On 1 July 2026, Australia’s AML/CTF Tranche 2 came into effect as the Anti Money Laundering / Counter-Terrorism Financing Act widened its net. Estate agents, lawyers and conveyancers, accountants, trust and company service providers, and dealers in precious metals and stones are now ‘reporting entities’ under AUSTRAC. If that’s you, you’re not alone, and you’re not too late. But you do need to move.
I’ve spent the past few weeks talking to sales and ops leaders across legal, accounting and real estate who are asking the same questions: What do we need to have in place, and how fast can we get it there? This post is my straight answer.
Key takeaways
- From 1 July 2026, AML/CTF Tranche 2 entities (real estate, legal, accounting, conveyancing, trust and company services, precious metals and stones) must enrol with AUSTRAC and run customer due diligence.
- Estimates of how many businesses this brings into scope for the first time range from roughly 80,000 to over 100,000, depending on the source. Either way, it’s a lot of small and mid-sized firms with no compliance infrastructure yet.
- The Privacy Act now applies to these entities too, and the Office of the Australian Information Commissioner (OAIC) has been explicit: don’t hoard ID documents; collect only what you need.
- Verified, up to date business data is now a compliance input, not just a sales tool. That’s where we come in.
What actually changed on 1 July
Tranche 2 of the AML/CTF reforms took effect on 1 July 2026. If you’re a lawyer, conveyancer, accountant, estate agent, property developer, trust or company service provider, or precious metals and stones dealer, you’re now a reporting entity. That means:
- Enrolling with AUSTRAC
- Running customer due diligence (know your customer, or KYC) on new and existing clients
- Screening for sanctions and politically exposed persons (PEPs)
- Filing suspicious matter reports and threshold transaction reports when required
- Meeting Privacy Act obligations on top of all of the above. Most affected firms have never had to think about the Privacy Act before
The OAIC updated its guidance for reporting entities around this change, and the message from Privacy Commissioner Carly Kind was blunt. Businesses should collect only what’s reasonably necessary, and full copies of ID documents shouldn’t be retained once they’ve served their purpose. Plenty of firms are still working out what that means for how they store client files today.
Why the urgency is real, not sales spin
Here’s the thing. A law firm or an estate agency that’s never had an AML/CTF obligation until now doesn’t have a KYC stack. It doesn’t have a due diligence workflow. It doesn’t have a way to verify who it’s actually dealing with beyond a driver’s licence photocopied into a folder somewhere.
These firms are building this infrastructure right now, this month, this quarter. Some will have started already. It seems to me that most haven’t. And every one of them needs a reliable way to answer simple questions before they take on a client: who is this business, who owns it, and is it who it says it is?
That’s not a nice to have. It’s the whole point of the legislation.
Where Firmable fits with AML/CTF Tranche 2
We’re not an AML/CTF compliance platform, and we’re not trying to be. What we are is the enrichment layer that makes KYC (Know Your Customer) and CDD (Customer Due Diligence) workflows actually work with current, verified business data.
If you’re building or buying a compliance stack right now, here’s what you need underneath it:
- Verified entity data, ABN, ACN, registered address, and structure, so you’re not relying on what a client tells you
- Ownership and directorship visibility, so you can identify who’s actually behind the business you’re onboarding
- Ongoing monitoring, because a client’s risk profile the day you onboard them isn’t the same a year later
- Data that updates, not a one-time check that goes stale the moment circumstances change
For law firms, accounting practices and estate agencies building this out for the first time, that’s a genuine gap. Most are looking at manual checks, spreadsheets, or bolting together tools that weren’t built for this. We can plug straight into that workflow with data that’s already accurate and already there.
And for compliance vendors targeting the 80,000 SMBs that are now racing to meet the requirements of the Act, we have by far the best data set on who they are.
What I’d do if I were you
If you’re in legal, accounting, real estate, conveyancing or trust and company services, and you’re still figuring out your CDD process, don’t wait for an audit to force the conversation. Talk to your team about what tool or processes you’re using today to verify who you’re dealing with, and whether it holds up. There are vendors that can help you understand what a compliance-ready data layer looks like for your workflow, and how quickly it can be put it in place.
And if you’re an AML/CTF compliance vendor, get in touch. My team can walk you through how our AI-native Australian B2B dataset can help you identify the 80,000 businesses that need to meet the new compliance requirements. No lengthy pitch, just a straight conversation about what you need and whether we’re the right fit.
FAQs about AML /CTF Tranche 2
Real estate agents and property developers, dealers in precious metals and precious stones, and professional service providers including lawyers, conveyancers, accountants, and trust and company service providers.
Yes. The obligations apply regardless of annual turnover. Size doesn’t exempt you. Read More.
AML/CTF obligations (enrolment, due diligence, reporting) sit with AUSTRAC. Privacy Act obligations govern how you collect, store and dispose of the personal information you gather while meeting those AML/CTF obligations. Tranche 2 entities now need to satisfy both.
The OAIC’s updated guidance says no, not as standard practice. Copies of full ID documents aren’t required under the AML/CTF regime, and holding onto them creates unnecessary privacy risk. Collect what you need to verify identity, then don’t retain more than that.
We provide verified, current business and ownership data that plugs into your customer due diligence process, whether you’re building a new KYC workflow from scratch or replacing manual checks. Reach out to my team and we’ll show you what that looks like for your business.

