Secure your spot today for the AML/CTF Tranche 2 for Accounting Firms: FREE Masterclass! Limited spots available, don’t miss out! 👈🏻
About Speaker Work With Me Success Stories Blogs Book
GET GUIDE

AML/CTF

The Scope Creep Problem: How a Routine Tax Return Becomes an AML/CTF Compliance Failure

May 22, 2026

The most dangerous AML/CTF compliance failure in an accounting firm is not a dramatic event.

It does not involve a suspicious client, an obvious red flag, or a deliberate decision to ignore the law.

It happens quietly, in the middle of an ordinary engagement, when a routine piece of work expands into something that carries AML/CTF obligations, and nobody applies the trigger check.

It is called scope creep. And it is happening in accounting firms across Australia every single week.


How it happens in practice

Consider a scenario that will feel familiar to most accounting firm principals.

A long-standing client, a family-owned construction business operating through a discretionary trust, asks the firm to prepare the annual trust tax return. Standard work. Straightforward engagement. The firm has acted for this client for years.

During the engagement, the client mentions they want to "clean up the structure a bit." They ask whether the firm can help add a corporate trustee, shift some assets into a new holding company, and change the appointor to a new family member.

The manager says yes. Because the firm has always done this sort of thing.

No scope check is completed. No customer due diligence review is initiated. No beneficial ownership verification is conducted for the new appointor or the new corporate trustee. No risk rating is completed. No engagement letter is updated to reflect the expanded scope and the AML/CTF obligations that now attach to it.

Three weeks later the restructure is complete. The file contains a few emails, a trust deed variation, and an ASIC form.

From 1 July 2026, that file is a compliance failure.


Why this is a designated service engagement

The work described above is not a tax return. It is a collection of designated service engagements bundled together and delivered informally alongside a compliance job.

Creating or arranging the creation of a company, the new corporate trustee, is a designated service.

Restructuring a trust in a way that changes ownership or control, the asset transfers and the holding company interposition, is a designated service.

Facilitating a change of appointor, the person who ultimately controls the trust, is a designated service.

Each of those steps triggers the AML/CTF workflow. The firm must verify the identity of the new corporate trustee's directors and shareholders. It must verify the identity of the new appointor. It must document the commercial rationale for the restructure. It must complete a risk rating and obtain the appropriate level of approval before work commences. It must update the engagement letter to reflect the expanded scope and the firm's AML/CTF obligations.

None of that happened. And the reason it did not happen is the most common compliance failure in the profession: nobody was watching for the trigger.


The trigger check problem

Most accounting firms do not have a consistent, firm-wide process for identifying when an engagement crosses into designated service territory.

Partners and managers make informal judgements based on experience and familiarity. Long-standing clients are assumed to be lower risk. Work that has always been done a certain way continues to be done that way.

That approach was acceptable when accounting firms were unregulated for AML/CTF purposes. It is not acceptable from 1 July 2026.

The AML/CTF framework does not care how long the firm has known the client. It does not care that the work feels routine. It does not care that no red flags are visible.

What it cares about is whether the engagement involves a designated service. If it does, the workflow is mandatory, regardless of relationship history, fee size, or time pressure.


The firm rule that prevents scope creep failures

The solution is not complicated. It requires discipline, not sophistication.

Every time an engagement changes in scope, the designated service trigger check is repeated.

Not once at onboarding and never again. Every time the scope changes.

A tax return that becomes a restructure. An advisory conversation that becomes entity creation. A CFO engagement that becomes transaction facilitation. At each of these transition points, someone in the firm must ask the question: does this work now involve a designated service?

If the answer is yes, or if it is unclear, the AML/CTF workflow applies.

That trigger check must be embedded in the firm's workflow as a standard step, not left to the discretion of whoever happens to be running the engagement.


What needs to be on file

For every designated service engagement, the file must contain evidence that the workflow was followed.

A completed scope and trigger check. Customer due diligence documents for all relevant individuals and entities. Beneficial ownership verification traced to natural persons. A risk rating with a documented rationale. An approval record at the appropriate level. An updated engagement letter with AML/CTF clauses. A monitoring cadence set and recorded.

If those items are not on file, the engagement does not have an AML/CTF compliance record. And as far as AUSTRAC is concerned, if it is not documented, it did not happen.


The cost of getting this wrong

The cost of a scope creep failure is not just regulatory.

A firm that completes a restructure for an unverified beneficial owner with undocumented source of funds has potentially facilitated the movement of money it should not have. That is not a compliance oversight. That is professional enablement, and it is precisely the risk that Tranche 2 is designed to prevent.

The firms that build a consistent, disciplined trigger check into every engagement workflow are the firms that will be protected.

The firms that rely on informal judgement and relationship familiarity will find that the law does not make exceptions for either.


Best Practice Group delivers a turnkey AML/CTF Tranche 2 Training and Certification Program designed specifically for public accounting firms. It includes a complete compliance playbook, two live implementation sessions across three rounds in May, June, and July, 16 operational templates, mandatory compliance assessments, and two certificates per participant issued by Best Practice Group.


If your firm needs to get operational before 1 July 2026, the time to enrol is now.

👉 Register for the AML/CTF Tranche 2 Training Program
👉 Get the AML Playbook

 

Or contact us directly:

📧 [email protected]
📞 1300 274 636

This article is general guidance only and does not constitute legal advice. Firms should confirm their specific obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and seek independent legal advice where required.

John Peterson

ABOUT JOHN

John Peterson, founder of Best Practice Group, offers 30+ years of consulting expertise. With a background as a Fortune 500 management consultant, he specialises in strategy, leadership, and M&A, providing practical insights that enable businesses to overcome challenges, accelerate growth, and secure long-term success. His tailored approach empowers leaders to achieve measurable results and sustainable transformations.

GET IN TOUCH
John Peterson

Get your guide to business mastery today!

GRAB A COPY

Recent Posts

AML/CTF

Beneficial Ownership: The AML/CTF Gap That Will Catch Most Accounting Firms Off Guard
aml/ctf
May 22, 2026

AML/CTF

The Scope Creep Problem: How a Routine Tax Return Becomes an AML/CTF Compliance Failure
aml/ctf
May 22, 2026

AML/CTF

Why the AUSTRAC Starter Kit Is Not Enough for Most Accounting Firms

aml/ctf
May 22, 2026

Categories

All Categories aml/ctf business innovation lifestyle podcast