Why AML/CTF is more than just an ID check: Understanding the full life cycle for Tranche 2 businesses
If you’ve been hearing a lot about Tranche 2 lately, depending on your industry, you may also have heard people say, “We already do ID checks - we’re pretty much covered.”
It’s an easy assumption to make. In many industries, including real estate and conveyancing, identity checks have been standard practice for years now. Lawyers and conveyancers are used to working under the VOI requirements set by their regulators and land registries. Accountants routinely capture client ID for tax file numbers, company setups and trust work.
So, it’s understandable that many businesses think AML/CTF is simply an extension of what they already do.
The reality though is that your upcoming AML/CTF obligations are not ‘just ID checks.’ Verification of Identity (VOI) is only one small part of a much bigger compliance picture, and Tranche 2 introduces a whole lifecycle of obligations that go far beyond onboarding a client. To understand the role of what many currently know as VOI in the wider AML process, AUSTRAC has broken it down in greater detail on their website.
In this blog, we’ll unpack that life cycle to help you understand what your AML/CTF compliance really involves… and why you can’t rely on VOI alone to meet your obligations come 2026.
MYTH 1: “AML/CTF is basically just identity verification.”
REALITY: ID checks are just one small part.
Identity verification is a part of the Customer Due Diligence (CDD) element of AML/CTF compliance. Depending on whether you’re dealing with an individual or a company, you will need to conduct KYC (Know Your Customer) and KYB (Know Your Business) checks on each party involved.
Just like VOI, CDD involves knowing who your client is, and it is conducted before you provide a designated service. But AML/CTF regulations go much further. The identity data you collect during your CDD process feeds into your risk assessment, your ongoing monitoring, your reporting obligations, and your evidence trail.
If you stop at a simple one-off ID check, you’re only doing 5% of what AUSTRAC expects. If you operate under one of the Tranche 2-impacted industries, VOI alone doesn’t cut it. For example:
- VOI just seeks to confirm a client’s ID. Put simply, it confirms they are who they say they are. It doesn’t assess whether they or the transaction pose an ML/TF risk.
- Checking ID doesn’t help you detect unusual transaction patterns, structuring, or beneficial ownership concerns.
- ID checks don’t reveal unusual behaviours, suspicious activity, or red flags in how clients structure transactions, companies or trusts.
AML/CTF requires you to go further to know your client, understand the purpose of their transaction, assess their risk and then actively monitor their activities and report any suspicious matters. On top of this, you’re expected to retain all the evidence from these activities for seven years.
Put simply? VOI is step one… and then the real work begins.
MYTH 2: “I only need to worry about clients when they first sign up.”
REALITY: AML/CTF requires ongoing monitoring. It’s not a once-off box-ticking exercise.
Under Tranche 2, you must monitor clients throughout the entire relationship, not just at onboarding. Let’s just clarify what we mean here - you’re not expected to check in on every transaction daily, putting it under a microscope. Instead, it means being alert to changes, inconsistencies, or behaviours that don’t fit the expected pattern of that kind of transaction or that particular client.
For example:
- A real estate buyer providing conflicting source-of-funds information.
- A conveyancing client adding or removing parties mid-transaction without clear explanation.
- A legal client requesting company or trust structures that don’t align with their financial profile.
- An accounting client suddenly moving funds through complex entities with no commercial rationale.
- During the course of a longer-term business relationship, a client, or the country they are a resident of, is placed on a sanctions list. It is expected that periodic checks are made to ensure that any changes like this are identified.
Ongoing monitoring sits at the heart of the 2026 AML/CTF changes. AUSTRAC expects you to monitor behaviour, escalate concerns, collect additional information where needed, and document your reasoning.
This is one of the biggest differences between VOI and AML. VOI is a one-off event. AML is a complete life cycle.
MYTH 3: “Once I write my AML/CTF program, the job is done.”
REALITY: Your program must be lived, reviewed and updated (and you’re expected to refer to it regularly).
Every Tranche 2 business must have a written AML/CTF program. However, in order to maintain your compliance, this program isn’t just a document that can be written once and then filed away on the server, never to see the light of day again.
Your AML/CTF Compliance program must be:
- Tailored to your specific industry and unique business risk profile
- Approved by senior management
- Implemented through real processes, which are heavily documented to support your team’s adherence to them
- Supported by ongoing, targeted staff training
- Independently reviewed regularly
An off-the-shelf template downloaded online may not necessarily meet AUSTRAC’s expectations for your business. Similarly, you won’t be able to rely on AI to generate your program. Instead, you must ensure that your AML/CTF program reflects your business’s unique services, your real customers, the jurisdictions you operate in, and your risks.
MYTH 4: “Suspicious Matter Reporting is only for big banks. I’m no detective.”
REALITY: Every Tranche 2 business must report suspicious activity (and quickly).
Suspicious Matter Reports (SMRs) are one of the most powerful tools AUSTRAC uses to detect financial crime.
Under Tranche 2, every reporting entity - real estate agencies, conveyancers, law practices, accountants, TCSPs, precious-metal dealers - must lodge an SMR when there are reasonable grounds to suspect:
- A person is not who they claim to be
- A transaction may involve criminal proceeds
- A person may be attempting to evade reporting requirements
- The transaction or behaviour is unusual or inconsistent
- There may be links to ML/TF activity
SMRs must be submitted within 3 business days of forming the suspicion (or 24 hours for terrorism-related matters). This is far beyond the scope of VOI. Suspicious activity may occur long after identity has been verified. VOI at client onboarding doesn’t eliminate AML risk and this is exactly why the ongoing monitoring provisions exist.
MYTH 5: “Record-keeping is just storing the ID documents.”
REALITY: AML/CTF requires comprehensive, secure, long-term record retention.
AUSTRAC requires you to keep AML/CTF records for at least seven years, including:
- Customer identification and verification
- Risk assessments
- CDD/EDD outcomes
- Monitoring activities
- SMR decisions (even when you decide not to file)
- Staff training records
- Version-controlled policy and program documents
For SMEs, this is often the part that causes the biggest administrative burden, especially for paper-based or ad-hoc systems. Good record-keeping is an essential part of proving your compliance if AUSTRAC ever comes knocking.
MYTH 6: “Training is just an annual tick-box exercise.”
REALITY: AML/CTF training must be risk-based, role-specific, and ongoing.
AUSTRAC expects your staff to:
- Understand the AML/CTF risks of your business
- Know what red flags look like
- Recognise when they should escalate concerns
- Follow internal procedures consistently
- Participate in refresher training
Training should be about creating awareness and embedding good habits, across reception, sales, admin, partners, directors, and even casual staff. Training needs to be unique to the staff member’s position, depending on the types of work they are completing and how involved they are with your clients. Off-the-shelf modules and even AUSTRAC webinars are not enough to meet your compliance obligations when it comes to AML training.
So… if AML is more than ID checks, what is it?
It’s the entire life cycle of your client relationship. A full AML/CTF life cycle includes:
- Governance & oversight (including nominating a Compliance Officer for your business)
- ML/TF risk assessment and your business’s resulting AML/CTF Program
- Customer due diligence (which we’ve established is more than VOI)
- Ongoing monitoring
- Reporting (SMRs, threshold transactions, international transfers)
- Comprehensive record-keeping
- Tailored, ongoing staff training
- Independent reviews and continual updates as risks evolve
VOI sits only at step 3. Understanding this life cycle now gives you the head start you’ll desperately want by the time March enrolment and July go-live roll around.
How easyAML supports the full AML life cycle (without the overwhelm)
While many SMEs think they’ll need to build a compliance function from scratch, the reality is that you can streamline the entire life cycle with the right tools. easyAML helps across every single step of the AML life cycle, by providing:
- Customer due diligence workflows including KYC, KYB, PEPs and Sanctions screenings, as well as UBO identification, which all goes far beyond a simple ID check
- Ongoing monitoring tools and alerts to streamline your compliance
- Built-in record-keeping and evidence logs, with comprehensive audit trails
- Pre-drafted SMRs ready for review and submission to AUSTRAC
- Clear governance to help your Compliance Officer with oversight and management of your AML obligations
- Role-specific training modules that your team will actually enjoy completing
- Support for multi-entity groups and high-volume businesses
- An outsourcing option for businesses that want specialist support
It’s everything you need to manage the life cycle, without needing a compliance department.
Ready to understand AML beyond the ID check?
AML/CTF is much bigger than most people realise, but the earlier you understand the full picture, the easier 2026 will feel. Join our next easyAML webinar for a simple, clear breakdown of the full AML life cycle and what it means for your business.
You’ll walk away knowing:
- What’s changing
- What your responsibilities are
- What you can start doing now
- How to avoid overwhelm in 2026
Register today and get ahead before the rush.