- Resources
- Blog
- Australia’s Tranche 2 AML/CTF Reforms: The Compliance Era Has Begun for Lawyers, Accountants, Real Estate and Other Professional Services
Australia’s Tranche 2 AML/CTF Reforms: The Compliance Era Has Begun for Lawyers, Accountants, Real Estate and Other Professional Services
Anti-money Laundering Services
Contents
July, 2026
On 1 July 2026, Australia’s anti-money laundering rules went through their biggest expansion in decades. Under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, an estimated 90,000 businesses (real estate professionals, lawyers, conveyancers, accountants, trust and company service providers, and dealers in precious metals and stones) became “reporting entities” regulated by AUSTRAC for the first time. The industry calls them “Tranche 2” entities. Internationally, the same group goes by designated non-financial businesses and professions (DNFBPs).
For the past 20 years, the AML/CTF legislation in Australia has mainly affected the banks, casinos, and remitters. Other professions, such as real estate, legal, and trust companies that are involved in most property, corporate, and trust transactions, were left out of its scope. The situation has changed for the first time, with obligations in force from 1 July 2026. It means that if you fall into the designated services category but have not registered with AUSTRAC yet, you do not have much time left, only until 29 July 2026.
Reasons for Australia’s Reaction
Australia’s gatekeeper professions were among the last in any Financial Action Task Force (FATF) member country to remain outside AML regulation. The FATF has expressed its concerns regarding the lack of regulation since 2015. It is understandable, as criminal wealth will use the path of least resistance due to the absence of any barriers preventing it from being legalized through real estate, companies, and trusts, provided that there is no requirement for professionals to investigate further.
Tranche 2 alters this situation for the whole category, i.e., any regulated professional must know their money laundering, terrorism financing, and proliferation financing (ML/TF/PF) risks, check and verify their customers, and inform AUSTRAC about any suspicious actions taking place. Australia’s next FATF review is also coming up, which gives regulators every reason to show the new regime actually works.
Which Entities Are Impacted by the Law?
The legislation talks about designated services provided by a professional rather than their occupation, so you are considered to be a reporting entity if, during your work, you delivered a designated service, irrespective of the title you have.
Real estate professionals are buying and selling agents who broker property transactions, as well as developers.
Legal practitioners and conveyancers come into scope when assisting with property transactions, managing client money, or creating and managing companies and trusts. Regular litigation work and general advice stay outside the net, and the law specifically protects legal professional privilege.
Accountants, like lawyers and conveyancers, perform transactions related to property, managing clients’ assets, or setting up and administering companies and trusts. Pure audit work, tax preparation, and bookkeeping generally fall outside the designated services.
TCSPs: serve to create corporations and trusts, act as or arrange nominee directors and shareholders, and provide registered office or correspondence addresses.
Dealers: engage in buying and selling bullion, precious metals, stones, or certain jewelry where cash of AUD 10,000 or more changes hands. The reforms also modernized the coverage of virtual asset service providers, whose obligations likewise turn on whether the services they provide are designated services.
The practical step is to check each of your service lines against the designated services table. If even one line is caught, that part of the business carries the full set of obligations.
Your Obligations Under the New Regulatory Environment
Although AUSTRAC has some major compliance expectations from reporting entities, its structure does not require keeping up the same standards as those imposed upon banks. Thus, each reporting entity has the responsibility of establishing the five pillars.
1. Enroll with AUSTRAC
Enrolment opened on 31 March 2026, and businesses providing designated services from 1 July must apply by 29 July 2026 (the rule is 28 days from when you first provide a designated service, so a later start date means a later deadline). When you enroll, you also nominate an AML/CTF compliance officer, someone at a management level who passes the fit and proper test and takes charge of compliance day to day. In small firms, this is usually a principal or partner. You can bring in outside help for the role, but the accountability stays with you.
2. Develop an AML/CTF Program Made up of Three Components
The reformed Act did away with the old “Part A and Part B” program structure. A compliant program now has three connected parts:
- Risk assessment: an honest, written-down assessment of the money laundering, terrorism financing, and proliferation financing risks tied to your customers, your services, how you deliver them, and the countries involved. Everything else gets built on top of this.
- Policies: the actual procedures and controls that deal with those risks: identifying customers, escalating concerns, reporting, staff training, and personnel screening.
- Governance: oversight from the board or senior management, a nominated compliance officer, and independent evaluation of the whole program at regular intervals.
AUSTRAC has published sector-specific Program Starter Kits for real estate, legal, accounting, TCSP, and precious metals businesses. They give you a useful floor to work from. What they do not give you is a safe harbor. A starter kit filled in without a real risk assessment behind it will not survive regulatory scrutiny.
3. Customer Due Diligence: Initial and Ongoing
Prior to conducting any designated services, you must have completed an initial customer due diligence (CDD) by identifying who your customer is, verifying their identity using reliable and independent sources of evidence, determining which beneficial owners ultimately own or control them, and screening for politically exposed persons and any exposure to sanctions. The depth of verification is risk-variable: you would carry out simplified CDD where risks are demonstrably low or enhanced CDD where they are high, and the old “safe harbor” shortcuts are a thing of the past. Ongoing CDD works for the duration of your entire relationship with the customer, as it requires you to continuously monitor customer transactions, maintain updated records, and assess risk accordingly whenever necessary. Transitional provisions allow companies to make the necessary changes to pre-existing customers, effectively giving firms sufficient time to implement the changes as those existing relationships are reviewed or their risk changes.
4. Report to AUSTRAC
Suspicious matter reports (SMRs): firms must report instances when they have reasonable grounds for believing that a customer or transaction has any links to an offense, usually within three working days (24 hours in the case of terrorist financing). Strict tipping-off rules also apply, so you cannot tell anyone anything that might prejudice an investigation.
Threshold transaction reports (TTRs): firms need to report any physical currency transactions worth AUD 10,000 or more within 10 business days.
There is also an annual compliance report, a yearly attestation to AUSTRAC on where your compliance stands.
5. Keep Records
Firms must keep records of their CDD, transactions carried out, any risk assessments that have been undertaken, and any other relevant internal decisions made. Generally, this will be kept for 7 years, and firms must ensure that information can easily be retrieved by AUSTRAC when necessary. In an AUSTRAC examination, if it is not recorded, it did not happen.
Key Dates
| Date | Milestone |
| 10 December 2024 | Amendment Act received royal assent, locking in the Tranche 2 timetable. |
| 31 March 2026 | AUSTRAC enrolment opened for newly regulated businesses; existing reporting entities began updating their enrolment details (window ran to 30 May 2026). |
| 1 July 2026 | Obligations commenced. Newly regulated businesses must now comply with program, CDD, reporting, and record-keeping requirements. |
| 29 July 2026 | Deadline for newly regulated businesses to apply to enroll with AUSTRAC (28 days after obligations began). |
Where Firms Are Getting It Wrong
“The business is small, so no rules will be applied.” There is no exemption for small businesses. Obligations scale with risk and complexity, but they do not disappear.
“Enrolment is the last step.” This is basically the first step. The actual obligations, such as risk assessment, the AML/CTF program, CDD, and reporting obligations, commence from 1 July 2026, regardless of when enrolment took place.
“We have obtained the template, so now we’re okay.” This assumption may be erroneous, as a program that does not reflect the actual nature of customers, services, and channels may reflect a negative compliance position. AUSTRAC has said it plans to take an education-first approach with firms making a genuine effort. Firms doing nothing should expect far less patience, and civil penalties under the Act can run into the tens of millions of dollars for serious contraventions.
“AML compliance does not generate any positive outcomes.” Knowing one’s own customers usually leads to superior business decisions being made. Firms with a real picture of their customers exit bad clients earlier, and banks, insurers, and referral partners are starting to prefer working with businesses that have credible financial crime controls in place.
Your Next 30 Days: An Action Plan
- Establish the scope. Map out all services that fall under designated services. Nominate a compliance officer and enroll prior to the 29 July 2026 deadline.
- Conduct the risk assessment first. Only conduct policy writing when you have knowledge of your ML/TF/PF risks. Risk assessments dictate everything down the chain.
- Create a three-part program. Use the AUSTRAC starter kit as the base unit and adjust accordingly for your risk profile.
- Operationalize CDD and reporting. Include verification procedures, beneficial ownership, escalation, and training procedures, among others, in client intake workflows, and train every client-facing person to recognize red flags.
- Do assurance planning. This means scheduling the independent evaluation, the annual compliance report, and periodic refreshes of the risk assessment now, as these are recurring obligations rather than one-off projects.
Conclusion
Tranche 2 does not represent a desktop exercise; it represents a formal recognition that Australia’s gatekeeper professions are the front line against dirty money. Firms that spend the next twelve months building controls proportionate to their actual risk will find compliance manageable, possibly even useful commercially. Firms gambling on being too small to notice are up against a regulator that has new powers, a new mandate, and a global audience watching how it uses them.
How SG Analytics Can Help
SG Analytics’ Financial Crime Compliance practice supports newly regulated Australian businesses at every stage of Tranche 2 readiness: scoping and enrolment, risk assessments, building the three-part program, running initial and ongoing CDD, quality assurance on SMR and TTR reporting, and independent evaluations. The practice combines AML domain expertise with AI-enabled delivery, so compliance stays proportionate, whatever your firm’s size. To discuss your readiness, contact our FCC team.
Related Tags
Anti-money Laundering ServicesAuthor
Zubair Ahamad
Associate Vice President - Banks
Contents