Ostride LabsGlossaryTranche 2 AML reforms

Glossary

  • 14 min

On this page

Read more

AUSTRAC: What It Expects from Modern Product Teams

13 min

Consumer Data Right (CDR): What Teams Must Ship

10 min

Tranche 2 AML reforms

Updated 7 Feb 2026

()

Tranche 2 AML reforms: what changes from 1 July 2026

Tranche 2 expands Australia’s AML/CTF regime to new professions and services. If you deliver designated services, you will be regulated, you will need a program, and you will need audit ready evidence. This page explains who is in scope, the key milestones, and the practical build plan to get compliant without shipping compliance debt.

Book a call

Quick summary

  • Start date: AML/CTF obligations apply to tranche 2 entities from 1 July 2026.
  • Enrolment opens:: AUSTRAC enrolment for newly regulated sectors opens from 31 March 2026.
  • Who is impacted: This is about services, not job titles. If your business provides a designated service, you are in scope.
  • What changes: You will need a risk based AML/CTF program, customer due diligence, ongoing monitoring, reporting, record keeping, and governance.
  • What teams feel it: Compliance, product, engineering, data, security, and ops. Tranche 2 is not a policy document. It is an operating system.

Practical takeaway:

If you wait until Q2 2026 to start, you will ship something fragile. The fastest path is to treat compliance as architecture, then implement the minimum viable control set, then iterate.

Definition

Tranche 2 AML reforms refers to the expansion of Australia’s Anti Money Laundering and Counter Terrorism Financing (AML/CTF) regime to additional services and sectors that have historically sat outside direct AUSTRAC regulation. You will often hear these sectors called gatekeepers because they can enable, or block, the movement of illicit funds through property, structures, and professional services.

Key milestones

.
31 March 2026
1 July 2026
What happens:
Enrolment opens for newly regulated tranche 2 sectors.
AML/CTF obligations start for tranche 2 entities.
What to do:
Prepare your scope memo, appoint an owner, and start your program architecture. Do not wait for enrolment to begin engineering work.
Operate your controls end to end. If you cannot evidence it, you did not do it.

31 March 2026

What happens:
Enrolment opens for newly regulated tranche 2 sectors.
What to do:
Prepare your scope memo, appoint an owner, and start your program architecture. Do not wait for enrolment to begin engineering work.

1 July 2026

What happens:
AML/CTF obligations start for tranche 2 entities.
What to do:
Operate your controls end to end. If you cannot evidence it, you did not do it.

Who it applies to in Australia

Tranche 2 is broad, but it is not vague. It targets designated services typically delivered by specific professions and industries. The cleanest way to think about scope is: what services do you provide, and what money movement or asset transfer do those services enable.

In-scope screening table

Use this as a first pass screen. If you answer Yes to any row, you are likely in scope. If you answer No to all rows, you may be out of scope, but you still need to validate against AUSTRAC guidance for your exact services.

Screening question
Examples
Likely outcome
Do you provide real estate services that help buy, sell, transfer, or develop property?
Agent, buyer’s agent, certain developer functions.
Likely in scope
Do you help clients create, manage, or use companies, trusts, or similar structures?
TCSP activities, formation services, nominee arrangements.
Likely in scope
Do you provide accounting or advisory services tied to moving or controlling funds?
Client money handling, certain transactional services.
Likely in scope
Do you deal in precious metals, stones, or high value portable goods?
Dealers and related services.
Likely in scope
Do you provide legal services that fall into designated service categories?
Selected transactional services, not all legal work.
Likely in scope
Are you already an AUSTRAC reporting entity for any other designated service?
Existing reporting entity status.
Already regulated

Do you provide real estate services that help buy, sell, transfer, or develop property?

Examples
Agent, buyer’s agent, certain developer functions.
Likely outcome
Likely in scope

Do you help clients create, manage, or use companies, trusts, or similar structures?

Examples
TCSP activities, formation services, nominee arrangements.
Likely outcome
Likely in scope

Do you provide accounting or advisory services tied to moving or controlling funds?

Examples
Client money handling, certain transactional services.
Likely outcome
Likely in scope

Do you deal in precious metals, stones, or high value portable goods?

Examples
Dealers and related services.
Likely outcome
Likely in scope

Do you provide legal services that fall into designated service categories?

Examples
Selected transactional services, not all legal work.
Likely outcome
Likely in scope

Are you already an AUSTRAC reporting entity for any other designated service?

Examples
Existing reporting entity status.
Likely outcome
Already regulated

If any row is Yes: Likely in scope. Validate exact scope and start program planning now.
If all rows are No: Probably out of scope, but validate against AUSTRAC guidance.

Check if you may be regulated (AUSTRAC)

Key obligations and what they mean in practice

Most teams fail Tranche 2 for one reason: they treat obligations as a compliance checklist instead of a system. Obligations are processes, data, controls, and evidence that must work every day.

AML/CTF program and governance

  • Define your risk assessment, controls, escalation paths, and ownership.
  • Document how your program maps to your designated services.
  • Set a review cadence. Programs die when they are not maintained.

Customer due diligence (CDD) and identification

  • Verify identity and capture beneficial ownership where required.
  • Apply a risk based approach: not every customer needs the same level of friction, but every customer needs the right level of evidence.
  • Make decisions auditable: who approved, what signals, what timestamp, what data sources.

Ongoing monitoring and suspicious matter reporting

  • Define triggers for review, including transaction patterns and behavioural anomalies.
  • Make case management real. Alerts without triage is theatre.
  • Keep a clean chain of custody for investigations and outcomes.

Record keeping and audit trail

  • Store identity evidence, decisions, and changes over time.
  • Ensure retention, access controls, and integrity.
  • Be able to answer: who knew what, when, and why.

What Ostride Labs actually builds here

We design the compliance architecture, map your designated services to controls, then implement the minimum viable system: identity, risk scoring, monitoring hooks, and evidence storage. The goal is simple: ship fast and still pass audits.

See Compliance and architecture

Affected sectors (high level)

Sector
Why it matters
Typical control gaps
Real estate
Property is a common laundering vector due to value and liquidity.
Identity proof quality, beneficial owner capture, inconsistent record retention.
Legal and conveyancing
Designated transactional services can enable asset movement and structure creation.
Service mapping, documentation, workflow evidence, staff training at scale.
Accounting and advisory
Advisory and execution can sit directly on the funds flow.
Risk assessment, program ownership, ongoing monitoring.
Trust and company service providers (TCSP)
Structures can obscure ownership and control.
Beneficial owner verification, change detection, evidence of decisions.
Precious metals and stones
High value, portable, difficult to trace.
Customer profiling, transaction thresholds, suspicious pattern detection.

Implementation roadmap (what to build, in what order)

A practical rollout prioritises three things: scope clarity, evidence design, and a minimum viable control set. If you do these in the wrong order, you will rework everything.

Phase
Timeline
What you deliver
Owner
Now to Feb 2026
Scope and service mapping
Now to Feb 2026
Designated service map, scope memo, risk baseline.
Compliance lead + product lead
Feb to Mar 2026
Program architecture
Feb to Mar 2026
Program structure, control catalogue, evidence model, operating cadence.
Compliance + security + engineering
From 31 Mar 2026
Enrolment readiness
From 31 Mar 2026
AUSTRAC enrolment pack, responsible persons, documented processes.
Compliance lead
Apr to Jun 2026
Controls build and integration
Apr to Jun 2026
CDD flows, risk scoring, monitoring hooks, case management, audit trail.
Engineering lead
Jun 2026 onward
Operate and prove
Jun 2026 onward
 Training, test cases, reporting runs, audit simulation, continuous improvement
Compliance lead + ops

Evidence and audit trail requirements

The fastest way to fail an AUSTRAC review is to rely on tribal knowledge. Evidence must be systematic: consistent data capture, immutable logs, and clear decision records.

What you should be able to show

  • Identity and verification evidence for customers that required CDD.
  • Beneficial ownership records and how you validated them.
  • Risk assessments and how they drive controls.
  • Monitoring alerts, triage outcomes, and escalation actions.
  • Training logs and role based responsibilities.
  • Versioned program documents with review history.

Frequently Asked Questions

  1. Is every accounting, legal, or real estate automatically in scope?No. Tranche 2 is service based. If you provide a designated service, you are in scope for that service. Many firms will be partially in scope. Your first deliverable should be a service map that can survive scrutiny.
  2. What is the difference between being in scope and being audit ready?Being in scope is a legal status. Audit ready is operational reality. Audit ready means your controls run end to end, staff know the playbook, and your evidence is accessible and consistent.
  3. What should a product team build first?Start with scope mapping and an evidence model. Then implement minimum viable identity and decision logging. If you build UI flows before you design evidence, you will rebuild them.

  4. Do we need eKYC?Many regulated workflows rely on electronic verification and strong identity evidence. The exact approach depends on your risk profile and services. If you operate a digital onboarding flow, treat identity as a core system, not a vendor widget.
  5. Can we outsource the whole thing to a vendor?You can outsource components. You cannot outsource accountability. Vendors do not answer regulator questions for you. Your program owner does.

Related reading on Ostride Labs

External resources

  1. AUSTRAC: AML/CTF reform overview
  2. AUSTRAC: key dates and new Rules

Want a Tranche 2 readiness plan you can execute?

The fastest way to fail an AUSTRAC review is to rely on tribal knowledge. Evidence must be systematic: consistent data capture, immutable logs, and clear decision records.

Book a Call

Rating:

Share

Our newsletter (you’ll love it):

    Let's talk!