Navigating Tranche 2.
Australia's AML/CTF reforms bring over 80,000 new businesses under AUSTRAC regulation from 1 July 2026. Here is what that means — and how ARCIS helps.
What is Tranche 2?
In December 2024, the Australian Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024. This legislation represents the most significant expansion of Australia's AML/CTF regime since its inception.
The original AML/CTF Act (2006) — known as "Tranche 1" — regulated financial institutions, remittance providers, casinos, and digital currency exchanges. The 2024 amendment extends regulation to a second wave of professions and services, known as "Tranche 2."
These reforms align Australia with the Financial Action Task Force (FATF) standards for regulating designated non-financial businesses and professions (DNFBPs) — a gap that has been identified in multiple FATF mutual evaluations of Australia's regime.
Who is affected?
From 1 July 2026, AML/CTF obligations apply to businesses providing designated services in the following sectors:
Real estate professionals
Real estate agents, buyer's agents, and property developers involved in buying, selling, or transferring real property.
ARCIS reduces CDD friction for real estate professionals by enabling portable verified credentials — clients verify once, present to every agent and developer in the transaction.
Legal professionals
Lawyers, solicitors, and conveyancers providing services related to property transactions, company formation, trust structures, or financial arrangements.
ARCIS lets lawyers and conveyancers accept cryptographic proof of identity without running independent checks — meeting CDD obligations in seconds, not days.
Accounting professionals
Accountants, tax agents, and auditors providing services related to financial transactions, company formation, or trust structures.
ARCIS credential types map directly to accounting CDD needs — from initial identity verification to beneficial ownership and source of funds declarations.
Trust and company service providers
Businesses that create, manage, or administer companies, trusts, and other legal structures.
ARCIS Beneficial Ownership Credentials document the ownership and control structure of an entity — exactly what trust and company service providers need for enhanced CDD.
Dealers in precious metals and stones
Businesses dealing in high-value goods where transactions exceed prescribed thresholds.
ARCIS Source of Funds Declarations support enhanced CDD for higher-risk transactions — presented by the client at the point of engagement, not collected after the fact.
AUSTRAC estimates that approximately 100,000 businesses will be newly regulated under Tranche 2. Enrolment opened on 31 March 2026, with obligations commencing on 1 July 2026.
Preparing for July 2026? Join the ARCIS waitlist
What are the obligations?
Newly regulated Tranche 2 entities must meet the following core obligations under the reformed AML/CTF Act:
- Enrol with AUSTRAC.
- All reporting entities must be enrolled by 29 July 2026. Enrolment opened on 31 March 2026.
- Establish an AML/CTF program.
- You must have a documented program that identifies and assesses your money laundering, terrorism financing, and proliferation financing risks, and establishes policies and controls to manage them. This program must be in place before you begin providing designated services.
- Appoint a compliance officer.
- A fit and proper AML/CTF compliance officer must be appointed and notified to AUSTRAC by 29 July 2026.
- Conduct customer due diligence (CDD).
- Before providing a designated service, you must verify the identity of your client using reliable and independent sources. This includes initial CDD, ongoing CDD, and enhanced CDD for higher-risk clients such as politically exposed persons. ARCIS addresses this obligation directly — portable verified credentials give you cryptographic proof of a completed verification, with an auditable record, without running the check from scratch.
- Report to AUSTRAC.
- Reportable matters include suspicious transactions, threshold transactions (above prescribed monetary amounts), and international transfer instructions.
- Keep records.
- You must maintain records of your CDD procedures, risk assessments, transaction monitoring, and reporting for the periods specified in the legislation. ARCIS provides this automatically — every credential presentation is time-stamped, cryptographically signed, and logged.
AUSTRAC has stated that it does not expect perfection immediately, but it does expect to see enrolment, a documented program, and genuine effort to manage risk from day one.
Need a CDD solution that meets the standard from day one? Talk to us about ARCIS
How ARCIS addresses Tranche 2
Each CDD obligation in the reformed Act maps to a specific capability in the ARCIS credential architecture. The core value is simple: instead of every reporting entity running their own identity check on every client, clients verify once and present cryptographic proof to any entity that accepts it.
Without ARCIS — a typical property transaction
- Client provides ID documents to real estate agent → agent verifies manually
- Client provides same ID documents to conveyancer → conveyancer verifies again
- Client provides same ID documents to solicitor → solicitor verifies again
- Client provides same ID documents to accountant → accountant verifies again
4 separate identity checks. 4 sets of records. 4 opportunities for error or breach.
With ARCIS — the same transaction
- Client verifies identity once through ARCIS-supported process
- Client receives a single W3C Verifiable Credential
- Client presents credential to real estate agent, conveyancer, solicitor, and accountant
- Each entity validates the credential instantly — cryptographic proof, auditable record, obligation met
1 verification. 4 entities served. Every record automatically audit-ready.
Portable identity verification.
A client verifies their identity once through an ARCIS-supported process and receives a W3C Verifiable Credential. They present that credential to any reporting entity that accepts it. Each entity gets cryptographic proof of a completed verification — without running their own check from scratch.
Record keeping that meets the standard.
Every credential presentation is time-stamped, cryptographically signed, and logged. Reporting entities receive an auditable record of the verification event — who was verified, when, by what method, and with what result. This directly supports the record-keeping obligations under the reformed Act.
Risk-appropriate CDD support.
ARCIS credentials are typed by verification level. An Identity Verification Credential confirms initial CDD. A Beneficial Ownership Credential documents the ownership and control structure of an entity. A PEP/Sanctions Screen Credential confirms a clean screening result at a point in time. A Source of Funds Declaration supports enhanced CDD for higher-risk engagements.
Designed for the Australian regulatory environment.
ARCIS is built specifically for the AML/CTF Act, the AUSTRAC reporting framework, and the Trusted Digital Identity Framework. It is not a foreign product adapted to local rules — it is Australian infrastructure for Australian regulation.
Standards and regulatory alignment
ARCIS is built on internationally recognised open standards and designed to align with Australian regulatory frameworks:
W3C Verifiable Credentials (VCs)- The World Wide Web Consortium standard for portable, tamper-evident digital credentials. ARCIS credentials are interoperable and not locked to any proprietary format.
Decentralised Identifiers (DIDs)- The W3C standard for cryptographic identifiers that operate independently of any central authority or registry.
Trusted Digital Identity Framework (TDIF)- The Australian Government's framework for digital identity services. ARCIS is designed with TDIF alignment as a target for future accreditation.
AML/CTF Act 2006 (as amended 2024)- ARCIS credential types map directly to the CDD obligations established by the reformed Act and the AML/CTF Rules 2025.
FIDO2 / WebAuthn- Passwordless authentication using device-native biometrics or security keys. Phishing-resistant by design.
Preparing for July 2026?
ARCIS is onboarding early-access reporting entities now. See how portable identity credentials can simplify your compliance workflow and reduce client onboarding friction.