What is Tranche 2 AML/CTF reform in Australia?

Tranche 2 expands Australia's AML/CTF regulations to gatekeeper professions — real estate agents, lawyers, accountants, conveyancers, and TCSPs — with compliance obligations starting 1 July 2026. These businesses must enrol with AUSTRAC, implement AML/CTF programs, conduct customer due diligence, and submit suspicious matter reports.

Who needs AML compliance software in Australia?

Under Tranche 2, AML compliance software is needed by real estate agencies, law firms, conveyancing practices, accounting firms, trust and company service providers (TCSPs), and other gatekeeper professions that must comply with AUSTRAC regulations from July 2026.

What KYC checks are required for AML compliance?

Required KYC checks include: identity document verification (passport, driver's licence), biometric face matching, PEP and sanctions screening, proof of address verification (council rates, water bill, strata bill), source of wealth documentation, and ongoing monitoring of business relationships.

What is an SMR (Suspicious Matter Report)?

A Suspicious Matter Report (SMR) is a mandatory report to AUSTRAC when a reporting entity suspects a person may be involved in money laundering, terrorism financing, or other criminal activity. SMRs must be submitted within 24 hours under the AML/CTF Act 2006.

How does AML Workflow use AI?

AML Workflow uses Anthropic's Claude AI models for four key functions: PEP disambiguation (Haiku 4.5), risk assessment generation (Sonnet 4.6), enhanced due diligence analysis (Opus 4.6), and SMR drafting assistance. All AI outputs are marked as drafts requiring human review — the platform never auto-decides compliance outcomes.

Countdown to 1 July 2026: Your Tranche 2 Deadline Preparation Checklist

Countdown to 1 July 2026 Tranche 2 AML/CTF compliance deadline for Australian businesses

1 July 2026 is not just another financial year. For an estimated 80,000–90,000 Australian businesses — real estate agents, lawyers, conveyancers, accountants, and trust and company service providers — it is the date their AML/CTF obligations become legally enforceable. After this date, providing a designated service without an AML/CTF program in place is not merely a compliance gap — it is unlawful.

With the deadline now weeks away, businesses that have not yet started their compliance preparation face a narrowing window. This countdown checklist breaks down exactly what needs to happen, in what order, and by when — so you can move from zero to compliant before 1 July. For a more detailed roadmap, see our step-by-step guide on preparing for Tranche 2 compliance.

Why the Deadline Is Real: Enforcement, Not Guidance

AUSTRAC has been clear: the AML/CTF Act takes full effect for Tranche 2 entities on 1 July 2026. While the regulator has signalled an "educative" approach in the early months — prioritising guidance over enforcement for businesses making genuine efforts to comply — this does not mean the obligations are optional or can be deferred. Key points:

Enrolment deadline is firm — reporting entities must enrol with AUSTRAC by 29 June 2026. Late enrolment is a contravention.
Enforcement powers are real — AUSTRAC can issue remedial directions, infringement notices, and enforceable undertakings. Civil penalty proceedings can be initiated for serious or systemic non-compliance.
Penalties are substantial — up to A$6.6 million for individuals and A$33 million per contravention for body corporates.
No grandfathering — existing customers and transactions are not exempt. CDD must be applied to new clients from 1 July, and existing clients must be brought into the program according to your documented transition plan.

The "wait and see" approach is not a strategy. AUSTRAC and professional bodies — the Law Society, CPA Australia, the Real Estate Institute — have been unequivocal: businesses should be preparing now, not in late June. For small and medium businesses, we have a dedicated guide on Tranche 2 compliance for small businesses that addresses the unique challenges SMEs face.

Week 1 (Now): Scope and Foundation

Objective: Determine if you are in scope and lay the groundwork.

Confirm your status — Do you provide a designated service? Review the list in section 6 of the AML/CTF Act. If you buy or sell property on behalf of clients, manage client money, form companies or trusts, conduct conveyancing, or provide a registered office — you are likely a reporting entity. If unsure, seek professional advice this week; do not guess.
Appoint your AML/CTF Compliance Officer (AMLCO) — This is a named individual, not a department. For small firms, it may be the principal or a senior partner. The AMLCO must have sufficient seniority and authority to implement the AML/CTF Program and report directly to the governing body. AUSTRAC requires the AMLCO's details at enrolment, so this must be resolved before the enrolment deadline.
Brief your governing body — Whether a board, partnership committee, or sole principal, the governing body must understand Tranche 2 obligations, their oversight responsibilities, and the timeline. This briefing should be documented.
Join AUSTRAC Online — If you do not already have an AUSTRAC Online account, register now. The enrolment process itself is completed through this portal.

Week 2: Risk Assessment (Part A of Your AML/CTF Program)

Objective: Complete your ML/TF Risk Assessment.

This is the foundation document for your entire compliance framework. The risk assessment must evaluate ML/TF risk across four dimensions:

Services — Which designated services do you provide? Each carries a different risk profile. Conveyancing with trust account management presents different risks than company formation.
Customers — Who are your clients? Individuals, companies, trusts, foreign residents? Do any fall into PEP, high-risk jurisdiction, or complex structure categories?
Channels — How do you deliver services? Face-to-face, online, through agents or referrers? Non-face-to-face channels typically carry higher impersonation risk.
Countries — Which jurisdictions do your clients, transactions, and source of funds connect to? FATF-listed countries, sanctioned jurisdictions, and countries with high corruption perceptions require elevated attention.

For most small to medium businesses, this is a 10–20 page document, not a 100-page thesis. AUSTRAC expects it to be proportionate to the size and complexity of your business. However, it must be written, approved by the governing body, and kept current. For more on building your risk framework, see the complete overview of AUSTRAC and AML Tranche 2.

Week 3: Policies and Procedures (Part B of Your AML/CTF Program)

Objective: Document how your business will comply operationally.

Your Part B policies must address, at minimum:

CDD procedures — How will you identify and verify customers? What documents are acceptable for individuals, companies, and trusts? When is ECDD triggered, and what additional steps does it involve? Who conducts CDD, and who approves high-risk customers?
SMR procedures — Who can identify a suspicious matter? What is the internal escalation path? Who makes the final decision to submit an SMR? How do you ensure no one tips off the customer?
Record keeping — Where are CDD records, risk assessments, SMRs, and training records stored? For how long? How are they retrieved if AUSTRAC requests them within a statutory timeframe?
Staff training — What AML training do new staff receive? What is the annual refresher cycle? Is training role-specific (frontline staff vs. AMLCO vs. senior management)? How is training documented?
Independent review — Who will conduct your independent review, at what frequency, and against what criteria? For small firms, an external consultant or a senior staff member independent of the compliance function may be appropriate.
Ongoing monitoring — How do you monitor customer transactions? What triggers a review or re-verification? How often are customer risk profiles updated?

The Part B document is your operational manual. It should be practical enough that a staff member can read it and understand exactly what to do when onboarding a new client, when a PEP match appears, or when a transaction looks unusual.

Week 4: Technology, Training, and AUSTRAC Enrolment

Objective: Implement the tools, train the team, and lodge your enrolment.

Select and deploy AML compliance technology — Manual CDD — checking physical ID documents by sight, searching Google for adverse media, maintaining client risk assessments in spreadsheets — is neither scalable nor regulator-ready. Select a platform that handles automated identity verification, PEP/sanctions screening, risk scoring, and audit trail generation. Deploy it this week so you have time to test before go-live.
Train all staff — Every person who interacts with clients or handles transactions must understand the business's AML obligations, how to conduct CDD, how to recognise a red flag, and the SMR escalation procedure. Training should be role-specific and documented. Even if your firm is 3 people, run the training session and keep a signed attendance record.
Enrol with AUSTRAC — Complete your enrolment via AUSTRAC Online. You will need your ABN, AMLCO details, designated service descriptions, and an estimate of transaction volumes. Enrolment must be completed by 29 June 2026 at the latest. Do not leave this to the last day — AUSTRAC Online may experience high traffic in the final week before the deadline.
Test your processes end to end — Run 2–3 test scenarios with real staff: onboard a mock client, complete CDD, handle a mock PEP match, escalate a mock suspicious transaction, and generate an audit report. If any step fails, fix it now — not on 1 July.

Week 5 (Final Week): Finalise, Review, and Go Live

Objective: Ensure everything is operational for 1 July.

Final governing body sign-off — Your governing body must formally approve the AML/CTF Program (Parts A and B). This is a legal requirement. Document the approval date, who approved it, and ensure the signed program is stored with your compliance records.
Confirm AUSTRAC enrolment is complete — Log into AUSTRAC Online and verify your enrolment status is confirmed, not pending. Print or save the confirmation for your records.
Brief all staff on go-live procedures — From 1 July, every new client engagement must follow the CDD process. No exceptions. Existing clients being transitioned should be managed according to your documented transition plan.
Set calendar reminders — Schedule your first quarterly program review (October 2026), your first annual independent review (by 30 June 2027), your annual compliance report lodgement (by 31 March 2027), and your next staff refresher training (January 2027). Compliance is a continuous process, not a one-off project.
Go live on 1 July 2026 — From this date, your AML/CTF Program is operational. Every designated service you provide must follow the procedures you have documented. Your technology is running. Your staff are trained. Your records are being generated. You are compliant — not just in theory, but in practice.

What If You Are Not Ready by 1 July?

The honest answer: you are carrying significant legal risk. If your enrolment is not lodged, your AML/CTF Program is not approved, or your CDD processes are not operational by 1 July, you cannot lawfully provide designated services. Continuing to do so without an AML/CTF program in place exposes the business and its principals to civil penalties, enforceable undertakings, and regulatory scrutiny.

If you are genuinely behind schedule, consider:

Prioritise the minimum viable compliance framework — A basic risk assessment, a concise Part B program, a deployed technology platform, and completed AUSTRAC enrolment. You can refine and expand the program after 1 July, but the core must be in place.
Seek professional compliance advice — AML consultants and law firms specialising in financial services regulation can fast-track the documentation and process design if your internal capacity is stretched.
Use technology to compress the timeline — A modern AML platform that includes templated AML/CTF Program documents, built-in CDD workflows, and automated screening can reduce the implementation timeline from months to days.
Do not ignore the deadline — The cost of non-compliance — in penalties, reputational damage, professional discipline, and lost business from referral partners who need AML-compliant counterparties — far exceeds the cost of getting ready, even under a compressed timeline.

The Clock Is Ticking — But the Path Is Clear

For Australian gatekeeper professions, Tranche 2 represents a genuine regulatory transformation. The obligations are new, the consequences are real, and the deadline is imminent. But the pathway to compliance is well-defined: scope, appoint, assess risk, document procedures, deploy technology, train staff, enrol, go live. Tens of thousands of businesses have followed this path already. The remaining weeks are enough — but only if you start now.

Key Takeaways

1 July 2026 is the date AML/CTF obligations become legally enforceable for Tranche 2 entities — it is not a trial period or soft launch
AUSTRAC enrolment must be completed by 29 June 2026 — late enrolment is a contravention
The 5-week preparation timeline: Scope & Foundation → Risk Assessment → Policies & Procedures → Technology, Training & Enrolment → Finalise & Go Live
An AML/CTF Program (Parts A and B) must be approved by your governing body and in place before providing any designated service
Technology is the single biggest lever for compressing your compliance timeline — purpose-built AML platforms can reduce implementation from months to days
If you are not ready by 1 July, prioritise the minimum viable framework and seek professional advice immediately — non-compliance is not a viable option