Outsourcing AML/CTF under Tranche 2: What it is, what it isn’t, and how easyAML can help

From 1 July 2026, Tranche 2 brings lawyers, conveyancers, real estate agents, accountants, TCSPs and precious-metal dealers into Australia’s AML/CTF regime. For most small & medium businesses (SMEs), the big question isn’t what the rules say (that is coming into focus now and over the coming months), it’s how on earth to deliver them without derailing the day-to-day business. That’s where outsourcing can help.

In this article, we’ll explore the general concept of outsourcing in the AML/CTF context (what you can and can’t outsource - hint: accountability), and the practical guardrails AUSTRAC expects, before we look at how easyAML’s outsourcing offer slots in as a low-friction way to get your Tranche 2 compliance done.

What is outsourcing for AML/CTF businesses?

In the world of AML/CTF, outsourcing means engaging a third party to perform particular compliance functions for you. This can be once-off (for example,  writing your program) or ongoing (for example your Customer Due Diligence & KYC obligations, transaction monitoring, or drafting Suspicious Matter Reports). Outsourcing allows you to leverage specialist capability, technology, and scale so your team doesn’t have to build everything in-house.

Crucial point: outsourcing does not transfer your legal obligations. 

In all of this, your business remains responsible and liable for compliance. That means you need oversight, due diligence, and clear contracts. Outsourcing is not a “set and forget” exercise.

Why do SMEs consider outsourcing?

Tranche 2 is a whole different ball game when it comes to AML/CTF compliance. Tranche 1 entities are typically big banks, casinos and other large enterprise businesses. They have the resources to have entire compliance teams, dedicated to managing their AML/CTF obligations. Tranche 2 businesses on the other hand are typically a lot smaller, with less available resources, and so outsourcing affords them:

• Expertise on tap: access seasoned AML/CTF practitioners and sector-specific know-how without hiring full-time.
• Speed & capacity: allows for surges in busy periods, while still meeting turnaround expectations for CDD/EDD, monitoring and reports.
• Cost control: avoid the fixed cost of building a compliance department and only pay for what you need.
• Consistency: standardised processes, audit-ready records, and fewer gaps caused by ad-hoc internal work.

What can you outsource?

• Customer due diligence (CDD/KYC/KYB): verifying individuals and entities, beneficial ownership, PEP/sanctions screening, collecting evidence.
• Enhanced due diligence (EDD): deeper checks for high-risk customers, foreign PEPs, complex structures, source of funds/wealth checks.
• Monitoring & reviews: ongoing activity/transaction monitoring and exception handling.
• Drafting reports & records: pre-drafting Suspicious Matter Reports (SMRs) for your approval and submission, including assembling audit trails.
• Program documentation: writing or refreshing your AML/CTF program, procedures and training material.
• Training: conducting staff training for your team, including at onboarding and ongoing training.

What can’t you outsource?

• Ultimate accountability: in all cases, you own the risk and remain liable for breaches, even if an outsourced provider under-performs.
• Oversight & decisions: you must supervise the provider, review their work, escalate issues, and make final calls (for example, when to file an SMR).
• “One-size-fits-all” programs: AUSTRAC expects your program to be tailored to your size, services, customers, delivery channels, and jurisdictions. Templates or global policies that aren’t adapted to your risks are a red flag.

What are good outsourcing practices?

When it comes to outsourcing, AUSTRAC has included comprehensive information about what they consider to be ‘good practices’, and have broken it down in plain English as part of their reforms guidance.  Some of the practices they mention include:

Identifying outsourcing risks

Being sure to consider both ML/TF risk and compliance risk introduced by outsourcing (for example, generic approaches, under-resourcing and poor tailoring).

Ensure you do real due diligence

Checking qualifications, sector experience, resourcing, information security, willingness to be measured, and how they’ll tailor their services to your unique business. Ways you can do this include asking for demos, references, and examples.

Training the provider on your context

Be sure to give them the inputs they need. Consider sharing information about your services, customer types, jurisdictions, delivery channels, and existing controls, so that the outputs they deliver actually fit your needs.

Minding the legal boundaries

Consider how to manage tipping-off risk when sharing information related to SMRs, as well as how to handle AUSTRAC information and privacy obligations correctly. Get legal advice where needed.

Using a written agreement

Your agreement should spell out scope, performance targets (timeliness, quality, evidence standards), reporting rhythms, data ownership, breach/escalation steps, and business continuity.

Routinely monitoring and reviewing

Continuing to sample work, compare expected vs actual alerts/reports and track agreed SLAs. Document these reviews to ensure board and senior management oversight.

What to avoid when it comes to outsourcing?

When you’re considering an outsourcing partner, there are some ‘red flags’ that should immediately indicate that perhaps that provider is not a good fit for you. Some of the things to be on the look out for include:

• Generic services: Global providers whose policy ignores Australian Rules and your unique business risk profile.
• Limited visibility: Providers who offer little transparency around how they conduct their role, perhaps with no audit trail or no documented SLAs.
• No internal owner: If nobody inside your business is accountable for the provider, there is a much higher risk that issues will be missed. Remember that outsourcing does not negate your accountability requirements.
• Poor data hygiene: Providers who are unclear on their data storage location, access controls, or retention. It is important to remember that your AML records must be kept (and retrievable) for years.

Outsourcing with easyAML: built for Tranche 2 SMEs

easyAML’s outsourcing feature is designed specifically for SMEs entering the AML/CTF regime under Tranche 2, with sector-specific workflows. We’re making outsourced services available across Tranche 2 sectors, including:

• Real estate: High transaction values, large client volumes, and foreign buyers expose agencies to money laundering risks. Outsourcing ensures compliant onboarding without slowing sales.
• Conveyancing: Typically SME firms with thin margins and heavy transaction load. Passing AML costs directly to end-clients via easyAML and outsourcing reduces workload and cash flow pressure.
• Legal: Lawyers engaged in property, trust, or company structuring must comply. Outsourcing ensures specialist compliance without disrupting client service delivery.
• Accounting: Accountants providing tax structuring, company incorporation, or trust services will face new AML obligations. Outsourcing prevents regulatory risk while letting firms stay focused on client advisory.
• Precious metal dealers: High-value goods attract AML scrutiny. Outsourcing ensures rapid ID verification and suspicious activity monitoring without needing in-house compliance officers.
• Trust & corporate services: Often complex structures with high AML risk. Outsourcing ensures accurate beneficial ownership checks, risk scoring, and compliant reporting.

Why do SMEs pick easyAML for their outsourcing?

easyAML handles your AML/CTF obligations end-to-end, so you can focus on your clients (without blowing your budget). Our outsourcing features offer:

• Cost-savings: Outsourcing leverages economies of scale. Building in-house KYC/AML teams takes resources from your core business (hiring, training, systems). easyAML allows businesses to outsource and reduce costs significantly. 
• Speed & efficiency: easyAML Outsourcing can verify in seconds or minutes, vs much longer in-house rates. For high volume firms, speed is critical. 
• Risk reduction: Our team focuses just on collecting and processing KYC/KYB transactions. Compared to a small in-house team, there is lower risk of missing an issue.
• Scalability: As transaction volumes grow, firms don’t need to scale internal teams. Instead, easyAML handles scaling in verification depth and volume.
• Focus on core business: Firms can focus on serving their clients and processing transactions rather than building compliance infrastructure.

What does easyAML’s outsourcing look like? 

easyAML’s outsourcing service is flexible and tailored to the unique needs of your business. Businesses can choose to partner with easyAML to outsource any of the following AML/CTF requirements:

When you work with easyAML, you can be confident, knowing that we keep pace with AUSTRAC regulations, FATF guidance, and Tranche 2 updates, so you don’t need to spend hours tracking rule changes yourself.

We offer tiered service plans, from fully outsourced AML to hybrid models where businesses can review exceptions. And with real-time dashboards, reporting, and integrations with existing practice management and CRM systems, you will have complete transparency over your outsourced AML/CTF obligations.

Just as AUSTRAC expects, you remain the reporting entity. easyAML provides the muscle and the methods while your nominated compliance owner provides oversight and final decisions.

Your next step toward Tranche 2 readiness

Outsourcing AML/CTF isn’t a shortcut around responsibility. Instead, it’s a smart capacity and capability strategy. Done well, it gives your business the expert manpower, speed and expertise to be ready for Tranche 2 (all without building a compliance department from scratch).

If you want to see how this looks in practice join our next easyAML webinar for a live walk-through of our platform plus a live Q&A.