1. When do I need to be compliant, and what are the key deadlines?
Full compliance obligations commence on 1 July 2026. However, there are important milestone dates before then:
January 2026: Finalization of Tranche 2 specific guidance with AML/CTF starter packages released.
31 March 2026: Enrolment with AUSTRAC opens
Why start now? The greatest operational burden comes when client cooperation is required to capture customer information. Collecting this information progressively over the next 6 months is far less burdensome than attempting to implement changes closer to the compliance date. Starting early allows for proactive compliance, gradual team training, risk identification, and avoids rushed costs.
2. Does my business need to comply? How do I know if I'm a reporting entity?
You're a reporting entity if you provide designated services under the AML/CTF Act. Tranche 2 specifically includes:
Lawyers and legal practitioners - When buying/selling real estate, managing client money, managing accounts, organizing company formations, or creating/managing legal entities
Conveyancers - When conducting real estate settlement services
Accountants - When preparing transactions for real estate/business sales, managing client money or accounts, or organizing contributions for legal entities
Real estate agents - When facilitating real property transactions
Trust and Company Service Providers - When forming companies, acting as directors/trustees, providing registered offices, or acting as nominee shareholders
Dealers in precious stones and metals - When facilitating high-value transactions
The designation applies only when providing these specific services, not based on your business size or structure.
Check your status: Check if you'll be regulated | AUSTRAC
3. What are the penalties for non-compliance?
Non-compliance carries severe consequences:
Civil penalties: The maximum civil penalty for a company for each contravention is $21 million
Criminal prosecution: Certain breaches (intentional violations, providing false information) can result in imprisonment and significant fines
Enforceable undertakings: AUSTRAC may require remedial actions, compliance reviews, or enhanced reporting
Reputational damage: Public disclosure of compliance failures can severely damage professional reputation, client trust, and business viability
Operational disruption: Regulatory investigations consume significant management time and resources
Professional implications: Breaches may affect professional registration or licensing
Civil liability: Potential claims from clients or third parties who suffer losses
Beyond penalties, non-compliance exposes your business to exploitation by criminals, potentially making you complicit in serious crimes.
More information: Consequences of not complying | AUSTRAC
4. What is an AML/CTF Program and what must it contain?
An AML/CTF Program is a formal framework of policies, procedures, and controls outlining how your business identifies, manages, and mitigates money laundering and terrorism financing risks. It consists of Risk Management and Controls and Customer Identification/Verification
Risk Management and Controls
Risk assessment based on customers, services, channels, and geography
Board/senior management oversight and approval
AML/CTF Compliance Officer (AMLCO) appointment
Employee due diligence and screening procedures
Transaction monitoring systems
Reporting procedures for AUSTRAC
AUSTRAC feedback response procedures
Staff training and awareness programs
Record keeping (7-year minimum retention)
Internal controls and governance structure
Independent audit arrangements
Customer Identification and Verification
Customer Due Diligence (CDD) procedures
Enhanced Due Diligence (EDD) for high-risk customers
Beneficial ownership identification
Verification methods and acceptable documents
Timing requirements for identification
Ongoing due diligence and periodic reviews
Key principle: Your program must reflect your actual operations, not a generic template. Consider operational feasibility, technology integration, customer experience, resource allocation, and sector-specific requirements.
5. What is Customer Due Diligence (CDD) and how do I implement it?
Customer Due Diligence (CDD) is the cornerstone of AML/CTF compliance—the process of identifying and verifying your customer's identity and understanding your business relationship.
Standard CDD involves:
Collecting Information
Full name, date of birth, address
Government-issued identification documents (passport, driver's license)
Verifying Information
Confirm accuracy through reliable, independent sources
Check document authenticity and expiration dates
Australian passports expired within 2 years are acceptable
Beneficial Ownership Identification (for corporate customers)
Directors and company secretaries
Shareholders/partners with >25% ownership
Trust beneficiaries, settlors, appointers, guardians, protectors
Understanding complex ownership structures
Document Checks
Ensure identification documents haven't expired
Implement risk-based procedures for discrepancies (suspected forgery, identity mismatches)
Enhanced Customer Due Diligence (ECDD) applies heightened scrutiny for:
Foreign Politically Exposed Persons (PEPs)
High-risk customers per your risk assessment
Customers from high-risk jurisdictions
Complex ownership structures
TIP: Start building your Customer Due Diligence register now. Collecting information over the next 6 months reduces operational burden compared to rushing near the deadline.
6. Who is an AML/CTF Compliance Officer and what are their responsibilities?
An AML/CTF Compliance Officer (AMLCO) is the designated person responsible for managing your business's AML/CTF compliance.
Requirements:
Must be a "fit and proper person"
Need not be an employee (can be external consultant)
Cannot be domiciled outside Australia
Key Responsibilities:
Acting as primary contact for AUSTRAC
Providing day-to-day oversight of AML/CTF policy and procedures
Ensuring reports are submitted to AUSTRAC (SMRs, TTRs, etc.)
Coordinating staff training programs
Conducting and updating risk assessments
Reporting to the board/committee and senior management
Addressing AUSTRAC feedback and guidance
Managing record keeping and customer due diligence registers
For Tranche 2 entities, this is typically a senior partner, director, or dedicated compliance professional with appropriate authority and expertise.
Important: While you can outsource many operational tasks, you cannot outsource the AMLCO appointment—this person must be within your organization and accountable to your business.
7. What reports must I submit to AUSTRAC?
Reporting entities have several key reporting obligations:
Suspicious Matter Reports (SMRs)
What: Any transaction/activity raising suspicion of money laundering, terrorism financing, or serious crime
When: Within 24 hours (terrorism financing) or 3 business days (other suspicions)
Warning: Do NOT seek further information that would "tip off" the customer
Threshold Transaction Reports (TTRs)
What: Transactions involving physical currency (cash) of AUD $10,000+ or foreign equivalent
When: Within 10 business days after transaction
Note: Most Tranche 2 entities have limited cash exposure and minimal TTR obligations
International Funds Transfer Instructions (IFTIs)
What: Instructions for transferring funds into/out of Australia (any amount)
When: Within 10 business days
Note: Limited applicability for most Tranche 2 entities
AUSTRAC Compliance Reports
What: Periodic reporting on how your entity meets AML/CTF obligations
When: As required by AUSTRAC (typically annually)
Cross-Border Movement (CBM) Reports
What: Movement of physical currency AUD $10,000+ into/out of Australia
When: Before sending/carrying cash out, or within 5 business days of receiving from overseas
Note: Limited applicability for most Tranche 2 entities
For most professional service providers, SMRs and Compliance Reports will be the primary obligations.
More information: Reporting | AUSTRAC
8. What can I outsource and what must remain in-house?
You CAN outsource:
✅ Customer identification and verification (identity verification platforms like VerifiMe)
✅ Sanctions and PEP screening services
✅ Transaction monitoring software/services
✅ Report preparation and lodgment assistance
✅ Employee training programs and e-learning
✅ Independent audits and testing
You CANNOT outsource:
❌ Overall accountability - Your business remains ultimately responsible for compliance
❌ Compliance Officer appointment - The AMLCO must be within your organization ❌ Board/senior management adoption - Your leadership must approve the AML/CTF Program
❌ Ultimate responsibility - You remain responsible for ensuring outsourced services meet regulatory requirements
When outsourcing, ensure:
Appropriate contractual arrangements with providers
Oversight mechanisms and performance monitoring
Regular reviews of provider performance
Clear documentation of responsibilities
Service level agreements that meet regulatory timelines
How VerifiMe helps: VerifiMe handles customer identification, verification, PEP screening, sanctions checking, and digital record keeping—allowing you to focus on your core business while maintaining compliant processes.
9. Why is starting early so important? What are the risks of delaying?
Benefits of Starting Early:
Proactive Compliance
Ensures your organization is well-prepared by the regulatory deadline
Reduces risk of last-minute non-compliance issues
Risk Mitigation
Identifies and addresses potential risks sooner
Allows time to resolve gaps in your AML/CTF program before they become critical
Operational Efficiency
Gradual implementation allows your team to become familiar with procedures
Leads to more efficient and accurate data management
Reduces disruption to client service
Cost Savings
Avoids increased costs associated with rushing the process
Prevents need for additional resources or expedited services near the deadline
Building Trust
Demonstrates commitment to compliance
Enhances reputation with regulators, customers, and partners
10. How does VerifiMe help me comply, and what do I still need to do myself?
What VerifiMe Provides:
a) Customer Identification & Verification
✅ Automated verification for individuals, companies, trusts, and associations
✅ Beneficial ownership identification for complex structures
✅ Real-time verification against government databases and trusted sources
✅ Document verification and secure storage
✅ Acceptable document checking and expiry validation
b) Compliance Support
✅ Risk assessment scoring tools for customer classification
✅ Seven-year digital record keeping with comprehensive audit trails
✅ PEP (Politically Exposed Persons) screening
✅ Sanctions list checking against current DFAT lists
✅ Ongoing monitoring capabilities for periodic reviews
✅ Evidence documentation for compliance reporting
✅ Progressive data collection—start capturing information now
What You Still Need to Develop:
❌ Your organization's specific risk assessment
❌ Governance structures and board oversight arrangements
❌ Employee training programs tailored to your business
❌ Transaction monitoring procedures appropriate to your services
❌ Internal reporting and escalation processes
❌ Suspicious matter detection and reporting procedures
❌ AUSTRAC enrollment and compliance reporting
❌ Independent review arrangements
The VerifiMe Advantage:
Unlike basic identity verification tools, VerifiMe is specifically designed for
Australian AML/CTF compliance requirements:
Built around AUSTRAC's customer due diligence framework
Supports the complexity of Australian business structures (trusts, companies, partnerships)
Maintains the specific records required for AUSTRAC compliance
Enables you to start collecting data now, before the compliance deadline
Provides ongoing compliance support as regulations evolve
Seamless integration with your existing business processes
Getting Complete Support:
While VerifiMe handles the technical aspects of customer identification and verification, we can refer you to experienced AML/CTF consultants who specialize in Tranche 2 compliance to help with risk assessments, program drafting, governance structures, training materials, and monitoring procedures.
Contact us:
Email: [email protected]
Web: www.verifime.com
Disclaimer: This document provides general information and is not legal advice. Regulatory requirements are subject to change. Consult legal advisors and refer to official AUSTRAC guidance when developing your compliance framework.
For current information, visit: www.austrac.gov.au