Australia’s AML Tranche 2 reforms bring lawyers, accountants, real estate and other professional services firms into scope for AML/CTF regulation. The priority now is to identify designated services, embed risk-based controls, and show clear governance. Readiness depends on whether your approach works in practice and stands up to regulatory scrutiny.
Australia’s AML Tranche 2 reforms are often framed as a regulatory extension. In reality, they represent a broader shift in how professional services firms are expected to understand, manage and evidence financial crime risk.
For organisations newly in scope, the challenge is not simply compliance. It is building practical, defensible capability, often within tight timeframes and with limited prior experience of AML/CTF regimes.
This is where the real complexity lies.
A structural shift, not just new obligations
Tranche 2 extends AML/CTF requirements beyond financial institutions to sectors such as legal services, accounting, real estate and trust and company services.
These sectors are often involved in high-value transactions or complex structures, making them vulnerable to exploitation by organised crime. The intent of the reforms is to close that gap – bringing more businesses into scope, improving detection and aligning Australia with international standards.
But the practical implication is more significant:
AML/CTF becomes embedded in how firms operate—not something applied around the edges.
First challenge: clearly defining your scope
One of the most common early risks is misunderstanding whether, and where, obligations apply.
The regime is activity-based. It is not enough to ask whether your firm is in an affected sector, what matters is whether you provide “designated services”.
These services typically include:
- Supporting property or business transactions
- Creating or restructuring legal entities
- Managing client money or assets
- Acting within financial or corporate transactions
In practice, many firms underestimate how widely these activities occur across their business.
What good looks like:
- A clear, documented view of in-scope services
- Alignment across business units and legal entities
- Early resolution of grey areas, rather than deferred interpretation
Beyond compliance: applying a true risk-based approach
Tranche 2 introduces familiar AML/CTF components of customer due diligence, monitoring, reporting and record keeping.
However, the regulatory expectation is not procedural adherence alone. It is the application of risk-based judgement. This requires firms to understand:
- The nature of their clients
- The purpose and structure of transactions
- Where exposure to financial crime risk is higher
This is a material shift for organisations used to more deterministic compliance models.
What good looks like:
- Risk assessments grounded in how the business actually operates
- Due diligence calibrated to risk, not applied uniformly
- Clear articulation of risk appetite and escalation thresholds
Operational impact: where complexity often sits
For many newly regulated firms, the most significant impact is operational. The reforms require changes across:
- Client onboarding and data capture
- Internal processes and controls
- Governance frameworks
- Technology and reporting capability
A common misstep is trying to layer AML requirements on top of existing processes. This typically leads to duplication, inefficiency and inconsistent outcomes.
More effective approaches start from a different premise: how should client lifecycle processes work when compliance is embedded from the outset?
What good looks like:
- Integration of AML requirements into core business processes
- Reduction of duplication between teams
- Targeted investment in tools that support consistency and scalability
Governance: from delegation to accountability
Tranche 2 increases expectations on senior management and boards. Leadership teams are responsible for ensuring that risks are identified, assessed and managed appropriately. This moves AML/CTF away from being a purely technical or compliance-led function.
It raises more fundamental questions:
- Who ultimately owns financial crime risk?
- How is it reported and challenged?
- What evidence demonstrates that controls are working?
What good looks like:
- Clear executive accountability
- Meaningful management information, not just volume metrics
- Evidence-based assurance over controls
The risk of false confidence
A common pitfall is assuming that the existence of policies, procedures or systems equates to compliance.
Regulatory scrutiny typically focuses on:
- Whether controls operate effectively in practice
- Whether risks were genuinely understood
- Whether issues were escalated and addressed appropriately
In other words, substance matters more than structure.
What good looks like:
- Regular testing and validation of frameworks
- Early identification and resolution of gaps
- Recognition that initial models will evolve
Timelines are fixed, but maturity is not
Key milestones are already established:
- Enrolment with AUSTRAC from March 2026
- Full compliance obligations from July 2026
For firms starting from a low baseline, this is a relatively short timeframe.
The challenge is not just meeting the deadline, but building an approach that is sustainable and defensible beyond it.
A practical test of AML reforms readiness
A useful way to assess preparedness is not to ask:
“Are we compliant?”
But instead:
“Could we clearly explain and defend our approach to a regulator?”
This shifts the focus from documentation to outcomes – how the framework operates in practice, and how well risks are understood and controlled.
Final thought
Tranche 2 is not a one-off compliance exercise. For firms newly in scope, the real task is to build an approach that is proportionate, embedded and capable of withstanding scrutiny.
If you are assessing what this looks like in practice, you can explore a more detailed overview here:
