In November 2024, Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), bringing an estimated 90,000 new businesses under Australia’s AML/CTF regime from 1 July 2026. If you run a law firm, accounting practice, real estate agency, trust and company services business, or deal in precious metals or stones, the obligations you face from that date are significant and most business owners are still not ready.
There are a lot of confusing messages in the market with some commentators suggesting that compliance will be straight forward and others highlighting the extreme difficulties that smaller firms will face.
These are the 6 questions we hear most from Tranche 2 businesses:
- What are the AML/CTF requirements, and how is Tranche 2 different?
- How does enrolment with AUSTRAC work?
- Why is AUSTRAC reporting so important?
- What are the civil penalties under Tranche 2, and why are they a new challenge?
- What does Tranche 2 mean for directors and senior management?
- What does it mean to be my own AMLCO?
1. What Are the AML/CTF Requirements, and How Is Tranche 2 Different?
Australia’s AML/CTF framework is governed by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act) and its supporting Rules. For most of its history, the Act applied only to financial sector businesses, which included banks, credit unions, remittance providers, casinos and gambling services. These are called Tranche 1 entities.
The 2024 amendments fundamentally expand the Act’s reach. From 1 July 2026, a wide range of professional service businesses must comply with AML/CTF obligations for the first time.
What businesses are now captured?
Under the reforms, you become a reporting entity when you provide one of the new ‘designated services’. Importantly, this means not all legal and accounting firms will be captured, only those providing the new designated services. In broad terms, the Tranche 2 designated services are:
- Real estate: brokering or facilitating a real estate transaction. Typically, this means real estate agents, conveyancers and lawyers, and developers selling directly to buyers without an agent.
- Corporate actions: assisting with buying, selling, transferring, creating, or arranging debt or equity finance for a company or other legal entity. Typically, this means accountants, lawyers or consultants who help plan or execute the deal.
- Trust account services: receiving, holding or managing money or assets to facilitate a transaction. Typically, this means accountants or lawyers.
- Nominee services: acting, or arranging for someone else to act, as a nominee for another person – for example, standing in as a director, trustee, partner, or attorney under a power of attorney. Typically, this means accountants or lawyers.
- Registered office address: providing the use of your address as a registered office, or for mail forwarding, for other companies. Typically, this means accountants, lawyers and shared workspace providers.
- Precious metals and stones: buying or selling precious metals, stones or products with a value of $10,000 or more that involves physical currency and/or virtual assets. Typically, this means jewellers and other dealers.
The test is whether your business provides a ‘designated service’ with a geographical link to Australia in the course of carrying on a business. If so, the full suite of AML/CTF obligations applies to you.
Contact us at contact@ausaml.com and we can help you understand if your business is a ‘designated service’ which falls under Tranche 2.
What do the core obligations require?
Once captured by the regime, reporting entities must:
- Enrol with AUSTRAC on the Reporting Entities Roll
- Appoint an AML/CTF Compliance Officer (AMLCO) at management level
- Prepare and implement an AML/CTF Program tailored to your business
- Conduct initial and ongoing Customer Due Diligence (CDD) on clients before providing designated services
- Conduct Enhanced Due Diligence (EDD) for higher-risk customers, relationships and transactions
- Submit Suspicious Matter Reports (SMRs) to AUSTRAC when a suspicion arises
- Submit Threshold Transaction Reports (TTRs) for cash transactions of $10,000 or more
- Maintain records for seven years
- Undergo regular independent reviews — at least once every three years
How does Tranche 2 differ from what came before?
The key difference is who the laws apply to. Tranche 1 covered businesses operating in or adjacent to the financial system, including banks, credit unions, remittance dealers, currency exchanges, and casinos. These entities have been operating under the AML/CTF Act since 2006 and are well-versed in their obligations.
Tranche 2 brings in the professional services sectors including lawyers, accountants, real estate agents and others listed above. These businesses have operated almost entirely outside any AML framework until now.
The differences go beyond who is covered
There are also substantive differences in how the new obligations are structured compared with the original Tranche 1 framework:
2. How Does Enrolment with AUSTRAC Work?
Enrolment is the formal process of registering your business on the Reporting Entities Roll maintained by AUSTRAC. It is not optional. If you provide a designated service, you must enrol. Failure to do so is a strict liability offence, meaning AUSTRAC does not need to prove intent - the failure alone is sufficient grounds for a penalty.
The enrolment process, step by step
- Step 1: Determine if you’re captured. Use AUSTRAC’s Check if you may be regulated tool at austrac.gov.au to confirm whether your services trigger Tranche 2 obligations.
- Step 2: Register for AUSTRAC Online. You will need to create an account on AUSTRAC’s secure reporting portal if you don’t already have one.
- Step 3: Tranche 2 entities can begin the enrolment process from 31 March 2026. You will need to provide details of your business, key personnel, and the designated services you provide.
- Step 4: Complete enrolment by 29 July 2026. Enrolment must be completed within 28 days of beginning to provide a designated service. For most Tranche 2 businesses, the outer deadline is 29 July 2026.
- Step 5: Notify AUSTRAC of your AMLCO by 29 July 2026.
It is important to understand that obligations commence on 1 July 2026 regardless of whether you have enrolled. Enrolment is not a prerequisite for the duties to apply — you should be building your AML/CTF Program well before that date.
It is also important to enrol for all of the designated services that you provide. Failing to register every designated service can leave part of your business operating outside your enrolment, which is itself a compliance gap AUSTRAC can act on.
Contact us at contact@ausaml.com to help you prepare for your enrolment.
3. Why Is AUSTRAC Reporting So Important?
AUSTRAC serves a dual role in Australia’s financial crime framework: it is both the AML/CTF regulator and Australia’s Financial Intelligence Unit (FIU). The intelligence it collects from reporting entities feeds directly into law enforcement investigations, national security operations, and international intelligence sharing.
Last year, AUSTRAC received more than 2 million threshold transaction reports and over 450,000 suspicious matter reports. Those figures are expected to rise substantially from 1 July 2026 as Tranche 2 entities come online. AUSTRAC has also noted that a disproportionately small number of reporting entities submit the majority of SMRs, many entities that should be reporting regularly have never submitted one. AUSTRAC plans to actively detect entities whose business profiles and ML/TF risk levels suggest they should be making regular SMRs but aren’t. In other words, AUSTRAC is cross-referencing what it knows about your business, your sector, the types of clients you serve, your transaction volumes, against your reporting history. If that profile says you should be seeing suspicious activity and your SMR count is zero, you will be on their radar.
Failure to submit any SMRs is a flag that AUSTRAC may use to identify REs that warrant investigation. Similarly, low quality or excessive SMR submissions are likely to signal to AUSTRAC that you don’t understand or have not appropriately measured your risks. Again, this may trigger investigation by AUSTRAC.
Three key reports you must understand
Suspicious Matter Reports (SMRs)
An SMR must be submitted to AUSTRAC when you form a suspicion that a customer is not who they claim to be, that a transaction involves proceeds of crime, or that information you hold is relevant to an investigation. Critically, the obligation arises as soon as the suspicion forms, which can be before a transaction is completed.
Timeframes are strict:
- Within 24 hours for suspicions related to terrorism financing
- Within 3 business days for all other suspicious matters
Threshold Transaction Reports (TTRs)
A TTR must be submitted for any transaction involving physical currency (cash) of $10,000 or more. This includes deposits, withdrawals, and exchanges. The obligation is automatic; there is no discretion or suspicion threshold.
Annual Compliance Report
Each year, reporting entities must submit an annual compliance report confirming that their AML/CTF Program has been implemented and identifying any issues with its effective operation. AUSTRAC takes non-lodgement seriously. In December 2025, it commenced civil penalty proceedings against multiple entities for failure to lodge their compliance reports.
4. What Are the Civil Penalties Under Tranche 2, and Why Are They a New Challenge?
For Tranche 2 businesses, the civil penalty regime represents a category of legal and financial risk that most have never faced before. AUSTRAC’s penalty framework is extensive, scalable, and operates on a strict liability basis in many areas. This means intent does not need to be proven. If the breach occurred, then the penalty may apply.
How penalties are calculated
Maximum civil penalties are:
These penalties are per contravention. A business with multiple failures e.g., inadequate CDD, missing SMRs, and a non-compliant Program can face separate penalty calculations for each breach.
Why this is new territory for Tranche 2 entities
Tranche 1 entities like banks have compliance teams, legal departments, and years of experience navigating AUSTRAC enforcement. They know what an investigation looks like and how to respond.
Tranche 2 businesses entering this regime for the first time face the same obligations and the same penalties with none of the institutional experience that Tranche 1 entities built over many years.
AUSTRAC has been explicit: civil penalty proceedings and cancellation of registration are on the table for entities that fail to meet their obligations. Recent enforcement actions against clubs, casinos, and foreign exchange businesses show a regulator that is willing to pursue significant penalties even for technical non-compliance.
AUSTRAC has also signalled that it will specifically target ‘low and non-reporting’ entities whose business profile suggests they should be submitting SMRs but are not. Tranche 2 entities that enrol and then fail to report suspicious matters will be identifiable.
5. What Does Tranche 2 Mean for Directors and Senior Management?
This is the question many business owners and partners have not yet grappled with. Under the reformed AML/CTF framework, the obligations are not just imposed on the business entity. They carry explicit governance duties that sit at the level of the governing body which for a company means the board of directors, and for a small business may mean the owner themselves.
The AML/CTF Rules 2025 require every reporting entity to establish a clear governance structure with three defined roles:
In a small business including many real estate agencies, accounting practices and law firms the same person may hold all three roles. This does not reduce the obligations; it concentrates them.
The personal liability dimension
The AML/CTF Act does not directly impose personal civil penalties on directors in the way that, say, the Corporations Act 2001 (Cth) imposes duties on directors. However, the picture is more complex than it appears.
Recent academic and regulatory analysis confirms that ASIC is using section 180 of the Corporations Act (the duty of care and diligence) to pursue directors and officers of companies that fail in their AML/CTF obligations. This ‘extended stepping stones’ approach has been demonstrated in high-profile enforcement action against Star Entertainment Group, where directors and executives faced personal consequences following AUSTRAC investigations including resignations, regulatory proceedings, and reputational consequences.
The amended Act also reinforces this by making it an explicit requirement that the governing body take ‘reasonable steps’ to ensure compliance. This language, which is familiar from other areas of Australian regulatory law, creates a documented accountability standard that regulators can point to.
6. What Does It Mean to Be My Own AMLCO?
Every reporting entity must appoint an AML/CTF Compliance Officer (AMLCO), and in a small practice the obvious candidate is often the owner or office manager. AUSTRAC does not require you to be an AML expert on the day you are appointed, but it does require the role to be genuine — and once you hold it, the day-to-day operation of your entire compliance program rests on your shoulders. Before you put your own name on the AUSTRAC register, it is worth understanding what you are taking on.
Who can be an AMLCO?
- The AMLCO must be a “fit and proper” person at management level, with genuine authority, resources and capacity to perform the role (AML/CTF Act s26K; AML/CTF Rules s5-14). It is a substantive appointment, not a title.
- In a small business the same person may be the governing body, the senior manager and the AMLCO. This does not lighten the load — it concentrates every obligation in one person.
- You must keep a record of the appointment and how you assessed suitability and notify AUSTRAC of your AMLCO (for Tranche 2 businesses), by 29 July 2026, with any later change of AMLCO notified within 14 days.
- AUSTRAC has been explicit that appointing a junior staff member as a nominal AMLCO, and then leaving the obligations unattended, is not a defence.
What the role actually requires
Being the AMLCO is an ongoing operational job, not a title you hold once a year. On a continuing basis, you are responsible for:
- implementing and maintaining the AML/CTF program, and keeping the ML/TF risk assessment current as the business changes;
- carrying out, or overseeing, customer due diligence and enhanced due diligence before designated services are provided;
- monitoring transactions and customer behaviour for signs of money laundering, terrorism financing or proliferation financing;
- forming a view on whether a matter is suspicious, and lodging suspicious matter reports;
- lodging threshold transaction reports for cash of $10,000 or more, and the annual compliance report;
- arranging an independent evaluation of the program at least once every three years;
- training staff, reporting to the governing body, and being the point of contact for any AUSTRAC notice, request or examination.
The deadlines do not move
Several of these obligations run to strict statutory clocks, and missing one is a breach in its own right:
- Suspicious matter reports — within 24 hours where terrorism financing is suspected, and within 3 business days for all other suspicions, measured from when the suspicion forms.
- Threshold transaction reports — for every qualifying cash transaction of $10,000 or more.
- The annual compliance report — on time, every year. AUSTRAC treats non-lodgement seriously: in December 2025 it commenced Federal Court civil penalty proceedings against businesses that had simply failed to lodge.
Falling behind on these is not a paperwork oversight. It can attract civil penalties and infringement notices, and the obligation to report does not wait until you feel ready for it.
Where the personal risk sits
The AMLCO sits at the centre of the most sensitive decisions a reporting entity makes — which is also where personal exposure is greatest.
- Tipping off. Because the AMLCO forms suspicions and lodges SMRs, they are the person most exposed to tipping off. Disclosing information that would, or could reasonably be expected to, prejudice an investigation — including to your own client in the ordinary course of business — is a criminal offence under section 123 of the Act, punishable by up to 2 years imprisonment. A single careless conversation can cross the line.
- Personal accountability. While the Act’s civil penalties largely attach to the business, officers are increasingly accountable in their own name. In March 2026 the Federal Court found Star Entertainment’s former Chief Legal & Risk Officer had personally breached her duties over the company’s handling of money-laundering risk.
- It has to work in practice. AUSTRAC expects the program to be implemented, not merely documented — and as AMLCO, you are the person who has to make that true every day.
Summary: What Your Business Should Be Doing Now
The 1 July 2026 commencement date for Tranche 2 obligations is not far away. Based on everything in this article, here is a practical checklist for businesses entering the AML/CTF regime for the first time:
- Confirm whether your services are captured using AUSTRAC’s online tool
- Conduct a Money Laundering and Terrorism Financing Risk Assessment tailored to your clients, services, and geographic exposure
- Draft and approve an AML/CTF Program that reflects your risk assessment
- Put Customer Due Diligence procedures in place, including identity verification and beneficial ownership checks
- Appoint an AML/CTF Compliance Officer at management level or consider engaging an external expert to serve as your AML Compliance Officer
- Train all relevant staff on their AML/CTF obligations
- Enrol with AUSTRAC via AUSTRAC Online
- Notify AUSTRAC of your compliance officer by 29 July 2026
- Establish an internal review schedule and independent review at least every three years
Sources and references
Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) | Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) | AUSTRAC: Your obligations (austrac.gov.au) | AUSTRAC: Regulatory expectations 2025–26 | AUSTRAC: Changes to transaction reporting from 1 July 2026 | CPA Australia: AML/CTF obligations factsheet for Tranche 2 reporting entities | Norton Rose Fulbright: Tranche 2 and AML/CTF Reforms Hub | Tranche Two Consultants: Governing body obligations
This blog is published for general informational purposes only. It does not constitute legal or financial advice. Businesses should seek independent legal advice regarding their specific obligations under the AML/CTF Act and Rules.
Published June 2026 | AUSAML.com
