, low risk.
For Marcus, this is where the work multiplies. He’s the sole director of three interlinked companies. One of those companies is registered in the British Virgin Islands. The trust beneficial ownership chain isn’t immediately clear. Discretionary trusts have multiple BO candidates: settlor, trustee, beneficiaries with 25% or more, and anyone with control like the appointor.
Marcus’ BO mapping isn’t a straight line. It’s an opaque chain through interlinked entities, and you’ve got to delve into each layer.
This is where AML actually gets hard. As Ags from LYRA Risk and Compliance put it on the day, AML doesn’t fail on Sarah. It fails on Marcus. The 90 percent of clients you onboard cleanly aren’t where the risk lives. The risk lives in the 1 to 5 percent that catches firms out.
There’s a related point that came up several times in the Q&A. The cultural shift this represents for accountants is genuine. “I’ve known him for years, he’s a great guy, just put him through” is exactly the attitude that doesn’t fly anymore. It doesn’t matter how long you’ve known the client. It doesn’t matter that they’re a partner referral. The work has to be done, the evidence has to be on file, and the assessment has to be documented. AUSTRAC will not accept “I knew him” as your control.
Step 4: Country risk
For Sarah, this is a one-line check. Australia, Basel AML Index 0.9, no foreign jurisdictions involved. Country risk: low.
For Marcus, this step changes the engagement. Singapore is a medium-risk jurisdiction on Basel. But the BVI is FATF-monitored, which forces the rating to high regardless of where the client lives. The foreign jurisdiction overrides the Basel rating.
This is one of those bits where you genuinely need to know what to look for. Most accountants haven’t memorised which jurisdictions trigger automatic high. That’s where partnering with someone like Ags, or using a tool that flags it for you, earns its keep.
A question that came up in the Q&A: how do you even know a client has foreign exposure if they don’t volunteer it? You ask. Your intake form needs questions about beneficial ownership in foreign jurisdictions, foreign tax residency, and foreign source of funds. If they answer no and it later turns out they had a BVI entity all along, the responsibility shifts. You did the work. You asked the question. The client misled you. That’s a different situation than not asking at all.
Step 5: Risk rating
Step 5 is where the rating gets fixed. From here the path forks.
Sarah: PEP screening clear, sanctions clear, no elevated factors. Overall rating: low.
Marcus: one high-risk factor (BVI exposure) is enough to land the whole engagement at high. There’s also a foreign PEP connected to one of the entities. That alone forces Enhanced CDD.
A useful thing to remember: a single high-risk factor lands the whole engagement at high. You don’t average it out. You don’t wait for two or three. One is enough.
Worth flagging here that this is a risk-based approach, not a checklist. The Act gives you discretion in big chunks of how the rating is built. You’re the one applying the lens. Two firms with the same client could legitimately land on different ratings if their risk frameworks weight things differently. What AUSTRAC will look for is whether you’ve thought about it, documented your reasoning, and applied your framework consistently. Not whether you got the same number as the firm down the road.
Step 6: CDD
This is the fork. Sarah goes one way. Marcus goes the other.
Sarah’s path: Standard CDD

Sarah gets Standard CDD. ID documents verified. ASIC search clear. Nature and purpose of the engagement confirmed. This is the path 80 percent of your clients will follow. Done in a day, file the docs, move on.
The work at this step for a low-risk client is quick. The point isn’t to over-engineer it. The point is that you’ve done it consistently, applied your framework, and have the evidence on file.
Marcus’ path: Enhanced CDD

Marcus gets Enhanced CDD. That means:
- Source of funds (where is the money for this transaction coming from)
- Source of wealth (how did the client accumulate the wealth in the first place)
- Adverse media screening
- Senior manager approval before onboarding
- Enhanced ongoing monitoring throughout the engagement
Source of funds and source of wealth is the heaviest piece. You’re asking for bank statements, tax returns, sometimes sworn statements. Clients push back on this. The honest answer is that it’s been standard practice in financial services since 2006. The banking world has been doing it for nearly 20 years. The accounting world is just catching up.
A point Ags made on the day is worth repeating here: banks have spent billions on AML systems and still get it wrong. The expectation isn’t that small accounting firms run bank-grade controls. The expectation is that you do enough, consistently, with documentation that a reasonable assessor can follow.
Senior manager approval is the bit small firms ask about most. In a five-person practice, who is the senior manager? It can be the AML Compliance Officer, who in many small firms is also the principal. The point is that one person, with the right authority, signs off before the client is onboarded. Document who, when, and on what basis.
Adverse media is the step firms most often skip without realising they shouldn’t. For low-risk clients, you can usually rely on PEP and sanctions screening alone. For high-risk clients, adverse media screening is part of Enhanced CDD. That means a structured search for media coverage that might indicate criminal involvement, regulatory action, or reputational risk. Tools do this for you. If you don’t have a tool, you do it manually, and you document what you searched and what you found.
Step 7: Decision
This is the step nobody talks about until they get to it.
For Sarah it’s straightforward. Accept, onboard, file the engagement letter and ID docs, and schedule a review in three years (the low-risk default; you can always review more often based on your firm’s risk appetite).
For Marcus, there are three real options:
- Continue with enhanced controls (annual reviews, ongoing monitoring, Enhanced CDD applied at every cycle)
- Decline the engagement (some clients aren’t worth the risk-adjusted return)
- Onboard with conditions and a defined exit clause
The decline option is real. If a client is outside your risk appetite, document the assessment and don’t take them on. AUSTRAC doesn’t punish you for declining. They punish you for onboarding without doing the work.
A point on documenting the decision. Whatever you decide, the evidence trail needs to capture not just what you decided but the policy version that governed the decision. Risk frameworks change over time. AUSTRAC guidance changes over time. If you’re audited in 2028 on a decision made in 2026, you want to be able to show “this is the framework we were operating under at the time, this is the rating it produced, and this is the decision that flowed from it.”
What this looks like once they’re onboarded
Onboarding is one piece. Ongoing monitoring is the other.
For Sarah, ongoing monitoring is light. She’s on a three-year review cycle. That review can be triggered earlier by what AUSTRAC calls trigger events: changes in the client’s circumstances, changes in the services you’re providing, or red flags in the day-to-day work. If nothing changes, it’s a periodic review every three years.
For Marcus, ongoing monitoring is enhanced and continuous. Annual reviews at minimum. Every transaction or event watched. Adverse media screening run periodically. Source of funds reverified if circumstances suggest the picture has changed.
It’s worth being clear about what ongoing monitoring is and isn’t. For accountants, ongoing monitoring is not bank-style transaction surveillance. You’re not watching every transaction in real time. You’re checking in periodically, watching for trigger events, and reassessing the risk rating on a defined cycle. Some competitors will try to sell you continuous transaction surveillance. That’s not what the regime requires for accounting firms.
Suspicious matters and the offence most firms don’t realise exists
One topic from the Q&A worth pulling out into its own section: Suspicious Matter Reports.
If you form a suspicion during the course of providing a designated service, you have an obligation to lodge a Suspicious Matter Report with AUSTRAC. The bar for “suspicion” is lower than “reasonable belief” but higher than “passing thought.” If you’ve got concrete reasons to think something’s off, you lodge.
Here’s the bit firms don’t always know. Once you’ve decided to lodge an SMR, telling the client that you’re doing it is a criminal offence. It’s called tipping off. It carries serious penalties. You can’t tell them, you can’t hint, and you can’t engineer the engagement in a way that effectively reveals it. You proceed normally with the engagement to the extent the law allows, and you let AUSTRAC do their work.
This is one of those areas where small firms can stumble badly without meaning to. A staff member trying to be helpful saying “we just need a bit more info from you, we’ve got some concerns” can be the offence. Train your team. Make sure everyone who interacts with the client knows what to say and what not to say once an SMR has been raised internally.
What this means in practice

A few things stand out from running both scenarios side by side.
The seven-step process is the same regardless of risk. What changes is the depth at each step. Sarah’s onboarding takes a day. Marcus’ takes about a week.
The risk rating drives the fork, not the client type. Don’t get caught thinking individuals are easy and companies are hard. Sarah was a company. Marcus had an individual at the top of his structure. The rating is what matters.
Most of your work will look like Sarah. Build your firm’s process so the low-risk path is fast and clean. Reserve the heavy lifting for the cases that actually need it.
And the bit that came up most in the Q&A: this is a risk-based approach, not a yes/no checklist. AUSTRAC wants you to think, not just follow a process. The Act gives you discretion in big chunks of how the assessment is built. You’re the one applying the lens. Document your decisions, document the policy version that governed them, and you’ll be fine.
What’s next
If you’d like to watch the full session, including the 30-plus minutes of Q&A on trusts, crypto, cash transactions, registered office reviews and more, it’s up on YouTube here:
The next AML Accountants Forum is on the last Thursday of the month at 12pm Sydney time. We’re doing a deep dive on trusts, which came up repeatedly in the Q&A and deserves its own session. Register here: [link to next forum].
If you want to try Seamlss for client onboarding, ID verification, engagement letters and document management, there’s a free trial at app.seamlss.com.au. The AML module is in build and we’ll have more to show in the coming weeks.
If you want hands-on help getting your AML/CTF program audit-ready before 1 July 2026, Ags’ team at LYRA does that work directly: lyrariskcompliance.com.au.
Questions from the session
Some of the live questions and a few that came in via the registration form. The full Q&A is in the recording.
If I onboarded a client a few months ago and ID’d them then, do I have to do it all again when they engage me for a new designated service?
If the information is still valid and recent (within about three months), no, you don’t need to re-verify. If it’s been a year, you should run the checks again. Pre-commencement clients don’t need to be re-ID’d until they engage in a designated service post 1 July 2026. The whole approach is risk-based, not a fixed re-verification cycle.
What triggers a review for ongoing registered office services?
Two things. First, your defined periodic review cycle (every three years for low risk by default, more often if your firm wants it). Second, a trigger event: the client changes their address, changes a director, or anything else that itself constitutes a designated service. When that happens, the review cycle restarts.
If a client is investing in crypto, does that automatically make them high-risk?
No. An individual buying and selling crypto on the side is not your concern. The crypto exposure becomes relevant if it links to structures you’re setting up: an SMSF that holds crypto, a crypto trading company, or similar. In those cases the customer profile may shift up the risk scale, but personal investment in crypto by itself doesn’t drive an accounting client into high risk.
Do we need to monitor all cash transactions in and out of a client’s bank account?
No. That’s the bank’s job, and they get fined billions when they get it wrong. Your concern is cash that comes directly to you, in payment for your services. You’re not running surveillance on your clients’ bank accounts unless you spot suspicious behaviour.
How do I know if a client has foreign exposure if they don’t tell me?
You ask. Your intake form needs questions about foreign tax residency, foreign beneficial ownership, foreign source of funds, and any international entities in their structure. “They didn’t tell me” is not a defence. “I asked, they said no, I documented it, and it later turned out they lied” is a different situation, and that’s grounds for an SMR.
Beneficial ownership in a discretionary trust where someone listed 20 family members 20 years ago. Who do I check?
The 25% threshold applies to anyone who actually stands to benefit. For discretionary trusts, the people you check are the ones with control (the trustee, the appointor) and the actual beneficial owners (anyone with a 25% or greater interest in distributions). You don’t ID 20 distant relatives who once received small distributions. You ID the people the structure is actually built around.
When can I raise a Suspicious Matter Report?
Any time you form a suspicion during the course of providing a designated service. The bar is “suspicion,” which is lower than “reasonable belief” but more than a passing thought. SMRs can cover money laundering, terrorist financing, fraud, scams, sanctions evasion, and tax evasion. There are no wrong answers when raising one. AUSTRAC has been clear that under-reporting is the bigger problem.
Can I tell my client I’m raising an SMR?
No. Telling a client you’re raising an SMR is a criminal offence. It’s called tipping off, and it carries serious penalties. Don’t tell them, don’t hint, don’t engineer the engagement in a way that effectively reveals it. The SMR sits between you and AUSTRAC.
Questions we didn’t get to
A few questions came in via the registration form that we didn’t get to in the live Q&A. Worth answering here.
Which should come first: the engagement letter or KYC?
Practical order: KYC first, engagement letter second, conditional on KYC passing. Otherwise you’ve signed up to a client you may have to refuse to act for. Some firms run the KYC process under a separate “KYC engagement” or scoping letter that authorises the checks, then the full engagement letter is issued only if the client passes. That structure protects you both ways: you’ve got authority to run the checks, and you haven’t committed to acting.
If you’ve already issued the engagement letter and KYC subsequently fails, document the issue, decline to proceed with the engagement, and refer to your firm’s risk framework on what notice (if any) you give the client. Be careful here, because the reason for refusal may be something you can’t disclose under the tipping-off rules.
What is the bare minimum a sole practitioner needs to do to be compliant?
The minimum is the same as for any other firm. The seven steps still apply. The work scales with the risk profile of your client base, not the size of your practice.
In practical terms, for a sole practitioner with a domestic, low-risk client base:
- Documented AML/CTF program (one document)
- Documented risk assessment (one document)
- Onboarding process that captures designated services, runs ID and PEP/sanctions checks, and assesses risk
- Periodic reviews on a defined cycle (three years for low risk by default)
- Trigger event reviews when something changes
- Records kept for seven years
You are also the AML Compliance Officer in a sole practitioner firm. That’s not a problem, it just means you’re the one who signs off on enhanced cases when they come up.
Does Item 6 “restructuring” cover routine ASIC agent work?
Item 6 covers company formation and restructure of an existing company. Routine ASIC agent updates (change of officeholder, change of address, registration or cancellation of a business name, deregistration) are not in themselves “restructuring” in the AML/CTF sense. Restructuring implies a material change to the entity structure: changes in beneficial ownership, share class structure, parent company arrangements, or similar.
That said, those routine ASIC services may still constitute Item 9 (registered office or address services) on an ongoing basis. So the AML obligations attach via Item 9, not Item 6. The trigger event for the periodic review is when the client makes the change, not when you file it for them.
Do we need to do anything for existing clients?
Not until 1 July 2026. Pre-commencement clients are grandfathered in the sense that you don’t need to retrospectively run AML checks on them just because the new regime starts. But the moment a pre-commencement client engages you for a designated service after 1 July, the AML process kicks in for that engagement, and that’s when you do the checks.
If I’ve decided not to provide any designated services from 1 July, should I still register with AUSTRAC?
If you genuinely don’t provide any designated services, you don’t need to enrol. There’s no requirement to “register and declare yourself out.” But be careful here. Tax services alone aren’t a designated service. If you act as a registered office, prepare or assist with company formation, set up a trust, or hold yourself out to provide any of the nine designated services, you’re in scope. If in doubt, run your service list against the designated service list (Item 1 to Item 9) and document your conclusion. That document itself is part of your governance.