Risk-Based Onboarding: A Practical Guide to Australia's AML/CTF Reform

Australia's AML/CTF framework is changing fundamentally. The "2+2 safe harbour" is being replaced with risk-based CDD and, for the first time, the depth of your verification must match the actual risk profile of each customer. FrankieOne has built reform-ready workflows for both existing reporting entities (transition from 31 March 2026) and Tranche 2 industries entering AML/CTF obligations for the first time (1 July 2026). Here's what you need to know.


FrankieOne and the AML/CTF reforms: what we help you solve

AUSTRAC’s reforms introduce six obligations. FrankieOne directly supports your Customer Due Diligence (Obligation 4) and risk assessment documentation (Obligation 2). For enrolment, staff readiness, reporting, and record keeping, seek independent legal counsel and refer to austrac.gov.au.

Key dates for your compliance calendar

The AML/CTF reforms roll out in two waves, each with different obligations.

31 March 2026: Existing reporting entities (banks, fintechs, casinos, wagering)

This kicks off a 3-year transition period. From this date you can run your current ACIP (Applicable Customer Identification Procedure) or the new risk-based CDD approach until 30 March 2029. That matters because it gives you time to test the new approach on a portion of applications while staying compliant on the rest.

One important note: ongoing CDD requirements kick in immediately with no grace period. If a customer’s risk profile changes mid-relationship, whether they appear on a PEP list, trigger adverse media, or show unusual transaction patterns, you need a process to handle that from day one.

Compliance officer notification is due by 30 May 2026. If you already have an AUSTRAC enrolment, you must also update your registration details to include any new designated services you provide from 31 March 2026. Your existing enrolment does not automatically cover newly regulated services.

1 July 2026: Tranche 2 compliance obligations begin

This is when Tranche 2 compliance obligations start for lawyers, accountants, real estate agents, buyer’s agents, property developers, conveyancers, trust and company service providers (TCSPs), and precious metals dealers. New virtual asset services and the crypto travel rule for VASP-to-VASP transfers also apply from this date.

Enrolment and registration are due by 29 July 2026. Two things worth knowing if you’re a VASP operator: new virtual asset service providers can enrol with AUSTRAC from 31 March 2026, but obligations don’t start until 1 July 2026. And if you’re an existing digital currency exchange registered before the reforms, your registration rolls over automatically.

30 March 2029: End of transition

All entities must use risk-based CDD exclusively. The ACIP safe harbour is gone.

Obligation 2: Your AML/CTF program needs to be restructured

The reforms replace the current Part A/Part B program structure with a single consolidated AML/CTF program. This is a significant internal lift that goes beyond updating onboarding workflows. Your new program must include:

  • A documented risk assessment identifying and assessing your ML/TF and proliferation financing risks
  • AML/CTF policies covering procedures, systems and controls to manage those risks
  • Senior manager sign-off on the program
  • Independent evaluation at least every 3 years. For Tranche 2 businesses, first evaluation deadlines are staggered based on your AUSTRAC account number, no earlier than 1 July 2029.

FrankieOne’s platform supports the risk assessment component by producing auditable, explainable risk decisions with documented logic. It does not constitute a complete AML/CTF program. You will need legal counsel to restructure your program documentation ahead of the March 2026 deadline.

Obligation 4: What’s actually changing in CDD

The shift from prescriptive to risk-based CDD sounds abstract until you break it down.

The old approach: Verify two forms of ID against two independent data sources, run a credit bureau match, confirm, move on. The same process for every customer regardless of risk. Follow the prescribed steps and you’re covered. That was safe harbour.

The new approach: Assess risk signals throughout the customer relationship and adjust verification depth based on what you find. Low-risk customers get a faster, lighter process. High-risk customers get stepped up. Every decision needs to be defensible, risk-proportionate, and auditable.

In practice, risk-based onboarding means three things:

  • Assess passive signals before requesting documents. Before asking a customer to upload their licence or take a selfie, check what you already have. Email domain, age, phone number validity, IP geolocation, device fingerprint, and AML screening results all give you a risk picture before the customer does anything.
  • Route customers to the right verification tier. Based on those signals, decide whether this customer needs Simplified CDD (low risk, minimal friction, only where you have a documented low ML/TF risk assessment), Standard CDD (baseline checks), or Enhanced CDD (additional verification, source of wealth, adverse media screening). The key word is “decide”, not “guess.” Your risk logic needs to be documented and repeatable.
  • Only request what the risk profile warrants. Biometric verification, source of wealth checks, and enhanced screening should be reserved for customers who actually trigger elevated risk signals.

Initial CDD applies more broadly than just the customer. You must establish the identity of the customer, their representatives, any person on whose behalf they’re receiving a service, and any beneficial owner. You must also screen all of these persons against targeted financial sanctions lists and PEP registers.

Pre-commencement customers: a practical relief provision

You won’t need to perform initial or ongoing CDD on existing customers until you are required to file a suspicious matter report in relation to them, or there is a significant change in the business relationship that results in their ML/TF risk being assessed as medium or high. This reduces the burden of re-verifying your entire existing customer base while ensuring elevated-risk customers are captured when their profile changes.


How risk-based onboarding works in practice: AU banking example

FrankieOne’s AU Banking Risk-Based Onboarding workflow runs two parallel paths based on real-time risk signals. Here’s how it plays out with real customers.

  • Standard path (baseline): Government-issued ID check via DVS, credit bureau and electoral roll matching, AML/PEP screening. Outcome: pass, review, or fail. Most customers go through this path and are verified in minutes.
  • Risk-based step-up (when elevated signals are detected): Same baseline checks plus fraud signal analysis. If risk thresholds are breached, the workflow automatically triggers biometric verification, adverse media checks, or routes to a manual review queue for a human decision.


What triggers a step-up?

  • Entity profile signals: Non-resident status, passport from a high-risk jurisdiction, inconsistent document types. These trigger automatic escalation to Enhanced CDD.
  • AML and screening signals: PEP Level 1 match, sanctions list hit, adverse media mention. These route to a manual review queue with source of wealth verification required.
  • Fraud signals: Email domain less than 30 days old, IP geolocation mismatch, VPN or proxy detected. These trigger mandatory biometric verification.

Every decision is logged with the specific risk factors that drove it. That’s exactly what AUSTRAC will look for during audits: not just the outcome, but the reasoning behind it.
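The three signal families above, together with the tier routing described under Obligation 4, can be expressed as one decision function whose output carries its own reasons, which is what makes the decision auditable. The following is an added illustration, not FrankieOne's workflow or code: the signal field names, the `HIGH_RISK_JURISDICTIONS` placeholder list, the reading of "IP geolocation mismatch" as the IP country differing from the ID's issuing country, and the `PassiveSignals`, `Decision`, `route` and `audit_record` names are all assumptions. The 30-day email-domain threshold is the figure quoted above.

```python
"""Illustrative risk-based CDD routing with an auditable decision record.

Added example, not FrankieOne's code. Signal names, the high-risk jurisdiction
list and the geo-mismatch definition are constructed placeholders.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Tier(str, Enum):
    SIMPLIFIED = "simplified"   # only with a documented low ML/TF risk assessment
    STANDARD = "standard"       # DVS ID check, bureau/electoral match, AML/PEP screen
    ENHANCED = "enhanced"       # adds source of wealth, adverse media, possibly review


HIGH_RISK_JURISDICTIONS = frozenset({"XX", "YY"})  # placeholder codes, not a real list
NEW_EMAIL_DOMAIN_DAYS = 30                          # threshold quoted in the article


@dataclass(frozen=True)
class PassiveSignals:
    """What is known before any document upload. Defaults describe a clean customer."""
    resident: bool = True
    document_country: str = "AU"          # issuer of the presented passport/licence
    document_types_consistent: bool = True
    ip_country: str = "AU"
    vpn_or_proxy: bool = False
    email_domain_age_days: Optional[int] = 3650
    pep_level: Optional[int] = None       # 1 = highest PEP tier, None = no match
    sanctions_hit: bool = False
    adverse_media: bool = False
    low_risk_assessed: bool = False       # documented low-risk segment assessment on file


@dataclass
class Decision:
    tier: Tier
    biometric_required: bool = False
    manual_review: bool = False
    source_of_wealth_required: bool = False
    reasons: list[str] = field(default_factory=list)   # every factor that drove the outcome

    def stepped_up(self) -> bool:
        return bool(self.reasons)


def route(s: PassiveSignals) -> Decision:
    """Map passive signals to a CDD tier and step-up actions, recording each reason."""
    d = Decision(tier=Tier.STANDARD)

    # Entity profile signals: automatic escalation to Enhanced CDD.
    if not s.resident:
        d.reasons.append("entity:non_resident")
    if s.document_country in HIGH_RISK_JURISDICTIONS:
        d.reasons.append(f"entity:high_risk_jurisdiction:{s.document_country}")
    if not s.document_types_consistent:
        d.reasons.append("entity:inconsistent_document_types")
    if any(r.startswith("entity:") for r in d.reasons):
        d.tier = Tier.ENHANCED

    # AML and screening signals: manual review queue, source of wealth required.
    if s.pep_level == 1:
        d.reasons.append("screening:pep_level_1")
    if s.sanctions_hit:
        d.reasons.append("screening:sanctions_match")
    if s.adverse_media:
        d.reasons.append("screening:adverse_media")
    if any(r.startswith("screening:") for r in d.reasons):
        d.tier = Tier.ENHANCED
        d.manual_review = True
        d.source_of_wealth_required = True

    # Fraud signals: mandatory biometric verification on top of the baseline checks.
    if s.email_domain_age_days is not None and s.email_domain_age_days < NEW_EMAIL_DOMAIN_DAYS:
        d.reasons.append(f"fraud:new_email_domain:{s.email_domain_age_days}d")
    if s.ip_country != s.document_country:   # assumed definition of "geolocation mismatch"
        d.reasons.append(f"fraud:geo_mismatch:{s.ip_country}!={s.document_country}")
    if s.vpn_or_proxy:
        d.reasons.append("fraud:vpn_or_proxy")
    if any(r.startswith("fraud:") for r in d.reasons):
        d.biometric_required = True

    # Simplified CDD only when nothing fired AND a documented low-risk assessment exists.
    if not d.reasons and s.low_risk_assessed:
        d.tier = Tier.SIMPLIFIED
    return d


def audit_record(s: PassiveSignals, d: Decision) -> str:
    """One JSON line for the audit trail: outcome, actions, reasons and the signal snapshot."""
    record = {
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "tier": d.tier.value,
        "biometric_required": d.biometric_required,
        "manual_review": d.manual_review,
        "source_of_wealth_required": d.source_of_wealth_required,
        "reasons": list(d.reasons),
        "signals": asdict(s),
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample customers: clean low-risk, fraud-signal step-up, PEP non-resident.
    for sample in (PassiveSignals(low_risk_assessed=True),
                   PassiveSignals(email_domain_age_days=5, vpn_or_proxy=True),
                   PassiveSignals(resident=False, document_country="XX", pep_level=1)):
        print(audit_record(sample, route(sample)))
```

Each rule appends its reason tag before it changes the outcome, so the record written by `audit_record` shows the factors behind the tier and the step-up actions rather than only the result, which is the evidence the page says AUSTRAC asks for. Simplified CDD is reachable only when no rule fired and the documented low-risk flag is set, so a configuration error cannot silently downgrade a customer who triggered a signal.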

Why this approach works for the AML/CTF reforms 2026

  • You have a 3-year switchover window. From 31 March 2026, you can continue using ACIP until you formally switch to reformed CDD. Once you switch, the new obligations apply in full to all new customers from that date. You cannot run both methods in parallel, so plan your switchover date carefully.
  • Risk tiers are configurable, not fixed. What triggers Simplified versus Enhanced CDD is your call, based on your risk appetite, customer segments, transaction patterns, and jurisdiction exposure.
  • Everything feeds one risk view. KYC results, fraud signals, and screening outcomes all contribute to a single auditable risk score. No toggling between five vendor dashboards.
  • Tranche 2 sectors work the same way. Beneficial ownership structures and source of funds workflows are supported within the same framework.


Pre-built workflows for every deadline

FrankieOne has packaged reform-ready configurations you can test today:

  • AU Standard KYC, Banking (live now): Maintains ACIP compliance during the transition period.
  • AU Risk-Based KYC, Banking (reform-ready): The new CDD approach, ready to test ahead of the 31 March deadline.
  • AU Professional KYC, Tranche 2 (July 2026): Purpose-built for legal, accounting, and real estate sectors entering AML/CTF obligations for the first time.
  • AU Essential KYC, Gaming (live now): Casino and wagering-specific controls with risk-based decisioning already built in.

Each workflow produces structured, auditable outcomes with explainable risk factors attached to every decision.


What to do before the deadlines

For 31 March 2026 (existing reporting entities)

  • Map your current onboarding flows to Standard and Risk-Based CDD. Identify where your existing ACIP process maps to the new framework and where you have gaps.
  • Test ongoing CDD triggers. How will you handle a customer who was clean at onboarding but appears on a PEP list six months later? Build and test these workflows now.
  • Plan your formal switchover date. You need to choose one method and apply it fully to all new customers from the date you switch. Decide when you will switch, test your reformed workflows in a non-production environment first, and make sure your team is ready before you flip.
  • Restructure your AML/CTF program documentation. The Part A/Part B structure is being replaced with a single consolidated program, approved by a senior manager and subject to independent evaluation every 3 years. Start this now as a legal workstream, not a platform workstream.
  • Update your AUSTRAC enrolment to include any new designated services you are providing from 31 March 2026.
  • Train your compliance team on new decision gates, escalation paths, and manual review queue handling.


For 1 July 2026 (Tranche 2 entities)

  • Start with a sector-specific template. FrankieOne’s Professional KYC workflow is built for Tranche 2 sectors.
  • Build source of funds and beneficial ownership workflows. These are new requirements for most Tranche 2 entities and they take time to get right.
  • Establish your governance structure. AUSTRAC requires three clearly identified roles: a governing body, a senior manager who approves key decisions, and an AML/CTF compliance officer who manages day-to-day compliance. Document these roles formally.
  • Get your AUSTRAC registration sorted. Enrolment is due by 29 July 2026. Don’t leave it to the last minute.

The cost of waiting

Miss the deadlines and the consequences are real. No transition plan by 31 March 2026 costs you the 3-year runway. Unregistered Tranche 2 entities face criminal penalties after 29 July 2026. Ongoing CDD failures trigger AUSTRAC enforcement. And gaps in 7-year record keeping will surface in any audit. The reputational damage when compliance failures become public is often more costly than the fines themselves.



Frequently asked questions

What is risk-based CDD?

Risk-based CDD (Customer Due Diligence) means tailoring the depth of your identity verification to the actual risk level of each customer, rather than applying the same checks to everyone. Low-risk customers go through a lighter, faster process. High-risk customers, such as politically exposed persons, non-residents, or those from high-risk jurisdictions, trigger enhanced verification including source of wealth checks and adverse media screening. Under Australia’s AML/CTF reforms, risk-based CDD replaces the old prescriptive “2+2” safe harbour from 31 March 2026.

What is the difference between Simplified, Standard, and Enhanced CDD?

These are the three verification tiers under risk-based onboarding. Simplified CDD applies only where you have a documented low ML/TF risk assessment and involves minimal friction for the customer. Standard CDD is the baseline for most customers and includes government ID verification, credit bureau matching, and AML/PEP screening. Enhanced CDD applies to high-risk customers and adds biometric verification, source of wealth checks, adverse media screening, and in some cases manual review. The decision about which tier to apply must be documented and defensible.

Do I need to re-verify my existing customers?

Not automatically. The reforms include a practical relief provision for pre-commencement customers. You won’t need to perform initial or ongoing CDD on existing customers unless you are required to file a suspicious matter report in relation to them, or there is a significant change in the business relationship that results in their ML/TF risk being assessed as medium or high. This means you don’t need to re-verify your entire customer base from scratch, but you do need a process to catch elevated-risk customers when their profile changes.

What is Tranche 2 compliance and who does it affect?

Tranche 2 compliance refers to the extension of Australia’s AML/CTF obligations to a new group of industries that were previously unregulated. From 1 July 2026, lawyers, accountants, real estate agents, buyer’s agents, property developers, conveyancers, trust and company service providers, and precious metals dealers will be required to enrol with AUSTRAC, implement an AML/CTF program, perform customer due diligence, and report suspicious matters. Enrolment is due by 29 July 2026.

Can I run ACIP and risk-based CDD at the same time during the transition?

No. During the transition period (31 March 2026 to 30 March 2029), you can choose either ACIP or reformed risk-based CDD, but once you formally switch to the new approach, you must apply it fully to all new customers from that date. You cannot pilot reformed CDD on a subset of customers while running ACIP on the rest. Plan your switchover date carefully, test your workflows in a non-production environment first, and make sure your compliance team is trained before you make the change.

What does AUSTRAC look for in a risk-based onboarding audit?

AUSTRAC will want to see that every verification decision is logged with the specific risk factors that drove it. It is not enough to show the outcome. You need to demonstrate that your risk logic is documented, repeatable, and proportionate to the customer’s risk profile. This means maintaining an auditable trail of why each customer was routed to Simplified, Standard, or Enhanced CDD, what signals triggered any step-up, and how manual review decisions were made and recorded.


Get started

Book a demo to walk through the AU Banking Risk-Based Onboarding workflow and see how FrankieOne handles the transition from ACIP to risk-based CDD.