By Justin Amos, Co-Founder & CEO, iDeed Pty Ltd
The views expressed in this article are those of the author and reflect our interpretation of AUSTRAC’s published guidance and the AML/CTF Act as at April 2026. This article is general in nature and does not constitute legal advice. If you have questions about how the reforms apply to your specific practice, we’re happy to help - or you can refer to AUSTRAC’s guidance at austrac.gov.au.
The quiet change that affects 100,000 firms
For most of Australia’s professional services sector, anti-money laundering and counter-terrorism financing compliance has been someone else’s problem. Banks, financial planners, remittance dealers - they’ve been navigating AUSTRAC obligations for years. Accounting firms, law firms, conveyancers, real estate agents and precious metals dealers have not.
That changes on 1 July 2026.
Tranche 2 of Australia’s AML/CTF reforms brings five categories of professional services firms into the regulatory regime for the first time. From that date, if your firm provides a designated service - which for accountants includes things like managing client money, assisting in the planning or execution of transactions, and company or trust formation services - you are a Reporting Entity under the AML/CTF Act.
The obligations that follow are real, material, and enforceable.
AUSTRAC has been explicit about its posture. AUSTRAC CEO Brendan Thomas has stated publicly:
“This year marks a regulatory shift, from regulation that primarily checks for compliance to one focused on substantive risks and harms.”
- AUSTRAC, Regulatory Priorities 2025–26, austrac.gov.au
Non-compliance penalties for a body corporate reach $22.2 million. AUSTRAC has indicated enforcement begins immediately.
This article is a practical overview of what’s actually required, and why getting it right matters beyond just ticking a box.
Not sure if your practice is captured? Use our free compliance cost calculator to understand your obligations and estimate your compliance investment.
Who this applies to
The five categories of Designated Service Providers (DSPs) brought in under Tranche 2 are:
| Category | Designated services include |
|---|---|
| Accounting firms | Managing client money, assisting in the planning or execution of transactions, company or trust formation services |
| Legal practices | Conveyancing, managing client funds, company formation, trust services |
| Conveyancers | Purchase, sale or transfer of real estate |
| Real estate agents | Brokering the purchase, sale or transfer of real estate |
| Precious metals & stones dealers | Buying, selling or exchanging precious metals, stones or products above certain thresholds |
If your firm provides any of these services, you need to understand what follows.
The “new clients” point - and why it matters
One of the most common misconceptions doing the rounds right now is that every firm needs to verify their entire existing client base by 1 July 2026.
This is not correct, and the distinction matters significantly for how you plan.
The obligation to perform Customer Due Diligence (CDD) applies to:
- New clients from 1 July 2026
- Existing clients - only if you provide them with a new designated service after 1 July 2026 (CDD is triggered immediately for that client in connection with that service)
For most small to mid-size practices, this means July 1 is manageable. You need to be set up and ready for new clients coming through the door - not to verify your entire book overnight.
What you need in place by 1 July 2026
- A compliant AML/CTF programme (policy document, risk assessment, process document)
- A nominated AML/CTF compliance officer, named in your AUSTRAC enrolment by 30 May 2026
- AUSTRAC enrolment, submitted by 29 July 2026
- A functional process for performing CDD on new clients from day one
Want to understand what this costs your practice? Our compliance cost calculator breaks it down by firm size and client mix.
What a compliant AML/CTF programme actually requires
The AML/CTF Act requires every Reporting Entity to have a written AML/CTF programme that is appropriate to the nature, size and complexity of their business. AUSTRAC has published template documents for each DSP category to help firms get started.
At a minimum, your programme needs to cover:
Your AML/CTF risk programme
- A risk assessment of your practice - identifying your ML/TF risks by client type, service type, delivery channel and geography
- Risk appetite decisions - which client types and transaction types you will and won’t service
- Policies and procedures for managing identified risks
- Employee due diligence - including background checks on staff in AML/CTF roles
- AML/CTF training for relevant staff
- Independent evaluations at least once every 3 years
Your CDD procedures
- How you will identify and verify the identity of new clients
- How you will identify beneficial owners of non-individual clients
- How you will perform ongoing CDD and monitoring
- How you will handle enhanced due diligence for high-risk clients
- How you will keep records for the required seven-year retention period
The programme is a living document. It needs to be reviewed and updated as your practice changes, risks evolve, and AUSTRAC guidance develops.
A note on independent evaluations
Under the reformed Act, every reporting entity must have its entire AML/CTF programme independently evaluated - covering your risk assessment, governance framework, CDD procedures, transaction monitoring, reporting, record-keeping and staff training.
Your AML/CTF policies must set the frequency of these evaluations (at least once every three years). For newly regulated Tranche 2 firms, the transitional rules stagger the first evaluation deadline by AUSTRAC account number, with the earliest deadline being 30 June 2029.
ARCaml has partnered with RUCK Compliance to provide these evaluations. Because RUCK can access the majority of the information required through the ARCaml platform, it makes the process faster and more cost-effective than a standalone review.
The ongoing relationship distinction - why accountants and lawyers carry more
Not all DSP types carry the same ongoing compliance burden, and it’s worth being clear about this.
For real estate agents and most precious metals dealers, the client relationship is largely transactional. CDD is performed at the point of the transaction, and the relationship may not extend much further. Ongoing monitoring exists but the practical frequency of client interaction is lower.
For accountants and lawyers, the picture is fundamentally different. These professions typically have long-standing, ongoing client relationships. A client who first engaged your accounting firm five years ago may still be an active client today - and under the new obligations, that relationship will require:
- Periodic CDD reviews - at intervals appropriate to the client’s risk rating (high-risk clients annually, medium-risk every two years, lower-risk every three years)
- Trigger event monitoring - CDD must be refreshed when circumstances change materially, such as a significant change in the client’s business structure, ownership, or transaction patterns
- Ongoing screening - sanctions and PEP lists checked on an ongoing basis, not just at onboarding
- Record maintenance - all CDD records accessible and producible to AUSTRAC for seven years
For an accounting or legal firm with a client base of hundreds - many of them companies, trusts and complex structures - this is not a set-and-forget exercise. It is an ongoing operational function that needs to be built into how the practice runs.
The compliance officer - what the role actually involves
By 30 May 2026, every Reporting Entity must name a nominated AML/CTF compliance officer in their AUSTRAC enrolment. This is a hard statutory deadline.
The compliance officer must be a natural person - an individual within the firm, not a service provider. They are responsible and accountable for the firm’s AML/CTF programme.
In most small practices, this role will fall to a partner, practice manager or senior manager who is already carrying a full workload.
The compliance officer’s responsibilities include:
- Owning and maintaining the firm’s AML/CTF programme
- Reviewing CDD outputs and making decisions about client onboarding
- Escalating suspicious matters and, where required, submitting Suspicious Matter Reports to AUSTRAC
- Submitting the Annual Compliance Report to AUSTRAC by 31 March each year
- Keeping the programme current as the business and regulatory environment changes
How much of this person’s time these obligations consume depends entirely on how the firm has structured its compliance execution. With the right support - structured CDD reports delivered for review, analyst execution of checks, a system of record for all evidence - the compliance officer role becomes a genuine oversight function. Without it, it becomes a second job.
Trying to figure out how much time your compliance officer will actually spend? Our calculator models the time and cost impact by firm type.
What CDD actually involves - the iceberg beneath the surface
Identity verification is the visible tip of the CDD obligation. Every platform in the market will send your client a verification link and run a biometric check. That covers individual clients reasonably well.
The real workload sits below the waterline - and for accounting and legal firms, the majority of clients are not individuals. They are companies, trusts, partnerships and complex structures.
AUSTRAC requires firms to identify the beneficial owner of every non-individual client - the natural person who ultimately owns or controls the entity. For a company, that means tracing through the shareholder register to find any individual holding 25% or more.
For a discretionary trust with a corporate trustee, it means:
- Obtaining the trust deed
- Identifying the trustee, appointor, settlor and class of beneficiaries
- Performing full KYB on the corporate trustee, including directors and shareholders
- Identifying every natural person at the end of that chain
- Verifying each one and screening for sanctions and PEPs
That is not a task that a self-serve verification link completes. It is an analyst research exercise requiring judgment, document review and structured documentation.
For a firm with 30 new complex-structure clients per year, that is conservatively 60 to 120 hours of non-billable compliance work annually - before ongoing monitoring and periodic reviews.
“There may be several links in the chain of owners… you may need to do your own research, especially if the customer has a complex structure.”
- AUSTRAC, Beneficial Owners guidance, austrac.gov.au
The regulator is not expecting a biometric scan. It is expecting documented, defensible, risk-based decision-making.
What AUSTRAC is actually looking for
AUSTRAC’s own published guidance states clearly:
“The reforms also mark a regulatory shift, from regulation that primarily checks for compliance, to one focused on substantive risks and harms.”
- AUSTRAC, Getting ready for change, austrac.gov.au
This is the regulator explicitly saying that a checkbox exercise is not what they are after. They want evidence that your firm understood the actual risk presented by each client and managed it appropriately.
A structured CDD report - with risk rating documented, sanctions and PEP screening completed, beneficial ownership mapped, source of funds considered where required, and analyst notes on file - is what that evidence looks like.
It is the difference between being able to demonstrate substantive risk management and being unable to explain your decisions if AUSTRAC comes knocking.
How to think about your options
Firms approaching this for the first time broadly have three options:
Option 1: Build it internally
Appoint a compliance officer, build the programme, train staff, and run all CDD checks manually. Viable for larger firms with dedicated compliance resources. For most small to mid-size practices, it means fee earners doing compliance work.
Option 2: Use a self-serve platform
A number of platforms have launched specifically for Tranche 2. They provide the programme management tools and send verification links to clients. Your staff review results, write up files and manage the UBO research for complex structures. The technology does the workflow - you do the compliance work.
Option 3: Use a co-sourced execution model
A service provider runs the compliance execution on your instruction - covering identity verification, sanctions and PEP screening, beneficial ownership mapping and risk rating - and delivers a structured CDD report. You review and approve. The compliance officer maintains oversight and makes decisions. The execution workload is off the firm’s plate.
The right choice depends on your firm’s size, client mix, and appetite for building internal compliance capability. For practices with a significant proportion of company and trust clients, and for compliance officers who are also fee earners, the execution workload is the critical variable.
Not sure which model suits your practice? Use our compliance cost calculator to compare the cost of each approach for your firm size and client mix.
A practical framework for getting started
We have published a detailed roles and responsibilities framework - the ARCaml RACI - that sets out exactly how the compliance function can be divided between a firm’s compliance officer and an outsourced execution provider.
It covers every function from initial CDD through to AUSTRAC reporting, ongoing monitoring, and programme governance. It is available at ideedworks.com.au and is a useful starting point regardless of which approach your firm takes.
It gives a clear picture of what needs to be owned internally and what can be delegated.
The deadlines at a glance
| Date | What happens |
|---|---|
| 30 May 2026 | Compliance officer must be named in AUSTRAC enrolment |
| 30 June 2026 | Financial year end - relevant for tax deductibility of compliance costs |
| 1 July 2026 | Tranche 2 obligations commence - CDD required for all new clients |
| 29 July 2026 | AUSTRAC enrolment deadline |
| 1 July 2029 | Transition period ends - existing clients must be brought into compliance |
Final thought
The firms that will navigate this well are the ones that treat it as an operational challenge to be solved - not a compliance burden to be avoided. The obligation is real, the deadline is fixed, and AUSTRAC has signalled clearly that it will enforce.
The good news is that for most small practices the July 1 requirement is more manageable than it first appears. New clients only. Eight practical tasks to have your programme in place. A clear role for your compliance officer. And a growing ecosystem of tools and services specifically built for Australian Tranche 2 DSPs.
The time to sort it out is now - not in June.
Ready to get started? Visit ideedworks.com.au to access the ARCaml RACI framework, try our compliance cost calculator, and find out how ARCaml can support your practice through every step of the Tranche 2 journey.
Justin Amos is Co-Founder and CEO of iDeed Pty Ltd, operators of ARCaml - an AML/CTF compliance platform built for Australian designated service providers. ideedworks.com.au