Australia's AML/CTF framework is changing fundamentally. The "2+2 safe harbour" is being replaced with risk-based CDD, and for the first time the depth of your verification must match the actual risk profile of each customer. FrankieOne has built reform-ready workflows for both existing reporting entities (transition from 31 March 2026) and Tranche 2 industries entering AML/CTF obligations for the first time (1 July 2026). Here's what you need to know.
AUSTRAC’s reforms introduce six obligations. FrankieOne directly supports your Customer Due Diligence (Obligation 4) and risk assessment documentation (Obligation 2). For enrolment, staff readiness, reporting, and record keeping, seek independent legal counsel and refer to austrac.gov.au.
The AML/CTF reforms roll out in two waves, each with different obligations.
This kicks off a 3-year transition period. From this date you can run your current ACIP (Applicable Customer Identification Procedure) or the new risk-based CDD approach until 30 March 2029. That matters because it gives you time to test the new approach on a portion of applications while staying compliant on the rest.
One important note: ongoing CDD requirements kick in immediately with no grace period. If a customer’s risk profile changes mid-relationship, whether they appear on a PEP list, trigger adverse media, or show unusual transaction patterns, you need a process to handle that from day one.
Compliance officer notification is due by 30 May 2026. If you already have an AUSTRAC enrolment, you must also update your registration details to include any new designated services you provide from 31 March 2026. Your existing enrolment does not automatically cover newly regulated services.
This is when Tranche 2 compliance obligations start for lawyers, accountants, real estate agents, buyer’s agents, property developers, conveyancers, trust and company service providers (TCSPs), and precious metals dealers. New virtual asset services and the crypto travel rule for VASP-to-VASP transfers also apply from this date.
Enrolment and registration are due by 29 July 2026. Two things worth knowing if you’re a VASP operator: new virtual asset service providers can enrol with AUSTRAC from 31 March 2026, but obligations don’t start until 1 July 2026. And if you’re an existing digital currency exchange registered before the reforms, your registration rolls over automatically.
All entities must use risk-based CDD exclusively. The ACIP safe harbour is gone.
The reforms replace the current Part A/Part B program structure with a single consolidated AML/CTF program. This is a significant internal lift that goes beyond updating onboarding workflows. Your new program must include:
FrankieOne’s platform supports the risk assessment component by producing auditable, explainable risk decisions with documented logic. It does not constitute a complete AML/CTF program. You will need legal counsel to restructure your program documentation ahead of the March 2026 deadline.
The shift from prescriptive to risk-based CDD sounds abstract until you break it down.
The old approach: Verify two forms of ID against two independent data sources, run a credit bureau match, confirm, move on. The same process for every customer regardless of risk. Follow the prescribed steps and you’re covered. That was safe harbour.
The new approach: Assess risk signals throughout the customer relationship and adjust verification depth based on what you find. Low-risk customers get a faster, lighter process. High-risk customers get stepped up. Every decision needs to be defensible, risk-proportionate, and auditable.
In practice, risk-based onboarding means three things:
Initial CDD applies more broadly than just the customer. You must establish the identity of the customer, their representatives, any person on whose behalf they’re receiving a service, and any beneficial owner. You must also screen all of these persons against targeted financial sanctions lists and PEP registers.
You won’t need to perform initial or ongoing CDD on existing customers until you are required to file a suspicious matter report in relation to them, or there is a significant change in the business relationship that results in their ML/TF risk being assessed as medium or high. This reduces the burden of re-verifying your entire existing customer base while ensuring elevated-risk customers are captured when their profile changes.
FrankieOne’s AU Banking Risk-Based Onboarding workflow runs two parallel paths based on real-time risk signals. Here’s how it plays out with real customers.
Every decision is logged with the specific risk factors that drove it. That’s exactly what AUSTRAC will look for during audits: not just the outcome, but the reasoning behind it.
FrankieOne has packaged reform-ready configurations you can test today:
Each workflow produces structured, auditable outcomes with explainable risk factors attached to every decision.
Miss the deadlines and the consequences are real. No transition plan by 31 March 2026 costs you the 3-year runway. Unregistered Tranche 2 entities face criminal penalties after 29 July 2026. Ongoing CDD failures trigger AUSTRAC enforcement. And gaps in 7-year record keeping will surface in any audit. The reputational damage when compliance failures become public is often more costly than the fines themselves.
Risk-based CDD (Customer Due Diligence) means tailoring the depth of your identity verification to the actual risk level of each customer, rather than applying the same checks to everyone. Low-risk customers go through a lighter, faster process. High-risk customers, such as politically exposed persons, non-residents, or those from high-risk jurisdictions, trigger enhanced verification including source of wealth checks and adverse media screening. Under Australia’s AML/CTF reforms, risk-based CDD replaces the old prescriptive “2+2” safe harbour from 31 March 2026.
These are the three verification tiers under risk-based onboarding. Simplified CDD applies only where you have a documented low ML/TF risk assessment and involves minimal friction for the customer. Standard CDD is the baseline for most customers and includes government ID verification, credit bureau matching, and AML/PEP screening. Enhanced CDD applies to high-risk customers and adds biometric verification, source of wealth checks, adverse media screening, and in some cases manual review. The decision about which tier to apply must be documented and defensible.
Not automatically. The reforms include a practical relief provision for pre-commencement customers. You won’t need to perform initial or ongoing CDD on existing customers unless you are required to file a suspicious matter report in relation to them, or there is a significant change in the business relationship that results in their ML/TF risk being assessed as medium or high. This means you don’t need to re-verify your entire customer base from scratch, but you do need a process to catch elevated-risk customers when their profile changes.
Tranche 2 compliance refers to the extension of Australia’s AML/CTF obligations to a new group of industries that were previously unregulated. From 1 July 2026, lawyers, accountants, real estate agents, buyer’s agents, property developers, conveyancers, trust and company service providers, and precious metals dealers will be required to enrol with AUSTRAC, implement an AML/CTF program, perform customer due diligence, and report suspicious matters. Enrolment is due by 29 July 2026.
No. During the transition period (31 March 2026 to 30 March 2029), you can choose either ACIP or reformed risk-based CDD, but once you formally switch to the new approach, you must apply it fully to all new customers from that date. You cannot pilot reformed CDD on a subset of customers while running ACIP on the rest. Plan your switchover date carefully, test your workflows in a non-production environment first, and make sure your compliance team is trained before you make the change.
AUSTRAC will want to see that every verification decision is logged with the specific risk factors that drove it. It is not enough to show the outcome. You need to demonstrate that your risk logic is documented, repeatable, and proportionate to the customer’s risk profile. This means maintaining an auditable trail of why each customer was routed to Simplified, Standard, or Enhanced CDD, what signals triggered any step-up, and how manual review decisions were made and recorded.
Get started
Book a demo to walk through the AU Banking Risk-Based Onboarding workflow and see how FrankieOne handles the transition from ACIP to risk-based CDD.