AML/CTF Tranche 2: What Company Secretaries and Corporate Governance Teams Need to Know

What Is AML/CTF Tranche 2 — And Why Does It Matter for Your Role?

Australia's Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) framework has been through a significant expansion. Tranche 1 (2006) covered financial services — banks, fintechs, remitters. Tranche 2 is the extension to a much broader group of "designated services" previously outside the net.

From 1 July 2026, the following are in scope under Tranche 2:

• Accountants providing trust and company services
• Lawyers conducting designated transactions
• Real estate agents
• Dealers in precious metals and stones
• Trust and Company Service Providers (TCSPs)

That last one — TCSPs — is where it gets serious for in-house governance teams.

If your organisation provides company secretarial services, acts as a registered agent, assists with entity formation, manages shareholder registers, or administers trusts on behalf of clients — you are likely a TCSP. And that means Tranche 2 applies to you.

The rest of the market is talking about this from an accountant's perspective. We're not. This post is for the in-house governance team — the Company Sec, the GC, the CFO — managing 50, 100, or 200+ entities who now has a new compliance obligation sitting squarely on their desk.

The Six Obligations You Need to Understand

AUSTRAC has outlined a clear set of requirements for newly regulated entities. If you're a TCSP or provide trust/company services, here's what you're required to do:

1. Enrol with AUSTRAC

Enrolment for newly regulated entities opened 31 March 2026. If you haven't started this process, start now. Enrolment is the first step — it registers your organisation as a reporting entity under the AML/CTF Act.

Go here: AUSTRAC — How to enrol and register

2. Establish Governance and Oversight Arrangements

You need a designated AML/CTF compliance officer and a governance structure that sits alongside your existing board/audit committee frameworks. For companies with mature governance structures, this is a lift — but not a rebuild. It's a new lane on an existing highway.

For CoSecs already managing board governance processes and register maintenance, you're well-placed to absorb this responsibility. The key is documenting the accountability clearly.

3. Develop and Maintain an AML/CTF Program

This is the big one. Your AML/CTF Program needs to:

• Identify and assess ML/TF risks relevant to your designated services
• Describe how you'll mitigate those risks
• Detail your customer due diligence procedures
• Define your transaction monitoring and reporting protocols
• Include an employee training program
• Be reviewed and approved by senior management

This isn't a one-page policy. It's a living compliance document that AUSTRAC can request at any time.

4. Customer Due Diligence (CDD) — Including Enhanced CDD

Every entity in your portfolio that you provide services to is now a "customer" from an AML/CTF perspective. Standard CDD means:

• Verifying the customer's identity
• Identifying the ultimate beneficial owner (UBO)
• Understanding the nature and purpose of the business relationship

Enhanced CDD applies to higher-risk relationships — foreign entities, politically exposed persons (PEPs), complex ownership structures. If your portfolio includes offshore holding companies, foreign subsidiaries, or entities with complex trust structures, enhanced CDD will be triggered.

This is where the volume problem hits. If you're managing 100 entities, that's 100 CDD files to establish and maintain. Without a central system, this becomes an unmanageable spreadsheet nightmare.

5. Reporting Obligations

From 1 July 2026, newly regulated entities must submit:

• Suspicious Matter Reports (SMRs) — when you identify or suspect ML/TF activity
• Threshold Transaction Reports (TTRs) — cash transactions of $10,000+
• International Funds Transfer Instructions (IFTIs) — if applicable

Reporting goes through AUSTRAC's AUSTRAC Online portal. The accuracy and timeliness of your reports will be assessed during any audit.

6. Record-Keeping

You must retain:

• CDD records for 7 years after the end of the business relationship
• Transaction records for 7 years
• AML/CTF program documentation

For an in-house governance team already managing statutory registers, minute books, and ASIC lodgment histories, this adds another layer of records that need to be maintained, version-controlled, and audit-ready.

Why the Accountant-Focused Coverage Misses Your Problem

Most of what's being written about Tranche 2 right now is aimed at accounting firms — specifically the mid-tier practices that manage client entities through platforms like CAS 360 or NowInfinity. That's a legitimate audience.

But it's not your audience.

You're not an accounting firm. You're an in-house governance team. Your problem is different:

• You're managing your own group's entities, not clients
• Your entity portfolio spans multiple jurisdictions, structures, and risk profiles
• Your CDD obligations relate to who owns and controls each entity — which is a beneficial ownership and register-maintenance question, not an accounting one
• Your audit trail requirements are tied to your central entity register, not a client file

The question isn't "how do we add an AML/CTF workflow to our accounting software?" It's "how do we maintain compliant CDD records and audit trails across our entire entity portfolio in one system?"

That's a fundamentally different problem — and it's one that entity management platforms are built to solve.

What Good AML/CTF Compliance Looks Like for a Corporate Group

Here's what "compliant" looks like operationally for an in-house governance team post-July 2026:

Centralised entity register — Every entity in scope is documented with its structure, ownership chain, UBOs, jurisdiction, and risk classification in one place. Not a spreadsheet. A searchable, version-controlled register.

Beneficial ownership mapped and current — You know the UBO for every entity, updated as share registers change, with a clear audit trail of every ownership change.

CDD records linked to each entity — Verification documents, risk assessments, and enhanced CDD files attached directly to each entity record — not buried in a shared drive folder with no version history.

Audit-ready documentation — Any regulator reviewing your AML/CTF compliance can be given access to your entity register and pull the full compliance file for any entity in minutes, not days.

Change tracking — When an entity's structure changes (new shareholder, directorship change, trust variation), the CDD record is flagged for review automatically.

None of this is aspirational — it's operational hygiene that Tranche 2 is now making mandatory.

The Practical Checklist: What to Do Before 1 July 2026

Here's a prioritised action list for Company Secretaries and governance leads:

Immediate (April 2026)

• [ ] Enrol with AUSTRAC at austrac.gov.au — don't wait
• [ ] Determine whether your organisation qualifies as a TCSP or provides designated services
• [ ] Appoint an AML/CTF compliance officer (can be the CoSec, GC, or CFO with appropriate remit)
• [ ] Brief the board/audit committee on Tranche 2 obligations and timeline

Short-Term (April–May 2026)

• [ ] Map your entity portfolio — identify which entities are in scope
• [ ] Begin UBO identification and verification for each in-scope entity
• [ ] Draft your AML/CTF Program (seek legal advice for this — it's not a DIY document)
• [ ] Assess your current systems: can your entity register support CDD record storage and audit trails?

Pre-Launch (June 2026)

• [ ] Complete CDD for all in-scope entities
• [ ] Train relevant staff on AML/CTF obligations and reporting procedures
• [ ] Test your reporting capability (AUSTRAC Online account set up and tested)
• [ ] Confirm your AML/CTF Program is board-approved and documented

Useful AUSTRAC resources:

• AUSTRAC Tranche 2 guidance for new reporting entities
• AUSTRAC — How to enrol

The System Question: Can Your Current Setup Handle This?

Most corporate governance teams in Australia are managing their entity portfolio across a combination of:

• CAS 360 or NowInfinity (designed for accounting firms, not in-house corporate teams)
• A spreadsheet register maintained by the CoSec team
• ASIC Connect for lodgments
• Shared drives for documents

The honest answer is that most of those setups will not pass an AML/CTF audit. They weren't built for it. They lack the structured UBO tracking, version-controlled record management, and CDD file linking that compliance requires.

Tranche 2 is forcing a conversation that many governance teams have been putting off: do we have the right infrastructure to manage this portfolio at the standard regulators now expect?

That's not a scare tactic. It's a genuine question worth answering before 1 July, not after.

What EntityFlo Does Differently

EntityFlo is built for in-house corporate governance teams managing complex entity portfolios — not for accounting firms processing client ASIC lodgments.

Our central entity register is designed to:

• Track beneficial ownership and UBO chains across group structures
• Store and version-control all entity-level documentation in one place
• Maintain a complete, searchable audit trail of every change across your portfolio
• Give you and your board a real-time view of compliance status across every entity

We're not retrofitting an accounting tool with a compliance checkbox. We're building the governance infrastructure that mid-market Australian companies actually need to operate to a professional standard — and AML/CTF Tranche 2 compliance is a natural part of that.

If you're facing the Tranche 2 deadline and want to see how EntityFlo handles entity-level CDD records and audit trails — book a demo and we'll show you.

The deadline is 1 July 2026. Twelve weeks. Start now.

Nathan Carroll is the founder of EntityFlo, an entity management and corporate governance platform for Australian mid-market companies. Connect with Nathan on [LinkedIn](https://linkedin.com/in/nathancarroll).