Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- Why are these services being brought into the AML/CTF regime?
- Which businesses should be paying attention?
- What services may be captured?
- How the client relationship may change
- What onboarding documents may need to collect
- Why service terms may need updating
- How privacy policies and collection notices should change
- What internal processes may need updating?
- Common risk scenarios for trust and company service providers
- What should businesses do before 1 July 2026?
- Key takeaway
If your business helps clients set up companies or trusts, provides registered office services, or arranges nominee directors or shareholders, Australia’s new AML/CTF laws may affect your client onboarding from 1 July 2026.
These services are commonly used for legitimate commercial reasons. However, they can also be misused to obscure who ultimately owns, controls or benefits from a structure. That is why the reforms will bring certain trust and company service provider activities into AUSTRAC’s regulatory regime.
The key question is not what your business calls itself, but whether it provides a designated service. For businesses in this space, that means reviewing the actual services offered, including company formation, trust establishment, nominee arrangements, registered office services, and acting as - or arranging for someone to act as - a director, secretary, trustee, partner or nominee shareholder.
Why are these services being brought into the AML/CTF regime?
Australia’s AML/CTF laws are being expanded to cover certain “Tranche 2” services. The reforms are intended to modernise Australia’s AML/CTF regime and bring it closer to international standards set by the Financial Action Task Force.
For trust and company service providers, the focus is on transparency. A company can create a separate legal identity. A trust can separate legal ownership from beneficial enjoyment. In this context, a “legal arrangement” will often include trust structures and similar arrangements where legal ownership and beneficial enjoyment may sit with different people.
A nominee shareholder or director can place someone else’s name on public records. A registered office address can give a structure an official point of contact or local presence.
In many cases, these arrangements are legitimate. But in higher-risk cases, they can make it harder to identify the person who ultimately owns, controls or benefits from the structure. That is why AML/CTF compliance for these businesses is likely to focus heavily on identity, beneficial ownership, control and the purpose of the arrangement.
Which businesses should be paying attention?
This article is relevant to businesses that help clients incorporate companies, establish trusts, arrange nominee directors or shareholders, provide registered office or principal place of business addresses, or act as, or arrange for someone to act as, a director, secretary, trustee, partner or nominee shareholder.
This may include company registration agents, corporate secretarial providers, virtual office providers, trust deed providers, business setup consultants, accounting firms, legal document platforms and advisory firms that package entity establishment with ongoing administration services.
However, not every business that works with companies or trusts will automatically be regulated. The AML/CTF regime is based on designated services, so the issue is whether the business provides a specific service covered by the legislation and AUSTRAC guidance. Home Affairs has also noted that new AML/CTF obligations for Tranche 2 entities apply to those providing new designated services from 1 July 2026.
The service must also have the required geographical link to Australia. Businesses with offshore clients, offshore staff, overseas structures or cross-border delivery models should get advice on how the rules apply to their circumstances.
What services may be captured?
For trust and company service providers, the key question is whether the business helps clients create, structure or administer companies, trusts or similar arrangements.
AUSTRAC’s guidance identifies several relevant designated services, including assisting with the creation or restructuring of a company or legal arrangement, selling or transferring a shelf company, acting as or arranging for someone to act as a director, secretary, trustee, partner or nominee shareholder, and providing a registered office or principal place of business address.
In practice, this means businesses should review services such as company incorporation, trust establishment, nominee arrangements, registered office services, virtual office services and corporate administration packages.
Nominee and registered office services deserve particular attention because they can make it harder to identify who ultimately owns, controls or benefits from a structure. These services may be legitimate, but they can also raise transparency concerns.
Businesses should also avoid assuming they are outside the regime because the service is only occasional, secondary or bundled with another offering. AUSTRAC’s guidance indicates that a service can still be provided “in the course of carrying on a business” even if it is not the provider’s main service.
How the client relationship may change
For many affected businesses, the biggest practical change will be at the start of the client relationship.
A client who previously expected a fast company registration, same-day trust deed or simple registered office setup may now need to provide more information before the provider can proceed. That information may include identity details, beneficial ownership information, the reason for the structure, the jurisdictions involved and whether anyone is acting on behalf of someone else.
This may feel like extra friction, particularly for businesses that market themselves on speed and convenience. However, for captured businesses, onboarding will no longer be only about collecting enough information to deliver the service. It will also be about collecting enough information to understand and manage AML/CTF risk.
These client-facing changes sit within a broader compliance framework. If a business is captured, it will generally need to enrol with AUSTRAC, develop and maintain an AML/CTF program, appoint an AML/CTF compliance officer, conduct initial and ongoing customer due diligence, report certain matters and keep required records. AUSTRAC’s Tranche 2 obligations factsheet summarises these obligations for newly regulated reporting entities.
For small businesses, the compliance framework should be proportionate to the nature, size and complexity of the business. A small provider offering straightforward local company setup services may have a different risk profile from a provider offering nominee arrangements, offshore structures or ongoing resident director services.
What onboarding documents may need to collect
Onboarding documents will likely need to move beyond basic contact details, billing information and ASIC-related fields.
Providers may need to collect and verify information about the client, the people behind the client, and the purpose of the structure being created. For companies, this may include directors, shareholders, beneficial owners and controllers. For trusts, it may include trustees, appointors, beneficiaries and anyone with effective control.
The level of enquiry should depend on the risk profile of the client and service. A simple local company setup may require less information than a structure involving nominee arrangements, offshore parties, complex ownership chains or instructions from an intermediary.
Where higher-risk features are present, providers may need to ask further questions about why the structure is being used, who ultimately owns or controls it, and whether the explanation matches the documents and circumstances.
Why service terms may need updating
Service terms should support the provider’s AML/CTF obligations. If a provider needs to verify a client, assess risk or collect beneficial ownership information before providing a service, its terms should give it the right to request that information and delay, refuse or suspend services where appropriate.
The terms should also require clients to provide accurate and up-to-date information about identity, ownership, control and the purpose of the requested service. For ongoing services, such as registered office, nominee shareholder, resident director, company secretary or trustee services, clients should be required to notify the provider if relevant details change.
This is particularly important for services that clients expect to be delivered quickly, such as company registrations or trust deed establishment. The terms should make clear that compliance checks may affect timing, and that the provider may not always be able to explain every compliance-related decision, particularly where suspicious matter reporting obligations are involved.
How privacy policies and collection notices should change
AML/CTF compliance may require providers to collect more personal information than they have collected in the past. This could include identity documents, dates of birth, residential addresses, beneficial ownership information, screening results and details about the purpose of a structure.
Importantly, this information may relate to people who are not the direct client, such as directors, shareholders, trustees, appointors, beneficiaries, nominees, controllers and beneficial owners.
Privacy policies and collection notices should explain why this information is collected, how it will be used, who it may be disclosed to and how long it may be retained. They should also cover disclosures to verification providers, screening vendors, regulators, professional advisers, cloud software providers and related entities where relevant.
What internal processes may need updating?
Document updates will only go so far. Businesses will also need internal processes to help staff identify when a matter is routine, when more information is needed and when concerns should be escalated.
This should start with service mapping. Before updating forms or adopting verification software, a business should identify which services it provides and assess whether they may be designated services. This should include both one-off services, such as company or trust setup, and ongoing services, such as registered office, nominee shareholder, director, secretary or corporate administration services.
Businesses should also develop a risk assessment process. A simple local company setup with clear ownership may carry a different risk profile from a foreign-owned structure involving nominee shareholders, a registered office service and complex trust arrangements.
Staff should be trained to recognise red flags, such as clients refusing to disclose beneficial owners, using nominee arrangements without a clear commercial reason, providing inconsistent information or pressuring staff to avoid normal checks. There should also be a clear process for deciding who reviews higher-risk matters and when the business may need to decline or exit a service.
Common risk scenarios for trust and company service providers
Some scenarios are likely to require closer review.
For example, a client may ask for a company to be incorporated using a nominee shareholder and registered office address, while providing limited information about who will actually control the company. Another client may ask for a trust to be established with offshore beneficiaries or an appointor whose role is unclear. A foreign client may request a local director service but resist explaining the business activity or commercial reason for the arrangement.
These scenarios do not automatically mean the provider must refuse the work. However, they may indicate that further questions are needed. The provider may need to understand who the real client is, who owns or controls the structure, why the arrangement is being used and whether the explanation matches the documents and circumstances.
What should businesses do before 1 July 2026?
For trust and company service providers, preparation should start with service mapping. Businesses should identify the services they provide, assess which services may be captured, and then update their onboarding documents, service terms, privacy documents and internal procedures in a coordinated way.
The key is to build AML/CTF compliance into the client journey, rather than treating it as a standalone policy. Staff need to know what to ask, clients need to understand why information is being requested, contracts need to support the process and privacy documents need to explain how information will be handled.
Because the regime is service-specific, businesses should get advice on whether their actual service lines are captured before assuming they need to build a full AML/CTF compliance program.
Key takeaway
The AML/CTF reforms may change how trust and company service providers onboard clients, collect information and manage higher-risk services. If your business offers company setup, trust establishment, nominee, registered office or corporate administration services, now is a good time to review your service lines and client documents.
If you would like help with legal advice and updates to your service terms, privacy policy, onboarding forms and other key business documents, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
Alex SoloCo-Founder
