AML-Proof Your Practice: Getting Ahead of Tranche 2
The Anti-Money-Laundering / Counter-Terrorism-Financing (AML/CTF) net is widening. From 1 July 2026, Australia’s long-promised “Tranche 2” laws will draw accountants, bookkeepers, lawyers, and other advisers into the regime that banks have lived with for years.
At the recent Growth Club Summit by The Firm, compliance-specialist duo Corey Cacic (founder of Annature) and Stacie Shaw (FCA, Partner at PKF Sydney & Newcastle) explained why firms that wait for the final regulations will be racing the clock—and why the humble ID check is the first building block of a bullet-proof AML programme.
Below you’ll find a practical roadmap distilled from their session: why today’s TPB/ATO rules already matter, what Tranche 2 adds, and how a purpose-built workflow can keep auditors (and fraudsters) at bay.
“If you aren’t verifying photo ID now, you’re already non-compliant.” — Corey Cacic
ID Checks: Compliance You Can’t Postpone
Before Tranche 2 even arrives, the Tax Practitioners Board (TPB Practice Note 2022/2) and the ATO already expect you to:
• Sight a government photo ID (passport or driver’s licence) for every new client.
• Record what you saw, when you saw it, and who confirmed it.
• Retain the log—not the scan of the licence itself.
Skip those steps and you risk suspension. Cacic cited a Sydney agent who dutifully lodged three years of “clean” tax returns—only to learn his “clients” were impostors. The TPB didn’t fine him for fraud; they suspended him for failing to identify who he was acting for.
Why Email and Zoom Won’t Save You
• Email: asking for licence photos over email invites interception, leaks, and uncontrolled backups across shared inboxes and CRMs.
• Zoom hold-ups: technically tick the TPB box, but produce no audit trail and fail to confirm the person behind the webcam is the document holder.
Shaw’s rule of thumb: no licence scans over email, ever. If you wouldn’t ask for a TFN in an open inbox, don’t ask for ID.
Tranche 2: What Really Changes in 2026?
Under draft legislation, firms that offer any designated service—think company formations, trust setups, managing client funds, even some advisory on transactions—must register with AUSTRAC between 31 March and 1 July 2026. Once registered you’ll need to:
• Know Your Client (KYC) 2.0: Verify ID and screen for risk: sanctions lists, politically-exposed persons (PEPs), adverse media.
• Ongoing monitoring & suspicious-matter reporting: Spot red flags (e.g. sudden transfers to tax havens) and lodge reports—without “tipping off” the client.
• Know Your Employee (KYE): New hires handling designated services must undergo the same rigour.
• Appoint a Compliance Officer & document a programme: Policies, training, audits—the lot.
“Accountants are the new gatekeepers; AUSTRAC wants you closing the door before crooks walk in.” — Stacie Shaw
Build a Workflow, Not a Spreadsheet
Shaw’s team tested a simple question: Could we prove, in five minutes, that every client onboarded since 1 July is fully verified?
The answer, via shared inbox searches and half-filled checklists, was ‘no’. Enter purpose-built platforms such as Annature.
What a Good KYC Platform Does
• One-click requests straight from XPM, FYI, MYOB PM, etc.
• Biometric selfie match—the licence holder must blink for the camera.
• Global screening (sanctions, PEPs, adverse media) baked in.
• Audit-ready dashboard: verified / pending / flagged / missed—live.
• Data minimisation: stores the result, not the ID image, aligning with ATO storage expectations.
The clincher is reconciliation. Annature’s AML dashboard cross-checks your practice database against completed verifications, so the only names you see are the ones that need action. Manual lists disappear; exceptions drive the workflow.
“A central dashboard turns compliance from guesswork into a daily habit.” — Corey Cacic
Four Myths That Stall Progress
• “We’ll sort it next year.” You already need photo-ID logs today. Starting now means you only retrofit old files later.
• “Email plus Zoom is fine.” Regulators accept it on paper, but any breach spills across countless inboxes. Purpose-built portals close the leak.
• “Risk screening is overkill.” Sanctions and PEP checks aren’t optional from July 2026. Embedding them early means one process, not two.
• “Small firms will fly under the radar.” AUSTRAC’s model is registration-based, not size-based. A sole practitioner forming one company still counts.
Roll-out Plan: From July 2024 to July 2026
Phase 1 – Clean Up the Front Door (Q3 2024)
• Map the client base: tag everyone without documented ID.
• Select a secure KYC tool; run it on every client onboarded from July.
• Ban email ID scans; train staff on the new portal.
Phase 2 – Retrofit & Document (Q4 2024 – Q2 2025)
• Work through legacy clients in tranches (start with high-risk industries).
• Draft an AML/CTF programme template—update when AUSTRAC’s final guidance lands late 2025.
• Nominate a Compliance Officer; agree on a “no-tipping-off” script.
Phase 3 – Stress-Test (Q3 2025)
• Quarterly desk audits: pull 10 files at random; trace the ID check, screening, and risk decision for each.
• Run tabletop scenarios: suspicious transfer, staff whistle-blower, cyber leak.
Phase 4 – Go Live (Q1 2026)
• Register with AUSTRAC (opens 31 March).
• Launch firm-wide training; log completion.
• Flip monitoring to ‘steady-state’—exceptions drive alerts, not spreadsheets.
Corey Cacic and Stacie Shaw at the Growth Club Summit showed that AML compliance is no longer a bank-only sport.
Firms that embed secure ID checks, risk screening, and live dashboards today will glide into 2026 audit-ready, while those who wait may face a last-minute scramble. Choose which side of that line you want to be on, and start with the next new client who walks through your door. Your future self will thank you.