Since 1 July 2026, if your practice provides a designated service, you are a reporting entity under AUSTRAC's Tranche 2 reforms. In the weeks since, a lot of accountants and lawyers have been told a reassuring thing by a software vendor or a colleague: your practice-management tool now runs an identity check, so the AML side is handled.
It is worth being precise here, because the gap between "we verify client identity" and "we are AML/CTF compliant" is where firms get exposed. An identity check is real and useful. It is also one part of one obligation out of six.
What an identity check actually is
When you verify a client's identity, you are confirming that the person is who they say they are. Done electronically, that usually means checking an identity document and, in stronger versions, matching a live photo to it or checking the details against a data source. It is a genuine control and you do need it.
But identity verification sits inside a larger obligation called customer due diligence (CDD), and CDD itself is one of several things AUSTRAC expects a reporting entity to have. Confirming who someone is does not, on its own, tell you whether the money laundering or terrorism financing risk they present has been assessed, mitigated, monitored, reported and documented. That is the rest of the regime.
The six obligations, in plain terms
From 1 July 2026, a Tranche 2 reporting entity must have all of the following in place. An identity check touches one of them.
-
Enrol with AUSTRAC. You must enrol via AUSTRAC Online, and for most Tranche 2 firms the deadline is 29 July 2026. (AUSTRAC, summary of obligations for Tranche 2 entities)
-
Have an AML/CTF program. A written program tailored to your business: a risk assessment identifying the money laundering and terrorism financing risks specific to your practice, the policies and controls that mitigate them, governance and oversight, and a named AML/CTF compliance officer. This is the document AUSTRAC will ask to see. An ID tool does not produce it.
-
Conduct customer due diligence. Initial CDD before you provide a designated service, ongoing CDD through the relationship, and enhanced due diligence when the risk is higher (for example a politically exposed person or a complex ownership structure). Identity verification is the first step of initial CDD. It is not the whole of CDD, and it is not the ongoing part.
-
Screen and monitor. Checking clients against sanctions and politically exposed person lists, and monitoring for activity that does not fit the client's profile. Lists change, so this is not a one-off at onboarding.
-
Report to AUSTRAC. Suspicious matter reports when you have reasonable grounds to suspect, threshold transaction reports for cash of AUD 10,000 or more, and an annual compliance report. These have statutory timeframes and specific formats.
-
Keep records for seven years. Records of your program, your CDD, your transactions, your staff training and any audit results, retained and retrievable.
An identity check helps with part of number three. Numbers one, two, four, five and six are still yours to build.
Why "my software already does AML" is a risk, not a comfort
The reassurance is easy to accept because it sounds like the problem is solved. The exposure is that AUSTRAC does not audit your receipts for identity checks. It audits your program. If a regulator asks to see how you assessed your risks, what your policies are, who your compliance officer is, how you monitor and report, and how you keep records, an identity verification tool has no answer to any of those questions.
A few honest distinctions worth holding onto:
- Verifying identity is not assessing risk. Knowing who a client is does not tell you how risky they are. The risk assessment is a separate, written judgment about your business and each client.
- A one-off check is not ongoing due diligence. Sanctions and PEP lists move. A client's circumstances change. The regime expects monitoring, not a single snapshot at onboarding.
- Document preparation is not compliance. Software that sets up companies or trusts, or that adds an ID check to that workflow, is not the same as a compliance program. It is a useful tool sitting next to an obligation, not the obligation itself.
- The responsibility stays with you. Whatever tool you use, the reporting entity is accountable. No vendor's identity check transfers your AML/CTF obligation off your desk.
What to actually check this week
If you have been told you are covered, a short test tells you whether that is true. Can you, today, put your hands on:
- A written AML/CTF program with a risk assessment for your practice?
- The name of your appointed AML/CTF compliance officer?
- A record that you are enrolled with AUSTRAC, or a plan to enrol before 29 July 2026?
- A process for suspicious matter and threshold transaction reporting?
- Seven-year record keeping for all of the above?
If the answer to most of those is no, an identity check has not made you compliant. That is not a criticism of the tool. It is the difference between one control and a program.
The straightforward version
Identity verification is necessary and you should do it well. It is not sufficient, and no one selling it as "AML sorted" is doing you a favour. Tranche 2 asks for a program, not a product feature. The good news is that the program is buildable, and far faster than most firms fear once the pieces are laid out in order.
AML Mate builds the whole of it, not one slice: a tailored AML/CTF program and risk assessment, client CDD and screening, AUSTRAC report drafting, staff training and seven-year records, with your identity verification included rather than sold as the finish line. If you have been told an ID check has you covered, it is worth seeing what the other five obligations actually look like before 29 July.
