Compliance · Finance, advisers, accountants
Tax Practitioners Board obligations, ASIC cyber-resilience expectations, AFSL data handling, AML reporting from 2026. Financial-services compliance pressures stack. The firms who handle them without heroics have the right IT discipline in place before the regulator asks.
Live right now · finance, advisers, accountants
Active regulatory pressures we're already working through with clients in your sector. Each card links to the detailed guide.
Captures accounting practices providing designated services (corporate appointments, nominee, company and trust formation, client-money handling). AML/CTF programme due 30 June 2026, enrolment closes 29 July 2026.
Read the full guideWhat we do · compliance practice
What we do for a finance practice varies with the authorisations the firm holds. An AFSL-authorised adviser has ASIC's cyber-resilience expectations baked into their licensing obligations. A registered tax agent has Tax Practitioners Board record-keeping and client-data obligations. An accountant providing designated services (trust account, payroll, company formation) becomes an AUSTRAC reporting entity from 1 July 2026. Different obligations, overlapping technical controls. We map the overlap so a single well-designed stack covers the full obligation surface without ten separate implementations.
The practical work sits around client-data handling. Where client files live, who can access them, what happens when a staff member leaves, how the firm would prove to an auditor that an unauthorised access never happened. Most mid-size practices we onboard have good intentions on all of this and uneven evidence. We close the evidence gap with identity controls, logging, retention policy and document-management configuration, then keep the record current month by month.
We do not provide financial services advice or compliance sign-off. The CA ANZ, CPA Australia, or FASEA-flavoured interpretations remain the responsibility of the firm's principals and its compliance officer. We build the systems those interpretations rely on to be honest.
Where it fits · managed IT engagement
The Client Security Baseline covers the baseline financial-services controls (MFA, application control, backups, offboarding, vulnerability management) for every CCP client. Where a practice is captured by a specific additional regime (AUSTRAC enrolment, ASIC market-participant obligations, an APRA-regulated parent), we layer the extra controls on per engagement. Compliance obligations are not a plan tier, they are an overlay.
Next step · start with the evidence
The Essential Eight self-assessment takes about ten minutes and gives you a branded PDF report you can hand to your compliance officer, your insurer, or your board the same day. If you want to confirm we're the right shop for the work, the fit check comes next.
