Am I a reporting entity under the AML/CTF Tranche 2 reforms?

You may be, if you provide designated services. These include company and trust formation, nominee shareholder or director services, and SMSF-related services in some interpretations. Check the AUSTRAC designated services list and seek advice if your service scope is borderline.

Do Privacy Act reforms affect how I store client tax records?

Yes. Enhanced obligations around data minimisation, right to erasure requests, and breach notification timelines now apply to personal information in client financial records. You need a documented process for handling erasure requests, noting which records are subject to statutory retention obligations that override the erasure right.

What does the TPB now require around cyber security?

Registered tax and BAS agents are expected to have reasonable controls protecting their practice management software and client portals. The TPB has published guidance on multi-factor authentication, password management, and incident response planning. Failure to meet these standards is a code of conduct risk.

What is the biggest cyber threat to accounting practices right now?

Business email compromise targeting ATO and myGov portals and practice management software. Attackers use stolen or phished credentials to redirect tax refunds, access client data, or submit fraudulent returns. The primary entry point is compromised staff credentials, not malware.

Compliance Readiness 2026

Accountants & Bookkeepers: 2026 Compliance Readiness in Australia

Accountants and bookkeepers face converging obligations in 2026: AML/CTF Tranche 2 for those providing designated services, Privacy Act reforms affecting client data, TPB cyber obligations, and growing credential theft targeting BAS portals.

What is changing for accountants in 2026?

AML/CTF Tranche 2: Accountants providing designated services (company/trust formation, nominee services) are now reporting entities.
Privacy Act reforms: Enhanced client data obligations, right to erasure, privacy impact assessments for new systems (effective 10 December 2026).
TPB Code: Expanded obligations around cyber security and data protection for registered tax and BAS agents.
BAS portal threats: The ATO has flagged credential theft targeting practice management software (Xero, MYOB, Reckon) as a priority risk.

Accountants & Bookkeepers

Common blind spots

Check your readiness

Use our free self-assessment tool to identify gaps in your AML/CTF, privacy, and cyber controls.

Accountants Compliance Quiz

Written by Tim Jones, Founder & Principal Consultant, Nifty Computing

Published 28 April 2026 · Last reviewed 5 May 2026

Applies to: Australia (all states and territories)

Sources: AUSTRAC AML/CTF Act 2006, Privacy Act 1988 (Cth), Tax Practitioners Board, ATO

Not sure where your practice stands?

Book a free walkthrough with Nifty Computing - we'll review your AML/CTF, privacy, and cyber posture and prioritise the gaps that matter most.