Failure to enrol with AUSTRAC by 1 July attracts daily penalties of $18,780 for companies. Ex-CBA banker and AML expert John Nguyen breaks down exactly what to do and when.
What’s happening: From 1 July 2026, approximately 80,000 Australian businesses in real estate, legal, accounting, and property sectors will be brought under AUSTRAC’s anti-money laundering and counter-terrorism financing regime for the first time. The change is the most significant overhaul of Australia’s AML laws in a generation.
Australia is about to bring 80,000 businesses under one of the most significant regulatory regimes in a generation. From 1 July 2026, real estate agents, buyer’s agents, property developers, conveyancers, lawyers and accountants will all be required to comply with AUSTRAC’s anti-money laundering and counter-terrorism financing laws for the first time. The penalties for getting it wrong are not a slap on the wrist. Corporate fines reach $31.3 million per contravention. Directors face personal criminal liability. And daily penalties for non-enrolment start accumulating the moment the deadline passes.
With ten weeks to go, John Nguyen, founder of AML Partners and former AML specialist at EY, Westpac, Commonwealth Bank, ANZ and Suncorp, shares what every affected business needs to do right now.
What are the key compliance obligations businesses must prepare for before July 1st?
From 1 July 2026, Australia is bringing roughly 80,000 new businesses — real estate agents, buyer’s agents, property developers, conveyancers, lawyers and accountants — under AUSTRAC’s AML/CTF regime. AUSTRAC CEO Brendan Thomas has called this “the most ambitious overhaul of Australia’s anti-money laundering laws in a generation,” and he’s not exaggerating. Many SMEs I speak with still don’t realise they’re in scope.
There are seven core obligations every captured business needs in place:
- Enrol with AUSTRAC. Enrolment opened 31 March 2026 and must be completed by 1 July 2026.
- Conduct a risk assessment specific to your business — your services, customers, geography and delivery channels.
- Build a written AML/CTF program documenting your policies, procedures and controls.
- Implement customer due diligence (CDD) — initial identity verification, ongoing monitoring, and enhanced due diligence for higher-risk customers and transactions.
- Appoint a compliance officer by 01 July 2026.
- Build suspicious matter reporting (SMR) processes so your team knows how and when to report to AUSTRAC.
- Keep records for seven years.
The piece most SMEs underestimate is that this isn’t a set-and-forget exercise. Your AML program must be independently reviewed every three years, and updated whenever your business model changes — a new service line, a new customer segment, a new geography. Compliance is a living program, not a document that sits in a drawer.
What are the specific director penalties and potential financial liabilities?
The penalties are deliberately severe, and directors cannot hide behind a company structure.
- Corporate penalties reach up to 100,000 penalty units — around $31.3 million per contravention.
- Individual liability can reach $6.26 million.
- Criminal penalties include up to 10 years’ imprisonment for serious breaches, 2 years for recklessly failing to verify customer identity or report suspicious matters, and 5 years for providing false information to AUSTRAC.
- Failure-to-enrol attracts daily infringement penalties — around $18,780 per day for companies and $3,756 per day for individuals. Those numbers compound quickly.
And AUSTRAC has a demonstrated willingness to enforce. Westpac paid $1.3 billion. Commonwealth Bank paid $700 million. In September 2024, AUSTRAC issued infringement notices to 16 businesses simultaneously for non-compliance.
Brendan Thomas has been unambiguous about how the regulator will approach Tranche 2: “There will be no excuses for wilful non-compliance. For any business that turns a blind eye and allows their services to be used to wash the proceeds of crime, we will take action.” AUSTRAC has confirmed it is already working with law enforcement partners to identify businesses heavily exposed to criminal activity — and those businesses will be the starting point for enforcement on day one.
The message for directors is straightforward: you are personally on the hook, and “I didn’t know” won’t cut it after July 2026.
What is the impact of Tranche 2 on SMEs?
The impact on SMEs is significant — both in time and in money — and it’s falling on businesses that have never operated under a financial crime regime before.
The practical burden breaks down into three layers. First, there’s the time required to interpret the regulation itself — working out whether your business is in scope, what you actually need to do, and how to implement it. Second, the time spent assessing and comparing software and vendor options. Third, the direct cost of implementing new systems, training staff, and maintaining the program. Industry estimates put average setup costs at around $28,650 and ongoing costs at roughly $23,250 per year per business — with a projected total industry cost of about $1.85 billion annually over the coming decade.
There are also genuinely difficult edge cases — trust structures, off-market deals, joint buyers, overseas funds — where the legislation requires judgement calls on risk appetite that most SMEs have never had to make.
But the framing I want to push back on is the idea that this is purely a cost. It isn’t. There are three reasons Tranche 2 is a competitive opportunity for SMEs that move early:
First, the stakes of the sector make compliance commercially important. Money laundering through Australian real estate is estimated at tens of billions of dollars a year — some estimates put the broader financial-crime cost to Australia at up to $60 billion annually, and the AUSTRAC CEO has cited $68 billion in serious and organised crime harm. Transparency International ranked Australia dead last among 24 jurisdictions on its Opacity in Real Estate Ownership Index — behind Russia, China, Panama and Mexico. That’s the reputational context agencies are operating in.
Second, compliance is becoming a trust signal. Consumers are becoming compliance-savvy. An agency that can demonstrate robust identity verification, clean trust-account handling and documented risk processes is going to look materially more professional than one that’s scrambling.
Third, non-compliance is an existential risk to an SME in a way it simply isn’t to a major bank. Westpac could absorb a $1.3 billion fine. A suburban real estate agency cannot absorb $18,780 a day, a director’s criminal liability, or the loss of its license. The real threat to SMEs isn’t the cost of compliance — it’s the cost of non-compliance.
The firms that treat Tranche 2 as a business transformation rather than a regulatory burden will be the ones still standing in three years.
What practical steps should businesses take now?
With roughly ten weeks left before 1 July, here’s the realistic pathway I’d suggest:
This week: Decide who in your business will be the Compliance Officer. It can be an existing team member with the right authority and independence, or an external hire. This decision anchors everything else.
By end of April: Complete your Money Laundering and Terrorism Financing risk assessment, and begin drafting your AML/CTF program. AUSTRAC has released starter program kits for low-complexity small businesses that are a useful starting point. In parallel, run a vendor assessment on your software options — compare features, integrations, ongoing costs and support.
May: Select and implement your compliance technology. My strong advice is don’t build from scratch. Purpose-built platforms can compress months of work into days, with proven workflows for KYC, PEP and sanctions screening, ongoing monitoring, and SMR reporting. Trying to DIY your program in Excel and email will cost you more in staff time than a platform ever will.
June: Train every staff member who touches a customer. Run internal testing — simulate a suspicious matter report, walk a mock customer through your screening process, verify your record-keeping holds up. Communicate the changes to your customers before they hit — if a buyer shows up to sign a contract and is suddenly asked for a passport and a source-of-funds declaration without warning, you’ve lost the deal.
The single biggest mistake I’m seeing right now is waiting for perfect clarity before acting — or staying in denial that this actually applies. AUSTRAC itself has said: “We’re not expecting perfection on day one. But we are expecting businesses to take reasonable steps.”
Start imperfect. Iterate fast. A functional compliance program on 1 July beats a perfect program on 1 August — because by 1 August without one, you’re accumulating daily penalties and exposing your directors personally.
The agencies that will thrive aren’t the ones with the fanciest programs. They’re the ones that started early, kept it simple, and treated this as a permanent change to how they do business.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
