What you need to know about AUSTRAC’s Core Guidance
New AML/CTF Tranche 2 regulations come into effect in 2026, and AUSTRAC recently issued its core guidance, known as its reform guidance. This guidance contains over 80,000 words explaining how AUSTRAC interprets the AML/CTF Act and Rules, and what it expects from Tranche 2 businesses who need to apply them. It clarifies what impacted businesses must do, what AUSTRAC expects, and also shares some good practice measures that businesses should consider implementing.
In short: it’s the official playbook for compliance.
If you were to read the reforms guidance end to end, it would take roughly 8 hours at 200 words per minute, and here’s what it covers:
- ~40% Customer Due Diligence (CDD)
- ~12% AML/CTF Program development and maintenance
- ~11% Training
- ~12% Reporting to AUSTRAC
We’ve done the reading and have broken down the essential info for you below, so you can focus on what matters most for your business.
Understanding AUSTRAC’s language
AUSTRAC uses specific phrases throughout its guidance that indicate how strictly an action applies:
| Phrase | Meaning |
| --- | --- |
| You must | A legal obligation or an action required in all circumstances to comply with the law. |
| We expect | An action that’s likely necessary to meet your obligations. You can take a different approach, but AUSTRAC may ask you to justify it later. |
| You may / You could | A recommendation or good-practice suggestion. Optional, but often wise to follow. |
Key areas of focus for Tranche 2 businesses
1. Enrolment
Tranche 2 businesses must enrol with AUSTRAC from 31 March 2026. If your business is already providing a designated service(s) when the new regulations kick in, you MUST be enrolled by 29 July 2026, or you can no longer continue to provide those services.
Enrolment ensures AUSTRAC knows who is operating in your sector and that your business is captured under the AML/CTF framework before obligations begin.
2. AML/CTF program
Every reporting entity must have a written, risk-based AML/CTF program that:
- Identifies and assesses your business’s money laundering and terrorism financing (ML/TF) risks.
- Outlines how your business will manage and mitigate those risks.
- Is implemented, monitored, and regularly reviewed for effectiveness.
Your AML/CTF program will form the basis of how your business will comply with the new rules & regulations.
Governance Roles
AUSTRAC identifies three key roles:
- Governing body: the group or person responsible for overall governance and strategic decisions.
- Senior manager(s): those who approve the AML/CTF Program and key compliance decisions.
- AML/CTF compliance officer: manages day-to-day compliance and reports to the governing body.
Small businesses may combine these roles (even into one person), but the responsibilities still apply.
Compliance officer requirements
Your compliance officer must be:
- Employed or engaged at a management level.
- Resident in Australia if services are provided here.
- A fit and proper person.
They don’t have to be an employee, but if outsourced:
- They must have the authority, resources, and expertise to perform the role.
- You must consider conflicts of interest, such as:
  - Ties to AML software vendors that might bias system selection.
  - Acting as compliance officer for multiple unrelated entities.
Even if you outsource, you remain responsible for ensuring the provider meets AUSTRAC’s standards.
3. Building a strong AML/CTF culture
This is a new and important focus area. While not technically a legal requirement, AUSTRAC views AML/CTF culture as a key indicator of how seriously your business takes compliance. They will actively assess this during supervision.
Indicators of a strong AML/CTF culture
| Strong AML/CTF culture | Poor AML/CTF culture |
| --- | --- |
| Governing body and managers are engaged with AML/CTF risks and updates. | Governing body disengaged from AML/CTF oversight. |
| AML/CTF is treated as a business priority. | Treated as a box-ticking exercise. |
| Compliance officer is credible, resourced and empowered. | Officer lacks experience, authority or visibility. |
| ML/TF risk considered in key decisions. | Risk ignored in pursuit of business interests. |
| Staff trained regularly and rewarded for compliance. | No or minimal AML training. |
| Disciplinary measures for non-compliance. | Staff non-compliance ignored. |
A strong culture makes compliance smoother, and ultimately protects your business reputation and relationships.
4. Customer due diligence (CDD)
Initial CDD
Initial CDD requires businesses to verify their customer’s identity before providing a designated service (unless delayed CDD applies). This means that you must establish on reasonable grounds:
- The customer’s identity
- Any beneficial owners (25%+ ownership or control)
- Any politically exposed persons (PEPs)
- The purpose and nature of the business relationship
- The source of funds or wealth (for higher-risk customers and PEPs)
Delayed initial CDD
Some flexibility applies in cases like real estate, legal, and conveyancing transactions. For example, real estate agents and conveyancers may complete their initial CDD within 15 days after exchange of contracts or before settlement (whichever is earlier), depending on whether they act for the buyer or seller.
Ongoing CDD
Ongoing CDD means that businesses must continue to monitor their customers for unusual transactions or behaviours, essentially watching for any activity that doesn’t match their known profile or expected behaviour. This includes being on the lookout for things like:
- Unusual transaction volumes
- Dealings with high-risk countries
- Use of complex entities or trust structures
- Large cash payments
- Inconsistent or evasive behaviour
Enhanced CDD
Where higher risk is identified, it is expected that a business will perform deeper checks, which includes verifying source of funds and source of wealth.
Flexible KYC options
If a customer can’t provide standard ID (e.g., due to personal or cultural barriers), businesses can use alternative verification methods, but must record their reasoning, risk assessment, and any additional controls applied.
5. Training
All Tranche 2 businesses must provide AML/CTF training to their team members. The training should ensure they:
- Understand AML/CTF obligations and the business’s internal procedures.
- Can identify, manage, and report ML/TF risks.
Training must not only be provided at onboarding, but should be ongoing, with refreshers and updates for new risks and rule changes.
Be sure to tailor your training
AUSTRAC has been very clear in their reforms guidance that generic, off-the-shelf or international AML training won’t cut it. Your business’s training sessions should reflect:
- The person’s role and responsibilities.
- The ML/TF risks specific to your industry and business.
AUSTRAC encourages using external training providers, but businesses must be sure to:
- Verify their suitability and local expertise.
- Ensure the content is specific to your business and risk profile.
It is also the business’s responsibility to keep a training register with names, dates, content covered, and assessments completed. This is a key part of the compliance recordkeeping requirements.
Sounds like a lot… You’re not wrong!
Tranche 2 entities will soon face obligations similar to banks and financial institutions, but without the luxury of large compliance teams. AUSTRAC’s reforms guidance is complex, but the goal is simple: AUSTRAC expects small and medium businesses to take AML/CTF compliance seriously.
An all-in-one system like easyAML simplifies this process, helping you:
- Assess risk and build your tailored AML program in one platform
- Manage all your CDD and ongoing monitoring requirements
- Track training, reporting, and recordkeeping
- Demonstrate compliance confidently
The next six months will be key to your compliance success. There are many things that you can start to do now, to position your business in a way that will reduce overwhelm and make compliance a whole lot easier in 2026.
| Focus area | What you must do |
| --- | --- |
| Enrolment | Enrol from 31 March 2026 |
| AML/CTF program | Develop, document, and follow a program that reflects your unique business risks. |
| Governance | Appoint a fit and proper compliance officer, and ensure appropriate oversight. |
| Culture | Promote AML/CTF within your team as a business priority, not just a legal obligation. |
| CDD | Identify and verify customers, monitor ongoing activity, apply enhanced checks where needed. |
| Training | Provide tailored, ongoing AML/CTF training and maintain records. |
We’ve read the 80,000 words so you don’t have to.
Our platform brings it all together, so your compliance is simple, consistent, and stress-free. Ready to see it in action? Join one of our upcoming 45-minute webinars to watch a live demo of easyAML. We’ll cover your AUSTRAC enrolment, risk assessment, CDD workflows, training logs and reporting, plus time for Q&A. Save your spot and see how simple compliance can be.