AUSTRAC's expanded AML/CTF reforms are live. If you manage 50+ entities on spreadsheets, your compliance posture has a problem. Here's what the new regime requires — and how purpose-built entity management software closes the gap before the 1 July 2026 deadline.
For years, Australia's AML/CTF framework applied mainly to financial institutions, remittance providers, and casinos. That era is over.
AUSTRAC's reforms — rolling out across 2025 and 2026 — now extend AML/CTF obligations to a much broader group of "designated services" providers. The newly regulated sectors include:
This last category — TCSPs — is where it gets directly relevant to EntityFlo's clients. If your organisation provides corporate administration services, manages entities on behalf of clients, or handles the formation and maintenance of companies and trusts, you are now in scope.
You can find the full list of newly regulated businesses at AUSTRAC's designated services register.
The compliance deadline is 1 July 2026. That's 82 days away. And the obligations aren't light.
This is where most governance teams underestimate the lift. AML/CTF compliance isn't just a policy document exercise. It creates direct, operational requirements around your entity data — the same data that lives (or should live) in your entity register.
Here's what you're now expected to have:
You must have a written AML/CTF program that covers your risk assessment methodology, your customer due diligence procedures, your suspicious matter reporting process, and your staff training requirements.
That program needs to reflect your actual entity structure. It has to map risk across your portfolio — not just your business as a whole, but across the entities you manage or administer.
For each entity in scope, you need to capture and maintain:
This is not a one-time exercise. CDD records must be kept current. Ownership structures change. Directors change. Beneficial owners change. If your entity register doesn't capture these changes with timestamps and audit trails, your CDD program has gaps.
UBO identification is now a hard requirement for regulated entities. You need to know — and document — who sits at the top of every ownership chain.
For a company with a simple cap table, that's straightforward. For a mid-market corporate group with 50-200 entities, holding companies, cross-holdings, and trust structures layered across multiple jurisdictions? It's a project.
Manual UBO mapping on spreadsheets is not a durable compliance approach. It breaks every time an ownership change happens and you miss updating row 147 in a workbook that five different people edit.
If your team identifies a transaction or behaviour that might indicate money laundering or terrorism financing, you are required to report it to AUSTRAC. That process requires you to know exactly which entities are involved, who controls them, and what the ownership chain looks like — immediately.
You cannot be scrambling through spreadsheets at that moment.
AML/CTF obligations aren't a set-and-forget exercise. You need to monitor customer relationships, keep records for at least seven years, and update your risk assessment as your entity portfolio evolves.
That means your entity register needs to be a living system — not a static spreadsheet that gets updated when someone remembers.
Let me be direct: a spreadsheet-based entity register is not an AML/CTF compliance tool. It never was. But under the old regime, you could get away with it because the regulatory stakes were lower.
Under the expanded AUSTRAC framework, running your entity register on spreadsheets creates specific, auditable compliance risks:
No version control. When an ownership structure changes, how do you prove what it looked like on a specific date? AUSTRAC requires historical records. Spreadsheets don't do that without manual version management — which nobody actually does.
No audit trail. Who updated the beneficial ownership for Trust 23 on March 14? What did it say before? Spreadsheets don't answer that question. A purpose-built entity register does.
No automated alerts. When a director's appointment changes or a share transfer occurs, does your spreadsheet flag that it needs a CDD review? Of course not. The manual process relies on someone remembering. People don't always remember.
No cross-entity UBO mapping. Calculating beneficial ownership across a portfolio with holding structures requires logic that spreadsheets can technically perform but that breaks the moment you add complexity. One formula error and your UBO report is wrong — without you knowing it.
No role-based access. Who has access to your entity register? In a spreadsheet model, it's usually "everyone who has the link." That's not a compliance-grade access control posture.
A purpose-built entity management platform treats compliance as a core function, not an afterthought. Here's what that looks like in practice for AML/CTF obligations:
Centralised entity register. Every entity, in every jurisdiction, with its current and historical data — directors, shareholders, beneficial owners, key dates — in one system. Not across six files on a shared drive.
Beneficial ownership mapping. A platform that understands corporate structures can calculate and visualise UBO chains automatically. When an ownership change is recorded, the UBO calculation updates. You're not relying on a formula in column R of a spreadsheet.
Immutable audit trail. Every change is timestamped and attributed. You know who made it, when, and what it replaced. This is not just useful for AML/CTF — it's the foundation of any defensible compliance position.
Document management with version control. Constitutions, trust deeds, ASIC-lodged documents, CDD records — stored against the entity they belong to, with version history intact.
ASIC data integration. For Australian entities, the underlying ASIC register is the source of truth. A platform that syncs directly with ASIC means your entity data stays accurate without manual maintenance.
Alerts and review triggers. When a director appointment changes or an entity milestone approaches, the system flags it for review. Compliance doesn't rely on institutional memory.
This is the infrastructure that makes AML/CTF compliance operationally sustainable — not just a policy on paper.
If there's one place where governance teams are going to get caught out under the new AUSTRAC regime, it's beneficial ownership.
UBO mapping is hard because ownership structures are genuinely complex. A mid-market Australian corporate group with 100 entities might have:
Getting this right requires a system that understands ownership relationships — not just a list of entities. You need to be able to traverse the ownership chain upward, identify control thresholds (typically 25% voting rights or economic interest), and document what you found at a specific point in time.
That's an entity management problem. And it's one that only purpose-built software can solve at scale.
One more thing worth keeping in mind: the AUSTRAC reforms don't reduce your ASIC obligations. They add to them.
Annual reviews, director consent management, share register maintenance, substantial holder notifications, ASIC form lodgements — these don't pause while you build your AML/CTF program. In fact, the same entity data that underpins your ASIC compliance is exactly what you need for AML/CTF compliance.
The right entity management platform serves both. One register. One source of truth. ASIC compliance and AML/CTF compliance running off the same data foundation.
For more on ASIC's current regulatory priorities, see ASIC's regulatory guide library — particularly RG 78 (related party transactions) and guidance on proper governance recordkeeping.
If you're reading this as a CFO or Company Secretary at an Australian mid-market business with a multi-entity portfolio, here's the honest priority list:
AUSTRAC's expanded AML/CTF regime is not a theoretical future obligation. It's live. For newly regulated sectors — including TCSPs, law firms, accounting firms, and real estate — the compliance clock started ticking in 2025, with a hard deadline of 1 July 2026.
The organisations that will handle this well are the ones who treat their entity register as compliance infrastructure, not an administrative afterthought. That means purpose-built software, not spreadsheets. Immutable audit trails, not version-history files saved as "entity register FINAL v3".
At EntityFlo, we built the platform specifically for this: Australian mid-market businesses managing complex entity portfolios who need governance that actually holds up under scrutiny. If you want to see how EntityFlo maps your entity portfolio to your AML/CTF obligations, book a demo.
The 1 July deadline doesn't move. Your entity register should.
Nathan Carroll is the founder and CEO of EntityFlo, a corporate governance and entity management platform built for Australian mid-market businesses. With a background across multiple exits and entity-heavy portfolio companies, he writes on governance, compliance, and the operational realities of managing complex corporate structures.
Tags: AML/CTF compliance, entity management software Australia, AUSTRAC AML/CTF reforms, beneficial ownership tracking, company secretary software, corporate governance software Australia, UBO compliance, AUSTRAC Tranche 2
We use cookies to improve your experience. Essential cookies are always active. You can accept all cookies or choose essential only.