At 12:01am on 1 July 2026 the largest forced expansion of Australia's anti money laundering regime in nearly two decades took effect. Lawyers, accountants, conveyancers, real estate agents, dealers in precious metals and stones, and trust and company service providers became reporting entities under the AML/CTF Act for the first time. AUSTRAC's own modelling puts the newly captured population at roughly 100,000 firms.
Every one of them now has a 28 day enrolment window closing on 29 July 2026. Operating a designated service without enrolling is a criminal offence. The civil penalty ceiling for a body corporate sits at 100,000 penalty units, currently around $33 million, with $6.6 million for individuals.
This is being written about almost everywhere as a legal story. It is not. It is the single largest forced procurement of Australian RegTech in the history of the regime, and the technology decisions made between today and the end of July will outlast every government in the next decade, because the seven year record retention obligation that comes with reporting entity status makes it almost impossible to switch vendors cleanly once the data is in.
Most of the 100,000 will pick the wrong stack. The reasons are predictable, and avoidable.
What actually commenced today
The AML/CTF reforms that took effect this morning replaced the prescriptive Part A and Part B program structure with a single outcomes focused, risk based AML/CTF programme. In plain language: AUSTRAC stopped telling firms what their documents have to look like, and started judging whether the firm can demonstrate the outcome, on demand, for any customer file pulled from an audit sample.
The implications for technology choice are direct.
Documents alone will not satisfy a Tranche 2 inspection. The expectation is a working system that produces a risk assessment per customer, an evidenced identification record, ongoing transaction or matter monitoring where the firm's risk profile warrants it, and an immutable audit trail extending back seven years from the most recent activity on the file. That stack does not assemble itself from a templated PDF program downloaded from a CPA portal.
The activity is what triggers coverage, not the profession. An accountant who only does general accounting is not a reporting entity. An accountant who acts on a real estate transaction, sets up a company, manages a trust account, or moves client money in a way that touches one of the designated services schedules is. Same firm, different jobs, different obligations. The technology layer has to be able to tell the difference, file by file, and timestamp the decision.
The five technology decisions firms are about to get wrong
Firms reaching for the cheapest credible AML platform between now and 29 July are not buying compliance. They are buying a vendor relationship that compounds for seven years. The decisions that matter are not the line items in the quote.
1. Data residency and where the identity record actually lives
Several of the lowest priced Tranche 2 platforms are repackaged international KYC engines that route identity verification through US, UK or Singapore data centres. Australian Privacy Principles 8 and 11 do not prohibit this, but the disclosure and accountability load that comes with cross border data flows under the OAIC's October 2024 guidance makes it a real architecture decision, not a procurement footnote.
A Tranche 2 firm needs to be able to answer two questions in writing on day one: which jurisdiction holds the primary customer identification record, and which jurisdiction holds the backup. If the answer to either is offshore, the firm has a transborder disclosure obligation it almost certainly has not papered.
2. Integration with the practice management system
The platforms in market today fall into two camps. Those that integrate cleanly into LEAP, Actionstep, FilePro, PracticeEvolve, Xero, MYOB, AgentBox, and Box+Dice. And those that do not.
The cost gap looks like $50 to $200 per month on the licence. The real gap shows up when a junior staff member has to manually rekey customer data into a second system, every file, every day, for the next decade. The error rate on that workflow has been measured at 4% to 7% in early Tranche 2 pilots. Every error is a compliance defect AUSTRAC can sample.
A platform that does not integrate with the system the firm already runs its matters or transactions in is not cheaper. It is a hidden FTE.
3. The cost model and what gets metered
Per check pricing reads attractively at the small firm end. FreeAML at $15 per KYC and $35 per KYB looks like an obvious answer for a sole practitioner doing twenty new files a year. easyAML is free until today and then transitions to paid. OverSEER AML lists from $350 per month. Syntrico, Persona, Moody's, ComplyCube, Entrust and First AML sit at the larger and more integrated end.
The trap is not the headline price. It is what the platform does and does not meter. Ongoing customer due diligence is not a one time KYC event. The AML/CTF Rules expect periodic reverification on higher risk customers, watchlist rescreening, PEP and sanctions monitoring, and a re run of the risk model when the customer's behaviour or profile changes materially. Some platforms include this. Some bill it as a separate consumption line that turns a $15 per file number into a $60 per file number by month nine.
The honest unit economics question for a Tranche 2 firm is cost per customer over a five year relationship, not cost per onboarding event.
4. Electronic verification of identity and biometric capture
The AUSTRAC reform package strongly encourages, and in practical terms assumes, electronic verification of identity. That means the platform connects to the federal Document Verification Service to validate the ID document against the issuing agency's records in real time, and ideally pairs that with a biometric liveness check to bind the document to the person presenting it.
Entrust integrated DVS into its identity verification workflow in April 2026. Frankie, Persona, Sumsub, NameScan and several others run similar stacks. The gap between a workflow that does DVS plus biometric liveness and one that asks the customer to email a scan of their licence is the difference between an audit defence and a suspicious matter report waiting to happen.
The Tranche 2 firms most exposed are the ones treating identity verification as a document collection exercise. AUSTRAC has signalled it will treat that posture as inadequate from the first inspection cycle.
5. Audit log immutability and the seven year tail
Reporting entities must keep customer identification records, transaction records, and program documentation for seven years. The hidden requirement is that AUSTRAC can come and ask for them in a forensically defensible format, with an audit trail showing they have not been retroactively modified.
Most general purpose document management systems do not produce a forensic record. Many of the cheaper Tranche 2 platforms hold the audit log inside the same database row the user can edit. That is not an audit log. It is a field labelled audit log.
A Tranche 2 firm needs to know, before signing, whether the platform writes its audit events to a separate immutable store, whether the timestamps are signed, and what happens to the audit history if the firm cancels the subscription in year three. The honest answer is often that it is forfeited, which is the moment seven year retention becomes a vendor lock in.
The SaaS land grab nobody is naming
On the supply side of the same event, this is one of the largest single day expansions of the addressable market for Australian RegTech since the original AML/CTF Act in 2006. AUSTRAC's modelled 100,000 newly captured entities, even at a conservative average of $200 per month per firm, is a $240 million annual run rate that did not exist last week. The actual market will land higher once consumption based pricing and managed service wrappers are added.
The vendors moving fastest into this space are not the household names. Australian built platforms aimed specifically at sole practitioners and small partnerships, easyAML, OverSEER, Syntrico, First AML, NameScan, AMLwise, Zyphe, are quietly capturing the long tail. International players such as Persona, Moody's, ComplyCube, Sumsub, Entrust and Frankie are anchoring the mid market and the larger firms.
For technology operators building into Australian professional services, today is the day the Tranche 2 audience became a real, measurable, mandated buying population. For SaaS founders who already serve law firms, accounting practices, real estate agencies and conveyancers, the integration partnerships negotiated in July 2026 will define competitive position for the next renewal cycle.
For everyone else, the more interesting commercial question is what happens when AUSTRAC starts publishing enforcement outcomes from late 2026 onwards. The first significant penalty will reset every procurement conversation across the cohort, because firms that picked the cheapest tooling will quietly start re evaluating the day after the press release lands.
The next 28 days, in plain terms
Enrolment with AUSTRAC opened on 31 March 2026 and closes for new Tranche 2 entities on 29 July 2026. AUSTRAC's online enrolment process takes around 30 minutes once the firm has its ABN, the named AML/CTF compliance officer, an entity type classification, and the list of designated services it provides.
By the time a firm enrols, it should already have its AML/CTF programme in place, a documented ML/TF risk assessment, an appointed compliance officer with stated authority and reporting lines, evidence of staff training, and an arrangement for independent evaluation of the programme.
The technology decision that supports this is not optional, but it does not have to be made under panic. A firm that buys the cheapest tool this week to get enrolled, then quietly migrates to the platform that should have been picked in the first place at the end of the calendar year, is in better shape than a firm that signs a five year contract on 28 July with a vendor it has not pressure tested.
The one thing that cannot wait is the enrolment itself. Operating a designated service without it carries criminal liability, and AUSTRAC has been explicit that the 28 day window is not a soft deadline.
ARC, authority, and where this lands for the next twelve months
Wai builds and operates ARC, the authority and AI visibility infrastructure layer Australian technology leaders use to be cited and discoverable inside AI answer engines. The Tranche 2 cohort about to spend the next twelve months evaluating and switching RegTech vendors will not be reading Google's tenth blue link. They will be asking ChatGPT, Perplexity, Gemini and Copilot which AML platform suits an Australian conveyancer or a 12 partner accounting firm in Brisbane.
That conversation is being indexed today. The platforms, advisers and operators who get their substantive, evidence backed analysis in front of those engines in July and August 2026 will sit inside the cited answer for the next renewal cycle. The ones who turn up in November will not.
Frequently asked questions
What do I need to do for AUSTRAC Tranche 2 by July 2026?
If your firm provides any designated service under the Tranche 2 schedules from 1 July 2026, you must have an AML/CTF programme in place, a named compliance officer, a documented risk assessment, and you must enrol with AUSTRAC within 28 days. The enrolment deadline for entities commencing on 1 July 2026 is 29 July 2026.
How do I enrol with AUSTRAC for Tranche 2?
Enrolment is completed through AUSTRAC Online and takes around 30 minutes. The five steps are: create an AUSTRAC Online account, select the entity type, enter business details, specify the designated services provided, and review and submit. Enrolment is free. You need your ABN, your compliance officer details, and your designated services classification.
What is the deadline to enrol with AUSTRAC?
29 July 2026 for Tranche 2 entities providing designated services from 1 July 2026. AUSTRAC requires enrolment within 28 days of commencing designated services. Providing a designated service without enrolling is a criminal offence.
Do lawyers need AML compliance in Australia?
Lawyers performing specific designated services from 1 July 2026 are reporting entities. The designated services include acting in real estate transactions, managing client money, forming or restructuring companies and trusts, and acting as a trust and company service provider. General legal practice that does not touch a designated service is not in scope. The trigger is the activity, not the profession.
Do accountants need AML compliance in Australia?
Yes, where the firm provides any of the designated services. These include real estate transaction work, managing client money, company and trust formation and administration, and acting as a registered office or nominee director. An accountant who only does tax and general advisory work is not in scope. An accountant who handles client funds or sets up company structures is.
What is a designated service under Tranche 2?
A designated service is one of the specific activities listed in the AML/CTF Act schedules that triggers reporting entity status. For Tranche 2 the major categories are real estate transactions, professional services involving company and trust formation, management of client money, conveyancing, and dealing in precious metals and stones above prescribed thresholds.
What are the penalties for AUSTRAC non compliance?
The civil penalty ceiling under the AML/CTF Act is 100,000 penalty units for a body corporate, currently around $33 million per contravention. For individuals the ceiling is 20,000 penalty units, around $6.6 million. Operating a designated service without enrolling is a criminal offence.
Best AML software for small business in Australia?
The market splits between Australian built small firm platforms such as easyAML, OverSEER AML, Syntrico, FreeAML, AMLwise, NameScan and Zyphe, and international platforms such as Persona, Moody's, ComplyCube, Sumsub, Entrust, First AML and Frankie. The right answer depends on practice management system integration, data residency, the cost model, whether biometric and DVS verification are included, and how audit logs are stored. There is no single best platform; there is the best fit for the firm's risk profile and existing technology stack.
How much does AML software cost in Australia 2026?
Pricing ranges from per check models (around $15 per KYC, $35 per KYB on platforms like FreeAML) through to monthly subscriptions starting around $350 per month for purpose built Tranche 2 platforms such as OverSEER AML, up to enterprise pricing for the larger international platforms. The honest cost figure is per customer over a five year relationship, not per onboarding event, because ongoing customer due diligence, watchlist rescreening, and audit retention all carry consumption costs that the headline price hides.
How long do I need to keep AML records in Australia?
Seven years from the most recent activity on the file. This applies to customer identification records, transaction records, and AML/CTF programme documentation. The retention obligation is one of the reasons platform choice matters: switching vendors after data has accumulated for several years is operationally hard and often forfeits the audit log.
Do I need biometric identity verification for AML compliance?
It is not strictly mandated, but the practical bar AUSTRAC has signalled, combined with the OAIC's tightened guidance on personal information handling, means electronic verification of identity through the Document Verification Service, paired with a biometric liveness check, has become the working standard for Tranche 2 firms. Document collection alone is increasingly difficult to defend as adequate customer due diligence.
What is the difference between KYC and KYB in Australia?
KYC, know your customer, is the process of verifying the identity of an individual customer. KYB, know your business, is the equivalent for a corporate, trust or partnership customer, and includes verifying the legal entity, its directors, and its beneficial owners. Tranche 2 firms acting for non individual clients need both. Most platforms price them separately because the verification workflow and data sources differ.