Regulatory Updates

New regulated services

10 March 202611 min read
New regulated services

AML Comply has provided a summary of AUSTRAC’s guidance on the newly regulated services below. Please note that this overview is intended as a guide only; for comprehensive details, the full AUSTRAC documentation is included further down this page.

Summary

Overview: The "Tranche 2" Expansion

Starting July 1, 2026, Australian AML/CTF laws will expand to include specific "gatekeeper" professions. These businesses must implement systems to prevent money laundering, terrorism financing, and proliferation financing.

Affected Professions:

  • Lawyers & Conveyancers
  • Accountants
  • Real Estate Professionals (Agents, buyer’s agents, and developers)
  • Trust & Company Service Providers
  • Dealers in Precious Metals and Stones

Timeline & Deadlines

  • March 31, 2026: Enrolment opens for newly regulated industries.
  • July 1, 2026: Full compliance obligations begin.
  • July 29, 2026: Deadline for most newly regulated businesses to complete AUSTRAC enrolment.
  • Note: If you provide virtual asset services or intermediary transfer messages, your start date is earlier (March 31, 2026), with enrolment due by April 28, 2026.

The 6 Key Compliance Obligations

1. Enrolment and Registration

You must enrol your business with AUSTRAC.

  • Submission: You must enrol within 28 days of starting to provide a "designated service."
  • Update: You must notify AUSTRAC whenever your business details (key personnel, contact info, or services) change.

2. Develop an AML/CTF Program

You must create a written "Playbook" tailored to your specific business risk. It must include:

  • Risk Assessment: A formal identification of your specific money laundering/terrorism risks.
  • Policies & Controls: Written procedures to manage those risks.
  • Governance: The program must be approved by senior management and independently evaluated every 3 years.

3. Staff Readiness (Governance & Vetting)

You must ensure your team is capable of identifying risk through:

  • Defined Roles: You must identify a Governing Body (oversight), Senior Managers (approvers), and an AML/CTF Compliance Officer (daily management).
  • Vetting: Conduct "Personnel Due Diligence" to ensure staff are fit to perform their roles.
  • Training: Provide ongoing training so staff understand their obligations and the firm's specific red flags.

4. Customer Due Diligence (CDD)

  • Initial CDD: You must verify the identity of customers, their representatives, and "Beneficial Owners" (the humans behind a company/trust) before providing services.
  • Screening: You must check if clients are on Sanctions Lists or are Politically Exposed Persons (PEPs).
  • Ongoing CDD: You must monitor transactions and update client risk profiles over time.
  • Pre-commencement Clients: You generally don't need to re-verify existing clients unless you become suspicious or their risk profile changes significantly.

5. Reporting Requirements

You are legally required to submit the following to AUSTRAC:

  • SMR (Suspicious Matter Report): If you suspect a person is not who they claim to be or is involved in criminal activity.
  • TTR (Threshold Transaction Report): For any transaction involving $10,000 or more in physical cash.
  • Compliance Report: An annual report summarizing your compliance activities for the previous year.

6. Record Keeping

  • The 7-Year Rule: You must keep accurate records of all CDD, transactions, staff training, and audit results for at least 7 years.

Special Legal Protections

  • Legal Professional Privilege (LPP): The new laws explicitly protect LPP. Nothing in the amended Act overrides the right of a person or lawyer to refuse to produce documents or information that are subject to Legal Professional Privilege. These protections remain in effect when the new laws start on July 1, 2026.

New regulated services

Author: AUSTRAC

From 1 July 2026, AML/CTF obligations will apply to certain services typically provided by the following professions and businesses, known as tranche 2 entities:

  • real estate professionals – such as real estate agents, buyer's agents and property developers
  • dealers in precious stones, metals and products
  • lawyers
  • conveyancers
  • accountants
  • trust and company service providers.

Key obligations summary

The key obligations for businesses regulated by us are to:

  1. Enrol and register with us.
  2. Develop and maintain an AML/CTF program tailored to your business.
  3. Get your staff ready to implement your obligations.
  4. Conduct initial and ongoing customer due diligence (CDD).
  5. Report certain transactions and suspicious activities.
  6. Make and keep records.

In meeting your obligations, the relevant laws also provide clear protections for information that may be subject to legal professional privilege.

Understanding and meeting your obligations is essential to protect your business from misuse by criminals and make sure you comply with Australia’s AML/CTF laws.

1. Enrol and register with us

If you provide a designated service with a geographical link to Australia you must enrol. Enrolment opens 31 March 2026 for newly regulated industries and can’t be done earlier.

If you’re a remittance service provider or virtual asset service provider, you need to enrol and apply for registration.

If you’re already enrolled or registered, you must update your enrolment and registration details to include any of the new designated services you provide from 31 March 2026. You must also continue to update us when your enrolment or registration details change.

The Department of Home Affairs is considering whether transitional rules should be made to extend the deadlines for enrolment and registration mentioned below. This guidance will be updated if any transitional rules are made.

Enrol

Enrolment involves providing basic information about your business, such as its:

  • structure
  • services
  • key personnel
  • contact details.

You must also update your details when they change.

You must submit your enrolment application no later than 28 days after the day you start providing a designated service.

If your business provides any of the newly regulated virtual asset services or intermediary transfer message services, these new laws start 31 March 2026. This means you’ll have until 28 April 2026 to enrol.

If you provide any other newly regulated designated services, the new laws start on 1 July 2026, and you must enrol by 29 July 2026.

Register

You must not provide an existing regulated virtual asset or remittance designated service before you’ve registered with us. This obligation applies to newly regulated virtual asset services from 31 March 2026.

Criminal penalties apply for non-compliance.

Learn more about enrolment and registration and the consequences of not complying.

2. Develop and maintain an AML/CTF program tailored to your business

An AML/CTF program protects your business from criminal exploitation through money laundering, terrorism financing and proliferation financing. It helps you fulfil your obligations and contributes to a safer Australian financial system.

Your program must contain both of the following:

  • A risk assessment: you must identify and assess your money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks).
  • AML/CTF policies: you must develop and maintain appropriate policies, procedures, systems and controls to manage and mitigate your ML/TF risks and comply with your obligations.

Your program must be documented and approved by a senior manager of your business. It must be kept up to date, including to reflect significant changes to your business and relevant ML/TF risk products we release. It must also be independently evaluated at least once every 3 years.

Reporting group

If you want to share the costs of compliance with other businesses and fit within the framework established by the Act and Rules, you may be able to do so within a reporting group. Entities in a reporting group share some or all risk management and compliance arrangements. This includes those set out in a group AML/CTF program established by a lead entity of the group.

Note that obligations apply differently to foreign branches and subsidiaries.

3. Get your staff ready

Preparing your staff is critical to help you meet your AML/CTF obligations. This includes making sure of all of the following:

  • they’re fit to perform their roles
  • they understand their obligations
  • your business has strong governance and oversight in place.

Governance

Your AML/CTF program must be subject to appropriate governance arrangements.

Strong governance and oversight help protect your business from criminal exploitation and support a culture of AML/CTF compliance.

Your AML/CTF governance structure must clearly identify 3 roles:

  • Governing body: has primary responsibility for your governance and executive decisions, empowers the AML/CTF compliance officer and oversees compliance at the highest level.
  • Senior manager or managers: approves key AML/CTF compliance decisions.
  • AML/CTF compliance officer: manages day-to-day AML/CTF compliance and makes sure policies and procedures are implemented.

These roles are usually held by different people, but in smaller businesses, one person may conduct multiple governance responsibilities.

Conduct personnel due diligence and provide AML/CTF training

Personnel due diligence and training ensure the people performing AML/CTF functions in your business have the right skills, knowledge and integrity to meet your obligations and manage risk.

We expect your business to do both of the following:

  • conduct personnel due diligence: assess the skills, knowledge, expertise and integrity of personnel you employ or engage to conduct AML/CTF functions
  • provide AML/CTF training: make sure personnel understand your AML/CTF obligations and know how to follow your policies, procedures and systems. This is so they can identify, manage and mitigate ML/TF risks.

These requirements help your business comply with AML/CTF obligations and reduce the risk of criminal exploitation.

4. Conduct customer due diligence

Customer due diligence (CDD) helps you understand who your customers are and the ML/TF risks they may bring to your business.

CDD is separated into initial CDD and ongoing CDD.

The level of information you collect and verify to complete CDD will depend on the ML/TF risk profile of the customer.

You must apply enhanced CDD in high-risk scenarios. You may be able to apply simplified CDD in low-risk scenarios.

Initial customer due diligence

Initial CDD involves establishing certain matters about a customer on reasonable grounds before you start providing them with a designated service. This makes sure you identify relevant ML/TF risks from the beginning of your relationship with the customer based on information reasonably available to you.

You must establish the identity of your customer, their representatives, any person on whose behalf they're receiving a service and any beneficial owner of the customer.

You must also establish if any of these persons are any of the following:

  • designated for targeted financial sanctions – which prevents you from dealing with their assets or making assets available to them
  • a politically exposed person (PEP) – a person who holds a prominent public position in a government body or international organisation (for example, a government minister) or is a family member or close associate of such a person.

Ongoing customer due diligence

Ongoing CDD involves monitoring and managing ML/TF risks throughout the customer relationship. This includes all of the following:

  • monitoring transactions and behaviours for suspicious activity
  • updating the customer’s ML/TF risk profile in response to various triggers
  • reviewing, updating and reverifying information as needed.

Pre-commencement customers

You won’t need to do initial or ongoing CDD on a pre-commencement customer until any of the following occurs:

  • you’re required to file a suspicious matter report in relation to the customer
  • there’s a significant change in the nature and purpose of the business relationship with a customer which results in the customer’s ML/TF risk being assessed as medium or high.

This is intended to reduce the regulatory burden of regulating your existing customers, while making sure they’re subject to appropriate CDD measures when their risk profile changes.

5. Report certain transactions and suspicious activity

Reporting certain transactions and suspicious activities maintains the integrity of the financial system and helps law enforcement to combat crime.

The types of reports you may need to submit to us are all of the following:

  • suspicious matter reports (SMR): if you suspect a person isn’t who they claim to be, or you have information relevant to criminal activity
  • threshold transaction reports (TTR): for any transaction involving physical currency (cash) of $10,000 or more international funds transfer reports for instructions to transfer funds into or out of Australia
  • cross-border movement reports: if you move physical currency (cash) and other monetary instruments of $10,000 or more into or out of Australia
  • compliance reports: an annual report about how you met your obligations the previous calendar year.

6. Make and keep records

You must make and maintain accurate and complete records for at least 7 years.

These records provide evidence of your due diligence, risk management practices and compliance with AML/CTF obligations. Your records include documents related to your:

  • AML/CTF program
  • CDD
  • transaction records
  • staff training sessions
  • audit results.

Clear protections for legal professional privilege

The new laws provide clearer protections for information or documents that are subject to legal professional privilege (LPP).

Nothing in the amended Act affects the right of a person to refuse to give information (including by answering a question) or produce a document. This applies if the information or document would be privileged from being given or produced on the grounds of LPP.

These changes come into effect on 1 July 2026.


10 March 2026