On 1 July 2026, Australia’s AML/CTF Tranche 2 came into effect as the Anti Money Laundering / Counter-Terrorism Financing Act widened its net. Estate agents, lawyers and conveyancers, accountants, trust and company service providers, and dealers in precious metals and stones are now ‘reporting entities’ under AUSTRAC. If that’s you, you’re not alone, and you’re not too late. But you do need to move.

I’ve spent the past few weeks talking to sales and ops leaders across legal, accounting and real estate who are asking the same questions: What do we need to have in place, and how fast can we get it there? This post is my straight answer.

Key takeaways

  • From 1 July 2026, AML/CTF Tranche 2 entities (real estate, legal, accounting, conveyancing, trust and company services, precious metals and stones) must enrol with AUSTRAC and run customer due diligence.
  • Estimates of how many businesses this brings into scope for the first time range from roughly 80,000 to over 100,000, depending on the source. Either way, it’s a lot of small and mid-sized firms with no compliance infrastructure yet.
  • The Privacy Act now applies to these entities too, and the Office of the Australian Information Commissioner (OAIC) has been explicit: don’t hoard ID documents; collect only what you need.
  • Verified, up to date business data is now a compliance input, not just a sales tool. That’s where we come in.

What actually changed on 1 July

Tranche 2 of the AML/CTF reforms took effect on 1 July 2026. If you’re a lawyer, conveyancer, accountant, estate agent, property developer, trust or company service provider, or precious metals and stones dealer, you’re now a reporting entity. That means:

  • Enrolling with AUSTRAC
  • Running customer due diligence (know your customer, or KYC) on new and existing clients
  • Screening for sanctions and politically exposed persons (PEPs)
  • Filing suspicious matter reports and threshold transaction reports when required
  • Meeting Privacy Act obligations on top of all of the above. Most affected firms have never had to think about the Privacy Act before

The OAIC updated its guidance for reporting entities around this change, and the message from Privacy Commissioner Carly Kind was blunt. Businesses should collect only what’s reasonably necessary, and full copies of ID documents shouldn’t be retained once they’ve served their purpose. Plenty of firms are still working out what that means for how they store client files today.

Why the urgency is real, not sales spin

Here’s the thing. A law firm or an estate agency that’s never had an AML/CTF obligation until now doesn’t have a KYC stack. It doesn’t have a due diligence workflow. It doesn’t have a way to verify who it’s actually dealing with beyond a driver’s licence photocopied into a folder somewhere.

These firms are building this infrastructure right now, this month, this quarter. Some will have started already. It seems to me that most haven’t. And every one of them needs a reliable way to answer simple questions before they take on a client: who is this business, who owns it, and is it who it says it is?

That’s not a nice to have. It’s the whole point of the legislation.

Where Firmable fits with AML/CTF Tranche 2

We’re not an AML/CTF compliance platform, and we’re not trying to be. What we are is the enrichment layer that makes KYC (Know Your Customer) and CDD (Customer Due Diligence) workflows actually work with current, verified business data.

If you’re building or buying a compliance stack right now, here’s what you need underneath it:

  • Verified entity data, ABN, ACN, registered address, and structure, so you’re not relying on what a client tells you
  • Ownership and directorship visibility, so you can identify who’s actually behind the business you’re onboarding
  • Ongoing monitoring, because a client’s risk profile the day you onboard them isn’t the same a year later
  • Data that updates, not a one-time check that goes stale the moment circumstances change

For law firms, accounting practices and estate agencies building this out for the first time, that’s a genuine gap. Most are looking at manual checks, spreadsheets, or bolting together tools that weren’t built for this. We can plug straight into that workflow with data that’s already accurate and already there.

And for compliance vendors targeting the 80,000 SMBs that are now racing to meet the requirements of the Act, we have by far the best data set on who they are.

What I’d do if I were you

If you’re in legal, accounting, real estate, conveyancing or trust and company services, and you’re still figuring out your CDD process, don’t wait for an audit to force the conversation. Talk to your team about what tool or processes you’re using today to verify who you’re dealing with, and whether it holds up. There are vendors that can help you understand what a compliance-ready data layer looks like for your workflow, and how quickly it can be put it in place.

And if you’re an AML/CTF compliance vendor, get in touch. My team can walk you through how our AI-native Australian B2B dataset can help you identify the 80,000 businesses that need to meet the new compliance requirements. No lengthy pitch, just a straight conversation about what you need and whether we’re the right fit.

FAQs about AML /CTF Tranche 2

Who exactly is a AML/CTF Tranche 2 entity?

Real estate agents and property developers, dealers in precious metals and precious stones, and professional service providers including lawyers, conveyancers, accountants, and trust and company service providers.

Do I need to comply with AML/CTF Tranche 2 if my firm is small?

Yes. The obligations apply regardless of annual turnover. Size doesn’t exempt you. Read More.

What’s the difference between AML/CTF obligations and Privacy Act obligations?

AML/CTF obligations (enrolment, due diligence, reporting) sit with AUSTRAC. Privacy Act obligations govern how you collect, store and dispose of the personal information you gather while meeting those AML/CTF obligations. Tranche 2 entities now need to satisfy both.

Can I still keep copies of client ID documents on file?

The OAIC’s updated guidance says no, not as standard practice. Copies of full ID documents aren’t required under the AML/CTF regime, and holding onto them creates unnecessary privacy risk. Collect what you need to verify identity, then don’t retain more than that.

How can Firmable help right now?

We provide verified, current business and ownership data that plugs into your customer due diligence process, whether you’re building a new KYC workflow from scratch or replacing manual checks. Reach out to my team and we’ll show you what that looks like for your business.

5-star

“We used Firmable to download every single person in our ICP, score them, and save a very high-quality list. We loaded that list into our dialler and call connects shot up – they more than doubled within the first couple of weeks.”

Madeleine Cooper
Marketing, Operations & GTM at Cotiss
Madeline Cooper
5-star

“Business development is one of the toughest parts of recruitment. We needed a way to segment the market, build contact lists and reach the right people before anyone else.”

Conor Lydon
Director, Cure Recruitment
Conor Lyden testimonial
5-star

“We’re not focused on pushing product. Our goal is to educate buyers and help them run their businesses more effectively. Firmable provides the data foundation that supports this approach.”

Matthew Evlampieff
Head of Sales, Solutions Plus
Matthew Evlampieff Testimonial

Your shorcut to smarter sales

Firmable handles the grunt work – filtering data, surfacing signals, and revealing ready-to-buy accounts – so your team can focus on closing.