AUSTRAC Tranche 2 AML obligations: what Australian firms need by 1 July 2026

AUSTRAC Tranche 2 AML obligations bring certain services provided by lawyers, accountants, conveyancers, real estate professionals, dealers in precious metals and stones, and trust and company service providers into Australia's AML/CTF regime from 1 July 2026. We need to treat this as an operating deadline, not only a policy deadline.

AUSTRAC's reform guidance explains that newly regulated entities will need to enrol, develop and maintain an AML/CTF program, prepare staff, conduct customer due diligence, report certain matters, and keep records. The practical question for most firms is how to turn those requirements into repeatable client onboarding, review, escalation, and monitoring work.

This article is general information for compliance planning. It is not legal advice. Firms should assess their own services, risk profile, and obligations with qualified advisers.

What Tranche 2 changes for Australian businesses

Tranche 2 expands AML/CTF obligations into professional and property sectors that can be misused to move, hide, or legitimise illicit value. AUSTRAC's AML/CTF reform guidance identifies services commonly provided by real estate professionals, lawyers, conveyancers, accountants, dealers in precious metals and stones, and trust and company service providers.

The change does not mean every activity in every firm is automatically regulated. Reporting entity status follows designated services and the required Australian connection. That is why firms need service-level triage, not a generic sector label. A law firm may handle one matter that triggers AML/CTF work and another that does not. An accounting firm may need a different workflow for company establishment, trust support, or advisory work than it uses for routine tax preparation.

The main operating shift is that client onboarding becomes a compliance control. Firms need to know who the customer is, what service is being provided, who owns or controls the customer, what risk indicators are present, what evidence was collected, what review occurred, and why the firm proceeded.

Core Tranche 2 obligations

AUSTRAC summarises the key obligations as enrolment, AML/CTF program, staff readiness, customer due diligence, reporting, and record keeping. For implementation, we should translate those obligations into workstreams:

| Obligation | Practical workflow requirement |
| --- | --- |
| Enrol with AUSTRAC | Confirm in-scope services, business details, key personnel, and enrolment readiness. |
| AML/CTF program | Document risk assessment, policies, procedures, controls, review cadence, and senior approval. |
| Staff readiness | Train staff on when AML checks apply, how cases move, and who approves exceptions. |
| Customer due diligence | Collect identity, entity, beneficial ownership, authority, purpose, and risk information. |
| Reporting | Route suspicious indicators and reportable events to the right internal decision-maker. |
| Record keeping | Retain evidence, decisions, approvals, timestamps, and review history for auditability. |

Why onboarding is the pressure point

Most newly regulated firms already perform some form of client intake. The issue is that intake is usually not built as an AML control. It may be spread across engagement letters, email attachments, practice management notes, spreadsheets, portals, and partner judgement.

That fragmentation creates three problems. First, it is hard to prove that the right checks happened before the firm provided a regulated service. Second, it is hard to show why a high-risk client was accepted, escalated, or rejected. Third, it is hard to keep the file current when ownership, risk, services, or client behaviour changes later.

A Tranche 2 workflow should capture:

  1. Whether the service is potentially in scope.
  2. The customer type and legal structure.
  3. Required identity and entity evidence.
  4. Directors, controllers, trustees, beneficial owners, or other relevant persons.
  5. Screening results for sanctions, PEP, and adverse media where applicable.
  6. Customer risk rating and rationale.
  7. Enhanced due diligence triggers.
  8. Reviewer, approval, rejection, or escalation outcome.
  9. Record retention and ongoing review schedule.

What firms should prepare before 1 July 2026

AUSTRAC's regulatory expectations say newly regulated entities are expected to be enrolled, have an AML/CTF program, have a compliance officer, train staff, and be ready to engage with clients and report suspicious matters by 1 July 2026.

That means preparation should not stop at drafting an AML/CTF program. We should also test whether staff can actually use it. A policy that says "conduct customer due diligence" is not enough if the team does not know which documents to request, when to escalate, how to record source-of-funds concerns, or where approval evidence is stored.

The highest-value readiness work is usually:

Sector-by-sector workflow implications

The Tranche 2 change will not feel the same in every sector. We should design workflows around the way regulated work is actually delivered, because the evidence, risk indicators, and reviewer roles differ by business model.

| Sector | Likely workflow emphasis |
| --- | --- |
| Accounting and advisory firms | Entity onboarding, trust and SMSF review, beneficial ownership, company setup, client authority, and partner approval for higher-risk advisory work. |
| Law firms and conveyancers | Matter triage, source-of-funds review, property transaction context, privilege-sensitive escalation, and partner review of unusual risk. |
| Real estate businesses | Buyer and seller identity, representative authority, property-specific risk indicators, foreign buyer context, and source-of-funds concerns. |
| TCSPs and corporate service providers | Layered ownership, nominee arrangements, directors and controllers, source of wealth, ongoing monitoring, and periodic review. |
| Dealers in precious metals and stones | High-value transaction intake, customer identity, unusual payment behaviour, cash or third-party payment risk, and record keeping. |

This matters because a single generic form will almost always fail at the edges. A trust onboarding workflow needs different evidence from an individual property buyer. A conveyancing source-of-funds review needs different reviewer prompts from an accounting engagement. A TCSP ownership chart needs stronger document linkage than a basic individual client file.

Minimum viable operating model before the deadline

By the time obligations start on 1 July 2026, a newly regulated firm should be able to run a complete file from intake to approval without improvising. We would treat the minimum viable operating model as six connected controls.

First, service triage decides whether AML/CTF steps apply. Second, customer classification identifies whether the customer is an individual, company, trust, partnership, foreign entity, representative, or another structure. Third, evidence collection asks for the documents and declarations required for that customer and service. Fourth, risk rating converts customer, service, jurisdiction, ownership, PEP, sanctions, and behavioural risk factors into a review outcome. Fifth, escalation and approval assigns high-risk cases and exceptions to the right reviewer. Sixth, record keeping and monitoring preserve the evidence and carry the relationship into future review.

The operating model should be tested on real examples before launch. We should run at least one low-risk individual, one company, one trust, one foreign entity, one incomplete file, one high-risk jurisdiction, one PEP indicator, and one possible sanctions match. If staff cannot complete those scenarios without leaving the workflow, the process is not ready.

Common Tranche 2 implementation mistakes

The most common mistake is starting with policy documents and leaving workflow design until later. Policy is necessary, but it does not collect documents, assign reviewers, capture decisions, or remind the team when a client needs review. The second mistake is assuming existing client files are enough. Historic tax, legal, or property records may be useful, but they may not prove CDD, beneficial ownership, risk rating, and approval in the way AML/CTF obligations require.

The third mistake is treating screening as the whole solution. Sanctions and PEP checks are important, but a Tranche 2 program also needs service triage, identity and entity evidence, ownership review, source-of-funds indicators, enhanced due diligence, suspicious matter escalation, and retained decisions. The fourth mistake is leaving judgement undocumented. Professional firms will always need judgement. The control issue is whether that judgement is visible, consistent, and attached to evidence.

How Veraxa supports Tranche 2 workflows

Veraxa is designed for firms that need to operationalise Tranche 2 AML requirements without building internal compliance software. We help teams create jurisdiction-aware intake workflows, collect documents, extract document-backed data, route reviews, apply risk rating, capture beneficial ownership, and retain audit evidence.

For firms preparing now, the best next step is to test scope and implementation readiness:

Frequently asked questions

What are Tranche 2 AML obligations?

Tranche 2 AML obligations are AML/CTF requirements that apply to certain designated services commonly provided by lawyers, accountants, conveyancers, real estate professionals, dealers in precious metals and stones, and trust and company service providers from 1 July 2026.

Who is affected by AUSTRAC Tranche 2?

Affected businesses can include law firms, accounting firms, conveyancers, real estate agents, buyer's agents, property developers, jewellers, and trust and company service providers, depending on the designated services they provide and their Australian connection.

What should firms have ready by 1 July 2026?

Firms should have enrolment readiness, an AML/CTF program, a compliance officer, staff training, customer due diligence workflows, reporting pathways, and record keeping processes ready before the obligations start.

Is Tranche 2 compliance software mandatory?

No specific software product is mandatory. The requirement is to comply with AML/CTF obligations. Software helps firms apply policies consistently, route exceptions, capture evidence, and keep records.

Where should a firm start?

Start with service triage. Identify which services may be designated services, then define the intake, CDD, risk rating, review, reporting, and record keeping workflow for each relevant service line.