AML/CTF Compliance Is Now Available in VeriEzi. Mobile App Coming Soon.
Manage AML reviews, monitor alerts, and streamline your compliance workflow today. Secure mobile access is coming soon.
BlogIndustry Insights

So, You’re the New AML/CTF Compliance Officer: A Guide to the First 90 Days for Tranche 2 Firms

Admin June 24, 2026Industry Insights
So, You’re the New AML/CTF Compliance Officer: A Guide to the First 90 Days for Tranche 2 Firms

All firms captured by Australia’s new Tranche 2 reforms must designate an AML (Anti-Money Laundering)/CTF (Counter-Terrorism Financing) compliance officer by the time obligations commence on 1 July 2026. The statutory deadline is 28 days after the firm first provides designated services.

For the majority of newly regulated practices, that means a principal, practice manager or licensee-in-charge will undertake a role they have never done before, under a regime that didn’t apply to their industry until these new reforms came into place.

If you have been given these responsibilities by your firm, this guide will take you through everything you need to know. It covers the legal requirements of the role, the deadlines that apply to you specifically as well as a realistic plan for your first 90 days.

None of it assumes any prior AML knowledge because AUSTRAC itself doesn’t: in fact, the regulator’s guidance states explicitly that a compliance officer “doesn’t need to be an AML/CTF expert.”

Key takeaways
  • The role involves oversight and coordination, not taking care of everything by yourself. In AUSTRAC’s own words: the compliance officer “must instead oversee and coordinate others.”
  • The officer does not need to be a dedicated hire. The role must be performed by one designated person at management level, but for smaller firms that person will usually be the principal, owner or licensee-in-charge doing additional duties.
  • There are two key deadlines: appointment of an officer within 28 days of the firm providing designated services, and notification to AUSTRAC before whichever is the later of 29 July 2026 or 14 days after the firm enrols.
  • You will need to be assessed and confirmed as a fit and proper candidate before appointment, and your firm must document that assessment.
  • Your first obligations are sending a written report to the firm’s governing body at least every 12 months, as well as the firm’s first annual compliance report to AUSTRAC covering 1 July 2026 to 30 June 2027.
  • AUSTRAC expects effort, not perfection, in the first year. They will concentrate early enforcement on firms that fail to enrol or turn a blind eye to money laundering, not on compliance officers who are new to the role and learning.

What the compliance officer role actually is

What the AML/CTF compliance officer role really is

The AML/CTF Act requires every reporting entity to designate a compliance officer at management level. There are three pillars of eligibility:

Three pillars of eligibility:
  • 1Management level. This is about authority, not headcount. AUSTRAC has made it clear that the person nominated can be at management level without any direct reports. In a small legal practice they will typically be a principal or managing partner; in an agency, the licensee-in-charge; and for a sole practitioner, themselves.
  • 2Australian resident, if the firm provides designated services through a permanent establishment in Australia.
  • 3Fit and proper, assessed by the firm before appointment (more on this below).

As per AUSTRAC’s compliance officer guidance, the role involves four key functions:

Four key functions:
  • 1Communicate with AUSTRAC on the firm’s behalf. You are the regulator-facing contact.
  • 2Oversee and coordinate day-to-day compliance with the Act and Rules. You won’t need to personally perform every identity check or lodge every report; you make sure the people who do so are doing it properly.
  • 3Oversee the effective implementation of the AML/CTF policies, and flag when they need an update.
  • 4Report to the governing body in writing at least once every 12 months. The report should cover the firm’s compliance with AML/CTF policies, whether those policies still align with the risks faced by the firm, as well as compliance with the Act and Rules. AUSTRAC expects any significant findings to be reported to them without being watered down. If someone asks you to change a draft, their request and your reasons for accepting or rejecting it should be recorded in detail.

What the role is not

Three important things are worth getting straight early on because they remove most of the anxiety you might feel about the role:

You are not a shield from accountability for the firm. The governing body (the partners, directors or owner) still has a statutory obligation to oversee risk and take reasonable steps toward compliance, and designating you doesn’t change that.

A separate senior manager should be in charge of approving AML/CTF policies, risk assessment and high-risk customer decisions. For small firms, one person can hold all three roles. AUSTRAC notes that they “don’t need to report to themselves.”

You are not expected to be fully trained from the start. For small businesses, AUSTRAC requires a management-level person to learn the firm’s risks and be willing to build their capability through training and experience.

You are not necessarily an employee. The role can be outsourced to an external compliance officer who’s given the authority, resources and expertise to do the job. Also, one compliance officer can serve other members within a corporate reporting group. Either way, the firm is ultimately responsible.

The fit-and-proper assessment

Before you can be appointed, the firm must confirm you are a fit and proper person, and also keep records showing how they came to that conclusion. This is a considered decision, not a pass/fail checklist.

The mandatory considerations are:
  • 1Competence, skills, knowledge, diligence and soundness of judgement for the role
  • 2Good character, honesty and integrity
  • 3Any convictions for a serious offence
  • 4Any adverse findings by a regulatory body
  • 5Any findings of serious misconduct
  • 6Bankruptcy or personal insolvency
  • 7Conflicts of interest that create a material risk of not acting properly

AUSTRAC accepts open-source searches, reference checks, credit checks and police checks as examples of what firms might document to confirm their officer is fit and proper. It also requires periodic reassessment.

For professionals already subject to practising-certificate or licensing checks, there is a logical development expected in late 2026: AUSTRAC is working with industry bodies on recognising existing fit-and-proper processes.

Your deadlines, precisely

Deadline confusion is a particularly common issue, partly because of the 30 May 2026 notification deadline that was circulated widely earlier this year. However, that deadline only applied to entities already on AUSTRAC’s Reporting Entities Roll by 30 March 2026.

For newly captured firms, the Transitional Rules set the timetable:

EventDeadline
Firm enrols with AUSTRACBy 29 July 2026
Compliance officer appointedWithin 28 days of the firm providing designated services
AUSTRAC notified of the appointmentThe later of 29 July 2026 or 14 days after enrolment
Compliance officer leaves or becomes ineligibleNotify AUSTRAC within 14 days; someone must always be covering the function
First written report to the governing bodyWithin 12 months of commencement
Firm’s first annual compliance report to AUSTRACCovers 1 July 2026 to 30 June 2027; lodged between 1 July and 30 September 2027

Your first 90 days

First 90 days as AML/CTF compliance officer

Here is a workplan that fits what AUSTRAC has said it expects of newly regulated firms by 1 July: enrolled, program and compliance officer in place, staff trained, ready to report.

Days 1 to 30: set the foundations
  • Get the paperwork right. Confirm the firm’s enrolment on AUSTRAC Online, ensure you have your documented fit-and-proper assessment and make the necessary notifications to AUSTRAC.
  • Own the risk assessment. The risk assessment is the document that everything relies on: which services the firm provides, the types of clients it works with, where it provides services and how money moves. If your firm fits the profile for an AUSTRAC program starter kit (15 or fewer personnel, straightforward client base), you can get a structured risk assessment and policy set to customise. AUSTRAC expects the compliance officer to be in charge of that customisation.
  • Book your own training first. AUSTRAC is running a free induction webinar series for new reporting entities until August 2026. This covers fundamentals, risk assessments and quality reporting. Sessions are live, limited to two attendees per firm and aren’t recorded, so book early. Treat it as a foundation rather than a kit walkthrough. Your professional body will almost certainly run sector-specific training as well. AUSTRAC guidance suggests compliance officers refresh every 6 to 12 months.
Days 31 to 60: make the workflow real
  • Enmesh Customer Due Diligence (CDD) into the firm’s intake. Decide who runs verification, at what point it happens in the matter or sale and with what tool. Decide where the records are kept. A file should not be able to progress past a trigger point without the CDD step coming into play.
  • Define your escalation lane. High-risk results, politically exposed people, sanctions hits and unusual patterns all need a documented route to you. Your decisions and reasons should be recorded. If you override a risk rating, write down why; if you clear a false positive, write down why. A strong paper trail protects you and your firm.
  • Run personnel due diligence. Identify which roles involve AML/CTF functions and those that are high-risk (anyone who can override controls, authorise payments, lodge AUSTRAC reports or amend risk ratings), and vet them accordingly.
  • Train the team. Anyone whose role involves the obligations needs training tailored to their function. They should know what the red flags look like in your firm’s actual work, what to do when they see one, and what they should never do (tipping off a client about a report is most important). Keeping a completion register is a great idea. AUSTRAC’s free e-learning can help but cannot be the whole program.
Days 61 to 90: prove it works
  • Dry-run your reporting workflows. Take a hypothetical suspicious matter from a staff member’s first doubt through your review to a lodged report. Use the real deadlines: 24 hours for terrorism financing suspicions, 3 business days for everything else (up to 5 business days where a legal professional privilege claim needs to be assessed). The threshold transaction report is due within 10 business days of receiving $10,000 or more in physical cash.
  • Test retrieval, not just retention. Records must be kept for 7 years, but the practical test is whether you can pull a complete file (verification, screening results, risk decisions and reasons) quickly when necessary.
  • Start the governing-body rhythm. Do not wait 12 months for the first conversation. A standing agenda item at partner or director meetings, along with brief notes, is the type of “good oversight” signal AUSTRAC describes. It will make your formal annual report simple.
Compliance officer checklist
  • Fit-and-proper assessment documented; appointment notified to AUSTRAC on time
  • Risk assessment completed and owned, with a review trigger when the business changes
  • AML/CTF program customised to how the firm actually works
  • CDD part of intake, with a no-bypass trigger point
  • Escalation lane to you documented, with decisions and reasons recorded
  • Personnel due diligence done; high-risk roles identified
  • Training delivered and registered before 1 July; refresh deadlines set
  • SMR and TTR workflows dry-run against real deadlines
  • 7-year record retention confirmed, with fast retrieval tested
  • Standing AML/CTF agenda item at governing-body meetings; first annual report scheduled

Download this guide

A print-ready PDF of this 90-day plan and checklist is available to download and keep as your compliance roadmap from day one.

Download the PDF Guide

Share it with your governing body so they understand the role too, as their oversight obligations sit alongside yours.

Where VeriEzi fits

A compliance officer’s workload is divided into judgement and bookkeeping. The judgement aspect (risk decisions, escalations, the annual report’s conclusions) is yours, but the bookkeeping is what VeriEzi was built to do.

VeriEzi gives the compliance officer a single review queue. Matters auto-calculate a risk level from screening and questionnaire answers, and high-risk matters lock and escalate to you automatically. Risky answers are highlighted so you can see what actually needs your judgement at a glance.

False positives from sanctions and politically-exposed-person screening can be cleared in bulk with a recorded reason, and risk overrides always capture who, when and why. Staff can route completed work to you for sign-off.

When something warrants reporting, the suspicious matter report pre-fills from the matter record, and the annual compliance report compiles electronically instead of from a Word template. Every action sits in a filterable audit log that exports to CSV, which is precisely what you want to hand over when the firm’s records are examined.

There is no subscription and no platform fee; the firm pays per verification. You can get 5 free verifications to run on your own matters, or book your free demo and see the compliance officer workspace before 1 July.

VeriEzi provides identity-verification software to support firms preparing for AUSTRAC Tranche 2 reporting obligations. The information in this article is general in nature and does not constitute legal or compliance advice. Firms remain responsible for their own AML/CTF Program and reporting-entity obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). For advice specific to your firm’s obligations, consult AUSTRAC guidance materials or a qualified compliance adviser.

Related Blogs

More insights from the same category: Industry Insights

Verifying Overseas Property Buyers in Australia: The Tranche 2 Problem Most Firms Haven’t SolvedIndustry Insights

May 26, 2026

Verifying Overseas Property Buyers in Australia: The Tranche 2 Problem Most Firms Haven’t Solved

Verifying overseas property buyers under ARNECC VOI rules, what lawyers and conveyancers must do to meet AML compliance and protect settlement.

Read More
You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually InvolvesCompliance

July 6, 2026

You’re Now a Compliance Officer, Whether You Trained for It or Not: What Ongoing AML Actually Involves

So let’s do the calm, practical thing. Here is what ongoing compliance actually involves, day to day, not as legal theory. It is not effortless. But it is manageable, and this article sets out why.

Read More
Ready to Modernize Your VOI Process?