Australia’s AML/CTF regime just got significantly bigger. On 10 December 2024, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 received Royal Assent, extending Australia’s existing anti-money laundering framework to approximately 90,000 businesses that had no previous AUSTRAC obligations. If you’re a lawyer, accountant, real estate agent, conveyancer, dealer in precious metals or gemstones, or provider of trust and company services — you are now a reporting entity under Australian law, and your countdown has already started.
AUSTRAC enrolment for Tranche 2 entities opened on 31 March 2026. Full AML/CTF obligations commence on 1 July 2026. That’s a narrow window — and many affected businesses are only now becoming aware of what’s required. This guide explains who is caught, what they must do, when they must do it, and how to approach the compliance build without overcomplicating it.
Background: What Is AML/CTF and Why Did Australia Expand It?
Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) originally covered financial institutions, gambling operators, bullion dealers, and digital currency exchange providers — the traditional “financial sector” conduits for money laundering. These were designated as Tranche 1 reporting entities and have been subject to AUSTRAC obligations since the Act’s commencement.
What the original Act did not cover was the professional services sector — lawyers, accountants, and real estate agents — despite these professions being widely identified by the Financial Action Task Force (FATF) as high-risk conduits for money laundering and proceeds of crime. FATF had been consistently rating Australia as non-compliant on this point, and in 2024 Australia’s mutual evaluation report made it clear that the gap needed closing.
Tranche 2 closes that gap. It brings Australia into alignment with comparable jurisdictions — the UK, New Zealand, Canada, and all EU member states — that have long covered professional services under their AML frameworks. The expansion was not a surprise to the professions involved; Tranche 2 had been discussed, consulted on, and deferred for over a decade before the 2024 legislation finally passed.
Who Is Now Covered Under Tranche 2?
Tranche 2 coverage extends to businesses providing what the Act calls “designated services” in the professional services and certain non-financial sectors. The core Tranche 2 categories are:
Legal practitioners — solicitors, barristers, and law firms providing certain designated services including property transactions, managing client funds, company formations, and trust structures. Not all legal work is covered; criminal defence and litigation work is outside scope, but the vast majority of commercial, property, and corporate legal practice is caught.
Accountants and tax agents — accountants providing services involving company formations, trust establishment, managing client funds or assets, and the buying or selling of businesses or real estate on behalf of clients. Routine tax compliance work (preparing and lodging returns) is generally not caught, but advisory work touching on asset structures, business sales, or fund management is.
Real estate agents and conveyancers — agents and conveyancers involved in the buying and selling of real property, including residential and commercial transactions. This is one of the highest-risk categories from a money laundering perspective — real property is a significant vehicle for the parking and layering of criminal proceeds in Australia.
Trust and company service providers — businesses that form companies, trusts, or other legal entities on behalf of clients; provide registered office, directorship, or secretarial services; or help clients establish complex ownership structures.
Dealers in precious metals and gemstones — businesses buying or selling precious metals (gold, silver, platinum) or precious stones above threshold values. This sector had already been partially covered under Tranche 1 for cash dealers; Tranche 2 extends and clarifies those obligations.
If your business falls into any of these categories and provides the relevant designated services, you are a reporting entity. The obligation to enrol with AUSTRAC applies regardless of business size — sole practitioners, small firms, and large organisations are all caught if they provide designated services.
Key Dates: The Tranche 2 Compliance Timeline
The Tranche 2 compliance timeline is tight, and the critical dates are already here. Understanding the sequence matters — some obligations have earlier deadlines than others, and missing the enrolment window creates immediate legal exposure even before the full obligations commence.
31 March 2026 — Enrolment opens. From this date, Tranche 2 entities can enrol with AUSTRAC as reporting entities. Enrolment is the formal registration process that brings your business within the AUSTRAC regulatory framework. Without enrolment, you cannot lawfully provide designated services in a compliant manner once full obligations commence.
1 July 2026 — Full obligations commence. This is the single most important date. From 1 July 2026, all Tranche 2 entities must: be enrolled with AUSTRAC; have an AML/CTF program in place (either AUSTRAC’s simplified starter program or their own); be conducting customer due diligence on new clients; and be filing Suspicious Matter Reports and Threshold Transaction Reports as required.
29 July 2026 — Enrolment deadline and compliance officer notification. Tranche 2 entities must have completed enrolment by this date. They must also have notified AUSTRAC of their nominated AML/CTF Compliance Officer by this date. Note that while enrolment doesn’t need to happen by 1 July, full obligations still commence 1 July — meaning you must be operationally compliant from that date even if you have until 29 July to complete the enrolment paperwork.
31 March 2027 — First annual compliance report. The first Annual AML/CTF Compliance Report covering the period from 1 July 2026 to 31 December 2026 is due by 31 March 2027. Annual reports will thereafter be due on 31 March each year covering the preceding calendar year.
From 1 July 2029 — Independent evaluations. AUSTRAC has confirmed that the deadline for the first independent evaluation of a Tranche 2 entity’s AML/CTF program will be no earlier than 1 July 2029. Independent evaluations must then occur at least every three years.
What You Need to Do: The Five Core Obligations
The AML/CTF Act creates five primary compliance obligations for Tranche 2 entities. Each requires a distinct set of systems, processes, and documentation. Building them from scratch before 1 July 2026 requires a structured approach — which is why starting immediately is critical for businesses that haven’t yet begun.
1. Enrol with AUSTRAC
Enrolment is the administrative gateway to all other AML/CTF obligations. It is completed through AUSTRAC’s online portal (AUSTRAC Online) and requires you to provide details of your business, the designated services you provide, and the identity of your nominated AML/CTF Compliance Officer. AUSTRAC provides guidance on the enrolment process through its reform guidance pages. Enrolment is free and can typically be completed in a single session once you have the required information assembled.
2. Implement an AML/CTF Program
An AML/CTF program is the core of your ongoing compliance obligation. It’s a written, risk-based framework that identifies the money laundering and terrorism financing risks your business faces and documents how you manage them. For most Tranche 2 entities, the program will need to address: business risk assessment; customer due diligence procedures; employee training; compliance monitoring; reporting obligations; and record-keeping requirements.
AUSTRAC has developed a simplified “starter program” framework specifically for Tranche 2 entities. This is a template-based program that eligible businesses can adopt and adapt rather than building from scratch. The starter program is appropriate for lower-complexity businesses with a relatively straightforward risk profile. Higher-risk businesses — those handling complex client structures, high-value transactions, or clients in elevated-risk jurisdictions — will need a more tailored program.
3. Customer Due Diligence (CDD)
Customer due diligence is the process of knowing who your clients are, verifying their identities, and understanding the nature of your business relationship with them. For Tranche 2 entities, CDD requirements commence when you provide a designated service. Standard CDD involves verifying the identity of the customer (and beneficial owners where relevant), understanding the purpose of the business relationship, and ongoing monitoring of the relationship and transactions.
Enhanced CDD is required for higher-risk customers or transactions — politically exposed persons (PEPs), clients with connections to high-risk jurisdictions, complex ownership structures, or transactions that appear inconsistent with the nature of the business relationship. Your AML/CTF program must specify when enhanced CDD applies and how it is conducted. For a systematic approach to tracking all your AML/CTF obligations including CDD requirements, purpose-built compliance obligations management software provides an obligation register that automatically flags when each requirement applies and tracks completion.
4. Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs)
Reporting obligations are the operational heart of the AML/CTF framework. You must submit a Suspicious Matter Report to AUSTRAC where you have reasonable grounds to suspect that a transaction or activity is related to money laundering, terrorism financing, proceeds of crime, or a range of other prescribed circumstances. Suspicious matter reports must be submitted within three business days of forming the suspicion (or 24 hours for terrorism financing suspicions).
Threshold Transaction Reports must be submitted for all cash transactions of AUD 10,000 or above (or the foreign currency equivalent). These are not discretionary — if a cash transaction exceeds the threshold, a TTR must be filed regardless of whether the transaction appears suspicious. Both SMRs and TTRs are submitted through AUSTRAC Online.
5. Ongoing Record-Keeping and Annual Compliance Reporting
AML/CTF records — CDD records, transaction records, risk assessments, employee training records — must be retained for seven years. This record-keeping obligation is non-negotiable and underpins AUSTRAC’s ability to investigate and audit reporting entities. Your AML/CTF program must document your record-keeping system and who is responsible for it.
Annual compliance reports are submitted to AUSTRAC by 31 March each year. They certify that your business has reviewed its AML/CTF program during the preceding year, assessed its effectiveness, and confirmed that it meets the requirements of the AML/CTF Act and Rules. The first report for Tranche 2 entities is due 31 March 2027.
Penalties for Non-Compliance
AUSTRAC’s enforcement record makes it clear that non-compliance with AML/CTF obligations carries serious consequences. The penalties under the AML/CTF Act are among the most significant in Australian regulatory law:
For failure to enrol as a reporting entity: civil penalties of up to 60,000 penalty units for a body corporate (one penalty unit = AUD 330 as of 2026, making the maximum penalty AUD 19.8 million). For failure to have an AML/CTF program: similar civil penalty exposure. For failure to submit required SMRs or TTRs: civil and criminal penalties, with criminal penalties for intentional failure including imprisonment for individuals.
AUSTRAC has demonstrated it will use its enforcement powers. The landmark enforcement actions against Commonwealth Bank (AUD 700 million), Westpac (AUD 1.3 billion), and Star Entertainment are all AML/CTF cases. While these involved Tranche 1 financial institutions, the same enforcement framework now applies to Tranche 2 entities. The regulatory expectations for professional services firms are the same as for banks — just calibrated to the risk profile and size of the business.
Building Your AML/CTF Compliance Program: Where to Start
With less than three months to 1 July 2026, building AML/CTF compliance from scratch requires a focused sequence. Many businesses that haven’t yet started will feel behind — and in some respects they are — but the compliance build is achievable if approached in the right order:
Step 1: Confirm your coverage. Confirm that your business provides designated services that bring it within Tranche 2 scope. AUSTRAC’s guidance provides detailed coverage analysis by profession. If your services are borderline, get professional advice before assuming you’re out of scope — the consequences of incorrectly self-excluding are severe.
Step 2: Enrol with AUSTRAC. Enrolment is now open. Even if your full program isn’t ready, enrolling immediately demonstrates good faith and ensures you’re in the system. Gather your business details, determine your designated services, and appoint your Compliance Officer before you start the enrolment form.
Step 3: Conduct a money laundering/terrorism financing risk assessment. Before you can write your AML/CTF program, you need to understand your risk profile. The risk assessment examines your customer base, the services you provide, the delivery channels you use, and the countries you have exposure to. The risk assessment is the foundation of your program — a program without it is structurally incomplete.
Step 4: Adopt or develop your AML/CTF program. Assess whether AUSTRAC’s starter program is appropriate for your business. If your risk profile is straightforward, the starter program provides a compliant foundation that you customise to your business. If your risk profile is more complex, you’ll need a tailored program — which typically requires specialist AML/CTF advisory assistance.
Step 5: Implement CDD procedures and train your team. Your CDD procedures need to be in place before you commence designated services for new clients from 1 July 2026. Train relevant staff on the procedures, what to look for, when to escalate, and how to file SMRs.
Step 6: Build your obligation register. An AML/CTF obligation register tracks every specific compliance requirement, who owns it, its current status, and when it’s next due for review. This is distinct from your AML/CTF program — the program is your framework document, the register is your management tool. Our compliance register template provides a ready-to-use structure that can be adapted for AML/CTF obligations.
For businesses with multiple compliance frameworks operating in parallel — AML/CTF plus privacy, employment, and WHS obligations — an integrated approach to compliance management becomes important. Tracking each framework separately creates fragmentation and increases the risk of obligations falling through the gaps. See our business compliance obligations guide for how AML/CTF fits within the broader Australian compliance landscape.
When to Get Professional Help
Most Tranche 2 entities — small law firms, sole-practitioner accountants, boutique real estate agencies — can navigate the enrolment process and adopt the AUSTRAC starter program without specialist AML/CTF consultants. AUSTRAC’s guidance is detailed and practical, and the starter program is designed for exactly this type of business.
Professional AML/CTF advisory assistance is worth investing in where: your business has a complex client base (high-net-worth individuals, corporate structures, international clients, PEPs); you provide services across multiple designated service categories; your revenue from designated services is material and enforcement risk is therefore higher; or your risk assessment identifies high-risk exposure that the starter program doesn’t adequately address.
Professional services associations — the Law Council of Australia, CPA Australia, the Institute of Public Accountants, the Real Estate Institute of Australia — have all produced Tranche 2 guidance for their members. These are worth reviewing alongside AUSTRAC’s own materials.
Frequently Asked Questions
I’m a sole-practitioner accountant. Do Tranche 2 obligations apply to me?
It depends on the services you provide. If you assist clients with company formations, trust structures, buying or selling businesses, or managing client money — yes, you are a reporting entity. If you only prepare tax returns and financial statements, you are likely not caught. Most sole-practitioner accountants who do any commercial advisory work will have at least some designated service exposure. Check AUSTRAC’s guidance for accountants or seek confirmation from your professional association.
Can I use AUSTRAC’s starter program or do I need a custom one?
The starter program is designed for lower-complexity Tranche 2 entities with a straightforward risk profile: Australian clients, standard transaction types, no politically exposed persons, no high-risk jurisdiction exposure. If that describes your business, the starter program is a legitimate compliance tool — not a second-class option. You must still conduct a risk assessment and customise the program to your specific business, but the framework is provided. If your risk profile is more complex, a custom program is advisable.
What if I miss the 1 July 2026 deadline?
AUSTRAC has indicated it will take a risk-based, proportionate approach to enforcement for Tranche 2 entities in the initial period after 1 July 2026, acknowledging that many businesses are building compliance programs for the first time. However, this does not mean non-compliance is without consequence — AUSTRAC can and does issue formal warnings, remedial directions, and civil penalty proceedings. A business that hasn’t enrolled, has no program, and is conducting designated services post-1 July 2026 without any compliance infrastructure is in a materially different position to one that has enrolled, is using the starter program, and is actively building its CDD procedures. Start now — even incomplete progress is better than none.
How do AML/CTF obligations interact with my existing compliance framework?
AML/CTF sits alongside — not instead of — your existing compliance obligations. Lawyers still have professional conduct rules. Accountants still have tax obligations. Real estate agents still have licensing requirements and consumer law obligations. AML/CTF adds a new layer on top of the existing framework. Businesses that have an integrated compliance management approach — tracking all obligations in one system rather than managing each framework independently — will find the AML/CTF addition manageable. Businesses managing compliance through disconnected spreadsheets and ad hoc processes will find it harder to absorb a new regulatory layer without something falling through the cracks.
For a structured approach to tracking, reviewing and maintaining all your compliance obligations — AML/CTF included — review our compliance audit checklist which covers how to assess your compliance position across multiple frameworks, and our guide to building a compliance register to bring AML/CTF obligations into a unified tracking system.