Australia’s AML Tranche 2 Reforms go live on 1 July 2026, bringing many legal, accounting, real estate and trust service providers into the AML/CTF regime for the first time.
Here is a practical countdown to what firms should prioritise now.
For Australia’s professional services sector, the countdown is no longer theoretical. It is operational.
On 1 July 2026, Australia’s AML/CTF regime expands significantly.
For the first time, large parts of the legal, accounting, real estate and trust and company services sectors will fall under AUSTRAC regulation.
This is not a marginal change. It represents a shift in how thousands of firms operate day-to-day, with new expectations around governance, controls, and evidence of compliance. Many of these businesses are approaching financial crime regulation for the first time.
With enrolment open since 31 March 2026 and full compliance required from 1 July 2026, the window for readiness is narrow.
What matters now is not just understanding the regulation – but executing a proportionate, workable plan.
Who is in scope — and why timing matters
The Tranche 2 Reforms extend AML/CTF obligations to “designated non-financial businesses and professions” (DNFBPs), including legal, accounting, real estate, and trust service providers.
Many of these firms have historically operated outside the AML regime. That gap is now closing, bringing Australia into closer alignment with international standards.
The practical implication is clear: from July, firms that provide designated services must have an AML/CTF programme in place, not just an awareness of risk.
The reality of the timeline
The challenge is not just the scope – it is the timing.
Firms have moved quickly from “Are we in scope?” to “Are we operationally ready?” in a matter of weeks.
And while enrolment is required, it is only the starting point. The real work lies in building:
- A risk-based AML/CTF programme
- Controls that work in practice
- A governance structure that stands up to scrutiny
As one consistent theme across the countdown reinforces: enrolment is not the work – it is the beginning of the work.
Focus on a proportionate approach, not over-engineering
A consistent message from AUSTRAC is that AML/CTF programmes should be risk-based and proportionate.
Why does this matter for newly regulated firms?
Over-engineering controls can create unnecessary cost and friction. Under-engineering exposes firms to risk and regulatory challenge. The balance lies in:
- Focusing on highest-risk services first
- Designing controls that are workable in practice
- Building evidence that demonstrates effectiveness
This is where experience from regulated sectors becomes valuable – not to replicate complexity, but to apply lessons pragmatically.
Where firms are turning for support
As the deadline approaches, many firms are facing a common constraint: capacity.
Building an AML/CTF framework requires:
- Subject matter expertise
- Programme delivery capability
- Operational integration
For firms without in-house AML experience, resourcing becomes the bottleneck, particularly when demand for skilled professionals increases rapidly near the regulatory deadline.
This is where targeted support — whether advisory, delivery, or interim expertise — can help firms maintain momentum without overburdening internal teams.
The countdown to readiness: what matters, when
Against that backdrop, the final weeks before 1 July provide a practical way to prioritise.
50+ days: Confirm scope and ownership
At this stage, firms needed to answer two critical questions:
- Do we deliver a designated service?
- Who is accountable for delivery of AML compliance?
Without clarity here, progress stalls. Assigning ownership early is essential to maintaining pace and coordination across the programme.
40+ days: Enrolment and mobilisation
Registration with AUSTRAC is mandatory, but it is not a deliverable in itself.
This phase is about mobilisation:
- Gathering business and personnel information
- Mapping services and customer journeys
- Defining workstreams and timelines
Firms that treat enrolment as the finish line risk underestimating the operational lift that follows.
30–40 days: Risk assessment first
A common mistake is starting with policies or tooling. The more effective approach starts with risk. Firms need to identify:
- Where they are most exposed to financial crime risk
- Which services or client types require closer attention
- How existing controls perform in practice
This risk-led approach is central to meeting AUSTRAC expectations in a proportionate way.
30 days: Programme design
With one month to go, programme design becomes unavoidable. At this stage, firms should be documenting:
- Policies and procedures
- Control frameworks
- Oversight and reporting mechanisms
The key is practicality. Controls must work for front-line teams, not just meet theoretical regulatory expectations.
20+ days: Operational readiness
Documentation alone is not sufficient. AML policies and procedures must be embedded into:
- Client onboarding
- Matter or transaction handling
- Escalation and decision-making processes
This is where many programmes are tested. If processes are not integrated into daily workflows, they quickly become ineffective.
Two weeks to go: People and training
Even well-designed programmes can fail without clarity at the front line. Teams need to understand:
- What constitutes a red flag
- When to pause or escalate activity
- How decisions are recorded and approved
Clear, role-based guidance is critical to avoiding uncertainty at the point of execution.
Final 10 days: Governance and accountability
As go-live approaches, accountability needs to be explicit:
- Named owners and deputies
- Defined reporting lines
- Regular management information (MI)
AML compliance must be owned at a senior level, not left as an operational afterthought.
Final days: Stress testing
In the final days and hours, firms should focus on removing friction:
- Walking through end-to-end scenarios
- Testing escalation routes
- Confirming documentation and communication
This stage is about identifying gaps before regulators – or clients – do.
From 1 July: a shift to business as usual
The most important transition happens after ‘go-live’.
From 1 July, AML compliance becomes part of daily operations – not a project. Firms must:
- Conduct customer due diligence on new clients
- Monitor activity and report suspicious matters
- Maintain records and evidence of controls
Even where programmes are still maturing, regulators expect a clear plan and prioritisation of the highest-risk areas. Perfection is not expected immediately. But credible progress is.
Tranche 2 Reforms are a structural shift, not a compliance exercise
The countdown to 1 July has made one thing clear: firms that act early and focus on practical implementation are better positioned than those approaching readiness reactively.
At this stage, success is not about building the most sophisticated programme. It is about building one that:
- Reflects the firm’s real risk profile
- Works in day-to-day operations
- Can be evidenced and sustained
Need extra delivery capacity to ensure Tranche 2 readiness?
If your organisation needs extra capacity to deliver Tranche 2 readiness, targeted support can make the difference between a rushed response and a controlled implementation.
Momenta can help you build a proportionate framework that works in practice — without placing unnecessary strain on internal teams.
Expand your capacity with targeted support:
- Specialist AML expertise
- Programme delivery support
- Interim resource to strengthen execution