Tranche 2 AML requirements checklist for newly regulated Australian firms
Tranche 2 AML requirements should be implemented as a sequence of decisions, workflows, evidence records, and reviews. We should avoid treating the checklist as a one-off document exercise. The goal is to prove that the firm can identify when obligations apply and can run the right customer due diligence process every time.
This checklist is general information, not legal advice. It is designed to help firms organise implementation work before 1 July 2026.
1. Confirm whether your services are in scope
Before writing procedures, we need to know which services trigger the AML/CTF workflow. Start with service lines, not job titles. A firm should document the services it provides, the client types involved, whether there is an Australian connection, and which matters may be excluded or require specialist review.
Useful internal questions include:
- Which services involve company formation, trust arrangements, property transactions, funds movement, or control of client assets?
- Which services involve overseas entities, nominee arrangements, or complex ownership?
- Which teams currently collect client identity and authority evidence?
- Which matters require partner, compliance officer, or MLRO-style approval?
For deeper context, read AUSTRAC reporting entity status.
2. Build an AML/CTF program that staff can use
An AML/CTF program should describe the firm's ML/TF risk assessment and the controls used to manage that risk. It should not be written only for management. The people onboarding clients must be able to understand what to do next.
The program should cover:
- Governance and senior accountability.
- AML/CTF compliance officer responsibilities.
- Business-level ML/TF risk assessment.
- Customer due diligence procedures.
- Enhanced due diligence triggers.
- Reporting pathways.
- Record keeping requirements.
- Training and personnel controls.
- Independent evaluation and ongoing review.
AUSTRAC's guidance on the reforms and program starter kits can help firms understand the expected building blocks.
3. Define customer due diligence workflows
CDD is where most operational work happens. We recommend defining workflows for each high-frequency customer type:
Customer type | Evidence and review considerations
Individual | Identity, address, authority, PEP/sanctions risk, service purpose.
Company | Registration evidence, directors, controllers, beneficial owners, ownership chain.
Trust | Trust deed, trustees, settlors, protectors, beneficiaries, controllers, source of funds.
Partnership | Partners, authority, ownership, service purpose, high-risk indicators.
Foreign entity | Registry evidence, jurisdiction risk, ownership evidence, translated documents where needed.
The workflow should state what evidence is required, what can be verified automatically, what needs human review, and what happens if evidence is missing.
4. Create a customer risk rating model
A risk rating model should be simple enough to use and specific enough to explain decisions. It should reflect the firm's customers, services, delivery channels, jurisdictions, products, and transaction patterns.
Common risk factors include customer type, ownership complexity, service type, source of funds, source of wealth, jurisdiction, PEP exposure, sanctions proximity, adverse media, unusual behaviour, and whether the client resists information requests.
Veraxa's customer risk rating calculator shows how a weighted model can convert risk factors into a review outcome.
5. Document reporting and escalation paths
Staff need to know what happens when something does not look right. Suspicious indicators, inconsistent identity details, unexplained funding, sanctions matches, PEP exposure, unusual urgency, and hidden ownership should not sit in inboxes.
A good escalation workflow records:
- Trigger or red flag.
- Evidence attached to the case.
- Reviewer responsible.
- Decision made.
- Rationale for the decision.
- Any reporting or monitoring action.
6. Prepare records before the first regulator question
Record keeping is not just file storage. It is proof that the firm applied its program. The record should show what was asked, what was received, what was verified, who reviewed it, what risk rating was assigned, and why the firm accepted, rejected, or escalated the client.
The record should also preserve the state of the file at the time of decision. If the firm later receives new information, changes a risk rating, or completes a periodic review, the earlier decision should still be explainable. That means the workflow needs version history, timestamps, reviewer identity, and a clear link between evidence and approval.
7. Build an evidence register
An evidence register is the practical bridge between a written AML/CTF program and daily onboarding work. We should list each customer type, each service line, the required documents, the acceptable alternatives, the reviewer role, and the escalation trigger. This prevents staff from inventing evidence requirements matter by matter.
For example, a company workflow may require registration details, directors, authorised signatories, direct owners, beneficial owners, ownership chart, source-of-funds information where relevant, and screening of key people. A trust workflow may require the trust deed, trustees, settlors, beneficiaries, protectors, controllers, and source-of-wealth context. A foreign entity may require registry extracts, certified translations, and higher jurisdiction review.
Evidence category | What the checklist should define
Identity evidence | Accepted documents, expiry rules, verification steps, and exception handling.
Entity evidence | Registration records, directors, controllers, ownership documents, and authority.
Beneficial ownership | Ownership thresholds, control indicators, trust roles, and unresolved gap escalation.
Source of funds or wealth | When it is required, what evidence is acceptable, and who approves unresolved concerns.
Screening results | Which parties are screened, how matches are reviewed, and how false positives are documented.
Approval records | Required reviewer role, rationale fields, timestamp, and conditions attached to approval.
8. Train staff on decisions, not only definitions
Training should not be limited to explaining what AML, CDD, EDD, PEP, sanctions, or beneficial ownership mean. Staff need to practise decisions. We should train people on which workflow to start, what to do when evidence is missing, when to escalate, when not to proceed, and how to document a decision in plain language.
A useful training session includes sample matters. One should be straightforward and low risk. One should involve a company with layered ownership. One should include a trust. One should involve a possible PEP or sanctions match. One should include a client who refuses to provide ownership information. The goal is to find gaps before the firm is working under live regulatory pressure.
9. Set a review cadence before launch
The checklist should include future review. AML/CTF programs, risk assessments, customer files, training, and workflows all need maintenance. New products, new services, new jurisdictions, new staff, and new typologies can change the risk profile.
We recommend assigning cadence by risk level. Low-risk clients may follow a longer periodic review cycle. Medium-risk clients may need an earlier refresh. High-risk clients should be subject to enhanced due diligence and more active monitoring. Event-driven triggers should override the calendar when ownership changes, new adverse information appears, documents expire, services change, or unusual activity is identified.
10. Use a 90-day rollout plan
The checklist becomes more useful when it is tied to dates and owners. We recommend a 90-day rollout plan before live obligations apply. The first 30 days should focus on scope, services, customer types, governance, and the business-level ML/TF risk assessment. The next 30 days should build workflows, evidence rules, risk rating, escalation paths, and reporting procedures. The final 30 days should test live scenarios, train staff, correct workflow gaps, and confirm that records can be retrieved quickly.
Rollout phase | Practical deliverables
Days 1-30 | Scope matrix, designated service review, customer type map, risk assessment, compliance officer role, and governance approvals.
Days 31-60 | CDD workflows, evidence register, risk model, EDD triggers, screening review process, reporting pathway, and record keeping rules.
Days 61-90 | Staff training, sample matter testing, reviewer calibration, exception handling, management reporting, and go-live readiness sign-off.
The rollout plan should include accountable owners. A checklist without owners tends to become a passive document. A readiness plan with owners, due dates, sample cases, and review checkpoints becomes an implementation system.
Veraxa helps firms move from static checklists to auditable workflows. For sector-specific implementation, see AML software for accountants, AML software for law firms, AML software for real estate, and AML workflows for TCSPs.
Frequently asked questions
What should be on a Tranche 2 AML checklist?
A practical checklist should include scope review, enrolment readiness, AML/CTF program, compliance officer responsibilities, staff training, CDD workflows, risk rating, reporting paths, record keeping, and independent review planning.
Is a template enough for Tranche 2 AML compliance?
A template can help with structure, but firms still need to customise procedures, train staff, run client workflows, document decisions, and keep evidence.
When do Tranche 2 AML obligations start?
For many newly regulated legal, accounting, conveyancing, real estate, precious metals and stones, and trust and company service providers, obligations begin from 1 July 2026 if they provide designated services.
What is the biggest implementation risk?
The biggest implementation risk is a policy that does not translate into daily work. Firms need operating workflows for client intake, review, escalation, approval, and monitoring.