AML/CTF Tranche 2: The Access Control Gap Australian Accounting Firms Need to Close Before 1 July 2026
4 min read | Regulatory Compliance | AML/CTF Tranche 2 | Access Control
From 1 July 2026, accounting firms providing designated services become reporting entities under Australia’s expanded AML/CTF regime. For many practices, preparation is already underway — AML programs are being drafted, risk assessments are in progress, and compliance roles are being assigned. That is the right work.
But there is one layer that consistently sits at the back of the queue: access control.
Not because firms think it does not matter. Because it tends to live in the background — spread across disconnected systems, managed informally, and rarely questioned until something goes wrong.
If your firm is in scope for Tranche 2, the question is not only whether your policies exist. It is whether you can show — with evidence — that access to your systems and client records is controlled, appropriate, and visible in practice.
AUSTRAC has been clear. Documentation alone is not enough. Controls need to be real, and they need to be demonstrable.

Does AML/CTF Tranche 2 apply to your accounting firm?
Scope comes first.
Tranche 2 obligations commence on 1 July 2026 for accounting firms providing designated services. The trigger is not firm size. It is the type of work you provide.
Designated services can include: assisting with entity or real estate transactions, managing client funds, working with trust and company structures, or acting in a fiduciary capacity.
Standard tax preparation, bookkeeping, BAS lodgement, and audit services are generally not designated services unless they form part of a broader higher-risk transaction. Bookkeeping-only firms are not currently captured.
The practical step: Confirm your position using AUSTRAC’s designated services tool at austrac.gov.au before 1 July. It is the clearest way to check whether the services your firm provides trigger reporting entity obligations.
Disclaimer: This article does not constitute legal advice. For AML/CTF obligations specific to your firm, consult your legal or compliance adviser.

What most firms are already doing right
Most practices preparing for Tranche 2 are not starting from zero.
Across the profession, there is solid progress. Firms are developing AML/CTF programs, completing risk assessments, appointing compliance officers, and documenting customer due diligence processes. Staff training is being planned. Suspicious matter reporting workflows are being defined.
This work is important and it reflects the seriousness with which firm owners are approaching the change.
The risk is that this progress creates a false sense of completeness.
A program can look sound on paper — policies drafted, responsibilities assigned, workflows documented — while still having weak control over who can actually access key systems and client information. If access is broad, shared, poorly monitored, or slow to revoke, your control environment is harder to defend than it looks — even if the documentation is clean.

What AUSTRAC expects from access controls — and where the gap usually sits
AUSTRAC has flagged consistently that insider activity — intentional or accidental — is one of the most common ways AML/CTF controls fail in practice.
In accounting firms, the access problems are rarely dramatic. They tend to be ordinary by-products of busy practices and disconnected systems:
- A shared login that was meant to be temporary and was never changed
- A team member who still has access to client records they no longer work on
- A contractor whose credentials remain active weeks after the engagement ended
- A former staff member whose access to Xero, your document management system, and your ATO portal was never fully revoked
These are not unusual failures. They are common patterns in practices with no dedicated IT function — which describes the majority of Australian accounting firms.
But they matter for AML/CTF compliance. If your firm cannot answer the following questions with confidence, your control environment has a gap worth closing before 1 July:
- Who has access to which systems right now?
- Which client records can they see, and is that access appropriate to their role?
- When was that access last reviewed?
- If someone left today, how quickly could you remove their access — and could you produce a record showing when it happened?
These are not complex questions. But for many firms, answering them requires manual investigation across multiple disconnected systems. That is the access control gap.

What good access control looks like for AML compliance
Good access control for accounting firms does not need to be complex. It needs to be clear, consistent, and easy to evidence when AUSTRAC, the TPB, or the OAIC asks.
Unique credentials for every team member. Shared logins make accountability difficult and investigations impossible. If multiple people use the same credentials for your practice management system or ATO portal, you cannot show who accessed what — or when.
MFA enforced across all core systems. Multi-factor authentication across email, document management, practice management tools, and any application holding sensitive client data is now an explicit requirement under the amended Privacy Act (APP 11) — as well as an access control expectation under AML/CTF. MFA is one of the most impactful single controls a firm can implement.
Role-based access that matches actual responsibilities. Broad access granted “just in case” is easy to justify in the moment and hard to defend in an audit. Access should be tied to roles, reviewed regularly, and adjusted when responsibilities change.
Prompt, documented offboarding. When someone leaves, changes roles, or finishes a contract, their access should be removed across all relevant systems — and there should be a timestamped record showing when that happened and who actioned it. This is relevant not just for AML compliance, but for Privacy Act obligations and TPB Code requirements simultaneously.
Audit logs you can produce on demand. Evidence is only useful if it can be retrieved without friction. If access data exists but is spread across disconnected admin consoles, it is difficult to rely on under regulatory time pressure.

The compliance confidence your firm needs — not just the controls
Here is the distinction that matters for accounting firms navigating overlapping regulatory obligations in 2026.
Most practices focus on implementing controls. Fewer focus on being able to demonstrate them.
The TPB Code (Item 17, effective 1 July 2025) requires a documented security system — not just one that exists, but one you can produce. The Privacy Act’s APP 11 requires demonstrable ‘technical and organisational measures.’ AUSTRAC expects firms to show that access controls are operating as intended.
Documentation and evidence are not afterthoughts. They are what turns a well-run firm into a defensible one.
This is where the distinction between a security tool and a compliance platform matters. Practice Protect Core™ was built specifically for accounting firms — providing SSO and enforced MFA across the apps your firm actually uses (Xero, MYOB, XPM, ATO Online Services, and 6,000+ integrations), one-click offboarding with timestamped audit records, and the Compliance Hub: a done-for-you documentation suite that includes a Documented Security System, Risk Assessment Matrix, Risk Mitigation Plan, and Incident Response Plan — all built to the standard the TPB, Privacy Act, and ATO explicitly require.
It is not an AML/CTF program. It is the access infrastructure that your AML program — and your TPB compliance, and your Privacy Act posture — all depend on.

A practical pre-1 July checklist for accounting firms
Before 1 July, review your firm’s access controls against these five questions:
- Does every team member have unique credentials across your practice management, document management, and ATO portal systems — or are any shared logins still in use?
- Is MFA enforced firm-wide — not just recommended, but required — across all systems holding client data?
- Is access aligned to roles — can you confirm that each person can only see what they need to do their job?
- Do you have a documented offboarding process — with a record of when access was removed and who actioned it — or is offboarding currently manual and ad hoc?
- Can you produce an access audit log on demand — or would answering AUSTRAC’s questions require manual investigation across multiple disconnected systems?
If the answer to any of these is unclear, that is the gap worth addressing before 1 July — not after.

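As an added example (not code from the original article, and not Practice Protect's product), a small Python access review that turns the four questions in the previous section and the checklist above into automated findings over a constructed inventory. The role map, staff status list and revocation log are hypothetical; in a real firm they would be exported from the identity provider, HR system and offboarding records.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only: one row per account per system.
ROLE_SYSTEMS = {  # hypothetical map of what each role legitimately needs
    "partner": {"xero", "dms", "ato_portal", "email"},
    "accountant": {"xero", "dms", "email"},
    "admin": {"email", "dms"},
}
STAFF_STATUS = {"alice": "active", "bob": "active", "carol": "left"}  # from HR
ACCESS = [  # user, role, system, shared login?, still enabled?, last access review
    ("alice", "partner", "xero", False, True, date(2026, 4, 1)),
    ("bob", "accountant", "ato_portal", True, True, date(2025, 11, 10)),
    ("bob", "accountant", "dms", False, True, date(2026, 4, 1)),
    ("carol", "accountant", "xero", False, True, date(2026, 1, 5)),
    ("carol", "accountant", "email", False, False, date(2026, 1, 5)),
    ("carol", "accountant", "dms", False, False, date(2026, 1, 5)),
]
REVOCATIONS = [  # the timestamped offboarding record the article asks for
    {"user": "carol", "system": "email", "removed_on": date(2026, 2, 2), "by": "alice"},
]


def review_access(access, roles, staff, revocations, today, max_review_age=90):
    """Return (check, user, system, detail) findings for each control gap."""
    findings = []
    revoked = {(r["user"], r["system"]) for r in revocations}
    for user, role, system, shared, enabled, last_review in access:
        if shared:  # unique credentials: shared logins break accountability
            findings.append(("shared_login", user, system, "no individual accountability"))
        if enabled and system not in roles.get(role, set()):  # role-based access
            findings.append(("outside_role", user, system, f"not needed for role '{role}'"))
        if enabled and today - last_review > timedelta(days=max_review_age):
            findings.append(("stale_review", user, system, f"last reviewed {last_review}"))
        if staff.get(user) == "left":  # offboarding: access gone, and evidenced
            if enabled:
                findings.append(("departed_still_active", user, system, "revoke and record"))
            elif (user, system) not in revoked:
                findings.append(("no_offboarding_record", user, system, "disabled but no evidence"))
    return findings


def demo(today=date(2026, 4, 15)):
    """Run the review over the constructed data as of a fixed date."""
    return review_access(ACCESS, ROLE_SYSTEMS, STAFF_STATUS, REVOCATIONS, today)


if __name__ == "__main__":
    for check, user, system, detail in demo():
        print(f"{check:22} {user:6} {system:11} {detail}")
```

The output is the evidence list a reviewer would expect: which findings are open, for whom, on which system, as of a stated date.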
Know exactly where your firm stands across every compliance obligation
AML/CTF Tranche 2 is one of six regulatory frameworks now placing explicit cyber security and access control obligations on Australian accounting firms. The others — the TPB Code, Privacy Act reforms, Cyber Security Act 2024, ATO access security requirements, and the OAIC’s NDB scheme — all overlap, and all require different controls and different evidence.
Practice Protect has mapped every obligation across all six frameworks — showing exactly which control is required, which Practice Protect feature delivers it, and what evidence your firm can produce on demand.
The 2026 Accounting Regulatory Compliance Map is free to download.
→ Download the 2026 Regulatory Compliance Map
It is the fastest way to see where your firm’s access controls stand against every obligation — and what the gaps are worth closing before they become enforcement events.
→ Or speak with a Practice Protect specialist if you would like a firm-specific review before 1 July.

Frequently asked questions
Does AML/CTF Tranche 2 apply to all accounting firms?
No. Tranche 2 applies to accounting firms providing designated services — including trust and company work, managing client funds, and certain fiduciary services. Standard tax preparation, BAS lodgement, bookkeeping, and audit services are generally not captured. Use AUSTRAC’s designated services tool to confirm your firm’s position.
When do AML/CTF Tranche 2 obligations start?
1 July 2026 for accounting firms that provide designated services. Enrolment with AUSTRAC, AML/CTF program development, and customer due diligence procedures should be in place before that date.
What access controls does AUSTRAC expect from accounting firms?
AUSTRAC expects firms to be able to demonstrate that access to systems and client records is controlled, appropriate, and monitored. In practice, this means unique credentials per staff member, MFA across core systems, role-based access management, documented offboarding procedures, and audit logs showing who accessed what and when.
Does the Privacy Act also require access controls?
Yes. The amended Privacy Act (APP 11, effective December 2024) now explicitly names MFA, access privilege management, and deactivating accounts on staff departure as required technical and organisational measures. Civil penalties for serious breaches can reach $3.3 million per event for companies.
What is one-click offboarding and why does it matter for compliance?
One-click offboarding is the ability to revoke a departing staff member’s access across all connected systems — Xero, MYOB, email, document management, ATO portal — in a single action, with a timestamped audit record. This directly addresses Privacy Act offboarding requirements, TPB Code obligations, and AML/CTF access governance expectations simultaneously.
What is the Regulatory Compliance Map?
It is a free Practice Protect resource that maps every major cybersecurity and access control obligation facing Australian accounting firms in 2026 — TPB Code, Privacy Act, Cyber Security Act, ATO access requirements, NDB scheme, and AML/CTF — to the specific control required, the Practice Protect feature that delivers it, and the evidence your firm can produce on demand. Download it here.

Practice Protect is the only cybersecurity platform built exclusively for Australian accounting firms — giving every practice the compliance confidence, client protection, and operational simplicity that running a modern firm now demands. Trusted by 28,000+ accounting professionals.