← Blog
industry 2026-03-06 7 min read

AUSTRAC Tranche 2: What 70,000+ New Reporting Entities Need to Know Before July 2026

The AML/CTF Rules 2025 bring 70,000-90,000 new businesses under AUSTRAC's reporting obligations. Here's what Tranche 2 means, who's affected, and how to prepare.

By AuditDSS Team

On 31 March 2026, the AUSTRAC AML/CTF Rules 2025 take effect. This is not a minor update to the existing 2007 Rules — it is a new regulatory instrument that brings an estimated 70,000 to 90,000 additional businesses under AUSTRAC’s AML/CTF reporting regime for the first time.

If you’re a real estate agent, accountant, lawyer, or trust and company service provider, you are likely a new reporting entity under Tranche 2. Here’s what you need to know.

What is Tranche 2?

Australia’s AML/CTF regime was always intended to extend beyond the financial sector. “Tranche 1” (the AML/CTF Act 2006 and Rules 2007) covered traditional financial services: banks, remittance providers, gambling operators, and digital currency exchanges.

“Tranche 2” extends these obligations to the designated non-financial businesses and professions (DNFBPs) — the sectors identified by the Financial Action Task Force (FATF) as high-risk for money laundering but previously unregulated in Australia:

  • Real estate agents: Buying, selling, or transferring real property
  • Lawyers and conveyancers: Certain transaction-related services
  • Accountants: Specified financial and transactional services
  • Trust and company service providers (TCSPs): Formation and management of legal entities
  • Dealers in precious metals and stones: High-value transactions

Australia has been under international pressure from FATF to implement Tranche 2 for over a decade. The 2025 Rules are the legislative response.

What the Rules 2025 require

The AML/CTF Rules 2025 contain 154 rules across 12 Parts and 46 Divisions, decomposing into 1,975 atomic obligations — each a specific, testable requirement that can be independently violated and enforced.

The major obligation categories:

CategoryRulesKey requirements
Customer due diligence43Identity verification, ongoing CDD, enhanced CDD for high-risk
Registration35AUSTRAC registration, enrolment, reporting entity obligations
AML/CTF programs20Risk-based program design, implementation, review
Reporting14Suspicious matter reports, threshold transaction reports, IFTI
Enrolment9Entity enrolment procedures and requirements
Transfers of value9Value transfer obligations and tracing
Correspondent banking4Enhanced due diligence for correspondent relationships
Reporting groups4Group-level reporting arrangements

How 2025 differs from 2007

The Rules 2025 are not simply an extension of the 2007 Rules to new sectors. They represent a modernised regulatory framework:

Structural differences:

  • The 2007 Rules have 614 rules across 20 chapters; the 2025 Rules have 154 rules across 12 Parts — a more consolidated structure
  • The 2025 Rules use modern drafting conventions with clearer obligation boundaries
  • Some obligations that were implicit in 2007 are explicit in 2025

Substantive differences:

  • Enhanced customer due diligence requirements are more prescriptive
  • AML/CTF program requirements are more detailed on risk assessment methodology
  • Reporting obligations include updated thresholds and timelines
  • New provisions for digital identity verification and electronic records

What stays the same:

  • The core framework: identify, verify, monitor, report
  • Risk-based approach as the organising principle
  • AUSTRAC’s enforcement powers and penalty framework (these come from the Act, not the Rules)

Why both 2025 and 2007 matter

If you’re an existing reporting entity (bank, remittance provider, gambling operator), the 2007 Rules still apply to you. The 2025 Rules apply to the newly designated services.

If you’re a new reporting entity under Tranche 2, the 2025 Rules are your primary instrument — but the 2007 Rules contain relevant context, especially for:

  • Understanding AUSTRAC’s interpretation of key concepts (e.g., “reasonable steps”, “proportionate”)
  • Learning from enforcement precedent (all 23 AUSTRAC enforcement actions, totalling $2.69B in penalties, relate to 2007 Rules obligations)
  • Cross-referencing where the 2025 Rules reference or build on 2007 concepts

AuditDSS covers both instruments: 768 rules total (154 from 2025 + 614 from 2007), decomposed into 5,534 testable obligations with 4-axis risk scoring calibrated on real enforcement data.

The compliance timeline

Now — March 2026: Prepare your AML/CTF program. Understand which obligations apply to your designated services. Register with AUSTRAC if you haven’t already.

31 March 2026: Rules 2025 take effect. New reporting entities must have their AML/CTF programs operational from this date.

1 July 2026: Full compliance expected. AUSTRAC has indicated a transition period for good-faith compliance efforts, but the obligations are enforceable from 31 March.

What AUSTRAC’s enforcement history tells new entities

New Tranche 2 entities have no direct enforcement precedent — the 2025 Rules are brand new. But AUSTRAC’s enforcement of the 2007 Rules provides strong signals about where the regulator focuses:

  1. Customer due diligence failures dominate enforcement actions — expect the same focus on CDD for DNFBPs
  2. “Adequate program” is the baseline test — AUSTRAC penalises inadequate programs, not just individual control failures
  3. Penalties escalate rapidly — from $5M for smaller entities to $1.3B for systemic failures
  4. Proportionality is tested — controls must match your risk profile, not just exist on paper

The enforcement data from 2007 is mapped to the corresponding 2025 obligation categories in AuditDSS’s risk scoring. This means even new entities get enforcement-calibrated risk scores — the closest available proxy for where AUSTRAC is likely to focus.

Preparing your AML/CTF program

For new reporting entities (Tranche 2)

  1. Register with AUSTRAC before 31 March 2026
  2. Identify your designated services — which services you provide that fall under the new regime
  3. Build your AML/CTF program covering:
    • Customer identification and verification procedures
    • Risk assessment methodology
    • Transaction monitoring appropriate to your services
    • Suspicious matter reporting procedures
    • Record keeping requirements
    • Staff training and awareness
  4. Test your program against the full obligation set — not just the high-level requirements, but every specific condition and threshold in the 154 rules

For existing reporting entities

  1. Review your current program against both the 2007 and 2025 requirements
  2. Identify any new obligations that the 2025 Rules introduce for your existing services
  3. Update your risk assessment to reflect the expanded regulatory landscape

The cost of getting it wrong

AUSTRAC has not signalled a lenient approach to Tranche 2 enforcement. The regulator’s track record:

  • CBA: $700M (2018) — transaction monitoring failures
  • Westpac: $1.3B (2020) — international funds transfer failures
  • SkyCity: $67M (2022) — AML/CTF program deficiencies
  • Multiple entities: $5M-$25M (2023-24) — CDD and reporting failures

These penalties were imposed on large financial institutions. Smaller Tranche 2 entities will face proportionally smaller penalties — but even a $1M penalty can be existential for a real estate agency or accounting firm.

AuditDSS covers both the AUSTRAC AML/CTF Rules 2025 (Tranche 2) and Rules 2007 — 768 rules, 5,534 obligations, 4-axis risk scoring calibrated on 23 enforcement actions and 133 FATF assessments. Upload your AML/CTF program and get a risk-scored gap analysis in under 5 minutes. Start your assessment.

Ready to score your compliance?

Upload your compliance document and get a risk-scored gap analysis in under 5 minutes.

Get started