For many firms, the conversation around tranche 2 reform has shifted. It is no longer just about understanding the legislation. It is about implementation.
With AUSTRAC’s program starter kits now available, the real question is no longer whether firms are aware of the reforms. It is whether they can build a practical, defensible compliance approach in time for commencement. From 1 July 2026, designated services provided by lawyers, conveyancers and real estate professionals will come under AUSTRAC regulation. Enrolment for newly regulated industries opened on 31 March 2026. That makes this next phase critical.
At PEXA Clear, we are seeing a clear pattern across the market: firms want practical guidance on what the starter kits mean operationally, where the gaps remain, and how to create processes that stand up on day one.
AUSTRAC’s program starter kits are a major step forward. They provide sector-specific guidance and templates to help newly regulated businesses start building an AML/CTF program. Starter kits are a strong foundation. But they are not the finish line. That distinction matters. The starter kits are designed to help firms get started, not to solve compliance in full.
They can save significant time by providing a foundation across risk assessments, policy documents, processes and forms. But firms still need to determine whether the kit suits their business profile, tailor controls to their services and customers, embed those controls into day-to-day workflows, and build a repeatable process for ongoing compliance.
For lower-complexity practices, the starter kits may go a long way. For firms with cross-border exposure, more complex clients, multiple service lines or higher-risk matters, they are best viewed as a baseline that requires further refinement.
Across the market, firms are now asking more practical implementation questions: whether they are providing a designated service, whether the starter kit is sufficient for their business, how to complete a risk assessment properly, who should take on the role of AML compliance officer, whether sanctions and PEP screening can realistically be done manually, how to respond when source of funds or source of wealth questions arise, and when a matter becomes suspicious enough to warrant escalation.
These are the right questions. They show firms are moving beyond awareness and into implementation.
One of the biggest mistakes firms can make is treating tranche 2 compliance as a documentation exercise.
A better starting point is to step back and map how the business actually operates. This matters because AML/CTF risk is not the same as regulatory risk. Firms need to assess the risk of money laundering, terrorism financing and criminal misuse of their services, then apply controls that are proportionate to that risk.
In practice, the most effective compliance programs are built into existing business processes, particularly onboarding.
The risk assessment is not just another form to complete. It sits at the centre of the AML/CTF program. If a firm misunderstands its risk, everything that follows becomes harder. Policies become too generic, due diligence becomes inconsistent, escalation becomes unclear, and record keeping becomes harder to justify.
For many firms, the most practical way to complete a risk assessment is to work through a real onboarding journey. Consider a typical client, a typical matter, the usual transaction value, the geography involved, and how instructions are received. That exercise can quickly turn a daunting document pack into a workable set of operational decisions.
The AML compliance officer is not a nominal role. This person needs sufficient authority, independence and standing to influence culture, oversee escalation and act as a key contact point where needed.
In many small firms, that will likely be the principal or practice owner. For sole practitioners and smaller businesses, one person may wear several hats. What matters is that the role is clearly assigned, properly documented and supported by practical processes.
Many firms are now grappling with sanctions screening and politically exposed person screening. Some checks can be done manually using publicly available resources. But the real issue is whether that approach is practical at scale. Manual processes create pressure on time, consistency and record keeping, especially where beneficial ownership needs to be understood or a result requires deeper review.
A risk-based approach is essential. A local business dealing mostly with Australian individuals will face a different screening burden to a firm managing complex entities, cross-border matters or higher-risk customers. The more customers a firm handle, the harder manual screening becomes to sustain reliably.
Source of funds and source of wealth remain two of the areas causing the most uncertainty.
For many professionals, these questions may initially feel unfamiliar or uncomfortable. But in a tranche 2 environment, they are part of normal risk-based due diligence.
The key shift is not just collecting information but assessing it. Firms need to recognise when something does not align, when a customer is reluctant to provide information, or when the explanation for a transaction does not make sense. Those are the moments that may require further review or escalation.
Done well, this is not about adding friction for legitimate customers. It is about protecting the practice from being used for illicit purposes.
Suspicious matter reporting is often seen as one of the most confronting aspects of AML/CTF compliance. It should not become an everyday event.
A strong compliance posture tends to deter higher-risk activity and make firms less attractive to criminals in the first place. But firms still need a clear internal process for identifying unusual activity, escalating concerns, assessing whether there are reasonable grounds for suspicion, documenting decisions, and balancing AML obligations with legal and professional duties.
Governance matters here. Staff need to know how to raise concerns, and compliance leads need a workable framework for deciding what happens next.
Tranche 2 preparation is not only about AML/CTF. It also brings privacy obligations into sharper focus. Firms will need to think carefully about how they collect, use, store and disclose personal information for AML/CTF purposes. For businesses that have not previously operated under the Privacy Act in this way, this adds another implementation layer.
That means practices should be reviewing collection notices, privacy policies, data handling and access controls, record retention practices, and data breach response plans. The important point is that privacy and AML/CTF are not incompatible. But they do need to be managed together.
First, confirm whether you provide a designated service. Then review the correct starter kit for your profession and service type. From there, assess whether the guidance fits your business profile or whether additional controls are needed.
Next, map compliance into onboarding and matter workflows, appoint the right compliance lead, and make sure privacy obligations are being considered alongside AML/CTF requirements.
Most importantly, start early. The firms that begin now will be far better placed to move from policy intent to operational readiness before July 2026.
The market does not need more information alone. It needs practical implementation support. That is where PEXA Clear can help.
As firms move from regulatory guidance to operational execution, they need confidence that their approach is fit for purpose, proportionate to risk, practical for staff to follow, easier to evidence, and scalable over time. PEXA Clear helps bridge the gap between guidance and execution, so compliance is not just documented, but embedded into the way work gets done.
