Regulatory analysis

AML Tranche 2: What AI Can and Cannot Do for Your New Program

From 1 July 2026, tens of thousands of lawyers, accountants, real estate agents and dealers in precious metals become AML regulated for the first time. AI can help them stand up a program fast. It cannot own the risk-based judgement AUSTRAC will hold them to.

Last reviewed: 23 June 2026 · monthly

GRC content. Written for compliance, risk, and audit professionals in Australian financial services. General information. Not legal or compliance advice.

Around 90,000 businesses are about to become AML regulated.

From 1 July 2026, Australia's anti-money laundering and counter-terrorism financing regime expands to cover a swathe of professions that have never had a reporting obligation in their lives. Lawyers, accountants, conveyancers, real estate agents and developers, and dealers in precious metals, stones and products all move inside the perimeter. AUSTRAC's own estimate puts the newly regulated population at roughly 80,000 to 90,000 businesses, pushing the total regulated count toward 100,000. The reforms for existing reporting entities already commenced on 31 March 2026. The new "tranche 2" designated services switch on from 1 July 2026, and newly regulated businesses must enrol with AUSTRAC by 29 July 2026.

For these firms, this is not a compliance refresh. It is a standing start. They have to build an AML/CTF program, appoint an AML compliance officer, conduct customer due diligence, monitor transactions and submit suspicious matter reports, in a matter of weeks. The temptation to reach for AI to do it quickly is obvious and, in places, correct. The risk is reaching for AI to do the parts that a regulator expects a person to own.

What actually changed

The reforms flow from the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which reshaped the regime in two ways that matter here. First, it modernised the obligations that already applied to banks, remitters and gaming operators, simplifying and consolidating the framework. Those changes landed on 31 March 2026. Second, and more consequentially, it extended the regime to "tranche 2" entities: the professional services and high-value-goods sectors that handle the transactions money launderers favour.

These are the businesses through which property is bought, companies are structured and value is stored. A conveyancer settles a house. An accountant sets up a trust. A real estate agent takes a deposit. A dealer sells a kilogram of gold. Each is a point where illicit funds can be cleaned, and each has, until now, sat outside AUSTRAC's reach. The reform closes that gap.

[Figure: timeline with three markers: 31 March 2026 (existing entities), 1 July 2026 (new services), 29 July 2026 (enrolment deadline)]
Three dates that define the runway. The last one is the hard stop.

The obligations that follow are familiar to anyone in financial services and entirely new to a suburban law firm. A reporting entity must develop and maintain an AML/CTF program built on a money laundering and terrorism financing risk assessment. It must carry out customer due diligence proportionate to that risk, keep records, monitor for unusual activity, report suspicious matters and threshold transactions, and submit to independent review. None of this is optional, and AUSTRAC has been explicit that enrolment is the start of the obligation, not the end of it.

What this means for GRC practitioners

Two audiences are reading this development differently, and both are right.

For GRC teams in established financial services, Tranche 2 is mostly a third-party and counterparty question. Your firm has run an AML program for years. The change is that the professional service providers you deal with, the law firms, the accountants, the agents handling property settlements, are now regulated entities with their own obligations. That alters the risk picture for shared customers and for any service you provide to those sectors. It is worth a deliberate look at where your customer base and your correspondent relationships now include freshly regulated, and predictably immature, AML programs.

For the newly regulated, the task is existential in compliance terms. A firm that has never thought about money laundering risk now has to demonstrate that it has, and to do so on a documented, defensible basis. The core artefact is the ML/TF risk assessment: a written analysis of how the business could be misused to launder money or finance terrorism, given its customers, services, delivery channels and jurisdictions. Everything else, the due diligence settings, the monitoring rules, the reporting thresholds, flows from that assessment. Get the risk assessment wrong and the whole program rests on sand.

This is where the pressure to move fast collides with the need to move well. A firm with a 29 July enrolment deadline and no prior compliance function will be tempted to generate a program from a template and move on. AUSTRAC has seen template programs before. A risk assessment that could have been written for any firm in the country is the clearest possible signal that no real assessment happened.

Where AI genuinely helps

AI earns its place in this work, provided it is pointed at the load-bearing administrative effort and not the judgement. There are four jobs where it is a strong fit.

Drafting the program scaffolding. A general-purpose AI model is good at producing the structure of an AML/CTF program: the sections, the headings, the policy language that has to be present, the procedural steps for customer due diligence and reporting. For a firm starting from nothing, this collapses days of formatting and boilerplate into hours, leaving the compliance officer to spend their time on the parts that are specific to the business.

Structuring the risk assessment. AI cannot decide how risky your firm is. It can interview you toward the answer. Used well, a model walks a practitioner through the risk factors AUSTRAC expects them to consider, prompts for the customer types, services, channels and geographies that drive exposure, and organises the responses into a coherent document. The judgement is the practitioner's. The drafting and the prompting are the machine's.

Tuning customer due diligence and monitoring. For firms with existing client and transaction data, AI is useful for clustering customers by risk characteristics, surfacing patterns a human would miss across thousands of records, and proposing where enhanced due diligence should apply. In established financial services, machine learning has long been used to reduce the false positives that drown transaction monitoring teams. The same logic helps a newly regulated firm avoid building a monitoring rulebook that either flags everything or nothing.

Drafting suspicious matter reports. When a practitioner has formed a suspicion, AI can help turn a messy set of facts into the clear, structured narrative a suspicious matter report requires, with the chronology in order and the grounds for suspicion stated plainly. The suspicion is the human's to form. The writing is something a model does well.

[Figure: left-to-right sequence of steps: risk assessment, customer due diligence, transaction monitoring, reporting, independent review, with AI assisting beneath each]
AI carries the load under each step. The reporting entity still owns the line.

Where AI must not own it

The risk-based approach that sits at the heart of the regime is a judgement, not an output. AUSTRAC does not want a program that a model produced and a partner signed without reading. It wants evidence that the reporting entity understood its own exposure and made deliberate choices about how to manage it. Three lines should not move to the machine.

The first is the suspicion itself. A suspicious matter report is triggered when a person forms a suspicion on reasonable grounds. That is a legal and professional judgement that carries weight and consequence. An AI model can surface anomalies and prompt a closer look, but the formation of suspicion, and the decision to report, belongs to the AML compliance officer. A model that auto-files reports, or that suppresses them, is a model making a reporting decision the law assigns to a person.

The second is the calibration of risk appetite. Deciding that a particular customer type is high risk, or that a service line warrants enhanced due diligence, is a decision the firm must be able to explain. If the only explanation is that the model recommended it, the firm has outsourced the very thing the regulator is testing.

The third is accountability. The obligation rests on the reporting entity and, specifically, on its governing body and AML compliance officer. No AI deployment shifts that. If a program fails because a model hallucinated a control or a monitoring rule quietly stopped working, the consequence lands on the firm, not the vendor. That asymmetry should shape how much trust a firm is willing to place in an automated step that it cannot fully see.

There is also a confidentiality dimension specific to the newly regulated professions. Lawyers and accountants hold privileged and sensitive client information. Feeding client matter detail into a general consumer AI tool to "speed up" due diligence can breach confidentiality and professional obligations long before it breaches the AML rules. Any AI used in this work has to be one the firm has approved, with data handling it can stand behind.

[Figure: two halves labelled organise and decide: on the left, scattered documents being organised by a machine; on the right, a single hand forming a judgement]
AI organises the file. A person owns the suspicion, the risk appetite and the report.

The practical sequence

For a newly regulated firm, the order of work matters more than the speed. Build the ML/TF risk assessment first, with a person doing the thinking and AI doing the structuring and drafting. Let that assessment drive the program, not the other way around. Use AI to scaffold the policies and procedures, then edit them down to what is true for the business. Where client and transaction data exists, use AI to inform the calibration of due diligence and monitoring, but record why the settings landed where they did. Keep the risk assessment, the calibration reasoning and the program version history as a governance record, because that record is what a defensible position looks like when AUSTRAC asks how the firm decided.

The firms that struggle will be the ones that treat 29 July as a documentation deadline and generate a program to clear it. The firms that come through well will treat it as the moment they had to understand their own exposure to financial crime, and will use AI to carry the weight of building the program once the thinking is done.

Context callout. Australia is not inventing this. The Financial Action Task Force, the global standard setter on financial crime, recommended regulating these professions, the lawyers, accountants, real estate agents and dealers in high-value goods, back in 2003. Most FATF members acted years ago. Australia has been one of the last holdouts, and that gap has drawn repeated criticism in mutual evaluation reviews. Tranche 2 is the country closing a long-standing hole in its defences, not a regulator inventing a novel burden. Reading it as overdue alignment with a standard the rest of the developed world adopted two decades ago sets the right expectation: AUSTRAC is not going to accept that this is unfamiliar territory for very long.

The discipline the reforms reward

The honest value in this moment is not the program document. It is the discipline the reforms force a firm to build, and that discipline happens to be the same one good AI governance demands.

A defensible AML/CTF program is, at its core, a documented chain of reasoning: here is how our business could be misused, here is how risky we judge each part of it to be, here is what we do about it, and here is why those controls are calibrated the way they are. That is precisely the artefact that disciplined AI deployment also produces. A firm that can explain why its transaction monitoring threshold sits where it does is a firm that can explain why its AI model is configured the way it is. The habit of writing down the reasoning, rather than trusting the output, transfers directly.

This is why the worst move is to bolt an AI tool onto an immature program and hope the tool supplies the rigour. It will not. A model that recommends a risk rating without the firm understanding why produces a program that fails the first time it is tested, because the firm cannot defend a judgement it never made. Build the judgement first. Document the reasoning. Then let AI carry the load of drafting, organising and monitoring underneath a structure the firm actually owns. The reforms are an opportunity disguised as a deadline. Treated narrowly, they produce a program nobody believes. Treated well, they build the muscle a firm needs for every AI decision that comes after.

Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from AUSTRAC, the OAIC, or the relevant regulatory authority.


Context

Australia is closing a gap that has sat open for two decades. The Financial Action Task Force first recommended regulating these professions in 2003, and Australia has been one of the last major members to act. Tranche 2 is less a new idea than an overdue alignment with a global standard the rest of the world adopted years ago.

AI angle

The reforms demand a documented, risk-based program. That is exactly the discipline AI deployment in financial crime already needs: a written rationale for why a control is calibrated the way it is. The newly regulated should not bolt AI onto an immature program. They should build the judgement first and let AI carry the load underneath it.
