Compliance, or the impression of compliance? What 1 July actually asks of you

June 23, 2026

A new AML platform seems to launch every week. With Tranche 2 obligations commencing on 1 July 2026, a lot of tools are being positioned as compliance solutions. Some of them are. Many are a customer due diligence workflow with a dashboard and a login screen.

The distinction matters, because the regulator is not assessing whether you bought software. AUSTRAC is assessing whether your program is effective, whether you understand your risks, and whether your controls actually work.

AUSTRAC CEO Brendan Thomas put it plainly in the regulator's July 2025 expectations statement: "We recommend businesses resist the urge to implement programs or processes that may create the impressions of compliance with the AML/CTF Act, but have minimal impact on the risk of money laundering."

That sentence describes a large part of the product being sold into this market. It does not appear in any platform's marketing. So here is what the regime actually asks of you, and three things the tools being sold for 1 July are mostly not telling you.

You're now a reporting entity. Here's what that actually means

From 1 July 2026, approximately 90,000 Australian businesses become reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. Law firms, accountants, real estate agencies and conveyancers move under the same customer identification and verification obligations that banks have operated under for years.

That is a real shift, and it is worth being precise about what now sits on your desk. A KYC workflow is not an AML/CTF program. Collecting a document, running a verification check and storing the result is one component of customer due diligence. A program is something larger: a documented understanding of how your specific business could be used to move criminal proceeds, expressed in policies and procedures built around that risk, enforced by trained people, governed by an accountable compliance officer, and supported by genuine suspicious matter reporting judgement.

None of that can be auto-generated. A sole-practitioner conveyancer faces materially different money laundering risks from a commercial settlement firm processing two hundred transactions a month for overseas buyers. A template serves neither, because the customisation is the substance, not the formatting. An algorithm produces a document. A document is not a risk assessment.

AUSTRAC's program starter kits are the most useful free resource available, and they are explicit about their limits. They are designed for businesses with fifteen or fewer staff, a single designated service, and a primarily low-risk domestic client base. If your business sits outside that profile, AUSTRAC has confirmed you cannot rely on the kit to meet its expectations. A significant proportion of the 90,000 entities now in scope fall outside it. It is worth checking honestly which side of that line you are on, because the platform market is not making the distinction clear.

Trap one: the Privacy Act obligation arriving the same day

Here is the part almost no one is being told. The AML/CTF obligation does not arrive alone.

At the same moment your business becomes a reporting entity, it also becomes subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth), for most of these businesses for the first time. The small business exemption that previously kept organisations with annual turnover below three million dollars outside the Privacy Act disappears the moment you enrol with AUSTRAC. There is no phase-in and no turnover floor. Section 6E(1A) is unambiguous. The Office of the Australian Information Commissioner confirmed in guidance published in early 2026 that where personal information is collected for an AML/CTF purpose and a business purpose at the same time, which describes almost every client onboarding, the Privacy Act applies to all of it.

In practical terms, a small accounting firm subscribing to a KYC platform on 1 July now needs a privacy policy covering that collection, a client-facing collection notice at onboarding, a data breach response plan, a register of the third-party providers receiving client data, and a process for handling access requests. None of those appear in any platform's onboarding flow.

The sharpest edge is data minimisation. The AML/CTF Act requires you to retain extracted identity data: name, date of birth, document type, document number, the verification steps and the outcome. It does not require you to keep a scanned copy or photograph of the document. Yet most KYC platforms are built to capture and retain document images, because that is where audit-trail depth and product value come from.

Privacy Commissioner Carly Kind has been direct about the consequence: "One of the most significant risks to Australians' privacy is the unnecessary retention of ID documents, which are some of the most important pieces of personal information Australians possess. Holding onto copies of ID documents not only creates risks to individuals, it creates risks for businesses, which will be more exposed in the event of a data breach."

This is not a theoretical exposure. In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, the Federal Court assessed privacy contraventions on a per-person basis, ordering $5.8 million in penalties across roughly 223,000 affected individuals. The current maximum civil penalty per contravention is the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted annual turnover. A statutory tort of serious invasion of privacy, which commenced in mid-2025, adds a civil litigation pathway that does not even require a plaintiff to demonstrate financial loss. The platforms being sold to newly regulated businesses are generating exactly the data volumes, and the governance gaps, in which that exposure arises.

Trap two: where your verification data actually goes

There is a technical question worth asking your provider, and most businesses have not been prompted to ask it: when you run an identity check, where does it actually go?

Australia's Document Verification Service (DVS) is the national hub operated by the Attorney-General's Department for checking identity document details against the records held by the agencies that issued them. A DVS check against a driver licence is a check against the licensing agency's own data. That is a government-source verification with specific legal standing.

Several platforms in this market do not hold their own DVS Participation Agreement. They route verification through intermediary providers who hold one, or through overseas-headquartered data companies whose sources do not connect to DVS at all. Where a platform routes through an intermediary, the Participation Agreement obligations, including the restrictions on onward sharing of DVS results, sit with the intermediary, not with you. You have no direct relationship with the DVS and no visibility over whether the data flows comply.

Where a platform uses overseas commercial data instead of DVS, the check is against a commercial data set rather than Australian government records. Credit file data, electoral roll data and other licensed sources are not equivalent to a check against the agency that issued the document. If you have been told your platform "provides identity verification" without being told the check is not against DVS, you do not have the information you need to assess whether your procedures meet the Act.

The point to hold onto is this: responsibility for the adequacy of your verification does not transfer to your vendor. It stays with you. So it is a fair and important question to put to any provider: is this check going to DVS directly, or somewhere else?

Trap three: the four-year blind spot

The third thing the market is quiet about is timing. Under the transitional rules, the first independent evaluation of a Tranche 2 entity's AML/CTF program is not due until somewhere between 2029 and 2030, staggered across the cohort.

That sounds like breathing room. It is closer to a blind spot. A business that starts on 1 July with a template program and a subscription audit trail may not face external scrutiny of it for four years or more. The delay does not make the program compliant. It means the gap between appearance and reality can sit undetected until it becomes a regulatory event rather than a fixable oversight. Getting the foundations right now matters far more than the timetable suggests.

There's a better model, and it's already live next door

It is easy to read all of this as a problem with no clean answer. It is not. There is a structurally different model, and on the very same day Australia's obligations commence, a comparable jurisdiction is switching it on.

New Zealand's Identity Verification Code of Practice 2026 (IVCOP 2026) takes effect on 1 July 2026, the first update to its AML/CFT identity verification framework since 2013. It introduces a new pathway: verification through an accredited Digital Identity Services Trust Framework (DISTF) service. The legal consequence is precise. A reporting entity that accepts a digital identity credential issued by an accredited service, at the required assurance levels, is taken to have satisfied its obligation to verify the customer's name and date of birth. No document upload. No OCR pass. No database lookup at the point of transaction. The credential, issued after proper identity proofing, carries the verification forward.

The same Code ends repeated verification for known customers. Where you have already verified someone as part of customer due diligence, you do not need to verify them again unless there are specific grounds to doubt the earlier check. Verify once, carry the result forward.

Contrast that with the point-in-time KYC model, where portability is structurally impossible. Each platform holds its own isolated records. A client buying a property might be verified by a law firm, then a real estate agent, then a conveyancer: three times, on the same transaction. Their passport is photographed three times. Their data sits in three separate environments under three different governance arrangements, and none of them can confirm to the others that a verification has already happened.

The credential model resolves this by design. A mobile document, or mDoc, built to the ISO/IEC 18013-5 standard is held by the customer in a wallet on their phone. When a verifier asks for identity information, the customer sees what is being requested and consents to disclose only that. A real estate agent confirming a buyer's name and address receives cryptographic proof that those attributes were signed by the issuing authority, and nothing else. The licence number, the date of birth, the photograph never leave the wallet. That is what the Privacy Act's data minimisation principle requires, achieved technically rather than promised in a policy. The check is of a government-issued cryptographic signature, not optical character recognition run against a photo, and the credential's currency can be confirmed at each presentation rather than frozen at onboarding.
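To make the selective-disclosure mechanism concrete, here is an added illustration (not MATTR's code and not a conformant ISO/IEC 18013-5 implementation) of the issuer-signed digest structure an mDoc relies on: the issuer signs salted digests of each data element rather than the values, the wallet discloses only the elements the verifier asked for, and the verifier recomputes those digests against the signed set and checks the credential's validity window at presentation time. Assumptions: the issuer's COSE_Sign1 signature is stood in for by an HMAC over a constructed key so the block runs offline, and JSON is used where a real mDoc uses CBOR; the attribute values are constructed sample data.

```python
"""Selective disclosure modelled on the ISO/IEC 18013-5 mDoc digest structure.
Issuer signs salted digests (the MSO), not values; holder discloses a subset;
verifier recomputes. HMAC stands in for the issuer's COSE_Sign1 signature
(constructed key, so this runs offline); a real mDoc uses CBOR, not JSON."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed stand-in for an issuer signing key


def element_digest(salt, elem_id, value):
    # The random salt stops a verifier guessing undisclosed low-entropy values.
    return hashlib.sha256(salt + elem_id.encode() + json.dumps(value).encode()).hexdigest()


def issue(elements, valid_until):
    """Issuer: sign the digest set and validity window; values stay with the holder."""
    salts = {k: secrets.token_bytes(16) for k in elements}
    mso = json.dumps({
        "digests": sorted(element_digest(salts[k], k, v) for k, v in elements.items()),
        "valid_until": valid_until,
    }).encode()
    signature = hmac.new(ISSUER_KEY, mso, hashlib.sha256).hexdigest()
    return {"elements": elements, "salts": salts, "mso": mso, "signature": signature}


def present(credential, requested):
    """Holder: disclose only the requested elements, each with its salt."""
    disclosed = {k: (credential["salts"][k].hex(), credential["elements"][k]) for k in requested}
    return {"mso": credential["mso"], "signature": credential["signature"], "disclosed": disclosed}


def verify(presentation, today):
    """Verifier: return the authenticated attributes, or None if any check fails."""
    expected = hmac.new(ISSUER_KEY, presentation["mso"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None  # digest set was not signed by the issuer
    mso = json.loads(presentation["mso"])
    if today > mso["valid_until"]:
        return None  # currency checked at every presentation, not frozen at onboarding
    signed = set(mso["digests"])
    verified = {}
    for elem_id, (salt_hex, value) in presentation["disclosed"].items():
        if element_digest(bytes.fromhex(salt_hex), elem_id, value) not in signed:
            return None  # value altered, or not an element of this credential
        verified[elem_id] = value
    return verified
```

The verifier ends up holding only the attributes it requested and a proof they belong to a currently valid issuer-signed credential; the date of birth, document number and portrait never appear in the presentation at all.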

To be clear, accepting an mDoc does not, on its own, constitute an AML/CTF program. You still need a genuine risk assessment, governance, trained staff and suspicious matter reporting capability. What the credential model provides is a sound, privacy-respecting foundation for the identification and verification component, and it sidesteps the DVS routing problem entirely, because the assurance comes from the issuer's signature rather than from intermediary data access.

Where Australia is heading

Australia has not built its own version of this safe harbour yet. The Commonwealth Verifiable Credentials Trust Framework consultation closes on 3 July 2026, and amending the AML/CTF Rules to formally recognise credential-based verification is unlikely to be complete before well into 2027. So there is a genuine gap period to navigate.

But the building blocks are already in the ground. Digital licence adoption shows Australians are ready to hold credentials on their phones: more than 4.5 million digital licence holders in New South Wales, around 1.8 million in Victoria, and over 1.25 million on Queensland's Digital Licence app. The upgrade path from those early digital licences to ISO-standard mDLs is the next step, and it is one jurisdictions have committed to: Queensland's ISO-compliant mDL is live; the Northern Territory, ACT, Tasmania and Western Australia are building ISO-ready programs; New South Wales and Victoria have ISO mDL rollouts underway through 2026 and 2027. The credential scope already reaches beyond the driver licence, too, with the NSW Digital Photo Card and NSW Digital Birth Certificate live as ISO credentials.

The infrastructure that makes these credentials verifiable across jurisdictions already exists: the national trust chain, and the acceptance capability now built into identity providers such as GBG, FrankieOne and Daon. The direction of travel is not really in doubt. The open question is whether the businesses being regulated now, and the platforms serving them, build on foundations that will be recognised, or retrofit later at greater cost.

The choice in front of you

The question is not really which compliance platform to subscribe to. It is what kind of verification you want underneath your business as Australia's regime matures over the next three to five years: something built on standards already proven in a comparable jurisdiction, or something you will have to rebuild once the gap between impression and compliance becomes impossible to ignore.

New Zealand has shown the architecture works. Australia's own building blocks are being laid now. The entities and platforms that start on the right foundations will not need to retrofit. Those that do not will carry the cost later: holding sensitive personal data they were never required to keep, running verification that may never have touched a government record, and operating programs that look like compliance from a distance.

AUSTRAC has already named what it thinks of programs that look like compliance from a distance.

The word it used was impressions.

