AUSTRAC requirements: the Tranche 2 compliance checklist
If your business became a reporting entity under Tranche 2 on 1 July 2026, here is what AUSTRAC actually requires, as a checklist. None of it is optional once you provide a designated service — but most of it is more manageable than the penalty headlines suggest, and a genuinely small business can meet much of it with AUSTRAC's free starter kit.
This is general information, not legal advice; work the marginal calls from AUSTRAC's own guidance and, where needed, specific advice.
The checklist, in order
- Enrol with AUSTRAC. A business-profile form through AUSTRAC Online — not an approval process. Deadline: the later of 29 July 2026 or 28 days after your first designated service. Enrol, not 'register'.
- Appoint and notify a compliance officer. A fit-and-proper, management-level person (the owner can hold the role); notify AUSTRAC within the required window. Detail in the compliance officer guide.
- Do an ML/TF risk assessment. Assess how your business could be misused for money laundering or terrorism financing, across your customers, services, delivery and geography.
- Build an AML/CTF program. The written policies and procedures that manage those risks — the documents AUSTRAC's starter kit begins.
- Run customer due diligence (CDD). Identify and verify your customers before or as you provide the service (see the next section).
- Monitor and report. Ongoing monitoring, plus suspicious matter reports (SMRs) and threshold transaction reports (TTRs where they apply).
- Keep records. Auditable records of identity, decisions and reports, retained for the required period (commonly seven years).
- Train your staff. Relevant staff must understand their AML/CTF obligations — and you must be able to show it happened.
- Review it. Keep the program current and have it independently evaluated over time.
Customer ID requirements (CDD), in plain terms
The part people search for as 'AUSTRAC ID requirements' is customer due diligence. Before or when you provide a designated service, you generally must collect and verify your customer's identity from reliable and independent sources. For an individual that means details like full name and date of birth, verified against trusted data or documents; for a company or trust it extends to the entity's details and its beneficial owners — the people who ultimately own or control it. Higher-risk situations call for enhanced checks; simpler ones may allow a lighter touch. This is the obligation most AML software automates, and the one AUSTRAC's guidance is most specific about — verify the detail for your sector against AUSTRAC's own pages.
What you don't have to do
Just as important as the list is what's not on it. There's no minimum-revenue trigger to worry about — but equally, routine work that isn't a designated service doesn't drag you in: tax returns and BAS lodgement, incidental bookkeeping, and (for property) property management and leases of 30 years or less generally sit outside the regime. You don't need enterprise reporting software if your files never generate reportable events, and you don't need to gold-plate a low-risk practice. The regime is risk-based; your response can be too. Our designated services guide sorts what's in from what's out.
Meeting it without over-spending
For a small, low-complexity business, AUSTRAC's free starter kit covers the foundational program documents, and you can add pay-per-use verification only as you need it. Larger or more complex firms will want a platform that carries CDD, monitoring, records and reporting together — compared, with verified pricing, across our reviews. The Government's own estimate put average ongoing compliance cost at about $23,250 a year including staff time — useful context before a vendor quotes against your fear rather than your facts.