Blogs

Is your business ready for the AUSTRAC Tranche 2 AML/CTF reforms? Here’s what you need to know.

Australia's AML/ CTF laws - Big changes are on the way.

Is your business ready for the AUSTRAC Tranche 2 AML/CTF reforms? Here’s what you need to know.

Big changes are coming to Australia’s anti-money laundering laws, and if you’re in law, real estate, accounting, or other professional services, this affects you. The new AML/CTF Rules 2025 are part of AUSTRAC’s reform rollout, and they’re designed to tighten up how businesses handle financial crime risk.

Here’s the short version.

What’s changing?

From 1 July 2026, a new group of businesses (called Tranche 2 entities) will be required to follow AUSTRAC’s rules. This includes:

Law firms
Real estate agencies
Accounting practices
Other professional service providers

These businesses will now be considered reporting entities, meaning they’ll need to register with AUSTRAC and follow a set of compliance obligations.

Key requirements

Once the rules kick in, Tranche 2 entities will need to:

Enrol with AUSTRAC and keep business details up to date
Create an AML/CTF program that outlines how they manage risk
Conduct customer due diligence (CDD) including ID checks, beneficial ownership, and source of funds
Report suspicious activity and large cash transactions
Submit annual compliance reports

There are also options for businesses to form reporting groups, which lets multiple firms share one AML program under a lead entity. This can reduce duplication and make compliance more manageable.

Why it matters

If you’re running a business that deals with property, trust accounts, or financial transactions, these rules are not optional. Non-compliance can lead to serious penalties, reputational damage, and operational disruption.

But here’s the good news: you don’t have to build your compliance framework from scratch.

APLYiD takes the headache out of AML

APLYiD’s software is built to take the stress out of AML obligations. It automates ID verification, streamlines customer due diligence (CDD), and keeps your records audit-ready. Instead of juggling spreadsheets and chasing documents, you get a clean, secure system that does the heavy lifting.

With the 2026 deadline approaching, now’s the time to get ahead. APLYiD helps you stay compliant without drowning your team in admin. It’s a no brainer.

So what’s next?

Upcoming AUSTRAC key dates - oct 2025, dec 2025, 31 Mar 2026, 1 July 2026

The rules won’t take effect until July 2026, so there’s still time to make sure you’re prepared. We’ve outlined some of the key upcoming dates for you below:

October 2025: Release of AUSTRAC core guidance.
December 2025: Release of AUSTRAC sector specific guidance - Small Business Starter Kits, including a risk assessment and AML/CTF program.
31st March 2026: Enrolment opens for Tranche 2 entities and AML/CTF obligations begin for current reporting entities and newly regulated virtual asset service providers.
1st July 2026: AML/CTF obligations take effect for Tranche 2 entities.FAQs:

What is CDD and EDD?

Customer Due Diligence (CDD) is split into two parts:

Initial CDD: Done at the start of a customer relationship. It involves assessing risk based on customer type, service, and geography, plus screening for politically exposed persons (PEPs) and financial sanctions.
Ongoing CDD: Monitoring and updating customer risk profiles throughout the relationship.

Depending on the risk level, businesses must apply either:

Simplified CDD: For low-risk customers, with basic know your customer (KYC) and identity verification.
Enhanced CDD (EDD): For high-risk customers, including foreign PEPs, complex ownership structures, or transactions involving high-risk countries. This includes verifying source of wealth and funds, and getting senior management approval.

Can CDD be delayed?

Yes, but only in limited circumstances. Delayed CDD is allowed if:

It’s essential to avoid disrupting business
You have policies to complete CDD quickly
The risk of delay is low and well-managed
You follow the specific conditions in the AML/CTF Rule

What happens with pre-existing customers?

If a customer was onboarded before the new rules, they’re considered a pre-commencement customer. You’ll need to monitor them for any changes that increase their risk level. If that happens, you must complete both the initial and ongoing CDD.

How long do I need to keep records?

Reporting Entities must keep records for 7 years after a relationship ends or a transaction is completed. This includes:

What data was collected
How risk was assessed
What steps were taken to verify identity

You don’t need to keep copies of ID documents - just a record of what was used (e.g. passport details). The great news is that APLYiD will securely store this information for you for the required timeframe.

What are the basics for identity verification?

You must verify both individuals and legal entities (like companies or trusts). This can be done using:

Reliable documents
Independent electronic data
Or a combination of both

And, you need to be confident that:

Individuals are who they say they are
Entities are legitimate and beneficial owners are identified

This is where APLYiD comes in. Our software automates this process and cuts out the admin. Keeping your business efficiently compliant and audit ready.

What are Politically Exposed Persons (PEPs)?

AUSTRAC defines three types of PEPs:

Domestic PEPs (Australian officials)
Foreign PEPs (international government roles)
International organisation PEPs (e.g. UN, WTO)

Foreign PEPs are automatically high-risk. Domestic and international PEPs must be assessed individually. For high-risk PEPs, you’ll need to:

Get senior management approval
Verify source of wealth and funds
Monitor transactions closely

Do my staff require specific training?

All Reporting Entities must run AML/CTF training programs, which should be tailored and delivered regularly. Staff should understand:

The business’s legal obligations
What non-compliance means and what the consequences are
The types of risks they may encounter
Their role in the AML/CTF program

Using APLYiD reduces human error. Plus, it can also flag potential fraud risks.

What if I want to outsource CDD?

Working with external providers to support CDD can help manage risk and cut down admin for your team. However, you’re still accountable. Before you get started with outsourcing it’s important to check:

Have a written agreement approved by senior management
Ensure all KYC data is accessible within 7 days
Regularly assess the provider’s compliance and risk handling

You can rest assured that we’re keeping ahead of Tranche 2 reforms to give you total compliance peace of mind with APLYiD.

Keen to try it out? Get started in minutes today.

406% increase in the account creation - thanks to faster, smoother, onboarding

How APLYiD increased account creation by 406% through quicker onboarding

Non-Compliance: What is could be costing you - blue banner

What you need to know about the hidden costs of non-compliance with AML laws.

All you need to know: Biometric Privacy Code - red block

What you need to know about the new NZ Biometric Processing Privacy Code

APLYiD partners with MRI Software for no-nonsense AML compliance for Australian real estate agencies

Reasonable steps in compliance - what dpoes it mean? Shoe, bird, calculator

What does ‘reasonable steps’ really mean in AML compliance?

Total AML Complince - Whithout friction, bottlenecks or admin - Dark, calculator

APLYiD delivers total AML compliance – without friction, bottlenecks or admin

AML vs KYC explained: What professionals need to know

Australia - Tranche 2 AML & CTF compliance

Is your business ready for the AUSTRAC Tranche 2 AML/CTF reforms? Here’s what you need to know.