Australia's anti-money laundering landscape is undergoing its most significant expansion since the original AML/CTF Act was introduced in 2006. Tranche 2 reforms extend mandatory customer due diligence and reporting obligations to an estimated 90,000 additional businesses, many of them small operators who have never dealt with AUSTRAC before. If you run an accounting firm, a real estate agency, a legal practice, or a business in one of the newly designated sectors, this guide explains exactly what you need to do and when.
What Is AUSTRAC Tranche 2 and Why Does It Matter?
AUSTRAC Tranche 2 refers to the long-anticipated expansion of Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to cover designated non-financial businesses and professions (DNFBPs). These reforms bring Australia into closer alignment with the Financial Action Task Force (FATF) Recommendations, which have long called on member countries to regulate gatekeeping professions that are vulnerable to money laundering exploitation.
Australia was one of the few FATF member nations that had not yet extended AML/CTF obligations beyond financial services and gambling. The 2024 mutual evaluation placed considerable pressure on the government to act. The result is a phased reform timetable that began taking effect in late 2025, with full compliance deadlines rolling through 2026 and into 2027.
For small businesses, the stakes are real. AUSTRAC has demonstrated through high-profile enforcement actions against Commonwealth Bank, Westpac, and Crown Resorts that it is willing to pursue significant civil penalties for systemic non-compliance. While regulators have signalled proportionate expectations for smaller entities, the obligation to have compliant systems in place is non-negotiable.
Who Is Affected by Tranche 2?
Approximately 90,000 Australian businesses are now captured under the expanded AML/CTF regime. If your business falls into any of the following categories, you have new or enhanced obligations under the AML/CTF Act.
The key sectors brought into scope include:
- Real estate agents and agencies conducting property transactions, including sales, purchases, and commercial leases above prescribed thresholds
- Accountants and tax agents providing designated services such as managing client finances, creating or managing legal entities, and handling financial transactions on behalf of clients
- Lawyers and conveyancers involved in buying and selling real estate, managing client money, and establishing or managing trusts and company structures
- Trust and company service providers (TCSPs) forming companies, acting as directors or secretaries, providing registered office addresses, or acting as trustees
- Dealers in precious metals and stones conducting transactions at or above AUD 15,000
- Other professional service providers as designated by regulation
Many businesses in these sectors are sole traders or small teams. If you are a two-person accounting firm in regional Queensland or a boutique real estate agency in Melbourne, the obligations apply to you just as they apply to the major firms.
What Are the Core Compliance Requirements?
Under Tranche 2, newly captured businesses must implement an AML/CTF program that satisfies AUSTRAC's requirements. The program has two parts, and both must be in place before you can lawfully provide designated services.
Part A: General Compliance
Your Part A program must include:
- Customer identification and verification procedures that specify how you will establish the identity of customers before providing designated services. This includes the "know your customer" (KYC) process using the 2+2 identification standard
- A risk-based approach to customer due diligence, with enhanced measures for higher-risk customers, geographies, and transaction types
- Ongoing customer due diligence requiring you to keep customer information current and monitor transactions for suspicious activity
- Record-keeping obligations requiring you to retain identification records, transaction records, and AML/CTF program documents for a minimum of seven years
- Employee due diligence covering screening of staff who handle designated services
- AML/CTF compliance officer appointment, even for small businesses (this can be the business owner)
Part B: Employee Training
Your Part B program must ensure that all employees who provide designated services, or who are likely to identify suspicious matters, receive appropriate training. Training must cover your AML/CTF obligations, how to identify suspicious behaviour, and how to report internally.
What Is the 2+2 Identification Standard?
The 2+2 standard is the baseline method for verifying a customer's identity. It requires collecting at least two forms of identification from two different categories. This typically means one primary photographic document (such as a passport or driver licence) plus one secondary document from a different category (such as a Medicare card, birth certificate, or utility bill).
For electronic verification, the same principle applies: you need to match customer-provided details against at least two reliable data sources. The Document Verification Service (DVS), operated by the Australian Government, is the primary electronic channel for verifying government-issued identity documents in real time.
Australian Identity Solutions provides DVS-integrated identity verification that enables small businesses to meet the 2+2 standard electronically, without needing to sight and photocopy physical documents. This is particularly valuable for businesses operating remotely or across multiple locations.
What Penalties Apply for Non-Compliance?
AUSTRAC operates a graduated enforcement model, but the maximum penalties are severe. Under the AML/CTF Act:
- Civil penalty provisions carry maximum penalties of up to AUD 28.2 million per contravention for corporations and AUD 5.64 million per contravention for individuals (penalty unit values as at 2026)
- Criminal offences for serious and intentional breaches can result in imprisonment of up to seven years
- Infringement notices for less serious breaches can still amount to tens of thousands of dollars
- Remedial directions requiring businesses to overhaul their compliance programs at their own expense
AUSTRAC has also demonstrated a willingness to publicise enforcement actions, which can cause significant reputational damage regardless of the penalty amount.
For small businesses, the practical risk is not typically a multi-million-dollar penalty. It is an infringement notice, a remedial direction that forces you to engage expensive consultants, and the reputational impact of being publicly identified as non-compliant. Prevention through proper systems is far more cost-effective than remediation after the fact.
When Do Businesses Need to Comply?
The Tranche 2 reforms are being implemented on a phased timeline. The key dates that small businesses should be aware of include:
- Late 2025 to early 2026: Registration with AUSTRAC for all newly captured reporting entities
- Mid 2026: Full AML/CTF program implementation deadline for most sectors, including Part A and Part B requirements
- Ongoing from 2026: Suspicious matter reporting, threshold transaction reporting, and international funds transfer instruction reporting obligations active for all designated services
Businesses should not wait for the final deadline. Developing an AML/CTF program, training staff, and implementing identity verification systems takes time. Businesses that begin the process early will be better positioned to meet their obligations without disruption to their operations.
How Should Small Businesses Prepare?
Preparing for Tranche 2 does not require you to become a compliance expert, but it does require you to take structured, documented steps. Here is a practical preparation roadmap for small businesses:
Step 1: Confirm whether you are captured. Review the list of designated services in the amended AML/CTF Act and rules. If any part of your business provides a designated service, you are a reporting entity and must comply.
Step 2: Register with AUSTRAC. All reporting entities must be registered on the AUSTRAC reporting portal. Registration is free and can be completed online.
Step 3: Appoint an AML/CTF compliance officer. For small businesses, this is often the principal or business owner. The compliance officer is responsible for overseeing your AML/CTF program and acting as the primary contact for AUSTRAC.
Step 4: Conduct a risk assessment. Assess the money laundering and terrorism financing risks specific to your business, considering the types of customers you serve, the services you provide, the channels you use to deliver them, and the geographies involved. Document your assessment.
Step 5: Develop your AML/CTF program. Using your risk assessment as the foundation, create Part A (customer identification, ongoing due diligence, record keeping) and Part B (employee training) programs. AUSTRAC provides guidance and templates for smaller businesses.
Step 6: Implement identity verification technology. Manual, paper-based verification is slow, error-prone, and difficult to scale. Electronic identity verification through a provider like Australian Identity Solutions enables you to verify customers in seconds, with full audit trails that satisfy AUSTRAC record-keeping requirements.
Step 7: Train your team. Ensure all relevant staff understand their obligations, know how to identify suspicious behaviour, and know how to escalate concerns through your internal reporting process.
Step 8: Establish reporting procedures. Set up processes for filing suspicious matter reports (SMRs), threshold transaction reports (TTRs), and international funds transfer instruction reports (IFTIRs) through the AUSTRAC portal.
How Can Technology Reduce the Compliance Burden?
For small businesses without dedicated compliance teams, technology is the most practical way to meet Tranche 2 obligations without diverting resources from core business activities.
Electronic identity verification platforms like Australian Identity Solutions offer several advantages:
- Speed: Verify customer identities in seconds rather than days, maintaining your workflow and customer experience
- Accuracy: DVS-connected verification eliminates manual errors in checking identity documents and reduces the risk of accepting fraudulent documents
- Audit trail: Every verification is logged with timestamps, document details, and results, giving you the record-keeping evidence AUSTRAC requires
- Scalability: Whether you verify ten customers a month or a thousand, the process remains consistent and compliant
- Cost-effectiveness: Pay-per-verification pricing means you only pay for what you use, without the overhead of building in-house systems
Australian Identity Solutions is purpose-built for Australian small businesses navigating AUSTRAC compliance. Our platform integrates with the Document Verification Service and provides industry-specific solutions for real estate, accounting, legal, and other Tranche 2 sectors.
What Resources Are Available to Help?
AUSTRAC has published guidance materials specifically for newly captured entities, including sector-specific guides, risk assessment templates, and online learning modules. Key resources include:
- AUSTRAC's official website (austrac.gov.au) for regulatory guidance, reporting portal access, and industry-specific fact sheets
- Industry association guidance from bodies such as the Real Estate Institute of Australia (REIA), CPA Australia, Chartered Accountants Australia and New Zealand (CA ANZ), and the Law Council of Australia
- The Tax Practitioners Board (TPB) for guidance on how AML/CTF obligations interact with existing TPB registration and proof of identity requirements
- Australian Identity Solutions for practical, technology-driven compliance support. Contact our team to discuss your specific Tranche 2 requirements
Key Takeaways
- Tranche 2 expands AML/CTF obligations to approximately 90,000 Australian businesses in sectors including real estate, accounting, legal services, and trust and company service providers
- All captured businesses must register with AUSTRAC, appoint a compliance officer, conduct a risk assessment, and implement a two-part AML/CTF program covering customer due diligence and staff training
- The 2+2 identification standard requires verifying customer identity using at least two documents from two different categories, either physically or electronically via DVS
- Penalties for non-compliance are significant, with civil penalties reaching millions of dollars per contravention and the potential for criminal prosecution in serious cases
- Technology is the most practical path to compliance for small businesses. Electronic identity verification through providers like Australian Identity Solutions reduces manual effort, improves accuracy, and creates the audit trails regulators expect
- Do not wait for the deadline. Businesses that start preparing now will be in a far stronger position when AUSTRAC begins compliance monitoring in earnest
- Seek sector-specific guidance from AUSTRAC, your industry association, and technology partners like AIS who understand the unique challenges facing Australian small businesses
The expansion of Australia's AML/CTF regime is a significant regulatory shift, but it is also an opportunity. Businesses that implement robust identity verification and compliance systems will not only satisfy their legal obligations but also build stronger customer trust, reduce fraud risk, and position themselves as professional, trustworthy operators in their industry.
If you need help preparing for Tranche 2, get in touch with Australian Identity Solutions to learn how our platform can streamline your compliance journey.