Anti-Money Laundering and Counter-Terrorism Financing reforms – a practical guide for newly regulated ‘tranche two’ entities

Financial Services Licensees

Mick Lyons

Executive summary

On 29 August 2025 the final Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (the Rules) came into effect. The Rules prescribe the newly overhauled compliance regime and regulatory framework in respect of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act). These Rules follow the earlier amendments of the Anti-Money Laundering and Counter-Terrorism Amendments Bill 2024 (the Amendatory Act), passed in November 2024. This reform will see substantial change across industry, including extending the application of the Act to business sectors which have previously been outside the ambit of the Australian Transaction Reports and Analysis Centre’s (AUSTRAC) traditional reporting entities and hence its regulatory authority.

Who is impacted?

The regime phases in over two ‘tranches,’ beginning from 31 March 2026 for ‘tranche one’ entities, these being ‘traditional reporting entities,’ such as financial institutions, banks, financial planners, digital currency providers, gambling services, superannuation funds and life insurance companies. Enrolments open for newly regulated ‘tranche two’ entities on 31 March 2026 in anticipation of the official commencement date, 1 July 2026.

It is essential that entities are aware of their obligation to enrol with AUSTRAC before the appropriate commencement date. It will now be a legal requirement to do so before you can provide a ‘designated service.’

Relevantly, ‘tranche two’ entities are those typically providing ‘designated services,’ which includes the following professions/industries:

  • Legal Professionals
  • Conveyancers
  • Accountants
  • Real Estate Agents
  • Buyers Agents
  • Property Developers
  • Fund Managers
  • Professional Trustees
  • Financial Advisors
  • Trustee and Company Service/Secretarial Firms
  • Precious Metals and Stones Dealers

All regulated and newly regulated entities will need to determine how they will internally manage their reporting obligations under the Rules, including the appointment of an ‘AML/CTF compliance officer.’ Businesses may choose to do this independently, or alternatively join a ‘Reporting Group,’ which will enable independent firms to participate in group programmes. This approach is likely to be relevant where firms are part of national associations.

Key changes

The Rules prescribe that all entities will be required to either implement or update their existing written Anti-Money Laundering and Counter Terrorism Financing (AML/CTF) program. The AML/CTF policy provisions within the Rules feature a comprehensively updated Customer Due Diligence (CDD) and Know Your Client (KYC) regime, which is predicated upon risk assessments as a contextual guide to a new scenario-based data collection framework.

The challenge

Whilst there has been considerable modification, given that tranche one entities have historically been subject to prescriptive minimum requirements under the former regime, we expect a level of familiarity with the new regulatory oversight. The concern, however, is in the extension of the Rules to tranche two entities, which will see a broad array of businesses across Australia required to draft and implement AML/CTF programs. The move signals a complex transition for many businesses, who previously may not have been subjected to such rigorous regulatory and compliance obligations in order to service their clients. This is where we expect challenges to arise.

This presents a significant exposure, as a failure to comply carries the risk of an inquiry, the imposition of civil fines/penalties and ultimately, may provide cause for allegations to be made against both companies and natural persons/office holders in the course of discharging their directorial . The scope of directors’ duties as regards the AML/CTF obligations under the Corporations Act was recently tested in ASIC v Bekier.[1] In this matter, Two Star Entertainment Group directors, including the former CEO and Chief Legal & Risk Officer, were found to have breached their duty to exercise their powers and discharge the same with care and diligence under Section 180(1). Both failed to act upon and notify the board of deficiencies identified in the AML/CTF program, giving rise to a foreseeable risk that Star would breach one or more of its AML/CTF obligations. Under the new reforms, Section 26H of the Act is amended to further impose a positive duty on governing bodies of reporting entities to both ‘exercise appropriate and ongoing oversight’ as well as take reasonable steps to ensure the entity is appropriately identifying, assessing, managing and mitigating AML/CTF risks in strict compliance with internal AML/CTF policies, the Act and the Rules. The takeaway here is clear: directors/office holders must turn an enquiring mind to AML/CTF risks to ensure appropriate oversight.

Practical guidance for ‘tranche two’ entities

AUSTRAC has published some welcome guidance, along with ‘starter-kits,’ both available via their website. There is still, however, an ostensible lack of practical clarity within both the guidance and legislation as regards the requisite operational expectations on organisations to formulate ‘AML/CTF policies’ and how these intersect with the AML/CTF program. This is largely by virtue of the volume of requirements and the multi-instrument approach, with requirements sitting under both the Act and the Rules.

There is a particular disconnect within the existing guidance as to the role of the updated CDD regime and KYC data collection phase, and importantly how policies surrounding this may be implemented into the AML/CTF program to facilitate a more thorough AML/CTF risk assessment. The AUSTRAC guidance does not treat the client onboarding process as forming part of the AML/CTF program, and instead, it’s seen as a separate ‘policy.’ However, in practice, it would follow logically that the AML/CTF program should include an established procedure for conducting any initial CDD at the time of customer onboarding. This will include mechanisms for verification, ongoing monitoring, or reviews of existing client data where they are requesting new services and will be followed by a risk assessment pursuant to the information/data which has been captured. The outcome of the risk assessment would then dictate if additional enhanced CDD and KYC data collection is required per the Rules and, if applicable, identify the occurrence of any reportable instances.

As such, we have prepared practical guidance on this basis to assist in the preparation of AML/CTF programs and de-mystify the CDD/KYC data collection requirements.

What is a ‘designated service’?

Prior to undertaking any CDD or risk assessments, businesses will need to understand if they will fall within the ‘tranche two’ reporting entity remit and will be providing a ‘designated service.’

The list of expanded ‘designated services’ under Section 6 of the Act is exhaustive. Positively, AUSTRAC have published a quick guide to help entities understand whether or not they will be regulated.

For ease of reference, we highlight the newly classified designated services specific to Real Estate Services and Professional Services below, along with the relevant reporting entities likely to be captured under this remit:

It is important to note that Item 2 is likely to include off the plan sales and real estate transfers even for no value or consideration. Further, Fund Managers, particularly of Real Estate Investment Trusts (‘REITs’), should be aware that where an asset is disposed of / sold off using in-house employees, or related parties who are not ‘independent,’ the Rules are likely to be invoked. Leasing agents should however note that leasehold interests of 30 years or less are not considered ‘Real Estate’ under the Act and will not be captured.

AUSTRAC’s Professional Services Guidance has cleared up much of the conjecture surrounding what constitutes a designated service and at what point within the transaction does a firm actually provide such service.

Key terms such as ‘assisting,’ ‘planning,’ ‘organising’ or ‘otherwise acting on behalf of a person’ are applicable only when the activity is sufficiently linked to the outcome of a designated service, meaning a firm’s involvement will need to ‘directly advance’ a relevant transaction.

‘Directly advancing’ in this context is linked to applicable outcomes within Table 6, for example:

  1. Drafting and execution of a trust deed.
  2. Restructuring of assets, a body corporate, entities or a legal arrangement.
  3. Receiving, holding or managing assets/securities in connection with a transaction.

Both preparatory and execution steps can be deemed to advance the transaction, however merely influencing the customer, or providing ancillary advice will not trigger regulatory obligations under the Act. This means that general advice, such as advising on the tax implications of a transaction, is unlikely to be captured.

AUSTRAC has also drawn the distinction that a designated service will be deemed to have commenced upon acting on instructions from the customer, or when steps are taken to directly advance a transaction.

Litigation lawyers and solicitors providing wills, estates and planning services will be interested to note that legal dispute resolution services will generally not fall within the scope of Table 6 and that the drafting of a will, and the subsequent creation of a testamentary trust, similarly won’t constitute a designated service. For further information as regards designated services in respect of Legal Professionals, The Law Society of New South Wales has published guidance specific to the Profession.

Initial customer due diligence

The AUSTRAC guidance details that customer identification and verification must be documented in Part B of the written AML/CTF program. The Act prescribes that a designated service may not be delivered unless applicable customer identification procedures (ACIP) have been carried out. Again, we suggest that, as the first step of their AML/CTF program, reporting entities perform initial CDD, which will entail the collection of some KYC and ‘customer verification’ data.

There is a slight deviation between the Act at Section 28(2) and Section 6 of the Rules, insofar as the Rules are substantially more detailed and scenario oriented as opposed to the ‘matter’ outlined in the Act. Section 6 of the Rules provides the requisite guidance as to the minimum information required, dependent on the customer scenario, as follows:

We note that where the customer is part of a nested services relationship and for life insurance policies, there are specific, and quite stringent, initial CDD information collection requirements prescribed by the Rules.

In verifying customer data, the AUSTRAC guidance is a great resource as to what qualifies as effective verification to ensure the statutory requirements are met. We do expect ‘RegTech’ to play a large role in the verification and collection process. This in itself poses an additional privacy risk and prudent businesses ought to seek affirmative consent prior to uploading any client data to third-party software.

Further, there are exceptions to the Rules, along with a ‘delayed initial CDD’ framework, which is intended to ensure that the ordinary course of business is not interrupted where there is a perceived low AML/CTF risk.

Importantly, the delayed initial CDD framework applies to real estate transactions, where there may be several parties undertaking CDD on the same client, and reduces duplication of information. Here, a simplified CDD process may be implemented.

Risk assessment

Following the initial CDD process, organisations should undertake risk assessments utilising the information collected. The Act prescribes that the AML/CTF program must include a risk assessment that “identifies and assesses the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services” and further that decisions made under such “must be appropriate to the nature, size and complexity of the reporting entity’s business.” The AUSTRAC guidance considers this as forming Part A of the AML/CTF program.

In doing so, a reporting entity must have regard to certain risk categories outlined in Section 26C(3) of the Amendatory Act whilst undertaking the assessment. We have taken the time to review these and compiled the below based on the relevant risk triggers and threshold indicators as identified by AUSTRAC:

The above risk triggers and threshold indicators are explicitly general in nature and in practice these will vary between industry/designated services. We direct businesses to AUSTRAC’s Risk Assessment ‘starter kits’ for industry specific risk triggers, which will provide specific information relevant to the ‘nature, size and complexity’ of individual organisations, ensuring compliance with the Act.

The guidance above is important, as the updated CDD framework and ongoing monitoring requirements are enlivened upon the reporting entity’s conclusion as to the risk profile of the customer and/or the relevant transaction following the risk assessment.

The outcome of the risk assessment should allow entities to dictate whether simplified, standard or enhanced CDD will apply, being the ‘updated CDD framework,’ as follows:

Insurance considerations

  1. Cyber Liability

Given the increased data collection requirements, we expect businesses to hold substantially more items of personally identifiable information and sensitive data (both financial and transaction oriented). This creates an additional exposure for many newly regulated entities. It is imperative that data is treated appropriately and, if not already in place, strong security controls, encryption standards, data classification and governance protocols are implemented to mitigate against the risk of a breach. While organisations may rely on third-party vendors, outsourced providers or RegTech platforms, ultimately, the responsibility for client data vests with the organisation. In situations where breaches and events do occur, a specifically tailored cyber liability insurance policy may be called upon in response to third-party liability claims for the same and additionally in respect of ‘first party’ losses sustained directly by the policyholder.

Further, Bellrock continues to observe that cyber security is increasingly recognised as a board-level governance risk rather than a purely operational function. This has materialised recently in actions led by two separate regulatory bodies, being ASIC vs FIIG Securities and the recent case of the Office of the Australian Information Commissioner, who initiated an investigation into Vinomofo Pty Ltd. Policyholders need to ensure that regulatory investigations arising from a breach are afforded cover under their cyber liability policies. Further, it is critical that directors fall within the definition of Insured under a cyber liability policy as we continue to observe strict cyber liability exclusions being applied to Directors’ & Officers’ policies.

  2. Directors’ & Officers’ Liability, Statutory Liability & Management Liability

As detailed above, failure to comply with the AML/CTF obligations carries the risk of regulatory inquiries and the imposition of civil fines/penalties for strict liability offences. Ultimately this may include allegations against natural persons and office holders for breaches of both their duties under the Corporations Act and the newly amended Section 26H of the AML/CTF Act.

Relevantly, coverage may be sought under directors & officers liability, statutory liability and/or management liability policies depending on the applicable circumstances and whether allegations have been made against the entity or its directors/officers. It is imperative that policyholders ensure that their policies (including the insuring clause within their management liability policy) incorporate an appropriate trigger for enquiries brought by AUSTRAC and/or ASIC.

  3. Professional Indemnity

We expect that there may also be some remedy available under professional indemnity policies which contain a regulatory investigation extension. These extension clauses typically only provide cover for investigations arising out of the performance, or failure to perform, professional services. Given the AML/CTF regime is inherently intended to be embedded within the delivery of professional services, it remains to be seen whether this interpretation will extend to insurance cover when failures, resulting in regulatory action, are considered by insurers and/or the courts.

Next steps

It is imperative that new reporting entities complete and review their AML/CTF Programs in anticipation of the rapidly approaching commencement date of 1 July 2026. Bellrock are working with partner legal firms to assist clients with the drafting, reviewing and updating of AML/CTF programs and policies. We continue to work with our clients to ensure that their insurance programmes are aligned with the AML/CTF reform and the newly emerging cyber and statutory liability exposures.

Please speak to a Bellrock advisor to ensure your business is adequately prepared.

[1] Australian Securities and Investments Commission v Bekier (Liability Judgment) [2026] FCA 196
