AML/CTF · TCSP

The TCSP Typology AUSTRAC Is Most Concerned About — Shell Companies, Layering and Enhanced CDD Australia 2026

Published 7 June 2026Last reviewed June 20265 min readBy Paul Wise

Among all the Tranche 2 sectors, trust and company service providers sit closest to the mechanism criminals actually use. When AUSTRAC talks about gatekeepers, this is the gate it's most worried about — because professional service providers can, often unknowingly, build the very structures that hide dirty money.

The typology: shell companies and layering

The pattern to understand is layering through shell companies. It works like this:

  • A client asks you to set up one or more companies or trusts.
  • Those entities are stacked — companies owning companies, trusts holding shares, nominees inserted as directors or shareholders.
  • The resulting structure is complex enough that the real beneficial owner is buried several layers down.
  • Funds are moved through the structure ("layering") so their origin becomes almost impossible to trace.

Each individual step looks like ordinary corporate work. That's what makes professional service providers so useful to launderers — and why a TCSP can facilitate serious crime without ever intending to.

The red flags that should trigger a closer look

You're not expected to be an investigator, but you are expected to notice when a structure doesn't make commercial sense. Warning signs include:

  • Unnecessary complexity — layered entities or offshore links with no genuine business rationale.
  • Nominee arrangements that appear designed to obscure who's really in control.
  • Reluctance to disclose beneficial owners, or vague answers about the purpose of the structure.
  • Speed and secrecy — pressure to set things up fast with minimal questions.
  • A mismatch between the client's profile and the scale or sophistication of what they're asking you to build.

When to escalate to enhanced due diligence

These signals are enhanced customer due diligence (ECDD) triggers. The reformed CDD framework is explicitly risk-based: where the money-laundering risk is higher — high-complexity structures, opaque ownership, higher-risk jurisdictions, or a politically exposed person (PEP) involved — standard checks aren't enough.

ECDD means digging deeper: more verification, closer scrutiny of source of funds and source of wealth, and senior sign-off before you proceed. Your AML/CTF policies (s 26F) must set out the circumstances in which ECDD applies, informed by your ML/TF risk assessment (s 26C).

The practical problem is consistency. Whether a structure gets flagged for ECDD shouldn't depend on which staff member happened to onboard it or how busy the week was.

Make the risk call automatically

Veriqua's Customer Risk module uses AI-assisted risk scoring to flag high-complexity structures for ECDD automatically. Instead of relying on individual judgement to catch the layered, opaque, nominee-laden structures that warrant extra scrutiny, the platform scores each customer and surfaces the ones that need enhanced due diligence — consistently, on every engagement, with the reasoning recorded.

That protects your practice two ways: it raises the structures that genuinely deserve a second look, and it gives you a defensible, timestamped record showing you applied a risk-based approach — exactly what AUSTRAC expects from the sector it watches most closely. See AI risk scoring in two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

What is the shell company typology AUSTRAC is most concerned about for TCSPs?
The primary concern is layering through shell companies: a client requests one or more companies or trusts, which are stacked (companies owning companies, trusts holding shares, nominees as directors), creating a structure complex enough to bury the real beneficial owner several layers down. Funds are then moved through this structure to obscure their origin — a process called layering. TCSPs are uniquely exposed because each individual step appears to be ordinary corporate work.
When does enhanced customer due diligence (ECDD) apply for a TCSP?
ECDD applies when the money-laundering risk is elevated. Triggers include: high-complexity or multi-layer structures; opaque or layered ownership that makes beneficial ownership hard to trace; involvement of offshore entities or higher-risk jurisdictions; a politically exposed person (PEP) as a beneficial owner or client; reluctance to disclose ownership information; or pressure to proceed quickly with minimal due diligence.
What are the red flags that a corporate structure may be used for money laundering?
Key red flags include: unnecessary complexity (layered entities or offshore links with no genuine business rationale), nominee arrangements that appear designed to obscure control, reluctance to identify beneficial owners, pressure to set up quickly with minimal questions, and a mismatch between the client's apparent profile and the scale or sophistication of the structure requested. Any of these should prompt a closer look and potentially trigger ECDD.
How does a risk-based approach work for TCSP AML/CTF compliance?
A risk-based approach means calibrating the intensity of your due diligence to the level of money-laundering risk the client and engagement present. Lower-risk clients receive standard CDD; higher-risk clients (complex structures, opaque ownership, PEPs, offshore links) require enhanced CDD with more verification, source-of-funds scrutiny and senior sign-off. Your AML/CTF policies must document the risk factors that trigger each level, and your ML/TF risk assessment must inform those policies.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at June 2026. It reflects our understanding of the AML/CTF reforms and AUSTRAC guidance as at that date, which may change. It is not legal, financial or compliance advice and must not be relied on as such. Whether ECDD applies to a specific client or engagement depends on your risk assessment and the facts. Obtain advice from a qualified professional and refer to current AUSTRAC guidance at austrac.gov.au before acting.