Practitioner posture (TPB / TASA)

This page is for accounting, tax-agent, BAS-agent, planning, broking and adviser firms using the Finance Frank Practice tier. It explains where Frank fits in your practice's compliance posture under the Tax Agent Services Act 2009 (Cth) (TASA), the TPB Code of Professional Conduct (set out in section 30-10 of the TASA, as amended by the Treasury Laws Amendment (2023 Measures No. 1) Act 2023 and the supplementary determination effective 1 August 2024 / 1 January 2025), and the related TPB practice notices.

What Frank is

Finance Frank is a record-keeping and workflow tool for finance professionals (accountants, tax agents, BAS agents, financial planners, mortgage brokers, advisers) and their clients. The Service stores transactional, asset, liability, super and tax-related data; surfaces summaries and proposed actions; captures sign-offs with a tamper-evident audit trail; and produces structured exports for downstream lodgement workflows.

What Frank is not

Frank is not a registered tax agent within the meaning of section 90-5 of the TASA. Frank does not:

• Represent clients to the Commissioner of Taxation or any other government agency;
• Lodge BAS, income tax returns, FBT returns, or other documents directly with the ATO;
• Provide tax agent services or BAS services as defined in the TASA;
• Provide financial product advice within the meaning of section 766B of the Corporations Act 2001 (Cth) (whether personal advice under s766B(3) or general advice under s766B(4)).

Where the Service contains content that touches on tax positions, deductions, or other regulated subject matter, that content is informational only and intended to assist a registered practitioner, not to replace one.

Section 50-5 prohibition. Section 50-5 of the TASA prohibits a person from providing a tax agent service for fee or other reward without registration. The Practice tier subscription is paid by your firm in return for access to a record-keeping and workflow tool. Finance Frank Pty Ltd is not remunerated for the provision of tax agent services within the meaning of section 50-5: the registered practitioner in your firm performs the tax agent service; the tool is one of many inputs the practitioner uses to do so. The fact pattern is materially the same as a practice paying for accounting practice-management software or a document-storage tool.

How Frank supports your TASA / TPB Code of Conduct obligations

Several Service features are designed to make it easier for a TASA-registered practitioner to comply with: (a) the Code of Professional Conduct items at section 30-10 of the TASA (Code items 1–14); (b) the eight additional obligations under the Tax Agent Services (Code of Professional Conduct) Determination 2024 (effective 1 January 2025 for firms with > 100 employees and 1 July 2025 for firms with ≤ 100 employees), codified at sections 10–45 of that Determination; (c) the breach reporting obligation at s 30-35 of the TASA (commenced 1 July 2024 — significant breaches must be reported within 30 days); and (d) the 5-year recordkeeping obligation at section 30 of the 2024 Determination, supported by TPB(I) 47/2024 (the practice notice on record-keeping, finalising the earlier draft TPB(I) D59/2024). The mapping below references the current statutory provisions.

References to “tamper-evident audit trail” below describe the technical controls listed; they do not assert satisfaction of any specific financial-audit evidence standard (such as ASA 500). Whether the trail satisfies the practitioner's own evidence requirements in any given matter remains the practitioner's judgement.

Tamper-evident audit trail for client sign-offs (section 30 of the Tax Agent Services (Code of Professional Conduct) Determination 2024 — 5-year recordkeeping; TPB(I) 47/2024)

Every BAS sign-off and engagement letter sign-off in Frank captures, at the moment of signing:

• The signer's authenticated user identity
• Server-recorded timestamp
• IP address and user-agent of the signing device
• SHA-256 hash of the verbatim declaration text the signer was shown (tamper detection)
• Optional client-supplied request ID for idempotency

Sign-off events are retained for at least 5 years from the sign-date in accordance with section 30 of the 2024 Determination and TPB(I) 47/2024. Practitioners can view, filter and export sign-off audit logs at any time.

Engagement letters and keeping clients informed (s 30-10(1) and 30-10(2) of the TASA — honesty and integrity / acting in client's best interests; s 45 of the 2024 Determination)

Frank provides templated engagement letters with version history, expiry tracking, and a tamper-evident sign-off flow. The signed PDF is stored in the practice's document register and is reproducible from the Service at any time. The s 45 obligation to keep clients informed of relevant matters is supported by the messaging and notification surfaces.

Conflict and competence disclosure (s 30-10(3) of the TASA — conflict of interest; s 20 of the 2024 Determination)

Frank does not represent itself as competent in matters that fall under TASA registration. Where a Service feature could be construed as straying into regulated subject matter (for example, EOFY opportunity surfacing), the surface includes a disclaimer noting that the practitioner remains responsible for professional judgement.

Client confidentiality (s 30-10(5) of the TASA — confidentiality of client information; s 25 of the 2024 Determination)

Per-client data is isolated by Postgres row-level security. Practice members can only access data for clients whom the practice has been explicitly granted access to. Client-side opt-in flags govern which documents the practice can read. Data exports are logged.

Honest and reasonable basis; false or misleading statements (s 30-10(7) and 30-10(8) of the TASA — reasonable care to ascertain a client's state of affairs and to ensure tax laws are correctly applied; s 15 of the 2024 Determination)

Frank cites the Australian rates and thresholds it uses (PAYG brackets, super caps, MLS thresholds, etc.) back to the originating ATO, Services Australia, or state revenue source URL with a last-verified date. A regular automated verifier checks the publishing source for drift. Where a rate is stale or a verification has failed, the Service surfaces that to both the practitioner and the client so that decisions are not made on out-of-date inputs. Where Frank flags a discrepancy in a client's data that the practitioner identifies as a material false or misleading statement, the audit trail (and the optional practitioner-only message flag) supports the practitioner's s 15(2) “dob-in” obligation if the client refuses to correct.

Quality management systems (s 35 of the 2024 Determination)

Practice-tier features — role-based access, audit trail, document register, engagement letter version control, sign-off evidence, AML/CTF program template — provide infrastructure that practices can incorporate into their s 35 quality management systems. We can produce a downloadable PDF mapping Frank features to s 35 elements on request.

Records of competency (s 40 of the 2024 Determination)

Practitioner activity within the Service is logged (see Tamper-evident audit trail above). Practices can use this as an input to their s 40 records-of-competency obligation, but the underlying competency assessment and recordkeeping remains the practice's responsibility.

Client records (section 30 of the Tax Agent Services (Code of Professional Conduct) Determination 2024; TPB(I) 47/2024)

The Service supports the document categories most relevant to tax-time work (statements, payslips, receipts, trust deeds, building contracts, QS reports, etc.) with categorisation and retention. Documents may be flagged as practice-visible by the client, with the default being practice-invisible until opted in.

Breach reporting (s 30-35 of the TASA, commenced 1 July 2024)

Where a practitioner identifies a significant breach (their own or another practitioner's), they must report it to the TPB within 30 days. Frank's audit trail and reproducible exports are evidentially valuable for the report, but the obligation and the determination of whether a breach is “significant” remains the practitioner's.

AML/CTF Tranche 2 (from 1 July 2026)

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) extends Australia's AML/CTF regime to “Tranche 2” reporting entities, including accountants, tax agents, BAS agents, and trust and company service providers. The new obligations commence on 1 July 2026, with phased reporting requirements through 2026–27. Affected practices must enrol with AUSTRAC, adopt a board-approved AML/CTF program, perform customer due diligence (CDD), file Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs), and maintain 7-year records.

Frank's role. Frank is a tool used by the practice to capture, organise and evidence the information the practice needs to discharge its AML/CTF obligations. Frank is not, and does not become, a “reporting entity” within the meaning of the AML/CTF Act 2006 or the AML/CTF Amendment Act 2024 by virtue of providing the Service. Finance Frank Pty Ltd is not remunerated for the provision of any “designated service” within the meaning of section 6 of the AML/CTF Act; the practice provides the designated service to its client, and Frank provides the workflow tool the practice uses to do so. The fact pattern is materially the same as the TASA s50-5 analysis above.

What Frank's AML/CTF feature set is designed to help a practice with (in scope for the 1 July 2026 commencement):

• Customer due diligence (CDD) — KYC capture (ID upload, address, source-of-funds declaration, occupation, FATCA/CRS questions) extending the existing client invitation flow.
• Beneficial ownership — capture of controllers and 25%+ owners for company / trust / SMSF clients, layered on the existing entity model.
• Risk rating — per-client high/medium/low classification at onboarding, with re-rating triggers.
• PEP and sanctions screening — name screening against the DFAT Consolidated List, the US OFAC SDN list and the UN Consolidated list, plus a customer self-declaration and practitioner-review workflow for politically-exposed-person identification. Integration with a commercial PEP / adverse-media screening provider is available as a paid upgrade for practices that require foreign-PEP and ongoing-monitoring coverage; the specific provider will be disclosed at the time the upgrade is offered.
• AML record register — per-client tab showing CDD documents, dates, beneficial owners, screening results, risk rating, with 7-year retention. Where the Service displays sanctions screening results, those results come from Frank's ingestion of the underlying free government / UN lists (DFAT, OFAC, UN); the Service stores and renders those results. If a paid commercial PEP / adverse-media provider is enabled in future, screening results sourced from that provider will be rendered subject to the provider's own terms — Frank stores and renders the results, the third-party provider performs the screening.
• Evidence Pack PDF generation (replacing in-Frank SMR drafting) — Frank generates a per-client Evidence Pack PDF that compiles CDD records, beneficial ownership, screening hits, risk-rating history and the AML audit trail. The practitioner writes the SMR directly in AUSTRAC Online and attaches the Evidence Pack as the supporting file. Frank does not store SMR text or any suspicion narrative — this design choice keeps Frank out of the SMR data flow, which materially reduces s 123 tipping-off exposure for the practice.
• TTR draft generation — Threshold Transaction Reports for cash transactions ≥ AUD $10,000 are drafted in Frank, pre-populated from client data and the TTR threshold monitor. TTRs are factual transaction reports, not suspicion-based, and do not engage s 123 tipping-off. Lodgement to AUSTRAC remains the practice's responsibility (manual via AUSTRAC Online); Frank does not lodge.
• Tipping-off-safe messaging — a flag on practice-side notes ensures practitioner-only content is never visible to or sent to the relevant end-client. Use this for any sensitive practitioner discussion, including AML-related notes that you do not want surfaced to the client.
• TTR threshold monitor — Frank flags any single cash transaction at or above the threshold (currently AUD $10,000) for the practice's TTR consideration.
• AML/CTF program template — a customisable board-approval-ready policy document (analogous to our engagement letter templates).

What Frank does not do. Frank does not draft SMR text or store any suspicion narrative — SMRs are written in AUSTRAC Online directly, with the Frank Evidence Pack as the supporting file. Frank does not lodge SMRs or TTRs to AUSTRAC, does not perform behavioural transaction anomaly detection or ML-based risk scoring, and does not act as your AML/CTF Compliance Officer. The practice retains full responsibility for the AML/CTF program, the designated services it provides, the lodgements it makes, and the ongoing customer due diligence on every client. The screening results, Evidence Packs, TTR drafts and record register Frank produces are inputs to the practice's judgement, not substitutes for it.

PEP coverage — be aware of the limit of self-declaration. Frank's default PEP workflow relies on the customer answering a self-declaration question and the practitioner cross-checking any “yes” against publicly available sources (e.g. Parliament rosters, foreign government sites). This is a defensible, AUSTRAC-Rules-compliant approach for practices serving everyday Australian SMEs and individuals, but it does not detect foreign PEPs whose customers don't self-declare. Practices serving wealth-management clients, foreign tax residents, or politically-exposed industries should enable the commercial PEP / adverse-media database upgrade for full coverage. Frank can configure that upgrade on request.

What you, the practitioner, remain responsible for

Notwithstanding the above, you (the registered tax agent) remain solely responsible for:

• Compliance with all obligations under the TASA, the Code of Professional Conduct (s 30-10), the recordkeeping obligation (section 30 of the Tax Agent Services (Code of Professional Conduct) Determination 2024 and TPB(I) 47/2024), and any other professional or regulatory standards applicable to your practice;
• Supervision of staff using the Service (supervisory expectations under sections 35 and 40 of the 2024 Determination) — including ensuring junior staff use Frank within the scope of your firm's policies and applicable professional standards. Frank does not, and is not intended to, provide a supervision layer; principal practitioners cannot rely on the Service to discharge supervisory obligations;
• Verifying that any data, summary or output from the Service is accurate before relying on it for a tax-agent service or BAS service to a client;
• Lodging documents with the ATO or any other agency on the client's behalf;
• Maintaining your TPB registration, professional indemnity insurance, and continuing professional education;
• The professional judgement you apply to a client's affairs, irrespective of any output the Service may surface;
• Your firm's own quality management system and breach-reporting processes under the post-2024 Code obligations;
• All AML/CTF reporting entity obligations from 1 July 2026 (or earlier where you opt in to early enrolment), including AUSTRAC enrolment, the board-approved AML/CTF program, customer due diligence, ongoing monitoring, SMR and TTR lodgements, and the appointment and supervision of an AML/CTF Compliance Officer. Frank does not perform any of these reporting-entity functions; it provides workflow and record-keeping inputs that the practice uses to discharge them.

Sub-processors and data location

The full sub-processor list (with contractual-safeguard posture, recipient location and data-hosting region) lives in the Privacy Policy at Section 4 and is the canonical source — please rely on that list. The providers most relevant to a practice tier deployment are summarised below; each row gives the recipient location (the company we contract with) alongside the data hosting region (where the underlying data physically sits).

• Database, auth and file storage: Supabase Inc. — recipient: United States; data hosting region: Sydney (ap-southeast-2). All practice and client data sits in the Sydney tenancy.
• AI inference: Anthropic, PBC — recipient: United States; data hosting region: United States. Under our current commercial agreement, user-supplied content is processed for inference and is not used to train Anthropic's base models.
• Document embeddings: OpenAI, L.L.C. — recipient: United States; data hosting region: United States. Semantic search across canonical financial document types (trust deeds, building contracts, leases, etc.).
• Backend API hosting: Render Services, Inc. — recipient: United States; data hosting region: Oregon, United States. API request payloads transit Oregon at request-time but are not persisted on Render disk.
• Frontend hosting: Vercel Inc. — recipient: United States; data hosting region: Sydney edge cache for AU visitors with US origin.
• Payment processing: Stripe Payments Australia Pty Ltd — recipient: Australia (US parent); data hosting region: United States. Card data is tokenised by Stripe and never touches Frank's infrastructure.
• Transactional and marketing email: Resend Inc. — recipient: United States; data hosting region: United States.

Personal Information transferred to overseas sub-processors is subject to written agreements (DPA / SCC / equivalent) designed to provide protection consistent with the Australian Privacy Principles, supported by Frank's APP 8.1 reasonable-steps statement at Section 5 of the Privacy Policy. We can provide the contractual paper-trail to a practice on request as part of due diligence.

AUSTRAC sector starter kits. AUSTRAC published five sector-specific AML/CTF Program Starter Kits on 30 January 2026 — covering lawyers, accountants, real-estate professionals, conveyancers, and dealers in precious metals and stones. Practices should treat the relevant Starter Kit as an authoritative AUSTRAC reference when shaping their AML/CTF Program. Frank's template content has been cross-checked against the Accountants Starter Kit and we will keep the cross-check current as AUSTRAC issues updates.

Questions

If you would like a Data Processing Agreement, the current security posture summary, or to discuss how Frank fits with your firm's specific compliance approach, contact us at hello@financefrank.ai.

Last reviewed: 2026-05-10. We will update this page when material changes are made to the platform or to the regulatory environment.

See also: Our approach (B2C) · Security · Privacy · Terms · Benchmarks