Building an AML compliance platform for Tranche 2? Start with the right infrastructure.

From 1 July 2026, roughly 80,000 Australian professional service firms, accountants, lawyers, real estate agents, conveyancers, and trust and company service providers, become reporting entities under AUSTRAC for the first time. They need AML programs, CDD workflows, ongoing screening, and audit trails. Most of them have none of it.

That's an enormous market. And it's already producing a wave of new compliance products: practice management tools with AML built in, standalone Tranche 2 workflow platforms, advisory firms building tech-enabled service offerings. If you're in that category, you already know the product question that matters most isn't the UX or the workflow design. It's what's running underneath.

Specifically: where does your identity verification come from? Your KYB data? Your PEP and sanctions screening? Your adverse media? And how does all of it hold up when an AUSTRAC reviewer asks your client to produce their audit trail?

These are the questions The Access Group answered before they built EngageAML.

Why platform builders don't build their own data layer

The temptation when you're building a compliance product is to go direct to data providers. Contract an identity verification vendor, a business registry provider, a sanctions list provider. Own the relationships, control the costs.

In practice, that approach has a ceiling. Each provider covers part of the picture. A strong KYC vendor for Australian individuals won't necessarily have the KYB depth you need for company structures, beneficial ownership, and source-of-funds checks. Your sanctions screening provider covers DFAT but not the full range of global watchlists your higher-risk clients require. And ongoing monitoring, the continuous, timestamped, audit-trailed alerting that AUSTRAC expects, is a different product category again.

So you end up with four or five contracts, four or five integrations, and four or five audit trails you have to reconcile when something goes wrong. Your engineering team is maintaining vendor APIs instead of building product. And when one of your clients gets a call from AUSTRAC, you're piecing together evidence from half a dozen systems.

Most serious platform builders reach the same conclusion at some point: the data layer is not where you want to compete. It's where you want coverage.

When AUSTRAC calls, your audit trail is everything

Think about what a regulatory review actually looks like for one of your clients. AUSTRAC asks an accounting firm to demonstrate that their CDD workflow is risk-based, that their monitoring is ongoing rather than point-in-time, and that their screening is current. The firm turns to your platform.

If your data layer is fragmented across multiple providers, that demonstration gets complicated fast. The KYC check happened in one system. The sanctions screening happened in another. The adverse media result came from a third. None of them share a timestamp format. None of them connect to the same case file. Producing a coherent record of what was checked, when, by whom, and what decision was made, takes manual effort your client doesn't have and introduces exactly the kind of gaps that attract further scrutiny.

When your platform runs on FrankieOne, every check, every alert, every decision sits in a single, coherent audit trail. Your client can produce it on demand. It's timestamped, it's complete, and it covers the full lifecycle from initial onboarding through ongoing monitoring. That's not a feature. For a Tranche 2 product, it's the foundation.

Not every client needs the same checks. Your platform needs to know the difference.

AUSTRAC's expectation isn't a checklist. It's a genuinely risk-based program, one where the depth of due diligence reflects the actual risk profile of each client relationship. A sole practitioner serving local small business clients has a fundamentally different risk exposure than a mid-size firm handling complex business structures, international transactions, or clients in higher-risk industries.

If your platform applies the same checks to every client regardless of risk rating, you're either over-verifying low-risk customers, adding friction and cost your clients don't need, or under-verifying high-risk ones, which is a compliance failure waiting to happen.

FrankieOne's orchestration layer lets you configure exactly which checks run at which risk tier. Standard CDD for low-risk clients. Enhanced due diligence, deeper KYB, beneficial ownership analysis, and source-of-funds verification for higher-risk relationships. The logic sits in the platform, not in your code. When AUSTRAC's expectations evolve, or when a new provider offers better coverage for a specific check type, you reconfigure rather than rebuild.

Onboarding is day one. The obligation runs forever.

Most Tranche 2 compliance products are built around onboarding. Get the client verified, get the CDD done, generate the engagement letter, move on. That's understandable. Onboarding is where the immediate deadline pressure sits.

But AUSTRAC's expectation is ongoing monitoring. A client who was low-risk at onboarding can become high-risk twelve months later. A business that cleared KYB verification in January can appear on a sanctions list in October. A PEP status can change. Adverse media can emerge. If your platform only runs checks at the point of onboarding, your clients are exposed to exactly the kind of risk Tranche 2 was designed to address.

FrankieOne’s monitoring runs continuously. Daily screening against the DFAT Consolidated List, PEP registers, and adverse media, timestamped and audit-trailed. Automatic alerts when a customer’s status changes. Your clients don’t run manual searches between annual reviews. The platform does it for them, and the audit trail reflects it.

This is the gap where a lot of Tranche 2 products will fall short at their first regulatory review. It's worth making sure yours isn't one of them.

Bank-grade isn't a marketing claim. It's the same infrastructure.

Westpac, ANZ, and CBA run on FrankieOne. So does EngageAML. That's not coincidence and it's not a compromise. When The Access Group chose our infrastructure for their Tranche 2 product, they chose it knowing their customers would be running the same identity and AML data layer as Australia's largest regulated financial institutions.

For a platform builder, that matters in two directions. First, it means the infrastructure has been stress-tested at scale across Australia’s largest regulated financial institutions, under sustained regulatory scrutiny. It doesn’t break under volume and it doesn’t miss edge cases that only show up in production. Second, it’s a claim your clients can make to their own customers and, when the time comes, to their auditors.

"By embedding FrankieOne's bank-grade infrastructure into EngageAML, every practice, from sole practitioners to the largest firms, has a clear, guided path to 1 July."

David Boyar FCA, The Access Group

If you're building for the Tranche 2 market, let's talk

If you're building a product for the Tranche 2 market, you're making a decision right now about your data layer. You can build it yourself, piece together a handful of direct provider relationships, or connect to 350+ sources through one integration and focus your engineering capacity on the product.

The first two options might work at small scale. At any kind of volume, with any kind of audit risk, they get expensive fast. Not just in engineering time but in the compliance gaps that emerge when your data sources don't talk to each other.

We work with compliance platforms, advisory firms, and practice management tools across Australia. If you want to see how the Access Group integration works and what it would look like for your platform, get in touch.

Talk to our partnerships team.