Tranche 2 Is Real: AML/CTF Enrolment Opens and the Onboarding Identity Bar Rises

After years of consultation, Australia’s expansion of the AML/CTF regime, long shorthanded as “Tranche 2”, has moved from policy debate to operational reality. New reporting entities can enrol with AUSTRAC from 31 March 2026, with obligations commencing on 1 July 2026 and enrolment to be completed by 29 July 2026. For MLROs, Heads of Financial Crime and lending COOs, the date that matters is not the enrolment deadline, it is the moment commencement turns a verification practice into a demonstrable obligation.

What commencement actually triggers

Tranche 2 is widely described as the moment lawyers, accountants, conveyancers, real estate agents and trust and company service providers come into scope. That is true, and it materially widens the population of reporting entities. But for lenders already inside the regime, the more important development is the modernised, risk-based shape of the obligations the reforms bring with them.

From commencement, a reporting entity is expected to:

• Operate an AML/CTF programme proportionate to its assessed money-laundering and terrorism-financing risk.
• Conduct customer due diligence calibrated to that risk, more for higher-risk customers and circumstances, streamlined where risk is genuinely low.
• Be able to show the reasoning: why a given customer was treated the way they were, and why the verification performed was sufficient for the risk.

AUSTRAC has been explicit that its regulatory expectations for 2025 to 26 centre on entities understanding their risk and acting on it, not on mechanical compliance.

Why “we used a recognised data source” is no longer the whole answer

For years, identity verification could be satisfied by a defensible-sounding statement: we checked the customer against a recognised, reliable, independent data source. Under a genuinely risk-based regime, that statement is necessary but no longer complete.

The reason is that the regulator’s question has changed. It is no longer only did you verify identity against an acceptable source? It is was your verification appropriate for the risk this customer presented, and can you demonstrate the judgement behind it? A single document match that is perfectly adequate for a low-risk retail applicant may be plainly insufficient for a higher-risk profile, an opaque ownership structure, a politically exposed connection, a mismatch between stated and observed behaviour.

This reframes onboarding as a chain of decisions rather than a single check:

• Risk assessment first. What is the inherent risk of this customer and product, before any check is run?
• Proportionate verification. Identity, document and biometric assurance scaled to that risk, including liveness and biometric matching where the risk warrants it.
• Resolution of discrepancies. What happened when data did not line up, and what decision was taken as a result?
• A captured rationale. Each of the above recorded so the file explains itself months or years later.

The weakness exposed by a risk-based examination is rarely the absence of a check. It is the absence of a recorded judgement connecting the check to the risk.

The onboarding identity bar, in practice

For lending operations, the practical pressure lands at the point of origination, where speed and assurance are in constant tension. Customers expect to onboard in minutes; the regime expects verification matched to risk and a record that survives scrutiny. Meeting both at once is an orchestration problem, not a single-product one.

Three capabilities separate operations that will handle commencement comfortably from those that will struggle:

• Identity-led, layered verification, document, data and biometric assurance that can be dialled up automatically when a customer’s risk profile warrants it, rather than applying one fixed check to everyone.
• A defensible decision trail, every onboarding outcome captured with the inputs, the risk assessment and the reasoning, so a query about a customer onboarded today can be answered confidently next year.
• Consistency at scale, the same risk logic applied to every applicant across every channel, so the regulator sees a system, not a series of individual calls.

What to do before 1 July 2026

• Re-test your CDD against a risk lens, not a checklist: for a sample of recent onboardings, can you show why the verification performed was appropriate to the risk?
• Confirm your onboarding flow can escalate assurance, for example to biometric and liveness checks, without manual rework.
• Verify that every onboarding decision, including manual overrides, leaves a retrievable record of the rationale.
• Use the window before the 29 July 2026 enrolment deadline to align documentation, not just registration.

Where Credisense fits

This is squarely identity-led onboarding orchestration: layered identity and biometric verification, risk-calibrated automatically, wrapped in an explainable, captured decision trail so each onboarding outcome carries the reasoning behind it. With sense.AI supporting consistent, transparent assessment, lenders can move customers through quickly while keeping a record that answers a financial-crime regulator’s real question, was this verification appropriate for the risk, and can you prove it?

Commencement on 1 July 2026 will not, by itself, change how most lenders verify a low-risk customer. What it changes is the standard of explanation expected when risk is elevated and the file is later examined. The entities that prepare now, treating onboarding as a recorded, risk-based decision rather than a box-tick, will find the rising bar a familiar height rather than a sudden climb.