AML Compliance 101: Preparing for Tranche 2
Tranche 2 Overview
Australia's AML/CTF landscape is undergoing significant transformation. With the introduction of Tranche 2 reforms, professions previously outside the AML/CTF regime including the legal and real estate sectors will soon be subject to new compliance responsibilities. These changes aim to fortify Australia's financial system against illicit activities and align with international standards.
A core concept within these reforms is the notion of a Designated Service which is a financial or business activity that, when provided, triggers AML/CTF obligations. Examples of Designated Service include managing client funds, facilitating real estate transactions, establishing companies or trusts, or providing legal, accounting, or financial advice in connection with transactions.
Who Is Affected?
Effective 1 July 2026, the following professions, collectively known as "Tranche 2 entities" will be required to comply with the AML/CTF Act:
Real Estate Professionals: Real estate agents, buyers’ agents, and property developers involved in settlements or client fund management or management of client funds.
Legal Professionals: Lawyers and conveyancers who handle trust accounts or advise on business structures.
Other Professions: Accountants, trust and company service providers and dealers in precious metals and stones.
Key Obligations Under Tranche 2
As part of the expanded AML/CTF framework, Tranche 2 entities must implement comprehensive measures to detect, mitigate, and report money laundering and terrorism financing risks. Below are the principal compliance obligations in greater detail:
1. Enrolment with AUSTRAC
Entities must enrol with AUSTRAC from 31 March 2026 and be fully compliant by 1 July 2026 if providing any Designated Services. This is a formal requirement that enables AUSTRAC to monitor compliance and oversee reporting obligations.
Tip: Real estate agents handling client funds or legal professionals managing trust accounts will likely fall within the scope and must not delay enrolment.
2. Development of an AML/CTF Program
All Tranche 2 entities must implement and maintain a compliant AML/CTF program. This is the cornerstone of your internal compliance strategy and includes two key components:
Part A – Risk-Based Controls:
Identify money laundering and terrorism financing risks relevant to your operations.
Define procedures to assess and mitigate those risks, including governance and staff training.
Appoint a compliance officer to oversee implementation and monitoring.
Part B – Customer Due Diligence (CDD):
Outline how your business will collect and verify customer identity information.
Specify when and how to apply simplified, standard, or enhanced due diligence.
Include procedures for ongoing monitoring, politically exposed persons (PEP) checks, and suspicious activity identification.
Your AML/CTF program must be:
Tailored to your business size, services, and risk exposure.
Documented and reviewed regularly.
Available for inspection by AUSTRAC on request.
3. Customer Due Diligence (CDD) Requirements
Customer Due Diligence is an ongoing process — not a one-time task. Under Tranche 2, entities must implement a lifecycle approach to knowing their customers.
Key requirements include:
Verify identity before providing any Designated Service.
Collect and retain customer information, including full name, date of birth, residential address and beneficial ownership details.
Apply Enhanced Due Diligence (EDD) when dealing with higher-risk clients or situations.
Review and update CDD information periodically to ensure it remains accurate and relevant.
When to Apply Enhanced Due Diligence (EDD):
EDD must be applied in the following higher-risk scenarios:
The customer is a Politically Exposed Person (PEP), or a close associate or family member of a PEP.
The customer operates through complex ownership or control structures.
The customer is based in or connected to a high-risk jurisdiction.
Transactions are unusually large, complex, or inconsistent with the client’s known profile.
Important: If you cannot verify a customer's identity or establish the source of funds, you must not proceed with the service.
4. Reporting Obligations
Timely and accurate reporting is mandatory. Tranche 2 entities must report the following to AUSTRAC:
Suspicious Matter Reports (SMRs): Lodged when you suspect on reasonable grounds that a transaction may be linked to criminal activity, even if the transaction hasn't occurred yet.
Threshold Transaction Reports (TTRs): Required for any cash transactions of AUD $10,000 or more (or equivalent in foreign currency). Non-cash payments, such as electronic transfers or cheques, are not subject to TTR requirements.
International Funds Transfer Instructions (IFTIs): Must be submitted for any cross-border fund transfers, regardless of value.
Note: All reports must be submitted via AUSTRAC’s online reporting portal within the prescribed timeframes. Failure to report may result in civil or criminal penalties and can significantly damage your organisation’s reputation.
5. Record Keeping
Entities must retain all relevant AML/CTF records for at least seven years, including:
Customer identification documentation.
Risk assessments and AML/CTF programs.
Records of transactions, SMRs, TTRs and IFTIs.
Staff training and internal audit records.
These records must be stored securely and be readily accessible for regulatory review or audit.
6. Staff Training and Compliance Culture
All relevant staff must receive regular AML/CTF training. This ensures that staff:
Understand their compliance responsibilities.
Know how to identify and report suspicious behavior.
Are aware of legal and reputational consequences for non-compliance.
Training must be documented and repeated at regular intervals, including:
At least annually for all relevant staff.
When an employee’s role changes to involve designated services or higher-risk functions.
When AML/CTF regulations or internal procedures are updated.
As part of new employee onboarding for those in relevant roles.
Employee Due Diligence: Implement verification procedures for employees in designated roles, including background checks and role-based access controls. This reduces internal risk and aligns with AUSTRAC’s expectations for internal governance under Part A of the AML/CTF Program.
Best Practice: Maintain a training register and require formal acknowledgment of completion to support audit readiness and compliance assurance.
Preparing for Compliance
For legal and real estate professionals, the transition to compliance involves:
Assessing current practices against new AML/CTF requirements.
Implementing a robust and secure identity verification process.
Training staff on AML/CTF obligations and procedures.
Establishing systems for ongoing monitoring and reporting.
Franchise networks and larger firms should ensure that compliance measures are uniformly applied across all branches and agents.
My Databoss: Your AML Compliance Partner
Navigating the complexities of AML/CTF compliance can be challenging. My Databoss offers a comprehensive solution to streamline this process for legal, real estate, and professional services firms:
Verification Tools
Secure Identity Verification: Validate passports, driver’s licences and other ID documents using government-grade verification services.
Biometric Screening: Enhance identity checks with facial recognition and liveness detection to prevent impersonation and fraud.
Security & Privacy
End-to-End Encryption: All data is encrypted in transit and at rest, aligned with Australian Privacy Principles (APPs).
User Control: Customers retain full control over who can access their data and for how long.
Secure Data Sharing: Share verified credentials , not raw documents, through encrypted workflows, with full audit trails and user consent.
Compliance Automation
Customer Due Diligence (CDD) Reporting: Automatically generate audit-ready reports to meet AUSTRAC standards.
Data Retention Management: Apply customised retention periods for each ID document and data field. Expiry tracking, secure deletion and audit logging are automated to ensure ongoing compliance.
Sanctions & PEP Screening: Real-time monitoring of global watchlists and politically exposed persons.
With My Databoss, you gain a secure, scalable and auditable compliance infrastructure that is designed to help you meet your legal obligations and build client trust.
Act Now
With the 1 July 2026 compliance deadline approaching, now is the time to prepare. Visit www.mydataboss.com to learn how we can help you get AML Ready.