AML/CTF Tranche 2: the complete guide for real estate, accounting, legal, conveyancing, TCSPs and precious metals

What is Tranche 2 and when does it commence?

Australia's AML/CTF regime was extended via the AML/CTF Amendment Act 2024 (Royal Assent 10 December 2024). From 1 July 2026, the scheme captures six new sectors collectively referred to as "Tranche 2".

Enrolment with AUSTRAC opens 31 March 2026 and the absolute deadline for new reporting entities providing services on day one is 29 July 2026 (28 days after commencement).

This is not a soft launch. AUSTRAC has signalled an active enforcement posture, and the daily penalty for failure to enrol is AUD $19,800 per day.

Who is captured by Tranche 2?

Six sectors are newly captured when they provide a "designated service":

1. Real estate agents — selling, buyer's agency, property development sales
2. Accountants and bookkeepers — managing client money, company / trust formation, buying-selling business entities
3. Lawyers and solicitors — transactional work involving property, company / trust formation, trust account management
4. Licensed conveyancers — property transfers, settlements, PEXA transactions, managing settlement funds
5. Trust and company service providers (TCSPs) — formation as a service, nominee director / shareholder, registered agent
6. Precious metals and stones dealers — gold, silver, platinum or precious stones, with cash transactions of $10,000+

Common carve-outs that are NOT captured (by themselves):

• Tax preparation only
• Bookkeeping only (no client money)
• Residential property management (rent collection, no sales)
• Litigation-only legal work
• Precious metals dealers below the $10K cash threshold

If your business is in one of the six sectors but you only do work that doesn't tick a "designated service" box, you are not captured. Our scope checker walks the decision tree.

What is a 'designated service'?

The AML/CTF Act lists discrete services that trigger capture (table 1 of section 6, as expanded by the 2024 amendments). The principle: you're captured when your services *facilitate the movement, structure, or concealment of value*. Selling a property is captured because property is a value-store. Litigation is not captured because there's no value movement.

The seven Tranche 2 obligations

Once captured, you have seven core obligations:

1. Enrol with AUSTRAC — within 28 days of first providing a designated service after 1 July 2026.
2. Maintain a written AML/CTF program — Part A (risk assessment) + Part B (CDD systems).
3. Carry out customer due diligence (CDD) — identity verification + beneficial-ownership identification before providing services.
4. Lodge SMRs, TTRs and IFTI reports — to AUSTRAC Online.
5. Designate an AML/CTF compliance officer — senior employee, fit and proper, cannot be outsourced.
6. Train all relevant staff — initial + refresher, documented.
7. Have your program independently reviewed — at risk-based intervals (typically every 2 years).

AUSTRAC enrolment — process and deadline

Enrolment opens 31 March 2026 via AUSTRAC Online. You need:

• ABN + business activity profile
• Key personnel (directors, senior managers)
• Estimated reporting volume by service type
• Compliance officer details

Enrolment is free. AUSTRAC may request additional information; respond promptly. You'll receive a Reporting Entity Number (REN) and access to AUSTRAC Online.

Hard deadline: within 28 days of first providing a designated service after 1 July 2026. If you intend to provide services on day one, enrol by 29 July 2026.

Building your Part A risk assessment

Part A of your program is your ML/TF risk assessment: a written analysis of your business's exposure to money laundering and terrorism financing risk. Required content:

• Customer types you serve (PEPs, foreign nationals, complex structures, cash-heavy)
• Products/services you offer (which designated services from the Act)
• Delivery channels (face-to-face, online, intermediated)
• Jurisdictions you transact with (especially high-risk countries per AUSTRAC guidance)

Your overall risk rating drives the design of Part B controls. Higher-risk = more granular CDD, enhanced due diligence triggers, lower SMR thresholds.

The board (or senior management) must approve Part A. Revisit annually or on material change.

Building your Part B CDD systems

Part B covers the operational controls:

• Customer identification — name, address, DOB for individuals; ABN, registered office, beneficial owners (≥25%) for non-individuals
• Verification — government ID + electronic-database verification, or biometric
• Beneficial owner identification — natural persons who ultimately own or control ≥25%
• Enhanced due diligence (EDD) — triggered by PEPs, high-risk countries, complex structures, adverse media
• Ongoing CDD — monitor for changes in customer profile, behaviour, risk
• Transaction monitoring — automated or manual review for suspicious patterns
• Record-keeping — 7 years minimum

Reporting: SMRs, TTRs, IFTIs

Three core report types lodged via AUSTRAC Online:

• Suspicious Matter Report (SMR) — within 3 business days of forming a suspicion (24 hours for terrorism financing). Tipping-off offence prohibits telling the customer.
• Threshold Transaction Report (TTR) — within 10 business days for cash transactions ≥$10,000 AUD.
• International Funds Transfer Instruction (IFTI) report — within 10 business days for international funds movement you instruct or receive.

Reports are XML-formatted; most software automates the generation and lodgement.

Independent review

Your Part A program must be independently reviewed at appropriate intervals. AUSTRAC's guidance: typically every 2 years for lower-risk entities, annually for higher-risk. The reviewer must be independent — internal audit may suffice for large entities; SMBs typically engage an external consultant.

The review tests effectiveness of the program, identifies improvements, and is documented for AUSTRAC inspection.

Compliance officer designation

You must designate a senior employee as your AML/CTF Compliance Officer. Requirements:

• Sufficient seniority and authority within the business
• Fit and proper person (no relevant criminal history)
• Cannot be outsourced to an external firm

For sole-practitioner businesses, the principal practitioner can be the Compliance Officer.

Penalties for non-compliance

The penalty regime is deliberately severe:

• Civil penalties up to $33M per contravention (165,000 penalty units for corporations)
• $19,800 per day for failure to enrol (continuing offence)
• Criminal liability including up to 2 years imprisonment for tipping-off, up to 10 years for serious offences
• Loss of registration in many sector-specific regimes (e.g. real estate licence implications)

Recent enforcement scale: Westpac $1.3B (2020), Crown $450M (2023), Sportsbet $19M (2024). The penalty curve runs from infringement notices to civil penalty proceedings; AUSTRAC chooses based on cooperation, scale, and harm.

How to prepare in the next 90 days

If you're a captured Tranche 2 entity, here's a 90-day prep plan:

1. Days 1–7: Run our scope checker to confirm capture and obligations. Designate a draft Compliance Officer.
2. Days 8–30: Engage an AML consultant or buy a Tranche 2-specific software platform (compare options on our AML software page). Draft Part A risk assessment.
3. Days 31–60: Build Part B systems — CDD workflow, identity verification provider, sanctions/PEP screening, file templates. Test SMR workflow with sample data.
4. Days 61–75: Staff training pack. AUSTRAC Online enrolment dry-run (account creation only).
5. Days 76–90: Independent review of program before go-live. Board / management sign-off. Calendar AUSTRAC enrolment for late June 2026.

If you're outside the 90 days now, compress. The deadline is fixed.