Tranche 2 reforms 2026: A complete guide for DNFBPs

Following the passage of the AML/CFT Amendment Act by the Australian Parliament in late 2024, Tranche 2 anti-money laundering and countering the financing of terrorism (AML/CFT) reforms will officially commence on July 1st, 2026.

The implementation of these reforms will bring significant changes for approximately 90,000 new entities, most of which are designated non-financial businesses and professions (DNFBPs).

The expansion also helps protect the integrity of the Australian economy and aligns the nation with global AML standards set by the Financial Action Task Force (FATF).

What is Tranche 2?

The Tranche 2 reforms are a set of regulations that will modernize Australia’s AML/CFT framework. It will also give the Australian Transaction Reports and Analysis Centre (AUSTRAC) greater powers. The reforms are threefold:

• Extending the AML/CFT rules to cover high-risk (or gatekeeper) professions.
• Modernizing the regulation of virtual assets (VAs) and virtual asset service providers (VASPs).
• Simplifying and clarifying the AML/CFT regime to increase flexibility and reduce regulatory impacts. 

The Tranche 2 reforms will help fight the evolving threat of organized financial crime throughout Australia. As of late 2025, the Australian Criminal Intelligence Commission (ACIC) and Australian Institute of Criminology (AIC) estimated that the cost of organized crime in Australia has reached over $82.3 billion per year, a figure that exceeds the nation’s annual defense budget. Tranche 2 will also help close critical gaps in the financial ecosystem by extending regulations to DNFBPs, including non-financial professions such as lawyers, accountants, and real estate agents. These sectors handle large sums of money and complex transactions, making them attractive targets for illicit financial activity such as money laundering (ML) or terrorism financing (FT).

The new reforms will also help ensure the country retains its reputation as a trusted financial center ahead of the FATF mutual evaluation in late 2026.

Tranche 2 vs Tranche 1

Tranche 2 of the AML regime was first proposed in 2007, following the introduction of Tranche 1 in 2006. In 2022, limited reforms were introduced across Australia. Known informally as Tranche 1.5, changes included improvements to customer due diligence and information sharing.

The key similarities and differences between Tranche 2 and Tranche 1 at a glance include:

What is the Tranche 2 reform timeline?

The government has outlined a phased approach to Tranche 2 implementation, providing newly regulated businesses with a clear sequence of deadlines. This structure distinguishes between the initial CDD enrollment period and the date when complete compliance duties begin. For most DNFBPs, the critical date is July 1, 2026.

Find a summary of the key compliance deadlines below:

1. March 31, 2026:
   • Enrollment for newly regulated industries with AUSTRAC opens.
2. July 1, 2026: 
   • Tranche 2 reforms take immediate lawful effect. 
   • Businesses must submit their enrollment application within 28 days of this date. VASPs face an earlier deadline. 
3. July 29, 2026: 
   • Enrollment deadline for Tranche 2 entities.
   • Deadline to appoint an AML/CFT compliance officer.
4. July 1, 2029: 
   • The first independent evaluations for Tranche 2 entities commence, with deadlines staggered to prevent auditor shortages.

Early preparation for Tranche 2 is a key differentiator for firms looking to avoid the common pitfalls of a rushed rollout. By establishing robust frameworks well in advance of the effective dates, businesses can identify potential vulnerabilities early, ensuring they meet the new standards without disrupting their core operations.

For official guidance on complying with Tranche 2 reforms, consult the AUSTRAC website, which regularly publishes detailed information, updates, and regulatory resources to help businesses meet their obligations.

What are the objectives of the Tranche 2 reforms?

The main objectives of the Tranche 2 reforms in Australia are to:

• Modernize Australia’s AML/CFT approach.
• Level up with international best practice.
• Respond to the growing threat of financial crime.
• Ensure ongoing confidence in Australia’s financial system, which is under the oversight of the Australian courts.
• Include DNFBPs in AML compliance.
• Give AUSTRAC more oversight.
• Close loopholes.

What DNFBPs are affected?

The implementation of the Tranche 2 reforms will mark a significant expansion of the regulatory regime, bringing gatekeeper professions into the compliance fold for the first time. To align Australia with international standards, the following DNFBPs will now be required to meet formal AML/CFT obligations:

• Legal professionals
  • Lawyers
  • Notaries
  • Other independent legal professionals
• Financial professionals
  • Accountants
  • Auditors
  • Insolvency practitioners
• Trust and company service providers
  • Formation agents
  • Nominee shareholders
• Real estate
  • Real estate agents
• High-value dealers
  • Dealers in precious metals and stones.
  • Dealers in high-value goods (fine art, antiques, luxury cars, yachts)

The State of Financial Crime 2026

From expanding the AML perimeter to the development of an innovative digital asset industry, uncover the key regulatory themes Australian firms need to be across to remain compliant and competitive.

Download now

How will the changes affect businesses?

The expansion of the AML/CFT Amendment Act 2024 requires DNFBPs to transition from standard professional gatekeepers to formal “reporting entities.” This shift is triggered by the provision of a “designated service” under the “assisting rule”, a legal term covering specific activities that AUSTRAC deems “high-risk”, and these include:

1. Handling client funds.
2. Managing property transfers.
3. Establishing complex legal structures (such as trusts and companies).

How do I identify “designated services” via the assisting rule?

Under the “assisting” rule, lawyers, accountants, and real estate agents are captured much earlier in the process. For example, preparatory work, such as drafting contracts, conducting title searches, or providing advice, constitutes a “designated service.” The obligation triggers immediately, even if the transaction is later abandoned or never completes.

How can companies comply with the new Tranche 2 regulations?

The 2024 Act moves away from the old “Part A/Part B” structure toward a unified and reformed program. The program must be tailored to an organization’s specific risks rather than being a generic template. AUSTRAC’s focus has shifted to outcomes: firms are required to demonstrate that their program actually works to mitigate risk, specifically regarding how customers are verified (KYC) and how they monitor ongoing behavior.
This shifts the goalposts for Australian DNFBPs from previous “tick-the-box” compliance policies.

To remain compliant following an outcomes-based approach, businesses will need to meet four core requirements:

1. How can I develop a unified ML/TF/PF risk assessment?

Firms are required to formally document the risks their businesses face. A significant addition under the 2024 reforms is the mandatory inclusion of proliferation financing (PF), the risk of funds being used to support weapons of mass destruction. An assessment must now cover:

1. Money laundering
2. Terrorist financing
3. Proliferation financing

Note: Even if a PF risk is low, AUSTRAC requires firms to document this rationale to comply formally with the new Act.

2. What is CDD and ultimate beneficial owner (UBO) identification?

Firms are required to verify the true identity of their customers and unmask UBOs, the individuals who ultimately own or control 25% or more of a corporate entity or trust. For lawyers and accountants dealing with complex family trusts or offshore corporate structures, identifying the UBO can be a massive hurdle. Under the new rules, taking a client’s word for it is no longer sufficient. Legal professionals are required to establish an auditable trail of verification, and manually unraveling these layers is time-consuming and can be prone to error. 

3. How can I designate a “fit and proper” compliance officer?

By July 29, 2026, businesses are legally obliged to appoint a compliance officer. The new rules introduce strict eligibility criteria:

• Residency: They must be an Australian resident.
• Fit and proper: They must pass an internal “fit and proper” test regarding their integrity and competence.
• Authority: They must be at a management level with the power to report directly to the board or governing body.

4. How can I create a sound reporting infrastructure?

Once the reporting clock begins, organizations should prepare to handle:

• Threshold transaction reports (TTRs): Any physical cash transaction of $10,000 or more must be reported to AUSTRAC within 10 business days.
• Automated screening: With only a 28-day window to enroll after July 1st, many DNFBPs will find it difficult to maintain manual politically exposed persons (PEPs) and sanction screening. Implementing digital KYC tools now can ensure checks are processed efficiently without slowing down business operations.
• Suspicious matter reporting (SMR): Entities are obliged to implement clear internal pathways for submitting reports to AUSTRAC. This is particularly time-sensitive; for example, suspicions related to terrorism financing must be reported within 24 hours.

Note: Firms must also maintain a strict seven-year record-keeping requirement for all CDD and transaction data to ensure an auditable trail for future regulatory reviews.

What are the compliance challenges expected with Tranche 2?

Australia’s compliance burden is rising, and beyond mere costs, DNFBPs will face specific operational hurdles under the new Tranche 2 regime. The following challenges will be fundamental to address early:

1. What is the “hard start”?

Unlike banks, which have a transition period, Tranche 2 entities face a “hard start” on July 1, 2026. This means organizations must already have fully compliant CDD systems in place, creating an immediate technological bottleneck. The key information of this “hard start” includes:

• 90,000 new entities will need to verify both existing and new clients. 
• Manual passport-and-photocopy methods will likely collapse under this volume, making digital scalability a necessity.

2. How can staff navigate client privilege and reporting?

DNFBP staff are not currently trained to spot red flags or report suspicious activity, and the AML/CFT Amendment Act 2024 has made this even more pressing. The Amendment Act has introduced a high-pressure gray area for DNFBPs, specifically law firms, regarding the intersection of SMRs and Legal Professional Privilege (LPP):

• Staff should be trained to distinguish between privileged confidential legal advice and facts of providing a “designated service” (not privileged). 
• If the entire suspicion is based on LPP, firms are not required to submit an SMR or an LPP form.
• If suspicion is based on a mix of information, legal practitioners are legally required to submit an SMR using non-privileged facts (such as transaction records or client identity). However, they must also submit a prescribed LPP form to AUSTRAC explaining why specific details are being withheld under privilege.
• If a suspicion is formed, “tipping off” laws prohibit notifying the client. This may require a firm to withdraw from the matter without revealing the true reason, creating a complex professional conduct dilemma.

3. What are the existing technology gaps?

Many DNFBPs rely on manual processes that cannot scale, particularly for know-your-customer (KYC) requirements. This is particularly an issue as AUSTRAC enforces an outcomes-based regime. To comply with the new Act, organizations need technology that provides real-time data feeds on sanctions, PEPs, and adverse media. If a client is sanctioned on a Tuesday, the system needs to flag this on Tuesday, not during next year’s annual review.

The 4 key penalties for non-compliance under Tranche 2

As of 2026, AUSTRAC lists the specific enforcement actions for non-compliance under Tranche 2 as:

1. Civil penalty orders

A civil penalty is a court-ordered fine for serious or systemic breaches. In 2026, the value of a single penalty unit is $330 (indexed annually).

• For corporations: Up to 100,000 penalty units equal $33,000,000 in total.
• For individuals: Up to 20,000 penalty units equal $6,600,000 in total.

Note: These are per contravention. If a firm fails to report 100 separate transactions, the math becomes catastrophic.

2. Enforceable undertakings

This is a legally binding agreement where a business agrees to fix specific failures within a set timeframe. If the terms of the undertaking are broken, AUSTRAC can apply to the Federal Court to enforce them. In recent years, AUSTRAC has significantly increased its use of these undertakings to force long-term structural change within firms.

3. Infringement notices

These are ‘on-the-spot’ fines issued by AUSTRAC for specific, easily proven administrative breaches. They are most commonly used for:

• Failing to enroll or register with AUSTRAC.
• Missing reporting deadlines for TTRs or SMRs.
• Inadequate KYC record-keeping does not require a court order, and it is AUSTRAC’s most frequent tool for penalizing smaller firms that have “slipped up” on basic compliance chores.

4. Remedial directions

A remedial direction is a formal, written instruction from the AUSTRAC CEO requiring the recipient to take a specific action to “clean up their act.” This might include a directive to:

• Redesign a faulty KYC software process by a specific date.
• Submit a backlog of reports that were not lodged.
• Appoint an external auditor to evaluate their compliance. Failing to follow a remedial direction is considered a serious breach and typically escalates the matter to the Federal Court.

See the full list of AUSTRAC penalties for non-compliance.

How can my company automate our compliance under Tranche 2?

1. With Tranche 2 on the horizon, DNFPs can no longer rely on time-consuming, efficiency-draining manual processes. For many DNFPs, the answer is our cost-effective, self-service Starter Plan. It provides a plug-and-play way to deploy the same powerful AI-driven compliance tools used by global financial institutions.

Our platform is designed to handle the heavy lifting of Australia’s new regulatory landscape. Here’s how the Starter Plan helps you achieve automated compliance:

• Streamlined onboarding and due diligence: Move away from manual identity and company checks. Our solution automates customer and company screening, letting you build an instant, auditable trail for AUSTRAC. 
• Dynamic, real-time screening: An outcomes-based approach requires dynamic risk management. Our AI-powered database provides real-time alerts for sanctions, PEPs, and other watchlists, ensuring your decisions are always grounded in live data.