AUSTRAC Tranche 2 Reform: AML/CTF Obligations Extend to DNFBPs

Australia's Tranche 1 regime — covering banks, insurers, casinos, money services businesses and other "financial institutions" under a broad definition — has been operational since 2006. Tranche 2 was envisaged from the start as the second wave that would bring non-financial businesses into the regime, aligning with FATF Recommendations 22 and 23 on DNFBPs. The reform has been delayed for nearly two decades — a recurring point of criticism in FATF Mutual Evaluation reports — before legislative passage in December 2024.

For newly-covered entities, the operational reality is that the AUSTRAC compliance bar is high. The agency is one of the more active financial-crime regulators globally, with the major-bank enforcement record (AUD 700 million Commonwealth Bank penalty 2018, AUD 1.3 billion Westpac penalty 2020) demonstrating willingness to impose substantial sanctions. Newly-covered entities should not assume gradual phase-in tolerance — the regulatory framework treats Tranche 2 entities as new compliance subjects with the same fundamental obligations as Tranche 1 entities, calibrated proportionately to size and risk.

Tranche 2 entities take on the same fundamental obligations as Tranche 1 entities, adjusted for the operational scale and risk profile of professional services rather than financial institutions.

1. AML/CTF Programme. A documented programme covering risk assessment, customer identification procedures, ongoing customer due diligence, transaction monitoring proportionate to the business, suspicious matter reporting procedures, employee training, and independent review. The programme must be approved by senior management and reviewed periodically.

2. Customer Identification (KYC). Identification and verification of customers before providing the designated service. For natural persons: identity document verification. For corporates: beneficial ownership disclosure and verification. The depth of identification is calibrated to risk — standard customers receive standard identification; higher-risk customers receive enhanced identification.

3. Suspicious Matter Reports (SMRs). Submission to AUSTRAC where the entity has reasonable grounds to suspect the customer or transaction may be linked to money laundering, terrorism financing, proceeds of crime, or other serious offences. The reporting threshold is similar to Tranche 1 entities — reasonable grounds to suspect, not certainty.

4. Threshold Transaction Reports (TTRs). Reporting of cash transactions above AUD 10,000 (and equivalents in foreign currency). The TTR obligation extends to Tranche 2 entities handling cash transactions in the designated services.

5. International Funds Transfer Instruction (IFTI) reports. Where the entity transmits or receives instructions to transfer funds internationally on behalf of customers, IFTI reports are required.

6. Record-keeping. Customer identification records and transaction records retained for at least 7 years from the end of the relationship or the transaction.

7. Ongoing customer due diligence. Monitoring of customer activity for unusual patterns; updating of customer profiles where changes occur; periodic refresh of higher-risk customers.

Operational priorities for Tranche 2 entities preparing for compliance:

• Customer identification infrastructure. Identity document verification, beneficial ownership disclosure for corporate clients, sanctions and PEP screening. The infrastructure does not need to match a major bank's scale, but it needs to deliver verified identification on every customer receiving a designated service.
• Risk-based customer classification. A documented methodology for classifying customers by risk — informed by customer type, jurisdiction, nature of designated service, and any specific risk indicators. The classification drives the depth of due diligence and the intensity of ongoing monitoring.
• Transaction monitoring proportionate to the business. For a real estate agency, transaction monitoring may focus on cash transactions, third-party payments, and unusual transaction patterns in client trust accounts. For a TCSP, monitoring may focus on the underlying activity of the entities being managed. The architecture differs from a bank's but the fundamental obligation — to identify unusual activity for reporting consideration — is the same.
• SMR submission capability. Familiarity with AUSTRAC's reporting portal, the SMR form, and the operational mechanics of submission. Many Tranche 2 entities will be filing infrequently relative to a bank, but they need to be capable of filing promptly when suspicion arises.
• Training across all designated-service staff. Every employee involved in delivering a designated service needs training on AML/CTF obligations, recognising suspicious activity, the firm's procedures, and tipping-off prohibitions. Tipping-off is particularly important for legal and accounting professionals who may face client confidentiality tension with reporting obligations.
• Independent review. AUSTRAC expects the AML/CTF Programme to be subject to independent review periodically. For smaller Tranche 2 entities, this may be an external consultant; for larger entities, internal audit. The review is itself a regulatory expectation, not optional.