On 8 May 2026, AUSTRAC launched two targeted supervisory campaigns into Australia's virtual assets sector. Most Tranche 2 firms will file it under "crypto news" and move on. That is the wrong filing. Strip away the digital-asset subject matter and what you are looking at is a working demonstration of how AUSTRAC supervises a freshly regulated sector at the exact moment its obligations take effect. The crypto sector entered the reformed AML/CTF regime on 31 March 2026. Tranche 2 enters on 1 July 2026. You are watching, in real time, a dress rehearsal for what happens to your own sector eight weeks from now. (Decrypt coverage)
What AUSTRAC Actually Did
The agency did not announce penalties. It announced campaigns. That distinction is the whole point.
The first is the "ramps and rails" campaign, in which AUSTRAC is engaging directly with 36 over-the-counter operators that convert cryptocurrency to cash and back. These are the on-ramps and off-ramps where value crosses between the crypto world and the banking system, and they are precisely the chokepoints money laundering depends on.
The second is a campaign across 27 local crypto exchanges, focused on assessing their readiness for the reformed regime and reviewing their governance arrangements. Note the verbs: assessing readiness, reviewing governance. Not "auditing past breaches." Not "responding to a complaint." AUSTRAC selected a cohort of 63 businesses and went looking, before anything went wrong, to see whether they were actually ready to operate under the new rules.
AUSTRAC CEO Brendan Thomas summarised the intent plainly: AUSTRAC is "checking how well crypto businesses in Australia are managing money-laundering risks, ahead of major new laws coming into force." On the rebrand of digital currency exchanges into virtual asset service providers, he was blunt that the reform "is more than a name change." The reforms took the sector from one definition to a much broader one, brought custody and brokerage services into scope, and set the value-transfer "travel rule" to become mandatory from 1 July 2026.
Why a Crypto Campaign Is a Tranche 2 Preview
Here is the connection that matters for the roughly 90,000 lawyers, accountants, conveyancers, real estate agents and dealers in precious metals coming into the regime on 1 July.
Both sectors are travelling the same road, a few months apart. The virtual assets sector's expanded obligations commenced 31 March 2026. Within six weeks, AUSTRAC had not sent a friendly newsletter; it had stood up two structured supervisory campaigns and started knocking on doors. Tranche 2's obligations commence 1 July 2026. There is no reason to assume the regulator's instinct will be different for your sector. It is the same regulator, the same chief executive, the same reformed Act, and demonstrably the same supervisory reflex: pick a cohort, assess readiness, review governance, do it early.
That reflex tells you three things about how you are likely to be supervised, and none of them match the comfortable assumption that a small professional firm will fly under the radar until 2027.
Three Things the Campaigns Reveal About AUSTRAC's Method
Supervision is proactive and cohort-based, not complaint-driven. AUSTRAC did not wait for a suspicious transaction to surface or a whistleblower to call. It chose 36 here and 27 there and engaged them directly. For Tranche 2, the practical implication is that "no one has complained about us" is not a safety position. The regulator builds its own list and works through it. A mid-sized suburban accounting practice or a busy conveyancing firm is exactly the kind of entity that appears on a readiness-focused cohort list, because cohorts are built from "who is newly in scope," not "who has already failed."
Governance is a first-order target, not a footnote. One whole campaign is explicitly about reviewing governance arrangements. In a small firm, "governance" sounds like a big-business word, but AUSTRAC means something concrete and answerable: who is your AML/CTF compliance officer, what authority do they actually have, who signed off your program, how does the business oversee it, and can you show that oversight happening rather than just asserting it. A program document sitting in a shared drive that no named person owns and no one reviews is a governance finding waiting to be written. (What a Part A to F program actually contains)
"Readiness" is itself the test. The second campaign assesses readiness for the reformed regime. Sit with that. Being unprepared is not a neutral state you occupy quietly while you catch up. In a readiness campaign, unpreparedness is the finding. If AUSTRAC ran a readiness assessment on your firm on 2 July 2026, the day after obligations begin, "we are still working on our program" is not an answer that helps you. It is the answer the campaign is designed to surface. (Are you actually business-ready? A self-assessment)
The Honest Question to Ask Your Own Firm
Run the crypto playbook against your own practice and answer plainly. If an AUSTRAC officer engaged you in week one of July as part of a Tranche 2 readiness campaign, what would they find?
Would they find a named compliance officer with real authority, or a job title quietly assigned to whoever was in the room? Would they find an AML/CTF program mapped to the specific designated services you actually provide, or a generic template downloaded and never tailored? Would they find evidence of governance, a sign-off, a review schedule, a record of the business overseeing its own program, or would "governance" be a word with nothing behind it? Would they find that you are ready, or that you are still intending to be?
This is the same standard visible across AUSTRAC's recent enforcement arc. The Tabcorp investigation centred on program design, program execution, and customer monitoring. (What the Tabcorp investigation teaches Tranche 2) The payments-sector audit notice found monitoring that was "not attuned to the full range of risks." (What the MHITS audit notice means) The virtual assets campaigns add the front end of that same story: AUSTRAC checks readiness and governance early, and it does so by campaign. The thread running through all of it is that the regulator works proactively from "who should be ready" toward "show me that you are."
The Practical Read With Eight Weeks To Go
You cannot retrofit readiness in the first week of July if you start in the first week of July. The crypto sector had its obligations switch on at the end of March and was being supervised by early May. Apply the same compression to your own timeline and the message is uncomfortable but clear: the work that makes you defensible in a readiness campaign has to be done before 1 July, not started after it.
Concretely, that means three things in scope before the deadline. A compliance officer who is named, who knows they hold the role, and who has the authority to act. An AML/CTF program that is mapped to your actual designated services rather than a generic template, with a Part A risk assessment that reflects your real client base. And visible governance: a sign-off, a review cadence, and a record that the business is overseeing the program, not just storing it. (What enrolment and program readiness involve)
Where AML Mate Fits
AML Mate is built to produce exactly what a readiness campaign looks for: a compliance plan and Part A to F program mapped to the designated services you actually provide, a named compliance officer structure, and a documented review trail that demonstrates governance rather than asserting it. The free compliance check at /check gives you a five-minute read on where a readiness review would find gaps, while there is still time to close them before 1 July 2026. The crypto sector did not get a quiet first quarter. There is no reason to plan as though yours will.
