AUSTRAC’s Tranche 2 Starter Kit

AUSTRAC has released the long-awaited Starter Kit for Tranche 2 AML reporting entities. It is designed for small practices with 15 or fewer personnel (including administrative staff), covering accountants, lawyers, real estate agents, conveyancers, and dealers in precious metals and stones.

To be eligible, entities must also meet certain low complexity, lower risk characteristics, for example, not offering fully remote self-service options and not regularly dealing with high-risk clients.

This is a genuinely welcome initiative and, in many ways, a unique one in the AML landscape.

Without the Starter Kit, I would imagine that some of the Tranche 2 industry bodies would have probably stepped in trying to bridge the gap, with unknown results. It is encouraging to see AUSTRAC proactively taking ownership of that role and providing much-needed guidance directly to industry, on both the actual templates and how to use them.

The Starter Kit is composed of many documents:

• A customised guide - to help you understand how to use the template

• A risk assessment - to assess your enterprise-wide risks

• A policy document - it sets out expectations, standards, and behaviours in your business

• A process document - it sets out the day-to-day operations of your business

• Several forms collected in the ‘document library’ to help you with client onboarding, escalation, suspicious matter reporting and so on.

As with all great projects, the Starter Kit has some inevitable shortcomings, especially due to its goal of catering to such a wide audience. Here are my thoughts.

Prescriptive Elements in the Policy and Process Documents

Some aspects of the Policy and Process documents are overly prescriptive. For example, both documents specify that reporting entities using the Starter Kit conduct ongoing customer due diligence (CDD) on medium-risk clients every two years.

While this timeframe is not problematic in itself, it is not prescribed by the Act or the Rules. Instead, the AML framework is founded on a risk-based approach, which allows reporting entities to apply flexibility and tailor certain compliance measures (e.g., the frequency of ongoing CDD) based on their individual risk profile and risk appetite.

When developing your own policy, it is therefore important to consciously assess your risk appetite and determine how often ongoing CDD should be conducted. Equally important is the sustainability of the policy and processes you adopt. A prescribed review cycle has little practical value if it cannot be consistently implemented. For example, committing on paper to reviewing medium-risk clients every two years offers limited benefit if, in practice, operational capacity only allows reviews to be conducted every three years.

Policy Gaps That Matter to Small Businesses

The AML Act and Rules are extensive, and in the effort to keep the Starter Kit simple and concise, some important areas appear to have fallen through the cracks.

For example, the Policy document does not adequately address outsourcing CDD. As I have been speaking with many business owners in this space, many small businesses are actively considering outsourcing CDD to simplify and cut compliance costs.

As the Starter Kit does not cover this scenario, reporting entities will likely need to develop additional tailored policies to address it.

Processes: From High-Level to Real-World Practice

Unsurprisingly, the Process document lacks detailed, practical guidance on day-to-day implementation. Phrases such as “monitor the behaviour” or “identify the risk” are largely used throughout the document, which is understandable given the Starter Kit’s broad audience.

However, once a reporting entity becomes subject to the AML regime in July 2026, much more granular questions must be answered, including:

• Who collects CDD information?

• Are we going to do CDD on all new clients or only for designated services?

• If the latter, what controls are we going to have to ensure that unverified clients will not access designated services?

• How are we going to review the trust account from an AML perspective?

These operational details are crucial, and they will need to be worked through carefully.

Conclusion

The AUSTRAC Starter Kit has one undeniable benefit: it empowers small, low-complexity reporting entities to take ownership of their AML compliance.

Even where an external consultant is engaged, the availability of freely accessible Risk assessment, Policy, and Process templates significantly reduces the risk of excessive fees being charged for intellectual property that is now publicly available.

That, in itself, is a meaningful step forward. However, simply downloading the Starter Kit will not be sufficient. Reporting entities will still need to undertake important work to tailor the templates to their specific business model, risk profile, and operational realities. 

What’s Next?

If you’re unsure whether the Starter Kit applies to your business, or how to use it effectively, I can help with:

✅ Train your team to prepare for the AML reforms commencing 1 July 2026

✅ Taylor the Risk Assessment and Policy documents to your business

✅ Translating high-level processes into practical, day-to-day steps

Get in touch if you’d like to talk through your next steps.