AUSTRAC Tranche 2: What Australian accounting firms must do before 1 July 2026

As of today, there are 58 days until 1 July 2026. By that date, every reporting entity providing a designated service in Australia — including most accounting firms — has to have a working AML/CTF program in place. Not drafted. Working.

Most firms we’ve spoken to in the past month are aiming for a self-imposed go-live earlier than 1 July — early to mid-June, two weeks of buffer before the regulatory deadline. That’s the right move. It also means the practical window to design, choose tools, train staff, and run a real test isn’t 58 days. It’s about 40.

This is a working plan for the firms still figuring out what they need. Four things on file from day one. An eight-week path that still fits. And the failure mode to avoid.

Who’s actually affected — and how the trigger works

The Tranche 2 expansion brings designated non-financial businesses and professions (DNFBPs) into the AML/CTF regime. For accountants, the trigger is the designated service — a defined set of activities that, once you provide one, makes you a reporting entity for that client.

Designated services for accountants include — but aren’t limited to — receiving or holding client funds, acting as or arranging for a director or trustee, forming or restructuring legal arrangements, and selling or transferring shell companies. The list is specific. The trigger is binary. If you provide one designated service, the obligations attach for that client.

Most accounting firms we’ve spoken to are landing on a simpler operating policy: assume every new client engagement may include a designated service, and screen accordingly. It’s faster than running a per-engagement classifier, and it reduces the chance that someone in the firm misses the trigger.

The four things on file from day one

If an auditor walks in on 2 July 2026 and asks for evidence of your AML program, the answer needs four parts on file per client, retrievable in under five minutes:

1. Timestamped identity verification. Document captured, matched to the person, date and result on record.
2. Sanctions and PEP screen. Run against AUSTRAC and global lists, false-positive review noted, refreshed for ongoing monitoring.
3. Risk rating with rationale. Low / medium / high — and the factors that drove the rating. Not an opinion on the page; a mapping from your AML program document.
4. Linked evidence chain. All artefacts attached to the client record in your practice management system, not scattered across inboxes and shared drives.

None of this is what the regulator is auditing for in detail today, but it’s what they’ll ask for once the regime is live. The firms ahead of the deadline have already designed their workflow around producing all four automatically — not as a post-hoc reconstruction.

The 8-week implementation path that still works

Eight weeks is enough — if the time is sequenced. Most firms that miss the deadline don’t miss it because the work is hard. They miss it because they spend six weeks evaluating tools and two weeks scrambling to implement.

Here’s the sequence that works, anchored from today:

Weeks 7-8 (16-30 June) are the buffer — what you use to fix what the pilot surfaced, finalise the AML program document, and onboard the rest of the new-client pipeline before 1 July. Firms ahead of the deadline are already in week 1-2.

What firms ahead of the deadline are already doing

The pattern across the firms we’ve talked to that are ahead of the deadline — already in pilot, with a tool selected, with the AML program drafted — has three components:

• One integrated workflow, not parallel systems. The check fires from inside the practice management software the team already uses. No second tool, no separate login, no exported-and-re-uploaded data.
• One default policy, not per-engagement classification. Every new client is screened. The cost of a redundant check on a low-risk client is trivial. The cost of missing a designated service trigger is not.
• Audit-ready evidence as the by-product. The four things on file from day one are produced by the workflow, not assembled by hand at audit time.

If your firm is on XPM, Karbon, FYI, or HubSpot, the integration architecture for this is already built — the check fires inside the workflow your team uses every day. See the integration list.

The cost of getting this wrong

Civil penalties for non-compliance under the AML/CTF Act run to tens of millions of dollars per contravention for body corporates, and substantial individual penalties for officers. AUSTRAC has been clear that enforcement of Tranche 2 will be active, not passive.

The more practical risk for most accounting firms isn’t the headline penalty. It’s the cumulative cost of running a manual program through an audit cycle: reconstruction time, staff disruption, partner sign-off rework, and the reputational drag of being the firm that “got behind on Tranche 2.”

Eight weeks is enough. Forty days, if you start now and don’t drift on tool selection, is enough. Two weeks is not — and it’s the path most firms are heading toward by default.

The deadline is fixed. The path is short. The firms that get there are the ones that stop evaluating and start implementing — this week, not next month.