A Law Firm's Guide to Tranche 2 AML/CTF Obligations in 2026

This is an IT operator’s perspective on the systems and software Australian law firms are using to meet AUSTRAC’s Tranche 2 AML/CTF regime. It isn’t legal advice or a compliance opinion. Whether any particular control satisfies your obligations is your compliance officer’s or AML advisor’s call. We implement the technical stack. They sign off on whether it clears the bar.

From 1 July 2026, the partner who signed off on the firm’s last trust-account reconciliation is also the one on the hook if the firm’s AML systems can’t stand up to an AUSTRAC audit. The systems most firms have in place right now would not. AUSTRAC has been explicit that failure to manage money-laundering and terrorism-financing risk remains a serious regulatory matter, and that civil penalty proceedings and registration cancellations are on the table for firms that don’t meet the obligations in 2026.

Tranche 2 is the biggest compliance shift the Australian legal profession has faced in a decade. It runs parallel to the Legal Profession rules, not inside them. The technical work underneath is largely an IT project, and the firms starting that work in early 2026 will be fine. The firms waiting until May will not.

What does Tranche 2 require from law firms?

Tranche 2 brings lawyers and conveyancers providing “designated services” into the AML/CTF regime as reporting entities. That makes AML-style obligations a matter of federal law for the firm, on top of its existing legal profession rules. The designated services that trigger capture include real estate conveyancing, the creation or administration of trusts, buying and selling of business entities, and the handling of client funds in a trust account for specific purposes.

Once captured, the firm must enrol with AUSTRAC, nominate a compliance officer, write a tailored AML/CTF programme, identify and verify clients, monitor transactions, report suspicious matters and threshold transactions, and retain records for seven years. None of that is light-touch. It’s closer to the regime that banks already operate.

The firms that need to pay the closest attention are mid-size practices with a conveyancing or trust-heavy workload. A criminal-only firm with no trust work and no conveyancing is probably outside Tranche 2’s scope. A twelve-seat practice doing a hundred conveyancing settlements a year is squarely inside it.

What systems does the regime actually demand?

Identity verification at onboarding, ongoing transaction monitoring, suspicious-matter reporting pipelines to AUSTRAC’s portal, immutable record retention for seven years, and the ability to produce evidence of all of it when an auditor asks. Five technical building blocks, most firms have one or two of them already.

The systems can be broken down roughly like this. Customer due diligence: the firm needs a reliable way to verify who the client actually is and, for higher-risk matters, who ultimately controls the client entity. Beneficial-ownership checking sits here, as does politically-exposed-person (PEP) and sanctions screening. Ongoing monitoring: the firm needs to detect unusual patterns across the life of a matter, not just at onboarding. Reporting: the firm needs the plumbing to send suspicious-matter reports (SMRs) and threshold transaction reports (TTRs) into AUSTRAC’s systems. Record retention: every piece of evidence has to survive for seven years in a form that’s accessible and tamper-resistant. And control evidence: the firm needs to be able to show an auditor that each of the above actually operated, not just that it was written down.

Which of those will most firms already have?

Record retention and access control are typically two-thirds solved on day one if the firm has a halfway-decent Microsoft 365 setup. The other three components are usually missing entirely.

A well-configured Microsoft 365 tenant with retention labels, data loss prevention policies, conditional access and auditing on the E5 security add-ons covers long-term retention, access control, and much of the audit-trail generation. Firms that have been using these capabilities to satisfy other regulators (privacy, cyber insurance, larger corporate clients) will find their existing investment carries a lot of Tranche 2’s weight.

What almost nobody we assess has in place is identity verification against a document-level authoritative source, transaction monitoring tuned to the firm’s actual client base, and a reporting integration with AUSTRAC’s portal. These are the new builds.

When does AUSTRAC’s Tranche 2 start?

Enrolment opens on 31 March 2026. Firms must have enrolled with AUSTRAC and notified their compliance officer by 29 July 2026. The full AML/CTF programme and operational obligations start on 1 July 2026. Those three dates govern 2026 planning.

Working backwards from 1 July 2026, a firm that wants to be comfortably operational on commencement day should aim to have its AML/CTF programme document written, its compliance officer trained, its identity-verification workflow tested, and its record-retention labels applied across the Microsoft 365 tenant by mid-May 2026. That leaves a six-week buffer for the inevitable bugs, vendor delays, and edge cases that appear once real clients start moving through the new workflow.

Is the Tranche 2 rollout staged for smaller firms?

No meaningful staging by firm size has been announced. The obligations apply from 1 July 2026 regardless of headcount. AUSTRAC’s transitional rules provide minor technical carve-outs during the commencement window, but the core programme obligation does not wait on firm size.

That is a genuine challenge for smaller practices. A ten-seat firm with conveyancing work has the same AML/CTF programme obligation as a hundred-seat firm with the same work. The implementation choices available to a smaller firm are narrower (fewer options for bespoke builds, less bandwidth to operate a sophisticated stack), but the regime does not grant a grace period based on that.

What software is worth shortlisting for Tranche 2?

Three shortlist patterns are working for mid-size Australian firms. An integrated purpose-built AML platform (First AML, Kyckr, NameScan) that handles identity verification, PEP and sanctions screening, ongoing monitoring, and SMR filing from a single interface. A layered stack built on your existing identity and document-management systems, with identity-verification bolted in as a dedicated service. Or a tight bolt-on for firms whose practice-management software already ships an AML module (some Affinity, LEAP and Smokeball plugins now exist, with varying maturity).

The choice depends on how much conveyancing and trust work the firm actually does. A firm with hundreds of high-risk matters a year will stretch the bolt-ons quickly and benefit from the integrated platform. A firm with thirty matters a year won’t get value out of a six-figure platform licence and should layer a point-solution identity-verification service into the existing environment.

Two caveats on the platform market. First, it’s a young market in Australia for Tranche 2 specifically. Vendors are still stabilising their offerings, and a vendor’s track record with banks or AFS licensees doesn’t automatically translate to legal practice workflows. Second, practice-management AML modules vary widely in quality. Run a real matter through any module you’re considering before signing.

Off-the-shelf versus custom build

Custom-built AML systems have essentially no case for a law firm of any size. The regulatory bar is high, the compliance risk of getting it wrong is high, and the market has competent off-the-shelf options. The only reason to consider bespoke is if the firm has extreme volume and a workflow that no vendor supports, which is vanishingly rare in Australian legal practice.

What is realistic is picking an off-the-shelf platform and integrating it properly into the firm’s practice management, document management, and identity systems. That integration work is where CCP spends most of its time on an AML engagement.

Microsoft 365 licensing implications

If the firm’s AML/CTF programme relies on Microsoft 365 for record retention, audit logging, and data-loss prevention (most do), the firm needs the right licence tier. Microsoft 365 Business Premium covers retention labels and basic DLP. Microsoft 365 E3 plus the E5 Security add-on, or full E5, covers the advanced auditing, eDiscovery, and conditional-access features auditors increasingly ask about. Firms on Business Standard will struggle to produce the evidence Tranche 2 implies.

The licence step-up is not trivial. Business Premium to E3 plus E5 Security is roughly double the per-seat cost. It’s a real input into the Tranche 2 budget and should be modelled before committing to the overall programme shape.

What does Tranche 2 cost a mid-size firm to implement?

For a 20-to-100-seat Australian firm, our current view is a one-off implementation spend in the 25,000 to 80,000 Australian-dollar range depending on platform choice, plus an ongoing licensing cost in the 12,000 to 40,000 dollar range per year for the AML platform and any licence step-ups. These numbers are estimates and move with vendor pricing, not formal quotes.

The one-off spend covers the AML/CTF programme document, compliance-officer training, platform selection and procurement, integration into the existing identity and document-management systems, workflow design for client onboarding, and staff training. A firm with an existing well-managed Microsoft 365 tenant and competent practice-management configuration will sit at the lower end. A firm that needs to simultaneously fix baseline IT hygiene will sit at the higher end, and the Tranche 2 programme becomes a forcing function for long-overdue work.

Ongoing versus one-off

The ongoing cost is the one firms under-estimate. A Tranche 2-captured firm is not buying a project; it’s acquiring a compliance function. That function runs monthly for the life of the firm. Compliance-officer time, quarterly programme review, annual independent review in some configurations, software licensing, and the long tail of minor matters like a new hire training or a new office opening all attract ongoing effort.

Budget for the Tranche 2 programme to cost more in its second year than in its first, once the annual-review and training cycles reach full operation.

What this means for the managing partner

It means the programme needs an owner inside the firm’s leadership, and that owner needs time to own it. A designated compliance officer is a legal requirement, but a compliance officer without managing-partner backing is a compliance officer who can’t get decisions made when they need to be. The programme shape depends on partner-level choices about risk appetite, client acceptance policy, and how much money the firm will spend on technology to operate it.

The practical version of that backing is three things. First, a recurring partnership agenda item on AML/CTF status for the first twelve months after commencement. Second, authority for the compliance officer to refuse or escalate client onboarding when the risk picture warrants it (the “conveyancing referral that’s too good to be true” situation). Third, a willingness to pay for the technology properly rather than trying to stretch practice-management modules beyond their real capability.

What CCP does about Tranche 2 for law firms

We don’t write AML/CTF programme documents. We set up the systems the programme runs on, and we keep them running.

For a law firm client preparing for Tranche 2, our involvement typically breaks into three streams. The first is the Microsoft 365 and identity work: retention labels, conditional access, audit logging, and the licensing uplift where needed. This is often the fastest-moving stream because most of the configuration is vendor-supported and well understood. The second is AML platform selection and integration: shortlisting the two or three platforms that fit the firm’s workload, running proofs of concept against real matter data, and integrating the chosen platform into the practice-management system so staff don’t have to context-switch between five screens for every onboarding. The third is the evidence layer: making sure every control the programme claims to have produces audit-grade evidence that AUSTRAC can see if they ask. This is the part firms under-invest in and then scramble for at audit time.

The AML/CTF programme document itself, the legal interpretation of which matters fall under Tranche 2’s scope, and the risk-assessment methodology that underpins the programme remain with the firm’s legal and compliance advisors. Our boundary is explicit. We handle the machinery. They handle the interpretation.

The firms we’re seeing start this work in April and May 2026 are going to be comfortable by 1 July. The firms starting in June will ship something that functions. The firms starting in July will be apologising to AUSTRAC inside six months.

Primary sources

• AML/CTF transitional rules update, AUSTRAC’s rolling guidance page for Tranche 2 reforms. Accessed 21 April 2026.
• AML/CTF transitional rules 2026, the formal transitional rules registered for 2026 commencement. Accessed 21 April 2026.
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), as amended, available via Federal Register of Legislation.