Why ISO 37301 Is a Winning Strategy

ISO 37301 defines what a certifiable compliance management system (CMS) must look like: documented obligations, risk assessment, leadership & governance, competence & training, operational controls, raising concerns, impartial investigations, monitoring & indicators, internal audit, management review, and continual improvement/corrective action. These “shall” requirements are not theory—they align naturally with AUSTRAC’s risk‑based expectations and the legal obligations found in the AML/CTF Act and AML Rules 2025.

• AUSTRAC requires a risk‑based AML/CTF program tailored to the nature, size and complexity of your business, with a current ML/TF risk assessment before providing designated services. ISO 37301 requires documented context, scope, obligations, and a risk assessment process that is periodically reassessed.

• AUSTRAC mandates governance (oversight by the governing body and compliance officer), program documentation and approvals, periodic reporting to the governing body, and independent evaluation. ISO 37301 requires leadership & commitment, compliance function independence, documented information control, internal audit, and management review.

The Core: Your ML/TF Risk Assessment

A credible AML/CTF program starts with a methodical ML/TF (and PF) risk assessment across services, customer profiles & types, delivery channels/technology, geographies, and third‑party/outsourced activities. AUSTRAC expects you to identify, assess and mitigate these risks, review and update regularly (or upon significant change), and have it up‑to‑date before serving customers. ISO 37301’s risk assessment clause (4.6) and AML requirements echo each other here.

• Act: s 26C (undertake risk assessment), s 26D (review and update at triggers and at least every 3 years), s 26E (must be up‑to‑date before providing designated services).

• Rules: 5‑1 (review cadence); AUSTRAC program guidance provides a practical roadmap for the assessment and periodic updates.

Pro tip (ISO): Keep your methodology documented (inputs, rating scales, criteria, residual risk) and your update triggers explicit (regulatory changes, new product/channel, AUSTRAC communications, adverse events). ISO 37301 requires documented information and periodic reassessment; AUSTRAC expects responsiveness to AUSTRAC‑issued risk intel.

Governance That Stands Up To AUSTRAC’s Expectations (and ISO 37301 Auditors)

A strong AML/CTF program relies on real accountability and oversight.

• Governing body & top management: exercise appropriate ongoing oversight; ensure resources; approve risk assessment and AML/CTF policies; receive periodic reports.

• AML/CTF Compliance Officer: designated at management level, with authority, independence and access to information, and notified to AUSTRAC.

• Reporting cadence: structured 12‑monthly reporting from the compliance officer to the governing body, covering risk mitigation effectiveness, compliance status, deficiencies & remediation, and AUSTRAC interactions.

Pro tip (ISO): Evidence governance with board minutes, approval logs, and a RACI model. ISO 37301 requires documented roles and a functioning compliance function; AUSTRAC expects demonstrable oversight and resourcing.

Authoring the AML/CTF Program: Documents That Matter

Your AML/CTF program must be documented, approved, version‑controlled, and kept current. AUSTRAC may request your documentation, and the Act/Rules spell out what you need and when. ISO 37301 requires formal documented information creation, control and retention.

• Act: s 26N (program documentation), s 26P (senior‑manager approvals & notifying governing body), s 26Q (AUSTRAC requests), s 26G (comply with your policies).

• Rules: 5‑15 (documentation timing), 5‑3 (sanctions policy), 5‑4 (update policies after evaluation), 5‑10 (independent evaluations).

• ISO: 7.5 (documented information creation, version control, retention and integrity).

Program content checklist:

• Compliance Policy (plain language; non‑retaliation; commitment to applicable requirements)—ISO 5.2.

• ML/TF Risk Assessment (methodology, results, update schedule)

• Governance & Roles (Governing body, Senior manager, Compliance Officer; approvals; reporting)

• CDD SOPs (initial/ongoing/simplified/enhanced; PEPs; beneficial ownership; reliance; nested services)

• Sanctions SOP (lists, matching, escalation, freeze)

• Transfers of Value SOPs (ordering/beneficiary/intermediary duties)

• Reporting SOPs (SMR, threshold transactions, exception reporting; secrecy/tipping‑off)

• Record‑keeping Policy (7‑year retention across transactions, customer docs, CDD & reliance, program records)

• Training & Competence (role‑based training; effectiveness assessment; records)

• Independent Evaluations (scope, frequency; remediation & policy updates)

Operating Your Program Day‑to‑Day

ISO 37301 requires operational planning & control (8.1), establishing & testing controls (8.2), raising concerns (8.3), and impartial investigations (8.4). AUSTRAC expects the same in practice.

• Operational control: Ensure your CDD, sanctions screening, monitoring, and reporting processes have defined criteria, evidence trails, and competent operators.

• Third parties & reliance: If you rely on another reporting entity, the AML Rules set contractual, assessment, and procedural requirements; ISO requires control of externally provided processes.

• Raising concerns & investigations: Provide visible, accessible, confidential channels (accept anonymous reports, protect reporters), and run impartial investigations with outcomes reported to governance—mind the secrecy/tipping‑off prohibitions in the Act

Monitoring, Indicators, Independent Evaluations & Management Review

To show effectiveness (for AUSTRAC and ISO auditors), you need monitoring & indicators (KPIs), independent evaluations, and management reviews—and you must retain complete evidence.

• Indicators & reporting: Define what you monitor (e.g., SMR timeliness, false‑positive rates, overdue CDD reviews, control test pass rates), how and when you report, and how you ensure accuracy/completeness

• Independent evaluations: Conduct periodically, capture findings, implement Corrective Action Plans (CAPs), and update policies; ISO requires internal audit and corrective action evidence.

• Management review: Governing body/top management review the program at planned intervals, with specific inputs (noncompliance trends, audit/evaluation results, adequacy of resources) and decisions for improvement.

Record‑Keeping: The Seven‑Year Rule (and Document Control)

AUSTRAC’s Act requires 7‑year retention for transaction & customer records, CDD & reliance evidence, and AML/CTF program documentation. ISO 37301 requires control of documented information—availability, integrity, version control, retention & disposition. Put simply: if you didn’t retain it, you didn’t do it.

Real‑World Example: Independent Real Estate Agencies (Tranche 2 Focus)

Independent real estate agencies face exposure via client onboarding, payments, and third‑party arrangements. Aligning with ISO 37301 and your AML obligations helps standardise controls and evidence:

• CDD tailored to property transactions: beneficial ownership checks (companies/trusts), PEP screening, source‑of‑funds for high‑risk transactions; ongoing monitoring.

• Sanctions checks on counterparties and payments prior to settlement; clear escalation & decision‑rights when potential matches arise.

• Risk assessment inputs: cash‑intensive buyers, offshore structures, complex trusts, high‑risk jurisdictions, third‑party referrers; periodic reassessment as market conditions change.

• Evidence: reliance agreements with lawyers/conveyancers (if used) that meet the requirements set out in the rules; documented approval & review cycles; training logs for frontline staff; annual compliance officer reports.

Frequently Asked Questions (FAQ)

Q1: Do I need ISO 37301 certification to satisfy AUSTRAC?
No—AUSTRAC doesn’t require ISO certification. But ISO 37301 gives you a structured, auditable CMS that maps cleanly onto AUSTRAC’s expectations, improving assurance and readiness for independent evaluations under the Rules.

Q2: How often must I review my ML/TF risk assessment?
Under the Act, at triggers (e.g., significant changes, AUSTRAC communications) and at least every 3 years—and it must be up‑to‑date before providing services. ISO 37301 also requires periodic reassessment.

Q3: What records must I keep (and for how long)?
Keep transaction records, customer documents, CDD & reliance evidence, and program documentation for 7 years. Maintain integrity and version control per ISO 7.5.

Q4: What is an independent evaluation under the AML Rules?
A periodic, objective review of your program’s effectiveness with findings and remediation, often complementing internal audits. Update policies post‑evaluation.

Need help building an ISO 37301‑aligned AML/CTF program?

AML Advisers designs audit‑ready programs for independent real estate agencies, conveyancers, law firms and accountancy firms for Tranche 2‑impacted businesses across SEQ, Gold Coast, Sunshine Coast, Ipswich and Northern NSW. We’ll deliver:

• ML/TF risk assessment (methodology + report),

• AML Compliance Policy and program documentation,

• CDD, sanctions & reporting SOPs,

• Governance reporting pack (board/committee),

• Training & competence framework,

• Independent evaluation plan, management review templates, and

• Record‑keeping & evidence repositories (7‑year compliance).

 Contact AML Advisers today to book a free, confidential consultation to navigate your Tranche 2 AML reforms preparation with an ISO 37301‑aligned AML/CTF program.

Introduction: An Economic Theory in the Modern Spotlight

The Laffer Curve, a cornerstone of supply-side economics, has recently re-entered global policy debates. Its namesake, economist Dr. Arthur Laffer, has publicly criticised high-tax proposals in the UK and, notably, Australia’s tobacco excise policy, stating, “It’s not working at all. Your taxes are way too high.”

These interventions underscore a critical question: How can this decades-old theory help explain a growing crisis in Australia—the explosion of money laundering linked to the illicit tobacco and vape trade?

This analysis examines a consequential side effect: while achieving public health goals, Australia's high excise may have pushed the tobacco market into a prohibitive range on the Laffer Curve. This economic shift has correlated with declining tax revenue and fostered a rampant black market, creating fertile ground for organised crime and challenging the nation's Anti-Money Laundering (AML) regime.

The Laffer Curve in a Nutshell

At its core, the Laffer Curve is a simple model of the relationship between tax rates and government revenue. Its premise is twofold:

• At a 0% tax rate, the government collects no revenue.

• At a 100% tax rate, it also theoretically collects no revenue, as the incentive to engage in the taxable activity vanishes.

The model posits an optimal tax rate between these extremes that maximises revenue. The controversial implication is that under certain conditions, cutting tax rates can actually increase total revenue by stimulating greater economic activity.

The entire debate hinges on one question: where on this curve does a specific market sit?

Australia's Tobacco Policy: Public Health Success and Economic Distortion

Australia’s public health campaign against smoking is globally recognised. The strategy is fundamentally fiscal: make tobacco prohibitively expensive to deter use. This is executed through a permanent annual excise increase of 12.5%, plus bi-annual indexation.

The public health result is clear success: national smoking rates have plummeted to below 6% of adults.

However, the economic side effects are significant. Australia now has among the most expensive cigarettes in the world, with a pack often costing AU$40-$50.

The Perverse Incentives and the Illicit Market Response

For an addictive product, extreme pricing creates a harsh reality. While many quit, a residual demand remains, disproportionately in lower socio-economic groups. For these consumers, the choice is often not to quit, but to find cheaper alternatives.

This is where the Laffer Curve becomes acutely relevant.

• Official excise revenue has sharply declined, from a peak of $16.3 billion in 2019/20 to an estimated $7.4 billion recently.

• This suggests the market may be beyond the revenue-maximising peak. The high tax has catalysed a massive shift toward the illicit market.

The situation is compounded by vaping regulations. Australia's prescription model for nicotine vapes has unintentionally created a parallel, entirely illicit vape market, readily available in convenience stores.

The economic incentive for criminal suppliers is overwhelming. The profit margin created by high excise and prohibition is irresistible.

The AML Conundrum: From Illicit Trade to Money Laundering

The link between high-tax illicit markets and money laundering is historical and profound. Australia faces a modern Prohibition-era challenge:

• The illicit tobacco trade is estimated to be worth $4 billion annually.

• Illicit cigarettes may account for one in every five sold.

This generates enormous cash that must be laundered. A primary method, identified by authorities, involves convenience stores with private ATMs. Criminals use illicit cash to "fill" these ATMs; customer withdrawals then dispense "dirty" cash while generating a "clean" electronic transaction record.

The trade has also sparked a rise in violence, including firebombings and armed robberies, stretching law enforcement.

The Small Business Squeeze: A Catalyst for Complicity

To understand the trade's proliferation, consider the position of small retailers. Their traditional model is under severe pressure, with minimal margins on legitimate tobacco. Faced with rising costs, selling illicit products can become a matter of economic survival. The high margins drive a vicious cycle, normalising illegality within the legitimate retail sector.

Policy Crossroads: Enforcement as a Chosen Path

Confronted with this crisis, states are pursuing aggressive enforcement. Queensland provides a recent and stark example.

In late November 2025, under new laws, Queensland Health Authorities and police raided retailers across the state, ordering immediate 90-day closures. The new powers allow for:

• On-the-spot business closures for up to three months.

• Criminal penalties for complicit landlords (fines up to $161,300 and jail time).

• Undercover operations within stores.

Health Minister Tim Nicholls called the laws “an absolute game changer,” designed to "cut off profits" and "remove the financial rewards" of the illegal industry. Industry groups supported the move, arguing the black market had "seen organised crime groups embed themselves in local retail strips."

Queensland’s policy decision is clear: intensified prohibition and stricter enforcement are the chosen mechanisms.

Conclusion: Balancing Acts and Future Challenges

The government faces a complex balance. The public health success is undeniable, but economic and criminal side effects are severe.

The situation illustrates a Laffer Curve dilemma: a policy can become so effective at suppressing a legal market that it stimulates a larger, uncontrolled illegal one. The 2026 expansion of Tranche 2 AML reforms to "gatekeeper" professions will help track the laundering of the proceeds from this illicit activity, but the primary response, as seen in Queensland, is shifting toward direct suppression.

The fundamental tension remains: finding an equilibrium that maintains public health gains without ceding vast market share to criminals. The experience of alcohol prohibition in the United States serves as a stark historical lesson. The ongoing challenge will be to see if enforcement can curb the criminal incentives that the current economic landscape has created.

Today (1/12/25) marks exactly 8 months until the Tranche 2 compliance deadline of July 1st, 2026. The clock is ticking!

For thousands of Australian accountants, lawyers, real estate agents, and jewellers, this date marks their formal entry into the nation’s anti-money laundering (AML) and counter-terrorism financing (CTF) regime.

In response to the understandable anxiety from these newly regulated Tranche 2 entities, AUSTRAC has promised a crucial resource: sector-specific guidance and AML/CTF Program Starter Kits. Designed to "help small, low-complexity businesses" develop their ML/TF risk assessments and AML/CTF programs, these kits are positioned as a cornerstone for a smooth transition into the AML/CTF framework.

However, a cloud of confusion hangs over this well-intentioned initiative. With the kits now delayed until the end of January 2026, a critical question remains unanswered: Who, exactly, are these "small, low-complexity businesses"?

A review of recent statements from various industry bodies reveals a worrying and ongoing lack of consensus, suggesting that many firms risk relying on a solution that may not be built for them.

The Promise: A Streamlined Path to AML/CTF Compliance

AUSTRAC’s official line positions the starter kits as a way to "streamline compliance processes" for a "significant number of businesses that are small and low complexity". The regulator emphasises cost savings, noting that the kits will help businesses avoid the high expense of developing their own programs from scratch. An impact analysis for the Attorney-General's Department estimates upfront costs of $4,460 for small businesses, a significant burden the kits aim to mitigate.

The promise is clear: a tailored, accessible, and affordable entry into a complex regulatory landscape for designated services.

The Problem: A Chronological Patchwork of Definitions for Tranche 2 Reporting Entities

The confusion about which reporting entities will qualify has unfolded over several months.

• 29 July 2025 - REIWA: The Real Estate Institute of Western Australia was an early voice, stating the kits will be "available for small businesses with 15 or fewer licensed agents or registered sales representatives." 

• 31 May 2025 - NSW Law Society: Striking a note of caution, The Law Society of New South Wales highlighted that “The Kit is expected to be available in late 2025, together with a definition of ‘small business’.” This admission was a red flag for many.

• 20 October 2025 - CPA Australia: Advocating for the smallest accounting firms, CPA Australia published a statement quoting a representative “urg[ing] AUSTRAC to finalise its Starter Program Kit for sole practitioners and micro firms as soon as possible.” 

• 23 October 2025 - Queensland Law Society: Just days later, the Queensland Law Society used a broader term, referring to the kits being for "small and medium legal practices." 

• 26 November 2025 - Law Society of Tasmania: Most recently, the Law Society of Tasmania echoed CPA Australia's focus, stating the kits will be "suitable for sole practitioners and low complexity legal practices."

This chronological patchwork of interpretations creates a dangerous ambiguity for many Tranche 2 entities who may be left in a regulatory no-man's-land.

The Hidden Gap: From AML Policy to Operational Reality

Even for businesses that correctly fall within the "small, low complexity" definition, a significant risk remains. The starter kits are designed to help businesses develop two key documents: an ML/TF Risk Assessment and an AML/CTF Program. However, writing a policy is only the first, and arguably the easiest, part of the compliance journey.

The real challenge—and where most businesses fall down—is operationalisation. A policy sitting in a drawer is useless to AUSTRAC. The regulator will expect to see your program in action

Creating the AML/CTF framework is half the battle; implementing it is the other, far more difficult half. Without clear guidance on these operational hurdles, a sole practitioner could be left with a compliant-looking policy but no practical way to execute it, leaving them just as exposed to regulatory action as having no program at all.

The Peril of "Wait and See" for Your AML Compliance

With this level of ongoing inconsistency and the significant operational gap, a "wait and see" approach is a high-risk strategy. Banking on the belief that a starter kit will solve all your Tranche 2 obligations in January 2026 is a gamble you cannot afford to take.

A generic starter kit, while helpful for documentation, cannot replace the foundational, bespoke work needed to build a living, breathing compliance culture grounded in a true risk-based approach.

The Path Forward: Secure Your AML/CTF Compliance Now

The July 2026 deadline is not as far away as it seems. The journey to AML/CTF compliance involves understanding obligations, conducting a risk assessment, drafting policies, and—most importantly—designing and implementing operational processes. The window for a smooth, cost-effective transition is closing rapidly.

Here is what you should be doing right now:

1. Conduct a Gap Analysis: Understand where your current processes stand against the upcoming AML/CTF regulations.

2. Map Your Workflows: Identify where CDD, client risk assessment, and ongoing monitoring will need to be embedded into your daily operations.

3. Use the Kits as a Benchmark, Not a Bible: When released, use the starter kits for documentation, but integrate them into the foundational work you've already started.

Stop Gambling with Your Compliance. Let's Build Your Defences Today.

The evolving guidance and operational gaps mean that relying solely on a starter kit is a dangerous game. The time for proactive preparation is now.

As an independent AML consultant specialising in the Tranche 2 reforms, I bridge the critical gap between policy and practice. I provide Tranche 2 entities with a clear, pragmatic path to full compliance that works for your specific business.

Don't wait for the deadline to become a crisis. Book your free, no-obligation AML Compliance Health Check today. We will review your current position, identify your biggest risks, and outline a clear roadmap to ensure you are operational and confident by July 2026.

Introduction

With Australia’s Tranche 2 AML/CTF reforms fast approaching, law firms, real estate agencies, and accounting practices are bracing for a new wave of anti-money laundering (AML) compliance obligations. At the core of these requirements are two critical processes: Client Due Diligence (CDD) and AML Risk Assessments (RAs). While AUSTRAC’s guidance makes these concepts sound straightforward, embedding them into day-to-day operations is anything but simple. Many Tranche 2 businesses assume AUSTRAC’s sector-specific guidance and starter kits will do the heavy lifting. The reality? Operationalising these reforms is your responsibility—not AUSTRAC’s.

This article explores why operationalising these requirements is challenging, common pitfalls, AUSTRAC expectations, and practical strategies for Tranche 2 businesses.

AUSTRAC Expectations Under Tranche 2

AUSTRAC requires businesses to adopt a risk-based approach (RBA). Key obligations include:

• Customer identification and verification before providing designated services.

• Assessing money laundering and terrorism financing (ML/TF) risk for clients and transactions.

• Applying proportionate controls such as enhanced due diligence (EDD) for high-risk clients.

• Conducting ongoing monitoring of clients/transactions and record-keeping for at least seven years.

For law firms, this means verifying clients and conducting CDD and client/matter Ras prior to recording time. For real estate agencies, it means conducting CDD and Ras on sellers before signing listing contracts and for buyers, prior to the transaction taking place. There are provisions for delayed initial due diligence for auctions. For accountants, it applies when managing client funds or forming companies.

Failure to comply can result in AUSTRAC penalties, reputational damage, and even criminal liability.

Why Operationalisation Is Harder Than It Looks

On paper, AML compliance seems procedural and like other compliance activities Tranche 2 businesses already conduct such as conducting checks on registered bidders in an auction context. In practice, it requires:

• Integration into existing workflows without disrupting client service.

• Technology and training investment for staff unfamiliar with AML compliance.

• Balancing regulatory rigor with commercial realities—especially in competitive markets.

Challenges in Implementing Client Due Diligence checks include:

1. Data Collection and Verification

• Real estate agents often deal with offshore buyers or complex trust structures, making beneficial ownership verification difficult.

• Law firms face similar hurdles when acting for corporate clients with layered ownership or international corporate entities.

• Accountants may struggle with clients using multiple entities for tax planning.

Manual checks against government registries, sanctions lists, and PEP screening are time-consuming but more often the most cos- effective and compliant method of UBO identification, verification and screening.

1. Balancing Compliance and Client Experience

• A property buyer expecting a quick settlement may resist lengthy AML checks.

• Law clients under time pressure for litigation or conveyancing may view compliance as a nuisance.

• Accountants risk losing clients if onboarding feels intrusive.

The challenge is educating clients on why these checks are mandatory without creating friction.

1. False Positives and Alert Fatigue

• Sanctions screening tools often flag common names or outdated data.

• Smaller firms lack dedicated compliance teams to triage alerts, leading to delays and frustration.

1. Keeping Pace with Regulatory Change

• AUSTRAC updates guidance regularly. For small practices, adapting policies and retraining staff is resource-intensive.

Challenges in AML Risk Assessments

Risk assessments underpin the entire AML framework, but common mistakes include:

• One-Size-Fits-All Ratings
  Treating all clients as low risk because they’re “local” ignores factors like occupation (e.g., politically exposed persons), business activities or source of wealth/funds.

• Overreliance on Automation
  Automated scoring can miss contextual red flags which may appear during a transaction.

• Insufficient Staff Training
  Without understanding risk indicators or ML/TF typologies, staff may treat assessments as a tick-box exercise.

Operational Pain Points

• Resource Constraints
  Many small law firms and agencies lack compliance officers, forcing admin staff to manage AML tasks alongside core duties.

• Data Silos
  Client data often sits in separate systems—CRM, accounting software, and email—making it hard to maintain a single risk profile.

• Technology Integration
  RegTech solutions promise efficiency but come with significant cost and complexity barriers for smaller firms.

Practical Tips for Tranche 2 Businesses

1. Adopt a Risk-Based Approach

• Focus on high-risk scenarios: offshore clients, complex structures, cash transactions.

• Apply enhanced due diligence (EDD) for these cases—such as deeper understanding of/verification of their source of funds or obtaining additional documentation.

2. Leverage Technology Wisely

• o Use ID verification platforms integrated with sanctions screening however opt for in person verification where possible to minimise onboarding cost and reduce risk.

• Automate low-risk checks in possible but keep human oversight for nuanced cases.

1. Embed Compliance in Client Onboarding

• For real estate agencies: include AML checks in pre-commencement workflows.

• For law firms: integrate CDD into matter opening procedures.

• For accountants: make AML checks part of engagement letters.

2. Continuous Training

• Train staff to spot AML red flags (e.g., unusual payment methods, reluctance to provide ID).

• Use AUSTRAC resources and industry webinars.

3. Client Education

• Explain AML obligations upfront in plain language.

• Provide FAQs or short guides to reduce resistance.

4. Regular Review

• Update risk assessments annually or when business models change.

• Monitor AUSTRAC updates and adjust policies accordingly.

Conclusion

Operationalising AML compliance, Client Due Diligence (CDD), and risk assessments is far more than a regulatory checkbox—it’s a cultural shift. For Tranche 2 businesses, success depends on embedding compliance into everyday workflows, leveraging existing systems and tools, and fostering a risk-aware culture from the top down. Those that embrace this approach will not only meet AUSTRAC’s expectations but also strengthen trust and resilience in an increasingly regulated environment.

Yet, many soon-to-be regulated businesses underestimate the operational realities of these reforms. The processes within a corporate law firm differ dramatically from those in a retail bank. Matter creation and transaction details are often gathered manually, and obtaining complete information can take far longer than expected. Unless those drafting CDD policies, procedures, and training materials fully understand how time-consuming it is to identify, verify, and screen beneficial ownership structures, significant delays in client onboarding and service delivery are inevitable.

Consider a typical corporate law firm scenario: a Partner or Practice Executive initiates a new business intake request with incomplete details about the client, matter parties, or transaction. Compliance teams must then chase down all relevant information to set up the matter correctly and complete onboarding. At this stage, they must also identify elevating risk factors—such as sanctions exposure, business activity, negative news, PEP status, or shareholder jurisdictions on grey lists—that may require escalation to senior management. These triggers are often identified manually because most legal practice management systems (LPMs) are not designed for AML risk events.

All of this occurs in a fast-paced environment where Partners are focused on billing targets, not compliance checks. The tension between speed and thoroughness is real—and unless addressed, it can undermine both compliance and client experience.

While many Tranche 2 entities concentrate on building an AML program framework, the true measure of its effectiveness lies in how well it can be operationalised. The goal is to meet AML obligations without impeding business activity—a balance that is notoriously difficult to achieve. Having worked within an AML function at a Big Six Australian law firm, I can attest to the complexity and effort required to make this work in practice.

If you want to ensure that your business  operationalises these reforms in a robust, efficient and cost-effective manner, book a no-obligation free 30-minute consultation to see how we can assist you making your AML/CTF Program work for you.

On 19 November 2025, AUSTRAC hosted its first Real Estate Town Hall, a landmark event for property professionals preparing for AML/CTF Tranche 2 reforms. These changes will bring real estate agents, property developers, and conveyancers under Australia’s anti-money laundering framework for the first time.

If you’re in real estate, this is not just a compliance update—it’s a major shift in how you do business. Here’s what was covered and what you need to do now.

AUSTRAC’s Role

AUSTRAC is Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regulator. Its mission is to:

• Detect, deter, and disrupt criminal abuse of the financial system.

• Collect and analyse financial intelligence to protect Australia from serious crime.

• Work with regulated businesses to ensure compliance and reduce risk.

For real estate professionals, AUSTRAC will now oversee your compliance obligations under Tranche 2 reforms.

National Risk Assessment & Real Estate

AUSTRAC’s National Risk Assessment identified real estate as a high-risk sector for money laundering and terrorism financing. Why?

• Large transaction values make property attractive for laundering illicit funds.

• Complex ownership structures and offshore buyers create opacity.

• Cash-heavy deals and informal arrangements increase vulnerability.

This risk profile is a key driver behind Tranche 2 reforms.

Reforms Passing Parliament

The AML/CTF Tranche 2 legislation passed in 2024, marking a significant milestone in Australia’s fight against financial crime.

• Effective Date: 1 July 2026

• Goal: Align Australia with global standards set by the Financial Action Task Force (FATF).

• Impact: Real estate agents, property developers, and conveyancers will become reporting entities under the AML/CTF Act.

Case Study from the Town Hall

AUSTRAC shared a real-world example:

• A criminal syndicate laundered 600,000 AUD via a Real Estate Trust Account. This included a 200,000 cash deposit to the buyers agent and 400,000 via domestic transfers to the Real Estate Trust account all referencing the same property.

• The lack of due diligence or reporting obligations from the Real Estate Business allowed the scheme to go undetected as the three financial institutions could not see the whole picture.

Lesson: Without robust AML controls, real estate businesses can be exploited for serious crime. Implementing Customer Due Diligence (CDD) and reporting mechanisms is critical to prevent Australia’s financial system from abuse.

Starter Kits & Sector Guidance

To support the industry, AUSTRAC will release in late January 2026:

• Starter Kits: Templates for AML/CTF programs, risk assessments, and reporting processes.

• Sector Guidance: Practical advice tailored to real estate businesses, including examples of suspicious indicators and compliance checklists.

These resources will help businesses meet obligations without starting from scratch.

AUSTRAC’s Regulatory Expectations

AUSTRAC expects real estate businesses to:

• Enrol as a reporting entity from 31 March 2026.

• Develop and implement an AML/CTF Program that addresses your specific risks.

• Conduct Customer Due Diligence before providing services.

• Submit Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs).

• Maintain records for at least seven years.

• Train staff to recognize red flags and understand compliance obligations.

Compliance Timeline

• 31 March 2026: Enrolment opens for newly regulated entities.

• 1 July 2026: Obligations commence.

Town Hall Q&A: Your Questions Answered

Here are some of the most common questions raised during the Town Hall:

Q: How can real estate agents achieve ongoing due diligence?

A: Ongoing due diligence applies when a customer returns after the initial transaction. It involves monitoring subsequent interactions and transactions.

Q: Can we outsource AML/CTF functions to a consultant?

A: Yes, you can engage AML consultants or outsource functions. However, your business remains responsible for compliance.

Q: Do we have to stop business if we submit an SMR?

A: No. You can continue providing services but must manage ML/TF risks appropriately.

Q: What does “enter into an arrangement” mean?

A: It refers to sharing CDD information with another party. You decide who performs screening, but ensure it meets your compliance requirements.

Q: What checks should we do if we don’t manage a trust account?

A: You still need to verify identity and conduct risk checks. Use screening services for PEPs and adverse media.

Q: Do micro businesses or buyers’ agents need to comply?

A: Yes. If you broker a sale or purchase, you are regulated—even if you don’t handle client funds.

Q: Will AUSTRAC provide a portal for sanctions checks?

A: No dedicated portal, but you can use the DAFT Consolidated list & AUSTRAC guidance on sanctions screening.

Why Act Now

Failure to comply can result in:

• Civil penalties

• Reputational damage

• Loss of trust from clients and regulators

Early preparation avoids penalties and ensures smooth compliance.

How AML Advisers Can Help

At AML Advisers, we specialise in helping real estate businesses navigate Tranche 2 reforms. Our services include:

• Custom AML/CTF Programs tailored to your risk profile.

• Staff training to meet AUSTRAC requirements.

• Ongoing compliance support so you stay ahead of regulatory changes.

Don’t wait until July 2026—start preparing now.

📞 Contact AML Advisers today for a free no-obligation consultation and ensure your business is ready for the Tranche 2 reforms.

For professionals in law, accounting, and real estate, the arrival of the Tranche 2 AML reforms may appear to be a sudden regulatory shift. In reality, these reforms represent the culmination of a deliberate, multi-decade process to fortify Australia's financial defences. Understanding the protracted history of Tranche 2 AML reforms in Australia is critical to appreciating both their necessity and the pressing urgency for compliance.

This analysis traces the long road of the Tranche 2 AML reforms, from the foundational AML/CTF Act 2006 to their recent passage into law, underscoring why DNFBPs Australia are now firmly in the regulatory spotlight.

The Global Context: From Drug Proceeds to Terrorist Funds

The modern fight against financial crime began with initiatives like the U.S. Bank Secrecy Act (1970), which established basic "know your customer" (KYC) principles. The global standard was cemented in 1989 with the formation of the Financial Action Task Force (FATF), whose 40 Recommendations provided the initial blueprint for national regimes focused primarily on the proceeds of drug trafficking and organised crime.

The Paradigm Shift: The War on Terror and the Formalisation of CFT

The terrorist attacks of September 11, 2001, fundamentally reshaped the global landscape. The focus dramatically expanded from tracking the proceeds of crime to actively disrupting the funding of terrorism.

• The U.S. PATRIOT Act (2001): This legislation dramatically amplified AML tools for counter-terrorism purposes, introducing Enhanced Due Diligence and mandating comprehensive Anti-Money Laundering Programs for a wider range of institutions.

• The FATF's Expanded Mandate: The FATF issued its Special Recommendations on Terrorist Financing, which were fully integrated into its core standards, formally rebranding the field as Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT).

• The EU's Rapid Alignment: The European Union moved swiftly to embed this new paradigm, explicitly incorporating CFT standards into its directives and cementing a holistic approach to financial crime.

This global shift is critical to understanding Australia's own framework. The very "C" in Australia's AML/CTF Act 2006 is a direct product of this post-9/11 consensus.

Expanding the Net: The Inevitable Inclusion of DNFBPs

A key evolution was the recognition that terrorists and criminals exploit the same professional channels. Following jurisdictions like the EU, the international consensus solidified: effective AML/CFT frameworks must cover Designated Non-Financial Businesses and Professions (DNFBPs).

Australia's Starting Point: The Incomplete Framework of 2006

Australia's modern framework began with the AML/CTF Act 2006. This legislation was a direct response to FATF standards but was implemented in two phases:

• Tranche 1 (2006): Regulated the traditional financial sector.

• Tranche 2 (Planned for the future): Was always intended to extend obligations to DNFBPs.

This two-stage approach left a strategic vulnerability in Australia's financial crime defences for nearly two decades.

The Catalyst for Change: The 2015 FATF Mutual Evaluation Report

The FATF Mutual Evaluation Report Australia in 2015 was unequivocal, identifying Australia’s failure to regulate DNFBPs as a "glaring weakness." This international censure framed the Tranche 2 AML reform delays as both a national security and economic reputation risk, making reform a matter of urgency.

From Consultation to Legislation: Scrutiny, Debate, and Final Passage

Momentum turned with the Statutory Review AML/CTF Act 2022, which provided a powerful, evidence-based case for closing the regulatory gap. This led to a definitive timeline:

• 2023-2024 Public Consultation: The government undertook two rounds of extensive consultation on the Tranche 2 AML reforms, engaging stakeholders across the legal, accounting, real estate, and civil society sectors.

• Parliamentary Scrutiny: The *Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024* was introduced on 11 September 2024. On 19 September 2024, the Senate referred the Bill to the Legal and Constitutional Affairs Legislation Committee for an inquiry and report by 13 November 2024.
  This process included a pivotal public hearing on 30 October 2024, which heard testimony from a wide range of stakeholders, including the Law Council of Australia, the Real Estate Institute of Queensland, CPA Australia, Transparency International Australia, the Australian Federal Police, AUSTRAC, and leading academics. This thorough scrutiny informed the Committee's final recommendations, which included technical amendments to the 'tipping off' offence and the treatment of barristers.

• Legislative Debate & Key Amendments: The subsequent parliamentary debate saw substantive amendments proposed, though not passed, which highlighted key sector concerns:

• Senator David Shoebridge proposed an amendment to address a perceived conflict between a lawyer's duty to the court and their new statutory obligations to report suspicious matters, seeking to protect legal professional privilege.

• Senator Jacqui Lambie proposed an amendment to exempt small businesses (those with fewer than 15 employees) from the regime, aiming to reduce the regulatory burden.
  The rejection of these amendments underscored Parliament's commitment to a comprehensive and consistent Tranche 2 AML reforms framework without creating high-risk exemptions.

• Legislative Passage: After this robust debate, the Bill passed Parliament on 29 November 2024 and received Royal Assent on 10 December 2024.

The Path Ahead: A Call to Action for Regulated Entities

The long-awaited Tranche 2 AML reforms are now law. The theoretical debate has ended, replaced by a concrete compliance imperative. The transition period has begun, and DNFBPs must now undertake a rigorous preparation process, developing risk-based programs, appointing compliance officers, and educating their staff.

For firms providing designated services, the preparation window is definitive. The history of Tranche 2 delays is over; the era of Tranche 2 compliance has begun.

Is your firm prepared for the most significant shift in Australian AML/CFT compliance since 2006? With the legislation now in effect, proactive compliance is not just advisable—it is mandatory. Contact AML Advisers today to book a free, confidential consultation to navigate your Tranche 2 AML reforms preparation.

Many businesses approaching the Tranche 2 reforms focus on one thing: writing the AML/CTF Program document. While this is a critical requirement, it's only the first step. The real challenge—and where many fail—is translating that document from a shelf-ready policy into an operationally embedded framework that is practical, pragmatic and cost-effective.

The "Knowing-Doing" Gap in AML Compliance

Your team might know the policy, but will they follow it when under pressure to close a property deal or onboard a key client? Common failure points include:

• Rushed Customer Due Diligence (CDD) & Risk Assessments: A sales agent, eager to secure a listing, collects minimal ID information, rushes through the client and transaction risk assessment without truly identifying the potential risk profile of client and transaction and doesn’t verify the client's source of funds.

• Ongoing Monitoring: A lawyer, focused on complex legal work, fails to spot a red flag in a trust account transaction because there's no clear process or reporting mechanism.

• Missed red risk flags or trigger events:  An employee fails to identify elevating risk factors associated with a client or transaction in their risk assessment due to a basic or non-existent risk rating methodology which does adequately capture the inherent risks of their customer base and services.

Bridging the Gap: From Document to Doing

1. Process Integration: Map your AML obligations directly onto your existing workflows.

   • For a real estate agent, this means CDD checks are a mandatory step before the listing agreement is signed.

   • For a lawyer, it means a client and matter risk assessment is built into the CRM or matter management system.

2. Leverage Technology If Possible: Many soon to be regulated Tranche 2 businesses will conduct mainly manual checks due to cost considerations. If resources allow, try and use technology for identity verification, PEPs and sanctions screening, and even basic transaction monitoring. This improves onboarding efficiency, reduces time, human error and your compliance burden.

3. Practical, Role-Based Training: Move beyond reading the policy. Train your front-line staff with real-world scenarios they will face. "What do you do if a client refuses to provide source of wealth information?" or "This is what a suspicious property transaction might look like."

4. Clear Accountability & Empowerment: Ensure every team member knows their role and is empowered to pause a transaction if compliance isn't met. This might mean a complete culture shift of the business which must come from the top.

How an AML Consultant Adds Value Here

An experienced consultant does more than write a policy. They help you:

• Conduct AML process design workshops to integrate controls seamlessly.

• Advise on cost-effective AML technology that fits your practice.

• Develop and deliver bespoke AML training that resonates with your staff.

Make your compliance program a living, breathing part of your business. Book a no-obligation free 30-minute consultation to see how we can assist you making your AML/CTF Program work for you.

A High-Risk Sector Under the Spotlight

The Australian real estate market is not just a pillar of the economy; it is a prime target for financial crime. The 2024 Australian National Risk Assessment (NRA) explicitly categorises the domestic real estate sector as a "very high" money laundering risk, with real estate agents themselves posing a "medium" risk.

With the impending Tranche 2 AML reforms, your profession will soon be regulated by AUSTRAC under the AML/CTF Act. This means a legal obligation to understand and mitigate these risks. Your frontline role is critical. Being able to identify key red flags for money laundering is your agency's first and most important line of defence.

The 5 Critical Red Flags Every Real Estate Professional Must Know

1. The Secretive or Rushed Buyer

Criminals often priorities speed and anonymity over the normal considerations of a property purchase.

• What to Look For:

• A buyer disinterested in property features, price negotiation, or building inspections.

• A remote buyer who doesn’t inspect the property.

• An insistence on an abnormally fast settlement, often facilitated by all-cash offers or single-source wire transfers from an unrelated third party.

• Reluctance to meet in person and a preference for opaque, digital-only communication.

• Use of a Power of Attorney or an intermediary with no clear, legitimate connection to the transaction.

• Attempts to avoid or rush through standard Know Your Customer (KYC) or presenting documents that appear altered or forged.

2. Complex or Opaque Corporate Structures

Legitimate ownership is often hidden behind a web of entities to conceal the Ultimate Beneficial Owner (UBO).

• What to Look For:

• The purchasing entity is a shell company, a complex trust, or a series of interlinked companies registered in known offshore havens.

• The representative you deal with is evasive or unable to clearly explain the ownership structure.

• A refusal to provide essential documents like Trust Deeds, company structure charts, or shareholder registers.

• Use of nominees or third-party representatives who seem to be acting on instructions from an undisclosed principal, deliberately distancing the true owner from the transaction.

3. Unusual or Suspicious Payment Methods

The method of payment is a major tell-tale sign of layering—a stage in money laundering designed to obscure the origin of funds.

• What to Look For:

• Payments from a third party (e.g., a friend, relative, or unrelated company) without a legitimate commercial or personal explanation.

• A buyer who pays using a method inconsistent with their profile (e.g., large amounts of cash from a supposedly salaried employee).

• A buyer who deposits cash into your trust account, then pulls out of the deal and requests a refund via a different method (e.g., a cheque to a different name).

• Offering to pay significantly higher fees or a premium price to incentivise the agent to overlook procedures.

• Insisting on settlement in a foreign currency without any logical connection to the buyer or the transaction.

4. Illogical or Commercially Irrational Transactions

Money laundering is not about sound investment; it's about placing illicit funds into the legal economy, often in ways that defy logic.

• What to Look For:

• A buyer who agrees to pay significantly above the market value with no clear rational or logic as to why.

• Rapid "flipping" of properties—buying and selling in quick succession with a sharp, unexplained increase in value.

• Frequent and significant changes to transaction instructions without reasonable justification.

• Instructions to direct sale proceeds to an unrelated third party, rather than the seller.

• A pattern of rapid, consecutive property transactions ("back-to-back settlements") that seem to have no clear financial or logical driver.

5. Inconsistent Source of Wealth or Funds (SOW/SOF)

This is the cornerstone of detection. The story doesn't add up.

• What to Look For:

• A clear mismatch between the buyer's stated occupation (e.g., student, low-income worker) and their ability to purchase a multi-million dollar property.

• An inability or unwillingness to explain the Source of Funds (SOF) or Source of Wealth (SOW), or providing documentation that is vague, contradictory, or suspected to be forged.

• The use of complex loan arrangements or deposits from unusual or unverifiable sources.

• A buyer who becomes nervous, agitated, or defensive when asked standard Customer Due Diligence (CDD) questions.

• Funding substantial property renovations with no visible legitimate source of income or financing.

From Detection to Action: Your Compliance Protocol

Identifying a red flag is only the beginning. As a regulated entity, you must have a clear, actionable response plan.

Step 1: Document Meticulously
Keep a detailed, contemporaneous record of all interactions, communications, and the specific factors that raised your suspicion. This audit trail is crucial for both internal review and, if needed, for AUSTRAC.

Step 2: Conduct Enhanced Due Diligence (EDD)
A red flag triggers an obligation to dig deeper. This is not about accusation; it's about verification. EDD measures include:

• Requesting additional, verified documentation on the Source of Funds.

• Seeking senior management approval to proceed with the client relationship/ transaction.

• Conducting deeper background checks on the beneficial owners.

Step 3: Escalate Internally
Immediately report your concerns to your designated AML Compliance Officer (AMLCO) and Senior Manager. A robust internal reporting culture is vital for an effective AML/CTF program.

Step 4: Submit a Suspicious Matter Report (SMR)
If, after conducting EDD, your suspicions remain, your business has a legal obligation to submit an SMR to AUSTRAC. This must be done within 3 business days of forming a suspicion. It is a criminal offence to "tip off" the client that you have filed an SMR.

Don't Navigate This New Landscape Alone

The transition to becoming a regulated AUSTRAC reporting entity is complex. Recognising red flags is one thing; having the frameworks, risk rating methodology, training, and confidence to act on them is another.

AML Advisers specialises in providing end-to-end AML compliance solutions for the real estate sector. We help you:

• Develop a bespoke AML/CTF Program tailored to your agency's specific risks.

• Train your frontline staff to confidently identify and respond to these red flags.

• Establish clear procedures for Enhanced Due Diligence and SMR reporting.

• Provide ongoing support to ensure you meet your regulatory obligations.

Protect your business, your reputation, and the integrity of the financial system.

Book a free, no-obligation confidential consultation with AML Advisers to see how we can assist you on your Tranche 2 Journey.

A Regulatory Earthquake in Australia

The impending Tranche 2 AML reforms represent the most significant shift in Australia’s financial crime landscape in decades. Set to take effect from July 2026, these changes will expand the Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF Act) to include Designated Non-Financial Businesses and Professions (DNFBPs).

This means for the first time, the following professions will become AUSTRAC reporting entities:

• Real Estate Agents, Buyers' Agents, and Developers

• Dealers in Precious Stones and Metals

• Lawyers and Legal Practitioners

• Conveyancers

• Accountants

• Trust and Company Service Providers

With over 80,000 new businesses entering the regime, Australia is closing a critical gap identified by the global Financial Action Task Force (FATF). While this brings us in line with international standards (like the EU's reforms from over 20 years ago), it creates an unprecedented demand for AML/CTF compliance expertise.

The Compliance Divide: The "Haves" vs. "Have-Nots"

The surge of new entrants will create a stark divide between those with existing AML knowledge and those starting from scratch.

The "Haves" – Businesses with a Head Start:

• Multinational Firms: Companies already operating under UK, EU, or other robust AML regimes can adapt existing frameworks for the Australian context.

• Financial Services Adjacents: Accountancy firms with financial planning divisions can leverage in-house experience with existing AML/CTF obligations.

• Professionals with Audit Experience: Law firms that have conducted independent AML audits for Tranche 1 entities possess valuable skills in interpreting legislation and drafting policy.

• Large Franchises: Real estate franchises can centralise resources, developing group-wide compliance programs and leveraging their scale for technology solutions.

The "Have-Nots" – The Challenge for Independent Businesses:
For the vast majority of small to medium-sized law firms, independent real estate agencies, and accounting practices, the path is far steeper. These businesses are "starting from scratch," facing three core challenges:

1. The Expertise Scarcity & Cost Crisis: The demand for skilled AML Compliance Officers (AMLCOs) is exploding. Salaries for AML analysts are already surpassing $100,000, with experienced AMLCOs commanding packages well over $200,000—a prohibitive cost for many SMEs.

2. The Operational Learning Curve: Even hiring an AML professional from a bank doesn't guarantee success. They must first understand the nuances of your specific business, services, and client base before they can even begin drafting a compliant AML/CTF Risk Assessment.

3. The "Bespoke" Mandate from AUSTRAC: Regulators have been clear: generic, template-based compliance programs are unacceptable. Your AML/CTF Program must be tailored to your business's unique risk profile, with controls proportionate to those risks. While sector-specific guidance is coming, interpreting and implementing it operationally is a complex, high-stakes task.

The Strategic Solution: Engaging an AML Consultant

For businesses facing these hurdles, an AML consultant is not an expense; it's a strategic investment in compliance, risk management, and operational continuity. Here’s how they deliver value:

1. Access Deep Regulatory Expertise & Best Practices
An AML consultant provides immediate access to specialised knowledge of the Tranche 2 reforms and the AML/CTF Act. They bring proven AML compliance frameworks from other sectors, helping you implement effective, rather than just minimal, standards.

2. Achieve Significant Cost Efficiency & ROI
Hiring a consultant is a cost-effective compliance solution. You avoid the high salary and overhead of a full-time AMLCO, engaging expert help on a flexible, project basis. Most importantly, their work provides a direct return on investment by mitigating regulatory fines and reputational damage that can cripple a business.

3. Develop a Truly Bespoke and Effective Compliance Program
Leveraging their experience, consultants conduct a thorough AML gap analysis and work with you to build a customised AML/CTF Program. They ensure your Customer Due Diligence (CDD) and ongoing customer monitoring processes are seamlessly integrated into your daily operations and leverage your existing systems, processes and tools to make your compliance burden cost-effective.

4. Enhance Operational Efficiency
Beyond policy, consultants optimise AML processes to reduce friction. They provide guidance on AML technology solutions, helping you select and implement the right tools for client onboarding, transaction monitoring, and reporting.

5. Empower Your Team and Assure Your Board
A key benefit is AML training and knowledge transfer. Consultants upskill your staff, from front-line employees to senior management, building long-term internal capacity. Furthermore, engaging a reputable expert demonstrates regulatory diligence to AUSTRAC and provides your board with confidence in your risk management strategy.

Who Needs an AML Consultant Most?

An AML consultant is particularly vital for:

• Small to Medium-Sized Enterprises (SMEs) in law, real estate, and accounting who lack in-house compliance resources.

• Businesses for whom generic "starter kits" will be insufficient due to their complexity, size, or specific risk profile.

• Growing firms that need to build a scalable, compliant framework from the ground up.

• Any organisation seeking an independent, expert assessment of their readiness for the July 2026 deadline.

Don't Navigate Tranche 2 Alone

The Tranche 2 AML reforms are a compliance imperative. While the challenge is significant, you don't have to face it alone. An experienced AML consultant provides the strategic guidance, deep expertise, and practical support to not only achieve compliance but to strengthen your firm's overall resilience against financial crime.

Prepare for the future of compliance. Book a no-obligation free 30-minute consultation with AML Advisers for a confidential assessment of your Tranche 2 readiness.