Preparing for the Tranche 2 AML Changes: Your Five Key Steps by June 2026 (A Guide for Directors and Executives)

Under Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws, a significantly expanded range of businesses and professions will soon be subject to compliance and risk obligations. These "tranche 2" businesses include real estate agents and developers, conveyancers, dealers in precious metals and stones, and professional services providers such as lawyers, accountants, and trust and company service providers. If you operate in one of these sectors, here are five key steps you need to take by June 30, 2026, to get ready for the AML changes.

Step 1: Enrol with AUSTRAC by 31 March 2026

If your business falls within one of the listed sectors, you must enrol with AUSTRAC by March 31, 2026. AUSTRAC provides guidance on the information required for your Australian Business Profile Form (ABPF). This includes details on your business's services and structure, contact information, key personnel names and contact details, financial statements for the most recent financial year, registration numbers (like ABNs or ACNs), foreign registration details if applicable, and any criminal, civil, or enforcement actions related to your business and key personnel.

To prepare for enrolment, identify which designated services you provide, whether you have one or more entities providing those services, and if you have a Reporting Group. You should also compile ASIC searches and obtain financial statements for each entity to help complete your ABPF. This preparatory work will significantly assist with the following steps.

Step 2: Complete Your ML/TF/PF Risk Assessment by 30 June 2026

Your Money Laundering, Terrorism Financing, and Proliferation Financing (ML/TF/PF) Risk Assessment is the foundation of your AML/CTF Program. This assessment evaluates the inherent and residual risks of your business and services being used for illicit activities. By the end of the 2026 financial year (ready for July 1, 2026), you should have the following documents in place:

• An ML/TF/PF Risk Appetite Statement: This document outlines your company's appetite and tolerance levels for ML/TF/PF risks related to customers, products, channels, and business locations. It guides management and staff on Board and Senior Management expectations, helping you understand if your business is operating within or outside its defined risk appetite after the assessment.
• An ML/TF/PF Risk Assessment Methodology: This sets out how you will assess your ML/TF/PF risks. Think of it as the "recipe" for your risk assessment.
• A Context Assessment: This examines the nature, size, and complexity of your business.
• Your ML/TF/PF Risk Assessment: This identifies potential ML/TF/PF risks your business could face, looking at inherent risks (without preventative measures), your controls environment, and residual risks.

If you already have risk and compliance management frameworks, ensure your ML/TF/PF risk documentation is appropriately integrated. It may take time to consolidate details of your controls (measures to prevent, mitigate, or manage risk) and how you monitor/test them, but establishing a solid foundation for your AML/CTF Program is recommended.

Step 3: Prepare Your AML/CTF Program by 30 June 2026

Once your ML/TF/PF Risk Assessment is complete, you can prepare your AML/CTF Program. It is recommended to engage independent assistance for this exercise, especially if it's your first time or if you haven't yet appointed an AML/CTF Compliance Officer (AMLCO).

Step 4: Prepare Your AML/CTF Policy Documents by 30 June 2026

The updated laws require your entity to have several policy documents in place from July 1, 2026. AUSTRAC guidance states that your business must develop and maintain policies, procedures, systems, and controls that appropriately manage and mitigate your business's risks, ensure AML/CTF compliance, and are appropriate for your business's nature, size, and complexity.

Step 4 involves documenting the policies, procedures, systems, controls, and measures that implement your AML/CTF Program from Step 3. These policies may include, but are not limited to:

• Governance protocols: How your governing body stays informed of ML/TF/PF risks related to your designated services.
• Customer Due Diligence.
• Appointing an AML/CTF Compliance Officer (AMLCO).
• Designating senior managers responsible for approving AML/CTF Policies and the ML/TF/PF Risk Assessment.
• Employee Due Diligence.
• ML/TF/PF Risk Awareness (and AML/CTF compliance) Training.
• How Independent Reviews are conducted.
• Information sharing (especially for Reporting Groups).

Documenting these processes can take time, so it's advisable to start this work soon.

Step 5: Appoint an AMLCO by 30 June 2026

You are required to appoint an AML/CTF Compliance Officer (AMLCO). This person must be employed or engaged at a management level and possess sufficient authority, independence, and access to resources and information to effectively perform their functions. Once appointed, you must notify AUSTRAC within 14 days via AUSTRAC Online (details provided after completing Step 1).

With the projected increase in reporting entities from approximately 17,000 to over 100,000, it's advisable to begin the hiring or internal upskilling and training processes for the AMLCO position now.

As the end of the 2025 financial year approaches, it's crucial to ensure you have enough time to prepare for these significant changes. We recommend starting to consider key measures, particularly steps 2, 3, and 4, soon to prepare for the changes impacting your business from July next year. Remember to inform stakeholders about the impact of these requirements and secure documented approvals from your governing body.