AUSTRAC Tranche 2 compliance: what 1 July 2026 means for Australian businesses

By Rohan Le Page, Co-CEO of ShareRing

If you run a law firm, an accounting practice, a real estate agency, a conveyancing firm, or you deal in precious metals, dealer-broker services, trusts or company services, you have until 1 July 2026 to be ready for AUSTRAC Tranche 2.

That date is not provisional. It is the date a sweeping expansion of Australia’s anti-money laundering and counter-terrorism financing regime takes effect for tens of thousands of businesses that have, until now, sat outside the regulator’s direct line of sight. Estimates put the number of newly captured entities at around 100,000, roughly six times the size of the existing reporting population.

This guide explains what AUSTRAC Tranche 2 actually requires, who is in scope, where firms most often misread the obligations, and how reusable, privacy-first KYC reduces the operational burden of compliance to something a small practice can run without hiring a dedicated compliance function.

What is AUSTRAC Tranche 2?

AUSTRAC is Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) regulator. Since 2006, the AML/CTF Act has applied to Tranche 1 entities, which include banks, financial institutions, gambling and casino operators, digital currency exchanges, bullion dealers, and remittance service providers. Per AUSTRAC’s 2024-25 reporting, more than 17,000 reporting entities have been operating under that regime.

Tranche 2 is the long-delayed extension of the same regime to a much larger group of professional service providers and dealers. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 received Royal Assent on 10 December 2024 and brings the following sectors into scope from 1 July 2026:

• Legal practitioners. Solicitors, barristers, and law firms providing services on behalf of clients in connection with property transactions, the management of client money, the formation or operation of legal arrangements, and other designated services.
• Accountants and tax practitioners. Those providing services in relation to property transactions, managing client funds, the formation of companies and trusts, and other designated services.
• Real estate professionals. Agents, buyer’s advocates, property managers, and developers involved in the sale or purchase of real property.
• Conveyancers. Practitioners handling property transfers.
• Dealers in precious metals and precious stones. Where transactions exceed prescribed thresholds.
• Trust and company service providers (TCSPs). Providers of company formation, nominee directorships, and trustee services.

The expansion brings Australia in line with Financial Action Task Force (FATF) recommendations. Since the 2015 FATF mutual evaluation, Australia has been flagged as one of the few advanced economies still failing to extend AML/CTF coverage to legal, accounting, and real estate sectors. The 2026 deadline is the regulator’s response to a decade of FATF pressure and follow-up reports.

Who is actually in scope from 1 July 2026?

A common mistake is assuming Tranche 2 captures every accounting firm or every law firm. It does not. It captures the designated services these firms provide. The scope is service-based, not entity-based.

For lawyers, the designated services include:

• Acting on behalf of a client in the buying or selling of real property
• Receiving, holding, or paying client funds (other than for legal fees)
• Acting on behalf of a client in the management of bank, savings, or securities accounts
• Acting on behalf of a client in the creation, operation, or management of companies, trusts, partnerships, or similar legal arrangements
• Acting on behalf of a client in the buying or selling of business entities

For accountants, the designated services include the same property-related activities, plus the formation of companies and trusts, acting as a nominee director or shareholder, and providing a registered office address for a client’s entity.

For real estate professionals, the designated services include any service in connection with the sale, purchase, or transfer of real property, regardless of the price or whether the agent is acting for the buyer or the seller.

If your firm provides any of these designated services, you are in scope and must comply by 1 July 2026.

What does Tranche 2 compliance actually require?

Compliance has six concrete components. Each one is an operational discipline, not a one-off task.

1. Enrolment with AUSTRAC

Every reporting entity must enrol on the AUSTRAC Reporting Entity Roll. Enrolment opens on 31 March 2026 and closes on 29 July 2026 for Tranche 2 entities. Enrolment is administrative but it is the gateway to everything else. Missing this step before you start providing designated services is itself a contravention of the Act.

2. Build and maintain an AML/CTF program

Every Tranche 2 entity must have a written AML/CTF program approved by the firm’s principal or board. The program has two parts.

Part A is the risk-based framework: how the firm identifies and assesses the money laundering and terrorism financing risks of its customer base, how those risks are managed, how the firm trains its staff, how it monitors transactions, and how it reviews the program over time.

Part B is the customer identification procedure: how the firm verifies the identity of new customers before providing designated services, and how it handles ongoing customer due diligence over the life of the relationship.

3. Conduct customer due diligence

Customer due diligence (CDD) is the operational core of compliance. For every new customer of a designated service, the firm must:

• Verify the customer’s identity using reliable and independent documentation or data sources.
• Identify and verify the ultimate beneficial owner if the customer is a company, trust, or other legal arrangement.
• Understand the nature and purpose of the business relationship.
• Conduct enhanced due diligence on customers assessed as higher risk (politically exposed persons, customers from high-risk jurisdictions, customers with complex ownership structures).
• Maintain ongoing monitoring of the relationship for transactions that are inconsistent with the customer’s risk profile.

In a typical small law firm, this is the work that explodes the compliance overhead. A solicitor who acts on a property settlement now needs to verify the buyer, the seller, and the beneficial owners behind any corporate trustees, before the matter can be opened. Multiplied across every property file, every trust formation, and every company incorporation, the verification load can easily exceed 50 hours a month.

4. Reporting obligations

Reporting entities must submit two kinds of reports to AUSTRAC.

Suspicious Matter Reports (SMRs) are filed when the firm forms a suspicion that a transaction or proposed transaction is connected to a possible offence. SMRs must be filed within 24 hours of the suspicion forming for terrorism financing matters, and within 3 business days for money laundering and other offences.

Threshold Transaction Reports (TTRs) are filed for cash transactions of AUD 10,000 or more.

For Tranche 2 entities, SMRs are likely to be the dominant reporting category because cash transactions are rare in legal and accounting practice. The challenge is that SMR obligations are subjective: the firm must form a reasonable suspicion based on what it knows, and a failure to report when suspicion arose is itself a contravention.

5. Record-keeping

Every reporting entity must keep records of customer identification, AML/CTF programs, training, and reports for at least seven years from the date the record was created or the relationship ended. Records must be retrievable on request from AUSTRAC and must be in a form that allows audit.

6. Reviews and audits

The AML/CTF program must be independently reviewed at regular intervals. AUSTRAC does not prescribe the frequency in legislation, but industry practice is annual or biennial review for higher-risk firms.

Why this is harder than it looks

Tranche 1 entities have had two decades to build AML/CTF infrastructure. Most banks have a dedicated AML team, automated transaction monitoring, customer onboarding workflows that integrate with regulator-grade identity verification, and a board-level financial crime governance function. The marginal cost of compliance for a bank is high in absolute terms but low per customer.

A typical Tranche 2 entity is a 5 to 30-person professional services firm with no dedicated compliance function and no AML expertise on the partner bench. The cost of building this infrastructure from scratch is steep:

• A compliant CDD process for a single new customer can take 30 to 60 minutes of paralegal or admin time when run manually using passport copies, utility bills, and ASIC searches.
• Enhanced due diligence on a complex corporate client, including beneficial ownership tracing, can run several hours.
• Re-verifying the same customer every time they engage on a new matter is a duplicative cost that customers themselves resent.
• AML training and program documentation consume principal time that would otherwise be billable.

Most concerning, these are obligations the firm cannot decline to meet without exiting the designated service entirely. The choice is comply or stop providing the service.

How reusable, privacy-first KYC simplifies Tranche 2 compliance

Reusable, privacy-first KYC flips the compliance model from “every firm verifies every customer from scratch” to “the customer verifies themselves once and presents a verified credential to every firm they engage.”

Here is how it works in a Tranche 2 context.

A customer engaging your firm completes a one-time identity verification through ShareRing. Document capture, biometric liveness check, AML screening, and politically-exposed-person screening run on the customer’s phone. The customer’s identity data stays in their encrypted Vault on their device.

When the customer engages your firm, they share a signed verification credential. Your firm receives a cryptographically signed result that confirms the customer’s identity has been verified to UK DIATF Accredited Medium-High Confidence and AUSTRAC AML/CTF compliant standards. You receive the verification result and the audit trail. You do not receive, store, or hold the customer’s underlying identity documents.

The compliance benefits are immediate:

• CDD time drops from 30 to 60 minutes per customer to under 2 seconds for verification confirmation. First-time customers complete the underlying verification in about 60 seconds before they ever engage your firm. Returning customers, those who have verified previously through ShareRing for any purpose, clear verification in roughly 2 seconds.
• Beneficial ownership verification on corporate clients uses the same reusable architecture. Each beneficial owner verifies once and presents the credential to your firm.
• Re-verification disappears. When the same client returns for a new matter, no fresh verification is needed because the credential is already on file.
• Record-keeping is automated. Your firm receives the verification artefact. ShareRing’s audit trail is signed, timestamped, and AUSTRAC compliant. Storage and retrieval are part of the service.
• Privacy obligations are met by design. Because the customer’s data never leaves their device, your firm has no PII to protect, no breach exposure, and no obligation to store, encrypt, or destroy customer documentation under the Privacy Act. What you do not hold cannot be stolen, sold, or leaked.

The conventional Tranche 2 compliance approach asks every firm to invest in AML infrastructure, take on PII storage liability, train staff to handle customer documentation, and build an audit-ready record system. Reusable, privacy-first KYC collapses the operational compliance work into a verification result that arrives in your system seconds after the customer initiates engagement.

What happens if you miss the deadline?

Operating a designated service from 1 July 2026 without an enrolment, an AML/CTF program, and a CDD process is a contravention of the Act. AUSTRAC has both civil penalty and criminal enforcement powers, and the maximum civil penalties for body corporates run into the tens of millions of dollars per contravention. The reputational risk is arguably worse: AUSTRAC publishes enforcement actions, and a finding against a legal or accounting firm carries professional consequences with the relevant regulator (Law Society, CPA Australia, CA ANZ) on top of the AUSTRAC penalty.

Frequently asked questions

When does AUSTRAC Tranche 2 take effect?

1 July 2026 is the date all designated services provided by Tranche 2 entities (lawyers, accountants, real estate professionals, conveyancers, dealers in precious metals and stones, trust and company service providers) come under the AML/CTF Act.

Does AUSTRAC Tranche 2 apply to every law firm or every accounting firm?

No. It applies to firms that provide designated services. A law firm that exclusively does litigation and provides no property, trust, or company services may not be in scope. A firm that does any property work, manages client funds, or forms companies for clients is almost certainly in scope.

What happens if a firm is not ready by 1 July 2026?

A firm providing designated services without an AML/CTF program in place, without enrolment with AUSTRAC, or without conducting required customer due diligence is in contravention of the Act. AUSTRAC has both civil penalty and criminal enforcement powers, with the maximum civil penalty per contravention for body corporates running into the tens of millions of dollars.

Is reusable KYC accepted by AUSTRAC?

Yes. AUSTRAC accepts electronic identity verification using reliable and independent data sources, and the AML/CTF Rules permit verification by a third-party provider provided the reporting entity remains accountable for the result. Reusable verification through ShareRing is consistent with this framework.

Does ShareRing store the customer’s identity data?

No. ShareRing is built on a privacy-first architecture. The customer’s identity data is held in an encrypted Vault on the customer’s own device. ShareRing does not store identity documents. Reporting entities receive a cryptographically signed verification result; they do not receive or hold the underlying personally identifiable information. What is never stored can never be stolen, sold, or leaked.

How long does it take to be ready for Tranche 2 compliance with ShareRing?

A typical engagement is live within 2 weeks. ShareRing provides the AML/CTF Part B customer identification procedure, the verification workflow, the audit-trail record-keeping, and integration with the firm’s existing practice management system. The firm focuses on the Part A risk-based framework, training, and reporting; ShareRing handles the verification engine.

Get ready for 1 July 2026

The Tranche 2 deadline is non-negotiable and the operational lift is real. Firms that wait until early 2026 to start building their AML/CTF program will find themselves competing with every other Tranche 2 entity for the same compliance consultants, the same training capacity, and the same identity verification onboarding queues.

ShareRing is enrolling Tranche 2 entities now to ensure their customer due diligence infrastructure is live, tested, and auditable well before the deadline. Speak to our team to scope what compliance looks like for your specific firm.