Australian AML Reform Guide: Tranche 2 and What It Means for Your Business

Australia's AML/CTF Act 2006 was a significant development — it captured financial services, digital currency, and remittance businesses under a comprehensive regulatory framework. But it deliberately excluded a large sector of the economy: the designated non-financial businesses and professions (DNFBPs). This exclusion was always intended to be temporary, pending separate reform.

The FATF mutual evaluation of Australia in 2015 highlighted the gap. FATF found that Australia was one of the few FATF member states that had not extended its AML/CTF regime to lawyers, accountants, real estate agents, and other professionals who regularly handle large sums of client money or facilitate high-value transactions. These professions are internationally recognised as significant ML risk vectors — criminal proceeds are frequently channelled through real estate purchases, legal structures, and financial arrangements facilitated by these professionals, often without their knowledge.

FATF placed Australia in "enhanced follow-up" — a designation indicating significant deficiencies in the country's AML/CTF framework. Subsequent FATF evaluations continued to identify the DNFBP gap as a major weakness. Australia's absence of coverage for lawyers and real estate agents compared unfavourably with the UK, US, EU, and other comparable jurisdictions that had addressed the issue years earlier.

The domestic political journey to reform was long. Several consultation rounds, parliamentary inquiries, and draft legislation preceded the AML/CTF Amendment Act 2024. Opposition from professional bodies — particularly the Law Council of Australia — slowed progress. But the combination of FATF pressure, high-profile property laundering cases, and growing evidence that Australia's property market was being used to launder foreign corruption proceeds ultimately drove the legislation through Parliament.

The AML/CTF Amendment Act 2024 received royal assent and represents the final legislative step. The implementation timeline allows affected businesses a transition period to prepare — but that period is finite and the obligations are real.

The AML/CTF Amendment Act 2024 creates a new category of "designated non-financial businesses and professions" (DNFBPs) that will be captured as reporting entities from 1 July 2026. The affected businesses and the services that trigger obligations are as follows.

Lawyers and law firms are captured when providing designated legal services. These services include: acting for a client in buying, selling, or leasing property; managing client money, securities, or other assets; providing assistance with the establishment, operation, or management of a company, trust, or partnership; providing assistance with the buying or selling of a business; and acting as a trustee or nominee director.

Not every legal service is captured — litigation, criminal defence, family law, and many other legal practice areas do not involve the specific financial services that create ML risk. But most commercial law, property law, estate planning, and business transaction work will be captured.

Accountants are captured when providing certain accounting services: managing client money, securities, or assets; providing assistance with the sale or purchase of a business; assisting with the creation, operation, or management of a company, trust, or partnership; and certain tax advisory services connected to international transactions.

Again, not all accounting services are captured — compliance preparation, audit, and many tax services fall outside the designated service list. But accounting firms with corporate advisory, business sale, or client asset management practices will be captured.

Real estate agents are captured for the sale of residential and commercial property. This includes acting as an agent in the sale of any real property in Australia, and conducting property auctions. Property management services (residential rental management) are not captured by the initial Tranche 2 provisions.

Conveyancers are captured for conveyancing services — the legal process of transferring property ownership at settlement. Conveyancers are uniquely positioned to verify the source of settlement funds and the identity of both parties to a property transaction.

Precious metals dealers are captured for dealings in physical gold, silver, platinum, and other precious metals, particularly for transactions above defined thresholds.

The AML/CTF Amendment Act 2024 establishes a phased implementation timeline that affected businesses need to plan around. Missing these deadlines carries real legal consequences.

The first major deadline is 31 March 2026 — the date by which newly captured reporting entities must enrol with AUSTRAC. Enrolment involves registering as a reporting entity on AUSTRAC Online, providing business details, and identifying the designated services being provided. This is a prerequisite to operating under the AML/CTF regime — providing designated services after this date without being enrolled is itself an offence.

The second major deadline is 1 July 2026 — when the full suite of AML/CTF obligations commences. From this date, newly enrolled reporting entities must have a compliant AML/CTF Program in place and operational, must be conducting customer due diligence on new customers, must have ongoing monitoring procedures active, and must be filing Suspicious Matter Reports where the obligation arises.

Transitional provisions apply to existing customers — businesses do not need to immediately conduct full KYC on all existing customers from day one. Instead, a risk-based approach applies: existing customers should be assessed, with higher-risk customers prioritised for earlier CDD review. AUSTRAC guidance on the specific transitional provisions for existing customer records is expected to be released in 2025.

There is no deadline extension available. The Act is clear on its commencement provisions, and AUSTRAC has signalled its intention to actively supervise the new reporting entity categories from commencement. Businesses that approach 1 July 2026 without a compliant program in place will be in breach of the Act from day one of their obligations.

The obligations for newly captured Tranche 2 reporting entities are the same obligations that have applied to financial services businesses since 2006 — the AML/CTF Act does not create a lighter-touch regime for DNFBPs. However, the practical application of these obligations will look different for a law firm or accounting practice than for a bank or digital currency exchange.

The AML/CTF Program requirement applies in full. Every new reporting entity must develop, document, and implement an AML/CTF Program with Part A (governance, risk assessment, CDD procedures, ongoing monitoring, training, compliance officer appointment, independent audit provision) and Part B (KYC procedures for each customer type). The Program must be risk-based — calibrated to the entity's actual ML/TF risk exposure, customer base, and service types.

Customer due diligence must be completed before providing a designated service to new customers from 1 July 2026. For a law firm, this means verifying the identity of a new client before commencing a matter that constitutes a designated service. For a real estate agent, this means verifying the buyer and seller before proceeding with a property transaction. For a conveyancer, this means verifying clients before conducting settlement.

Ongoing customer due diligence applies. Higher-risk customers must be reviewed periodically. Triggers for re-verification — material changes in customer information, changes in transaction patterns, adverse media — must be monitored and acted upon.

Suspicious matter reporting applies in full. If, in the course of providing a designated service, a professional forms reasonable grounds to suspect that a transaction or activity may be related to money laundering or other serious offences, an SMR must be filed with AUSTRAC within three business days. The tipping-off prohibition applies.

Record-keeping requirements apply. All customer identification records, transaction records, and AML/CTF Program documentation must be retained for seven years.

Developing a compliant AML/CTF Program for the first time is the most significant challenge facing newly captured businesses. The Program is not a standard template that can be downloaded and adopted unchanged — it must reflect the specific risks, customer base, services, and governance structures of the individual business.

The starting point is a business risk assessment. Before drafting procedures, the business must assess its ML/TF risk exposure: What designated services do you provide? Who are your customers (individual, corporate, trust, foreign)? What is the purpose of typical client transactions? Are any clients PEPs or from high-risk jurisdictions? Do you handle client money? How large and complex are the transactions you facilitate?

The risk assessment informs the Program's proportionality. A small suburban law firm doing residential conveyancing with a local individual client base has a lower inherent ML risk profile than a Sydney commercial law firm advising on mergers, acquisitions, and cross-border transactions for corporate clients. The Program — and the resources committed to compliance — should reflect this difference.

The AML/CTF Rules specify what must be in the Program. Beyond the legal requirements, AUSTRAC has released compliance guides specifically for the new DNFBP sectors, including example risk assessments and program structures. These guides are valuable references — they indicate AUSTRAC's expectations for the sector without dictating a single approach.

One important consideration for new reporting entities is the independent audit requirement. The AML/CTF Act requires an independent audit of the AML/CTF Program at intervals of no more than three years. For a business implementing its first Program in 2025-26, planning for the first audit in 2027-28 should be part of the implementation plan.

Technology platforms like VeriGo can significantly reduce the time and cost of implementing a compliant program. Pre-built industry packs with AML/CTF Program templates, KYC workflow configurations, AUSTRAC reporting templates, and staff training resources allow a business to meet its obligations without building compliance infrastructure from scratch.

The customer due diligence obligations for professional service businesses — law firms, accounting firms — have some distinctive features compared to financial services entities. The nature of professional relationships, the privilege considerations, and the transaction-based structure of professional engagements create practical differences in implementation.

For a law firm, the CDD obligation attaches at the matter level — to the specific engagement that constitutes a designated service — rather than at the general client level. A client who has been with a law firm for 20 years for personal family legal matters (not designated services) becomes subject to CDD when they engage the firm for a property transaction (a designated service). The prior relationship does not substitute for CDD at the point the designated service commences.

Verification of client identity must be completed before the designated service is commenced. For a property transaction, this means before the firm begins acting on the transaction — not at settlement. This timing requirement changes the client intake process: identity documents must be collected and verified before legal advice on the transaction is given.

Source of funds verification for legal and accounting matters typically focuses on trust account receipts. When a client deposits funds into a firm's trust account in connection with a property purchase, business acquisition, or other significant transaction, the source of those funds must be verified. Bank statements, sale proceeds, loan documentation, or other evidence demonstrating the legitimate origin of the funds is required.

For corporate and trust clients — common in commercial legal and accounting practice — beneficial ownership mapping applies in full. The firm must identify the natural persons who ultimately own or control the client entity, and conduct individual KYC on each beneficial owner above the 25% threshold. This can significantly extend the client onboarding process for clients with complex corporate structures.

For businesses affected by the Tranche 2 reforms, the time to prepare is now — not in late 2025. The implementation timeline is more compressed than it appears once the practical work involved is considered. Here is a structured preparation approach.

In 2024 and early 2025, affected businesses should focus on understanding and scoping. Determine which of your services are captured designated services. Map your current client base to understand the scale of the CDD exercise ahead. Identify whether any existing clients are known PEPs or high-risk. Assess your current client intake and file management processes to understand what changes are needed.

By mid-2025, affected businesses should be in the planning and design phase. Begin developing your AML/CTF Program — either internally or with external compliance assistance. Select a technology platform to support KYC, CDD, and reporting workflows. Identify your compliance officer. Begin staff training planning.

In Q3-Q4 2025, affected businesses should be in the implementation phase. Finalise and approve the AML/CTF Program. Configure technology workflows for client onboarding. Roll out staff training. Test the SMR lodgement process. Review your client engagement terms and onboarding questionnaires to incorporate AML/CTF requirements.

By 31 March 2026, enrol with AUSTRAC. This requires a completed enrolment form on AUSTRAC Online with details of the business and the designated services it provides.

From 1 July 2026, apply CDD to all new designated service engagements. Begin transitional CDD review of existing higher-risk clients. Activate ongoing monitoring processes. File SMRs as required.

Do not wait for AUSTRAC to come to you. Businesses that proactively implement compliant programs before the deadline are far better positioned than those who scramble at the last minute — and they avoid the risk of being non-compliant from day one of their obligations.