For many businesses about to fall under Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) Tranche 2 regulations, compliance still sounds like a verification problem. Check the client, collect some ID, tick the box and move on.

That is exactly where many businesses will go wrong.

From 1 July 2026, Tranche 2 obligations will apply to a wider group of Australian businesses, including real estate professionals, lawyers, accountants, conveyancers, trust and company service providers, and dealers in precious metals, stones and products. Those businesses will need to enrol with AUSTRAC, build and maintain an AML/CTF program, train staff, conduct customer due diligence, report suspicious matters and keep records.

What does Tranche 2 involve?

Identity verification is simply the front door of these changes. Behind it sits an entire compliance ecosystem that businesses must design, implement and maintain on an ongoing basis. This includes:

  • A formal ML/TF risk assessment covering client types, services, payment channels, and jurisdictions
  • A documented AML/CTF policy that must be operationalised into daily processes
  • Controls and workflows aligned to your specific risk profile
  • Annual staff training, including for new starters
  • Ongoing monitoring of clients and transactions
  • Annual compliance reporting to AUSTRAC, typically lodged between 1 July and 30 September of each year
  • A review of the risk assessment and AML/CTF program at least every three years, and sooner if the business changes materially
  • Independent evaluation at least every three years (your first evaluation may take place sooner than the three-year deadline)

What compliance actually costs

The government's most recent Regulation Impact Statement estimated that setup costs range from $4,460 for smaller businesses to $85,550 for larger ones, with annual ongoing costs between $6,020 and $82,660. For businesses with turnover between $200,000 and $2 million, that means approximately $28,650 upfront and $33,230 each year.

Table 19 | Option 4 average upfront and ongoing (annual) burden per tranche two business ($, real terms), by reform and turnover¹⁶⁶

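| Reform | Frequency | $0 - $200k | $200k - $2m | $2m - $10m | $10m+ |
|---|---|---|---|---|---|
| Enrolment | Upfront | 230 | 230 | 290 | 700 |
| Enrolment | Annual | - | - | - | 60 |
| AML/CTF Program | Upfront | 3,400 | 11,240 | 15,100 | 37,040 |
| AML/CTF Program | Annual | 5,180 | 17,550 | 23,840 | 46,500 |
| Customer Due Diligence | Upfront | 560 | 12,140 | 15,380 | 23,050 |
| Customer Due Diligence | Annual | 800 | 15,170 | 18,050 | 27,420 |
| Reporting | Upfront | 160 | 2,010 | 3,320 | 7,210 |
| Reporting | Annual | 30 | 410 | 860 | 2,890 |
| Record-keeping | Upfront | 110 | 3,030 | 4,040 | 17,550 |
| Record-keeping | Annual | 10 | 100 | 1,000 | 5,790 |
| Total | Upfront | 4,460 | 28,650 | 38,130 | 85,550 |
| Total | Annual | 6,020 | 33,230 | 43,750 | 82,660 |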

These numbers include the combined cost of enrolment, risk assessments, policy development, staff training, verification systems and reporting infrastructure.

The stakes for non-compliance are severe. Under AUSTRAC's civil penalty framework, corporations can face penalties of up to 100,000 penalty units. At $330 per unit, that's up to $33 million. Individuals face penalties of up to 20,000 penalty units. 

Beyond the financial penalties, there is reputational damage, forced remediation and the emotional burden of navigating an AUSTRAC audit to consider.

Three options for complying with Tranche 2

There are broadly three ways businesses will approach Tranche 2, and each comes with a very different cost and risk profile.

DIY

Do-it-yourself (DIY) compliance tools appeal because they seem affordable and immediate. Many offer templates, questionnaires and checklists.

The problem is that DIY often leaves the hardest work to you.

A tool can collect data, but that does not mean the program is defensible before AUSTRAC. It may not reflect the nuances of a real estate agency versus an accountant or a lawyer. It may not guide the business through edge cases such as beneficial ownership, offshore structures, trusts or higher-risk customers.

That is a serious weakness because AUSTRAC is focused on risk-based systems, not generic paperwork. It is not enough to have a policy sitting on the shelf. You need to be able to show how the policy has been implemented, how decisions were made and how risks are being managed over time.

The reporting risk alone is reason enough to reconsider the DIY option. When your first annual compliance report is due – or if AUSTRAC requests specific information – a DIY approach can quickly become challenging. Records may be incomplete, scattered across various systems or stored in formats that AUSTRAC won’t accept. Pulling it all together under pressure is time-consuming, stressful and leaves you feeling exposed at exactly the moment you need to be in control.

In other words, DIY can save money upfront while creating larger costs later through rework, remediation, management time and risk exposure.

Consultant-only

The traditional alternative is to hire consultants to design the program, review the risks and advise on obligations.

That can solve the expertise gap, but it often introduces a different cost profile.

Consultant-led models can be expensive to set up and maintain. They can be slower when verifications or escalations need to happen quickly. Critical knowledge can end up sitting with the consultant rather than being embedded in your business. If policy, verification, reporting and recordkeeping all live in separate places, the business can still end up with the same fragmentation problem.

Reporting time compounds this further. When your annual report is due or AUSTRAC asks for more details, you are relying on a third party to have the right records, provide them promptly and present them in the format that AUSTRAC requires. That dependency on someone outside your business, working to their own timeline, is its own risk.

This is particularly relevant in sectors where speed matters commercially. In real estate, poor compliance design can create deal friction, frustrate clients and slow transactions. Done badly, compliance becomes an obstacle. Done well, it becomes part of a smoother client process.

A blended approach

A third option for many Tranche 2 businesses is a blended approach that combines the speed and consistency of software with the judgment and oversight of AML consultants.

This model avoids the core weaknesses of both extremes. Unlike a DIY tool, it does not leave businesses to interpret complex obligations on their own. Unlike using consultants, it does not push everything into point-in-time projects, static documents and manual follow-up.

A blended model is especially valuable because AML/CTF compliance is not just about setting up a policy. It is about operationalising that policy across onboarding, verification, risk assessment, training, reporting and recordkeeping.

For many businesses, that blended approach is likely to be the most commercially sensible path: lower friction, better visibility, stronger controls and less risk of expensive rework later.

The hidden costs of cutting corners

One of the most overlooked compliance risks is the temptation to treat AML/CTF as the responsibility of just one or two people.

In practice, compliance only works when people who are customer-facing are part of the system. AUSTRAC needs visibility of suspicious matters, and that visibility depends on frontline staff knowing the policy, recognising red flags and knowing who to escalate them to. They do not need to decide whether conduct is definitively criminal. They just need to know what looks suspicious and how to raise it quickly.

If that wider team is not trained, if responsibilities are unclear, or if there is no simple way to escalate issues, the whole system starts to break down. Bottlenecks develop, accountability blurs and important information can be missed.

That is exactly the kind of weakness AUSTRAC is trying to prevent. Its reform guidance places strong emphasis on effective systems, controls, governance and risk management. The governing body must receive appropriate information. Senior managers must approve and oversee key parts of the program. Training must reach relevant personnel. Reviews and evaluations must happen.

A business that tries to compress all of that into one staff member, while everyone else works outside the system, is not really reducing costs. It is moving costs into hidden places where they become harder to measure and harder to fix.

AUSTRAC's expectations are clear: it is not enough to have a policy. You must be able to prove, with evidence, why you made the decisions you did and how your controls were applied.

The businesses that move first will benefit

Behind the added cost and complexity of Tranche 2 sits a genuine commercial opportunity. Businesses that implement a fast, frictionless compliance process can verify clients in minutes, keep deals moving and build client trust. Agencies that haven't solved this will face complaints about delays, challenges with their onboarding process, and, in the worst cases, will lose clients to competitors who have.

The businesses that get this right from the start will have a compliance infrastructure that is built, tested and running before the wider market has caught up. That could be a real commercial advantage.

How Visibl solves the problem

Most of the cost and risk in Tranche 2 compliance comes from fragmentation. Businesses end up with policies in one place, verifications in another, training tracked on a spreadsheet and reporting cobbled together under pressure at year end. Visibl is built to remove that fragmentation.

The platform brings onboarding, verification, risk assessments, monitoring, reporting, training and recordkeeping into one platform, and pairs that with certified AML specialists when the complexity goes beyond what software alone can handle. That combination of digital consistency and human judgment is what separates a defensible compliance program from one that looks adequate until it is tested.

The risk assessment process is tailored to the industry and the business itself. A real estate agency works through questions specific to how it operates, while an accounting firm sees a different set. Those answers shape a risk profile that specialists then review, helping the business understand not just what its risks are, but what controls are appropriate and why.

Day to day, the platform is designed to keep business moving rather than slow it down. Agents can send a verification link, the client completes the process digitally and results can often be returned within minutes. Every action, decision and piece of evidence is retained in a structured audit trail.

When reporting is due, structured reports can be generated for AUSTRAC without the scramble of pulling records from across the business. And if AUSTRAC requests more information or an audit, Visibl’s specialist team can support the business through that process.

The result is a compliance program that is simpler to run, harder to break and far easier to defend.

Wondering what complete Tranche 2 compliance would actually look like for your business? Book a demo with Visibl to see how the platform can make your Tranche 2 compliance simpler, faster and audit-ready from day one.

And if you want an estimate of typical monthly expenses, try our pricing calculator, where you’ll answer 4 simple questions.