This post covers what the Tranche 2 AML/CTF reforms mean in practical terms for lawyers, accountants, conveyancers and real estate agents, and specifically what they require of your client intake process. We cover:
- What Tranche 2 is and which businesses it captures
- What the obligations require you to do
- Why your current intake process may not be sufficient
- What a compliant client intake process looks like in practice
- How to build one without a major IT project
From 1 July 2026, Australia’s AML/CTF regime extends to a new class of businesses.
Lawyers, accountants, conveyancers, mortgage brokers and real estate agents are all professions that have historically sat outside formal anti-money laundering obligations. Tranche 2 will require these businesses to enrol with AUSTRAC, implement a documented AML/CTF program, verify client identity, and maintain records that can withstand regulatory scrutiny.
This is not a future consideration. Enrolment with AUSTRAC opened on 31 March 2026. The obligations are live.
For many businesses, the gap between where their current client intake process sits and where it needs to be is significant.
Not because the intention isn’t there, but because processes that evolved around email and informal verification were never designed to meet a regulatory standard.
This post covers what Tranche 2 requires, where most professional services businesses currently fall short, and what a compliant client intake process looks like in practice.
What Tranche 2 is and who it captures
Australia’s Anti-Money Laundering and Counter-Terrorism Financing regime has long regulated banks, credit unions, remittance providers and similar financial institutions. Tranche 2 extends those obligations to professions that act as gateways to financial and property markets sectors that can be exploited to move or conceal the proceeds of crime.
From 1 July 2026, the following businesses are captured where they provide designated services with a geographical connection to Australia:
Lawyers and law firms: including conveyancing services, the creation or administration of trusts, and the handling of client funds in trust accounts for specific purposes.
Accountants and accounting firms: including tax advice, financial reporting, and the management of client funds or assets.
Conveyancers: including the facilitation of property transfers and the management of settlement funds.
Mortgage Brokers: including the arrangement of credit, the facilitation of home loan applications, and the verification of borrower identity and source of funds.
Real estate agents, buyer’s agents and property developers: including the sale and purchase of real property on behalf of clients.
If your business provides any of these services, you are captured. The obligations apply regardless of firm size – there is no small business exemption.
What Tranche 2 requires of your client intake process
The AML/CTF reforms introduce several obligations that directly affect how you collect and manage client information. These are not abstract compliance requirements, they have specific operational implications for the way your business runs.
A documented AML/CTF program
You are required to have a written AML/CTF program that identifies your business’s specific money laundering and terrorism financing risks, and sets out the policies, procedures and controls you use to manage them.
This program must be tailored to your business. A generic template will not satisfy AUSTRAC.
It must also be reviewed regularly and updated when your business or the regulatory environment changes.
Customer due diligence: consistently and on record
You must verify the identity of clients before providing designated services.
This is formal Know Your Customer (KYC), not recognising a name in an email, not relying on a long-standing relationship, but a documented process that produces a verifiable record every time.
The standard requires you to collect and verify identifying information, record what was verified and when, and be able to produce that record if asked. The same process must apply consistently across all clients, not just new ones.
For higher-risk clients or transactions, enhanced due diligence applies. A more thorough verification and ongoing monitoring of the relationship.
Ongoing due diligence: not just at onboarding
AML/CTF obligations do not end when a client signs on.
You are required to monitor client relationships on an ongoing basis, updating information when circumstances change and being able to demonstrate that monitoring has occurred.
Businesses that treat KYC as a one-time onboarding exercise will fall short of the standard AUSTRAC expects.
Record keeping: structured and retrievable
Every step of your client verification process must be documented and retained. Records must be kept for a minimum of seven years and be retrievable promptly, not reconstructed from an inbox search under pressure.
AUSTRAC’s expectation is not that you remember what happened. It is that your process recorded it automatically.
Suspicious matter reporting
You must have a clear internal process for identifying client behaviours or transactions that may indicate money laundering or other financial crime and a documented escalation path for reporting suspicious matters to AUSTRAC.
Where most businesses currently fall short
The gap between what Tranche 2 requires and how most professional services businesses currently operate comes down to one thing: most intake processes were never designed to produce a compliance record.
Email does not produce an audit trail.
An inbox full of threads, attachments and forwarded messages is a reconstruction exercise, not a record.
Piecing together what was requested, when it was received, who had access to it, and what was verified under scrutiny, from scattered email threads, is not a process AUSTRAC will find acceptable.
Informal identity verification is not documented verification.
Recognising a client’s name, accepting a photo of their licence by email, or relying on a relationship that has existed for years does not constitute a consistent, auditable KYC process.
The standard requires a record that demonstrates what was verified, how, and when, for every client.
Shared inboxes and shared drives have no access controls.
When multiple staff members can access the same client information without restriction, there is no role-based governance.
In a regulated environment, who accessed what and when is part of the record.
There is no visibility over data retention.
Most businesses have no clear picture of where client data sits across their systems: inboxes, local drives, cloud backups, third-party platforms.
Without that visibility, demonstrating controlled retention and deletion is not possible.
What a compliant client intake process looks like
Meeting Tranche 2 obligations does not require a major IT project. It requires a structured, consistent process that produces the records the legislation demands, automatically, as a natural output of how your business operates.
A compliant client intake process for a Tranche 2 entity should include:
A consistent, secure channel for collecting client information.
An efficient client document collection process that is used for every client, every time.
Information is submitted through a secure portal, not email, with encryption in transit and at rest, and Australian data storage.
Documented identity verification at the point of engagement.
Clients submit identity documents through the portal.
Staff view the document, mark it as verified, and delete it, without it ever being downloaded to local infrastructure.
The audit trail records the full sequence: submitted, viewed, verified, deleted.
A timestamped record of every interaction.
When a request was sent, when it was opened, what was submitted, when it was submitted, who had access.
This record builds itself automatically, nobody has to remember to document it.
Role-based access controls.
Sensitive client information is visible only to the team members who need it. Access is governed, not assumed.
Controlled data retention and deletion.
Your business decides how long information is held. When the retention period ends, deletion is complete, confirmed, not assumed.
Ongoing request capability.
You can send follow-up requests to existing clients as circumstances change, updating information, collecting additional verification, maintaining the ongoing due diligence record the legislation requires.
The five industries: what this looks like in practice
Lawyers and law firms
Conveyancing and trust account services carry particular risk under Tranche 2.
Email interception fraud, where a fraudulent party substitutes their own bank details into an email thread, is a known and growing problem in this sector.
A secure client portal eliminates the channel through which that fraud occurs.
The audit trail satisfies the record-keeping obligations.
The identity verification process supports KYC requirements under the new regime.
Accountants and accounting firms
Accountants managing client funds, preparing financial statements or providing tax advice are captured from 1 July 2026.
The practical requirement is a consistent, documented onboarding process for every client and the ability to demonstrate ongoing due diligence as client circumstances change.
A structured intake portal gives you both, without adding administrative load to your team.
Conveyancers
Conveyancers are among the highest-risk Tranche 2 professions, given the volume of funds and property transfers involved.
AUSTRAC will expect a documented, auditable verification process for every client, every transaction.
The days of relying on email chains and photocopied IDs as a compliance record are over.
Mortgage Brokers
Mortgage brokers sit at the gateway between consumer and lender, facilitating large financial transactions and verifying borrower information as a core part of the role. From 1 July 2026 that places them within Tranche 2’s scope.
The practical requirement is structured customer due diligence at engagement, documented identity verification before a loan application is submitted, and source-of-funds verification on deposits and equity contributions.
Email interception fraud at settlement is the most immediate operational risk a structured intake process closes.
The audit trail is what holds the file together when AFCA, ASIC or AUSTRAC asks.
Real estate agents and property developers
For real estate professionals, the obligation to verify client identity before acting on their behalf in a property transaction is now formalised.
The records must be structured, retained for seven years, and retrievable on request.
An email inbox does not meet that standard.
Building a compliant process without starting from scratch
The businesses that will navigate Tranche 2 most smoothly are not necessarily the ones with the largest compliance teams.
They are the ones that implement a structured, consistent process now before scrutiny increases and before the pressure of an audit makes the gaps visible.
Gatheroo is a secure client portal built specifically for Australian professional services businesses that collect sensitive client information.
It gives you the infrastructure that Tranche 2 requires: a consistent intake process, documented identity verification, a full audit trail, role-based access controls, Australian data storage, and controlled data deletion.
Gatheroo helps businesses build a secure, auditable client intake process with Australian data storage, encryption, 2FA access control and a full activity trail, supporting your obligations under Australian privacy and AML/CTF legislation.
A 14-day free trial is available with no credit card required. Most businesses have their first request sent within the same day.
Try Gatheroo Free Read: What a Secure Client Portal Needs to Include
Frequently asked questions
What is Tranche 2 AML/CTF in Australia?
Tranche 2 refers to the second phase of Australia’s Anti-Money Laundering and Counter-Terrorism Financing reforms, which extend AML/CTF obligations to lawyers, accountants, conveyancers and real estate agents from 1 July 2026. These businesses must enrol with AUSTRAC, implement a documented AML/CTF program, verify client identity, and maintain structured records of their compliance activities.
Who is captured under Tranche 2?
Lawyers, accountants, conveyancers, mortgage brokers, real estate agents, buyer’s agents and property developers providing designated services with a geographical connection to Australia. There is no exemption for smaller businesses – the obligations apply regardless of firm size.
What does Tranche 2 require for client identity verification?
A consistent, documented process for verifying client identity before providing designated services – producing a verifiable record of what was verified, how, and when. Informal verification – recognising a client’s name, accepting an emailed photo of their licence – does not meet the standard. The same process must apply to every client.
Does my current email-based intake process meet Tranche 2 requirements?
In most cases, no. Email does not produce a structured, timestamped audit trail. It provides no access controls, no documented verification sequence, and no reliable record of what was received, when, and by whom. A purpose-built secure portal is the practical solution for most professional services businesses.
When did Tranche 2 enrolment open?
Enrolment with AUSTRAC opened on 31 March 2026. AML/CTF obligations commence for Tranche 2 entities on 1 July 2026.
Does Gatheroo make my business Tranche 2 compliant?
Gatheroo gives you the infrastructure that compliance requires: a secure, documented, auditable client intake process, but it does not make your business automatically compliant. Your AML/CTF program, risk assessment and specific obligations require input from a qualified compliance professional. We can help with the process. The compliance sign-off is theirs.
This article is general in nature and does not constitute legal or compliance advice. AML/CTF obligations vary by business type and the services you provide. For advice specific to your obligations under Australia’s AML/CTF legislation, engage a qualified compliance professional or AML adviser.