
The AML/CTF Rule Most Firms Break First: Do the Checks Before You Act

Under Tranche 2, the trip wire is not whether you do customer due diligence, it is when. From 1 July 2026 you have to identify and verify a new client before you provide the service, not after the deal is moving. Here is the timing rule in plain terms, the narrow exceptions, what initial CDD actually includes, and how to build a 'no service before checks' gate into your workflow with 9 days to go.

2026-06-22 · AML Mate Team

Most firms preparing for Tranche 2 already know they have to do customer due diligence. The part that catches people out is not the what, it is the when. The reformed AML/CTF rules are specific about timing, and the timing is where the everyday breach happens: the matter is already moving, the client is mid-transaction, and the identity checks are still sitting in someone's "I'll get to it" pile.

From 1 July 2026, the default is simple to say and easy to get wrong in practice. You complete initial customer due diligence before you provide a designated service, not after. (AUSTRAC, customer due diligence) If you are an accountant setting up a company structure, a conveyancer opening a file, or an agent taking on a vendor, the checks come first.

The timing rule, in plain terms

A "designated service" is the specific activity that brings you into the regime: managing client money, conveyancing, forming companies or trusts, buying or selling real estate, dealing in high-value goods over the cash threshold, and so on. The rule attaches to that moment. Before you start providing the service to a new customer, you need to have identified them and verified that they are who they say they are.

The reason the regulator draws the line there is straightforward. Identity checks are only useful if they happen while you can still walk away. Run them after you have acted and they stop being a control. They become a record of a risk you already took.

So the practical test for any new client from 1 July is one question: have the checks been completed before the first designated service is provided? If the honest answer is "we usually catch up later", that is the gap to close this week.

The narrow exceptions, and why not to lean on them

The rules do allow initial CDD to be completed while you begin providing the service in limited circumstances, broadly where the money laundering and terrorism financing risk is low and delaying would interrupt normal business. (AUSTRAC, about the reforms) This is a genuine allowance, not a loophole. It exists for the legitimate case where stopping everything to finish verification would be unreasonable and the risk is plainly low.

Two cautions. First, it is an exception sized to low risk, so it cannot become your standard process for every client. Second, you have to be able to show why a given matter qualified. A blanket "we always verify later" is exactly the most-but-not-all finding that small firms get pulled up on. Treat the before-you-act rule as the norm and the exception as the rare, documented departure.

What "initial CDD" actually includes

CDD is more than collecting a driver licence. For a new customer, initial due diligence generally covers:

  • Identify and verify the customer. Full name, date of birth, address, then verification from reliable, independent sources.
  • Beneficial ownership. For a company or trust, work out who really owns or controls it, and verify those individuals. This is where launderers hide, so it is where the regime looks hardest. (Beneficial ownership and UBO verification)
  • Nature and purpose. Understand what the client is actually engaging you to do, so an unusual request later stands out.
  • Screening. Check the customer and beneficial owners against sanctions lists and for politically exposed person status, and apply enhanced checks where they hit.
  • Risk rating. Assign a money laundering and terrorism financing risk to the customer, because that rating drives how much further work you do.

None of this requires an enterprise system. It does require that the steps happen in the right order, the same way, every time, and that you keep the record.

The one that surprises people: existing clients

If the before-you-act rule applied to every client you already have, the first week of July would be unworkable. It does not. For customers you were already providing services to before the regime starts, there is a transitional pathway: you carry the relationship forward and complete initial CDD over a longer transition window, rather than re-papering everyone on day one. (AUSTRAC, about the reforms)

The important exception to the exception: if something triggers, the clock changes. A suspicion, a material change in the client or the work, or a new higher-risk matter pulls that customer back into "verify now" territory. So the transition buys you breathing room on your back book, not a permanent pass. New clients from 1 July get the full before-you-act treatment from the start.

Build the gate into your workflow, not your memory

The firms that stay compliant here do not rely on someone remembering. They put a hard step in the process: no designated service is provided until the client's CDD is marked complete. In a small practice that can be one rule everyone follows. In a busier one it is a status on the file that has to be green before work starts.

That is the difference between a policy that reads well and a control that actually fires. The reformed Act expects ongoing CDD too, so the checks are not a one-time gate. You keep monitoring the relationship and refresh when risk changes. But the single highest-value habit you can build before 1 July is the simplest one: checks first, service second.

Where AML Mate fits

This is the rhythm AML Mate is built around. Each client gets an identity and verification record, beneficial ownership capture, PEP and sanctions screening, and a risk rating, with a clear status you can see before any work starts. The point is not more admin. It is that the before-you-act step is in front of you on every new client instead of living in someone's memory. (What "a program in place" actually requires)

With 9 days until obligations start, this is the most worthwhile thing to get right, because it is the one you will use on literally every new client. Get the order fixed now: the checks, then the work.


This article is based on AUSTRAC's publicly available guidance. It does not constitute legal or compliance advice. Consult a licensed compliance professional for complex situations.
