AML/CTF Tranche 2 for Australian small firms: what changes on 1 July 2026
A plain-English explainer for accountants, real estate agents, jewellers, conveyancers and trust-and-company service providers. What you have to do, what AUSTRAC and the OAIC will expect, and a 6-week action plan to get there.
TL;DR
From 1 July 2026, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) extends to a new category of "Tranche 2" reporting entities — including accountants, real estate agents, jewellers and dealers in precious metals, conveyancers, and trust-and-company service providers. If you provide a designated service listed in s.6 of the Act, you become a reporting entity. You must enrol with AUSTRAC, appoint an AML/CTF Compliance Officer, run customer due diligence on every customer, file suspicious matter reports, retain records for 7 years, and document an AML/CTF program. Crucially, the Privacy Act 1988 small-business exemption no longer covers your AML/CTF data handling — you need an APP-compliant privacy program too. This guide walks through what's required, what most practitioners miss, and what to do this month.
1. What's actually happening on 1 July 2026
Tranche 2 is the long-delayed extension of Australia's anti-money-laundering regime to professions that historically sat outside it. Lawyers were the original "tranche 2" target in 2006; the current rollout sweeps in accountants, real estate, precious-metal dealers, conveyancers and trust-and-company service providers.
The legal mechanism is an amendment to section 6 of the AML/CTF Act, which defines "designated services". When you provide a designated service, you become a "reporting entity" under the Act and the obligations flowing from Part 1A (program), Part 2 (customer identification), Part 3 (reporting), Part 4 (record-keeping) and Part 10 (offences) all apply to you.
The newly-relevant tables in subsection 6(5B) are:
| Table | Sector | Examples of designated services |
|---|---|---|
| Table 2 | Precious metals / jewellers | Buying or selling bullion or jewellery above the threshold; gold dealing |
| Table 5 | Real estate | Acting as a buyer's or seller's agent in residential or commercial real estate transactions |
| Table 6 | Accounting / legal / trust services | Forming companies, acting as a director, providing registered office, managing client money, certain tax and structuring advice |
2. Are you a reporting entity?
The test is whether you provide any designated service in the course of carrying on a business. If you do, you are in scope — there is no minimum size or turnover threshold for AML/CTF purposes.
Typical practices that need to act:
- Accountants and bookkeepers — particularly if you form companies, act as a registered office, hold client money, or provide structuring advice. The full list of accounting designated services is wider than most practitioners assume.
- Real estate agents and property managers — any agent acting for buyer or seller in a real-property transaction. Property management without sales is typically outside the perimeter.
- Jewellers and precious-metal dealers — over a transaction threshold for cash purchases.
- Conveyancers — overlap with real estate Table 5 and accounting Table 6 depending on the service provided.
- Trust and company service providers — the most heavily regulated sub-sector. Trustee, company secretary, registered office, nominee director services all sit here.
If you are not sure whether your services are designated, AUSTRAC's customise guide for your sector walks through the s.6 tables and gives sector-specific worked examples. Erring on the side of enrolment is safer than waiting for AUSTRAC to ask.
3. What you actually have to do
Enrol with AUSTRAC
Reporting entities must enrol via AUSTRAC Online before commencing or continuing to provide designated services. Enrolment is free and is generally completed within a few business days.
Appoint an AML/CTF Compliance Officer
Section 26F(4)(d) of the Act requires you to appoint a Compliance Officer. In small practices the Practice Principal can fill this role; the appointment must be in writing, the role's authority must be documented, and the person must have access to the governing body. Section 26F(4)(d) is satisfied by an appointment letter plus a delegations register.
Run Customer Due Diligence (CDD) on every customer
Before providing a designated service, you must identify and verify the customer, identify beneficial owners (any individual owning more than 25% or otherwise controlling the customer), screen against politically exposed persons (PEPs) and sanctions lists, and assess money-laundering risk. Enhanced due diligence applies for higher-risk customers; periodic and trigger-event reviews must be documented thereafter.
File Suspicious Matter Reports (SMRs)
If you form a reasonable suspicion of money laundering, terrorism financing, tax evasion or proceeds of crime, you must lodge a Suspicious Matter Report with AUSTRAC within 24 hours (or 3 business days, depending on the trigger). Section 123 prohibits you from disclosing the existence of an SMR to anyone (including the customer) — the "tipping-off" offence carries up to 2 years imprisonment for individuals.
File Threshold Transaction Reports (TTRs)
Cash transactions of AUD 10,000 or more (or equivalent foreign currency) must be reported to AUSTRAC within 10 business days.
Retain records for 7 years
Sections 107 (transaction records), 113 (customer due diligence records) and 116 (program records) all impose a 7-year minimum retention from the date the record is created (or from when the customer relationship ends, for KYC records). Records must be retrievable in legible form, in English, on demand by AUSTRAC.
Document an AML/CTF program
Section 26F requires a written program covering the practice's money-laundering and terrorism-financing risk assessment, the procedures that flow from it, the Compliance Officer's responsibilities, staff training, customer onboarding, ongoing monitoring, and an independent evaluation cycle. The program must be approved by the governing body (the sole director in a small Pty Ltd) and reviewed at least annually.
4. The privacy layer most practitioners miss
This is the trap. Most small firms are exempt from the Privacy Act 1988 under the small-business exemption in section 6D (less than AUD 3 million annual turnover, no listed activities). Becoming a reporting entity removes that exemption for your AML/CTF data handling. Identity documents, beneficial-owner information, source-of-wealth records, PEP screening results, SMR working papers — all become "personal information" under the Privacy Act, and all 13 Australian Privacy Principles apply.
The Privacy Act explicitly names two documents you must have:
- An APP 1.3 privacy policy — publicly available, plain English, describing what you collect, why, who you share it with, where it goes overseas, how to access or correct it, and how to complain.
- An eligible-data-breach statement under Part IIIC — the notification you would issue if a notifiable data breach occurred.
The OAIC also expects, under APP 1.2, that you can demonstrate "practices, procedures and systems" for handling personal information. In practice that means at minimum:
- A collection notice issued at customer onboarding (APP 5)
- A documented data-handling procedure for the AML/CTF surface — KYC collection, CDD storage, SMR working papers (APP 6, APP 11)
- A cross-border disclosure record where overseas KYC providers, cloud storage in other jurisdictions, or any other APP 8 disclosures occur
- An access request procedure that handles the s.123 tipping-off carve-out — you cannot tell a customer their information was used in an SMR, even when responding to a Privacy Act access request (s.123(4) provides a qualified-accountant safe harbour)
- A Notifiable Data Breach response procedure assessed against the Part IIIC thresholds (s.26WH assessment, s.26WK notification)
- A government-identifier handling procedure if you collect TFNs, Medicare numbers or driver-licence details (APP 11, TFN Rule 2015)
- Privacy training for staff who touch customer data, with attestation evidence retained
And from 10 December 2026, APP 1.7 (automated decision-making disclosure) commences — if any of your customer onboarding uses software-driven decisions, you must disclose that in your privacy policy and offer human review on request.
5. Penalties
Civil penalties under the AML/CTF Act run to AUD 33 million per contravention for body corporates. Individuals face up to AUD 6.6 million civil and, for the worst offences (tipping-off, structuring), criminal penalties of up to 10 years imprisonment.
The Privacy Act overlay adds independent OAIC enforcement: civil penalties up to AUD 2.5 million for individuals and AUD 50 million for body corporates for serious or repeated interferences with privacy. The same incident can attract both AUSTRAC and OAIC action — the regulators have an information-sharing memorandum and have demonstrated willingness to coordinate.
The practical risk for small firms is not the headline penalty. It is the reputational and licensing consequence of a public AUSTRAC remediation order or OAIC determination on a small practice's professional registration, PI insurance renewal, and bank relationships. A documented compliance program — even an imperfect one — is the strongest defence.
6. What you should do this month
A 6-week countdown to 1 July 2026:
| Week | What to do |
|---|---|
| Week 1–2 | Enrol with AUSTRAC. Appoint your Compliance Officer in writing. Map which of your services are designated under s.6. |
| Week 3 | Draft your risk assessment. Build customer-onboarding forms (initial CDD, enhanced CDD, beneficial-owner, PEP/sanctions screening). |
| Week 4 | Draft your AML/CTF program document. Set up your record-retention system (7-year, retrievable, in English). |
| Week 5 | Train staff. Capture training attestations. Stand up your SMR and TTR workflow with the tipping-off controls. |
| Week 6 | Privacy layer: publish your APP 1.3 policy, issue your APP 5 collection notice, document your APP 8 cross-border disclosures, finalise your breach-response procedure. |
By 1 July, your reporting-entity status should be enrolled, your program approved by the governing body, your customer-onboarding pipeline live, and your privacy documents published.
7. How privacycovered.com.au helps
We are not a law firm. What we are is a pre-filled-template engine: you give us your firm details, your software stack and the AML/CTF designated services you provide, and we generate a tailored compliance pack in DOCX format — pre-filled, sector-correct, ready to tailor and approve.
The pack includes the OAIC's Privacy Management Plan and the AUSTRAC customise guide and sector starter-kit forms reproduced verbatim under their published licences, plus our own pre-filled documents for the seam between AML/CTF and the Privacy Act — APP 5 collection notice, APP 12 access procedure with the s.123 carve-out, NDB breach-response plan, APP 8 cross-border record, training curriculum and attestation register, and the audit-defensible registers (personal-information holdings, disclosure map, ADM disclosure).
It is templates, not advice. Review with a qualified Australian legal advisor before relying on any of it. But if you are starting from a blank page six weeks out from 1 July, the pack saves you the four-to-six weeks of drafting it would otherwise take.
The pack — AUD $99 flat
70+ pre-filled documents tailored to your profession and software stack. Delivered as DOCX. One form, one payment.
Get your pack →This article is general information about the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Privacy Act 1988 (Cth) compliance obligations relevant to small Australian practices. It is not legal advice. Engage qualified Australian counsel to confirm your specific obligations and the documents you adopt are fit for your circumstances. Last updated 14 May 2026.