AUSTRAC Tranche 2: what firms need to have in place by 1 July 2026
What the AUSTRAC Tranche 2 reforms require from newly regulated professions and property businesses, and what existing reporting entities still need to deal with before 1 July 2026.
Disclaimer
This article is provided for general information and education only. It is not legal advice. Legislation, rules and regulatory guidance change, sometimes quickly. Readers should confirm the current position and obtain jurisdiction-specific professional advice where needed. The views expressed are Russel Fielding's own and do not represent any employer or client organisation.
On 1 July 2026, the AUSTRAC Tranche 2 reforms bring a new group of professional and property services into the Australian AML/CTF regime. Lawyers, accountants, real estate businesses, conveyancers, trust and company service providers, and dealers in precious metals and stones need to decide whether they provide designated services and, if they do, build properly for the regime.
The legal basis is the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which received Royal Assent on 10 December 2024. Together with the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 and later amendment rules, it pushes the regime beyond its traditional financial sector base and changes what both new and existing reporting entities need to do.
This article sets out what changes on 1 July 2026, what newly regulated businesses need to have in place, and what existing AUSTRAC reporting entities still need to sort out during the transition.
The headline change: a wider regulatory perimeter
From 1 July 2026, the following will be reporting entities to AUSTRAC: legal professionals, accountants and auditors, real estate agents and property managers, conveyancers, buyers' agents, property developers, trust and company service providers, and dealers in precious metals, precious stones and bullion.
Enrolment with AUSTRAC opened on 31 March 2026. Businesses providing newly regulated designated services from 1 July 2026 must enrol within 28 days of starting to provide those services, which for many will mean by 29 July 2026.
For firms coming into AML/CTF regulation for the first time, the model itself is not new. What is new is having to build it inside their own business. In practice, six areas need to be in place: enrolment, risk assessment, programme design, customer due diligence, ongoing monitoring and reporting, and record-keeping.
The six obligations
These are the six areas that matter. The categories are familiar. The hard part is making them work day to day.
First, enrolment with AUSTRAC. Every reporting entity must enrol with AUSTRAC and provide the prescribed information about the firm, its designated services, and its compliance arrangements.
Second, a risk assessment. The firm must assess its exposure to money laundering and terrorism financing risk across its customer base, the designated services it provides, the jurisdictions it operates in, and the delivery channels it uses. The risk assessment is the foundation of everything else in the programme.
Third, an AML/CTF programme. The programme is the documented set of policies, procedures, systems and controls that the firm uses to manage its money laundering and terrorism financing risk. It must be tailored to the risk assessment and must cover governance, training, due diligence, transaction monitoring and reporting.
Fourth, initial customer due diligence. The firm must complete initial customer due diligence before providing a designated service. Enhanced due diligence is required for higher-risk customers, including politically exposed persons and customers from higher-risk jurisdictions.
Fifth, ongoing customer due diligence and reporting. The firm must conduct ongoing customer due diligence throughout the relationship. It must also make the reports required for the designated services it provides and the triggers that arise in practice, including suspicious matter reports and, where applicable, threshold transaction reports, within the prescribed timeframes.
Sixth, record-keeping. The firm must retain records of customer identification, transactions, and the operation of its AML/CTF programme for seven years.
Three issues that usually emerge early
When firms build an AML/CTF programme for the first time, the same issues usually show up early.
The first is how long sound programme design takes. Mapping designated services, identifying inherent risks, deciding how much identification and verification different customer groups require, and properly documenting the results is not a small task. Firms that treat programme design as merely a document often underestimate the effort involved.
The second is that customer risk rating is harder than it first appears. The reformed regime moves away from the old 2+2 safe harbour approach towards risk-based depth. Firms need to explain, with reasons, why a customer received a given level of scrutiny. A tick-box risk rating will not stand up well. One built on the firm's actual knowledge of the customer, the service and the wider risk picture takes more work, but it is far more defensible.
The third is that ongoing customer due diligence is usually the hardest part to run properly. It is easy to design a stronger onboarding process and assume the customer's risk profile will stay where it started. It rarely does. Ongoing due diligence means keeping the file up to date as circumstances and behaviour change. That is demanding in firms with long-running customer relationships, especially when the original file was not designed for easy updates.
What existing AUSTRAC reporting entities need to absorb
The reforms matter just as much for existing reporting entities. The Anti-Money Laundering and Counter-Terrorism Financing Rules 2025, as amended from 31 March 2026, put much of the operational detail into a cleaner structure. That helps, but firms still need to rework their programme, governance, due diligence, and reporting settings to align with the current rules.
There is a transitional arrangement for some existing entities. If a business is enrolled as a reporting entity on 30 March 2026 and maintains the required transitional policies, it may continue to use applicable customer identification procedures from 31 March 2026 to 31 March 2029, rather than moving all customers immediately to the new initial customer due diligence framework.
The choice matters. Moving early commits the firm to the reformed requirements across the relevant customer population and to the implementation work that follows. Staying on existing ACIP delays some of that work, but it also creates a harder transition in 2029 and may leave the firm managing different approaches during the transition. There is no standard answer. It depends on the firm's current CDD model, the size and complexity of its customer base, and the capacity of its delivery teams over the next three years.
Existing entities also need to ensure that any required notification to AUSTRAC about their AML/CTF compliance officer is made within the applicable transitional timeframe. For entities already enrolled before 31 March 2026, the AUSTRAC guidance sets 30 May 2026 as the deadline.
What practitioners should do before commencement
What needs to be done now depends on where the firm is starting from.
For firms entering the regime for the first time, the priorities are straightforward. Confirm whether you provide a designated service, and enrol with AUSTRAC within the required period. Finish the risk assessment and AML/CTF programme. Appoint the AML/CTF compliance officer. Train staff before the programme goes live. The programme needs to be working from the point the business begins providing the designated service.
For existing reporting entities, the immediate priority is deciding how to manage the transition from ACIP to the reformed initial CDD framework. That decision affects systems, processes, training, governance and sequencing. Existing entities should also confirm the applicable timeframe for notifying AUSTRAC about their AML/CTF compliance officer and ensure any required notification is made on time.
For all firms, the point is the same. The regime is moving away from formal process alone and towards risk-based judgement, effectiveness and evidence. Programmes built to satisfy the form of the rules without changing how risk is identified, escalated, and managed will come under pressure early on. AUSTRAC will be looking for controls that work, not just documents that read well.
Final thought
Tranche 2 is the biggest expansion of the Australian AML/CTF regime in two decades. For firms entering the regime for the first time, it changes how designated services are assessed, onboarded, and monitored. For existing reporting entities, it is a substantial redesign of a regime they already run.
The 1 July 2026 start date is not the end of the job. It is when supervisory expectation meets operational reality. Many firms will have documents in place. Fewer will have tested governance, workable escalation paths, and due diligence settings that stand up under scrutiny. That is where most of the implementation risk sits.