Why Tranche 2 Needs a History Lesson
The conversation around Australia's Tranche 2 AML/CTF reforms has tended to miss something crucial: hindsight. While much of the current industry commentary treats this as something entirely new, the lived experience of Tranche 1 institutions (i.e., entities initially captured by the AML/CTF Act) between 2006 and 2008 offers valuable intelligence on how this might pan out if we follow the same paths. Failing to embrace innovation in compliance is a lesson the big banks with their deep pockets, institutional knowledge and experienced bench of compliance specialists are yet to learn. Consequently, they continue to spend millions of unnecessary dollars maintaining and improving their programs today. Collectively, if we follow the same playbook without radically changing our thinking, we are bound to repeat the same mistakes. The good news is that there are options available today that have capitalised on the mistakes of the past to pave a much more efficient and effective path for Tranche 2 entities (i.e., entities captured under the designated services introduced in the December 2024 revision of the
AML/CTF Act).
The Resource Paradox: Same Rules, Different Starting Point
AML/CTF Act. They had hundreds of dedicated compliance staff, enterprise-grade risk management frameworks, and budgets stretching into the hundreds of millions. Yet even they struggled. Technology procurement timelines blew out to 2-3 times initial estimates. Staff training took months, sometimes years, to embed genuine behavioural change. And the remediation cycles? Those dragged on for 4 to 10 years after the deadline had passed.
Fast forward to 2026. The Tranche 2 expansion will bring approximately 80,000 to 90,000 new reporting entities into the fold, including real estate agents, conveyancers, developers, accountants, lawyers, and dealers in precious metals and stones. The Office of Impact Analysis estimates this will impose approximately $13.9 billion in regulatory burden over ten years. But here is the kicker: where major banks could deploy dedicated compliance functions with hundreds of staff, Tranche 2 entities typically operate with zero existing dedicated staff. It's all new and starting without a baseline infrastructure or culture of compliance which was a key building block the big banks had when they started their journey.
Your regulatory obligations are substantially equivalent to those that proved so challenging for Tranche 1 institutions. This asymmetry between regulatory burden and organisational capacity is not adequately captured in resource estimates that focus on absolute cost figures, without reference to what SME organisations can bear.
The Long Tail of Non-Compliance
Tranche 1 entities started well post the 2008 compliance deadline with no major enforcement actions for almost a decade. But then, Commonwealth Bank's $700 million AUSTRAC penalty in 2018 was followed closely by Westpac's $1.3 billion settlement in 2020. Crown Resorts faced significant enforcement action in 2023 and NAB entered into an Enforceable Undertaking with AUSTRAC that was only lifted in 2025. This paints a picture of consistent underinvestment and lack of continuous program improvements that eroded the nation’s AML/CTF defenses over time.
Partnering with a trusted and experienced AML/CTF service provider like Aus AML will provide you with a reliable all-in-one service that integrates financial crime This pattern tells us something crucial: compliance is not a one-off project with a finish line. It is a continuous journey that demands sustained investment, ongoing vigilance, and the ability to adapt as regulatory expectations evolve. This isn't purely an Australia- specific issue that will go away, but a global one where organisations such as FATF are providing the same message of constant vigilance and improvement in risk management to all countries. In today’s interconnected global economy Australia cannot afford to be the weak link, so we know this won’t be the end of the road. The institutions that thought they could tick a box and move on learned the hard way that was not the right strategy.
The 2026 Difference: Managed Services
There is some good news. The managed services that banks wished they had in 2008 are available today. Back then, the market was nascent. Technology vendors offered software solutions, but comprehensive managed services spanning program design, operations and, most importantly, expertise and advice were not widely available. Data sovereignty and security concerns constrained outsourcing enthusiasm for functions involving sensitive customer information.
Today, the landscape has transformed. Specialist compliance service providers have matured. Cloud-native scalable technology platforms offer enterprise-grade capabilities without enterprise-grade infrastructure investments. Regulatory guidance on outsourced compliance arrangements is explicit and detailed. And there are proven track records in adjacent jurisdictions showing what works and what does not.
The Choice Before You
The siloed approach taken by Tranche 1 entities proved to be expensive and ineffective. To be fair, it was driven by a lack of genuine alternatives and fit the generally accepted thinking for compliance strategies for big banks at the time. But now, advancements in cloud-based technology coupled with modern approaches to problem solving inspired by the sharing economy have resulted in a genuine second option. The managed services that banks wished they had in 2008 are available today. The question is whether Tranche 2 entities will use them before history repeats itself.
Unsure of the optimal approach to compliance for your business? Talk to the team at Aus AML today.
