Can each staff member share an info@ inbox, or do they need individual emails?
Each staff member needs an individual email and individual mobile number, to ensure traceability for reporting to AUSTRAC.
Two reasons this is non-negotiable:
- MFA is mobile-based. SMS one-time codes and authenticator apps both rely on the mobile being tied to a specific user. A shared inbox can't receive MFA codes meaningfully - whoever opens the email first gets the code.
- Training records are user-bound. AUSTRAC's training expectations require evidence that each individual has completed their required modules. A shared account can't credibly demonstrate this - it would be one set of training records claimed for multiple people, which doesn't satisfy the audit standard.
Sharing info@ also defeats:
- Audit traceability for CDD actions (who did what, when).
- Permission segregation by role.
- The privacy and cyber security processes in place.
- Tipping-off controls (the CO needs to be the sole user with visibility on SMR drafts and submissions).
The right setup: each user has their own login (individual email), an individual mobile for MFA, and an individual training record. This costs nothing extra within the user cap. info@ inboxes remain useful for external email forwarding and general communication, just not as a platform login.