AUSTRAC's message this month was aimed at non-bank lenders, but the warning buried inside it applies to every business new to Tranche 2. And it is not the kind of warning you would expect.
Speaking at the AFIA Risk Summit on 6 July 2026, AUSTRAC CEO Brendan Thomas noted that suspicious matter reporting from the non-bank lending sector has gone up. Reports rose from around 8,500 to nearly 9,500 over the year, roughly a 12% increase, and the number of businesses actually lodging reports climbed more than 20%. On the surface that reads as good news: more firms taking their obligations seriously after AUSTRAC's earlier campaign found controls were poor and reporting was low.
But the part worth sitting with is the flip side. Plenty of businesses in the sector still file nothing at all. And AUSTRAC is no longer treating a blank reporting record as a sign that a business is clean. It is treating it as a question that needs answering.
The question that should worry you
Here is the question AUSTRAC is now asking, in effect: how does a business of real size, with a genuine mix of clients and money moving through it, go year after year without ever identifying a single suspicious matter?
For a lot of firms new to the regime, the honest answer is not "because nothing suspicious ever happened." It is "because we were not really looking." And that is exactly the gap a regulator can see from the outside without setting foot in your office.
This is the reframe every Tranche 2 accountant, lawyer, conveyancer, and agent needs to absorb: zero suspicious matter reports is not a gold star. In 2026 it is increasingly a flag. The instinct that "we have never had anything dodgy, so we have nothing to report" is precisely the posture that now draws a second look.
Why newly regulated firms are exposed here
Non-bank lenders got this message because AUSTRAC studied them and found under-reporting. Tranche 2 firms are walking into the regime with no reporting history at all, which is a blank page that cuts both ways.
The threat is real, not theoretical. AUSTRAC described increasingly professionalised laundering networks that buy criminal proceeds from other syndicates and move them through multiple products and jurisdictions, and a rise in insider-enabled activity where staff or contractors help bypass controls. The everyday touchpoints of a professional practice are attractive to exactly this kind of network:
- A conveyancing or property settlement with funds arriving from a third party who has no obvious connection to the buyer.
- A trust or company structure set up quickly with a nominee director and an unclear source of funds.
- A high-value goods sale settled in unusual ways, or unusual early repayments and third-party repayments on a loan dressed up as ordinary cash flow.
None of these are exotic. They are the normal shape of a week's work, and any one of them can be the point where criminal money enters the system. If your process never surfaces them, the problem is the process.
The reverse-check AUSTRAC can run without visiting you
The mechanism to understand is what we would call the reverse-check, because AUSTRAC can do it from your data alone.
Your AML/CTF program contains a risk assessment that says something about your clients: that some are medium or higher risk, that certain services or jurisdictions raise your exposure. Your program also sets out the transaction monitoring rules that are meant to catch problems. Then there is your actual reporting: how many suspicious matter reports you have lodged.
When those three things do not line up, the inconsistency is the flag. A risk assessment that acknowledges higher-risk clients, paired with monitoring rules on paper, paired with zero reports ever filed, tells a regulator that either your risk assessment is wrong or your monitoring is not really running. A business that has genuinely never had a reportable suspicion is possible. A busy one that claims it, with higher-risk clients on its own books, invites the question.
What to actually do this week
You do not fix this by filing reports you do not believe in. Over-reporting to look busy is its own failure. You fix it by making sure your process would actually catch something if it were there.
- Check that monitoring covers the risky moments, not just onboarding. Identity at the start is not enough. The suspicious signal usually shows up in the transaction: the third-party payment, the unusual early repayment, the money that circles in and out through several accounts.
- Watch third-party and unrelated-party funds. Money arriving from, or going to, someone with no clear relationship to your client is one of the most common and most missed indicators.
- Reverse-check your own quiet lines. Take a part of your business that does real volume but has produced no reports, and ask honestly whether that is because it is genuinely low-risk or because nobody is looking at it.
- Line up the three documents. Put your risk assessment, your monitoring rules, and your actual reporting side by side. If your own risk assessment describes exposure that your reporting has never reflected, close that gap before AUSTRAC asks you to explain it.
And remember the mechanics when you do find something: an SMR is filed on reasonable suspicion, not certainty, and tipping-off rules mean you must not tell the client you have reported them.
The takeaway
Filing a suspicious matter report is not an admission that you did something wrong. Under-reporting is the risk. The lesson AUSTRAC handed the non-bank lending sector is the one every Tranche 2 firm should take before its first audit cycle: a spotless record of zero reports is not evidence that your controls work. It might be evidence that they are not switched on.
AML Mate builds transaction monitoring, PEP and sanctions screening, and guided SMR and TTR reporting into the same workspace as your program and client records, so the gap between your risk assessment and your actual reporting does not open up in the first place. Run a free compliance check to see where your firm stands, or view pricing to get set up today.
Source: AUSTRAC, CEO Speech: AFIA Risk Summit, Brendan Thomas, 6 July 2026.
