A practical walkthrough of KYC and identity verification obligations under Tranche 2, with technology and workflow recommendations for accountants, lawyers and TCSPs.
Who this guide is for This guide is written for Australian professional services firms — including accountants, lawyers, real estate agencies, and trust or company service providers — assessing how Tranche 2 AML/CTF reforms affect their client onboarding obligations. If your firm already performs informal identity checks, this guide explains what changes under Tranche 2 — and what does not. Understanding the Importance of KYC and ID Verification for Businesses As Australia prepares to extend Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations to Tranche 2 entities, Know Your Customer (KYC) and ID verification will become foundational requirements for many professional services firms. For accountants, lawyers, conveyancers, real estate professionals, and trust or company service providers, this represents a shift in operating expectations.
However, it does not fundamentally change professional judgment or client relationships. This guide explains, at a practical and business-friendly level, what KYC and ID verification mean under Tranche 2, why they matter, and how firm leaders should approach them in a proportionate, defensible way. Why KYC Matters Under Tranche 2 KYC is not a new concept. Most professional firms already perform informal checks when onboarding clients.
What changes under Tranche 2 is that these checks become: Explicit Documented Consistent Defensible to a regulator From AUSTRAC’s perspective, KYC ensures that firms: Understand who they are dealing with Are not inadvertently facilitating illicit activity Can demonstrate reasonable controls if questioned later The goal is risk management, not intrusion. What “KYC” Actually Means in Practice At a high level, KYC involves three core questions: Who is the client? Who ultimately owns or controls them (if applicable)? Do they present a higher-than-normal risk?
For most Tranche 2 entities, answering these questions does not require complex systems. However, it does require a structured approach. Identifying Individual Clients When dealing with individual clients, firms will be expected to take reasonable steps to verify identity using reliable and independent sources. This typically includes: Full legal name Date of birth Residential address Verification using government-issued identification This process is not materially different from identity checks already performed by banks, conveyancers, or professional bodies.
However, it must now be applied consistently. Identifying Business Clients and Entities For companies, trusts, partnerships, and other structures, KYC extends beyond the entity name. Firms should understand: The legal structure Who owns the entity Who controls decision-making This understanding is particularly important because complex structures are frequently used—both legitimately and illegitimately—to obscure beneficial ownership. Understanding Beneficial Ownership A beneficial owner is the individual who ultimately owns or controls a client, even if ownership is indirect.
Examples include: Shareholders behind a company Individuals controlling a trust Persons exercising significant influence over decisions Under Tranche 2, firms are expected to take reasonable steps to identify beneficial owners, especially where ownership is not immediately transparent. The emphasis is on reasonable effort, not forensic investigation. Politically Exposed Persons (PEPs) A Politically Exposed Person (PEP) is someone who holds, or has held, a prominent public position—or is closely related to such a person. PEPs are not inherently problematic, but they present a higher risk profile due to potential exposure to corruption or influence.
Firms should be able to: Identify whether a client is a PEP Apply enhanced scrutiny where appropriate Document the rationale for proceeding Risk-Based KYC: One Size Does Not Fit All A key principle of Australia’s AML/CTF regime is that obligations are risk-based. This means: Not every client requires the same level of scrutiny Low-risk matters can be handled simply Higher-risk matters require deeper checks Risk factors may include: Client type Transaction size Jurisdiction Complexity of structures Unusual urgency or secrecy Documenting why a client was considered low or higher risk is often more important than the outcome itself. When Enhanced Due Diligence Is Required Enhanced due diligence may be appropriate when: Clients use complex or opaque structures Transactions are unusually large or urgent Funds originate from high-risk jurisdictions Clients resist providing basic information This does not mean refusing clients automatically. It means slowing down, asking additional questions, and recording the response.
Timing: When Should KYC Be Performed? Best practice is to complete KYC: Before commencing a regulated service Or as soon as practicable where urgency exists Leaving KYC until after work has commenced increases regulatory and reputational risk. Record-Keeping Expectations KYC is not just about performing checks—it is about being able to prove they were done. Firms should maintain records that show: What information was collected How identity was verified Any risk assessment performed Decisions made in higher-risk cases Records must be: Secure Accessible Retained for the required period Common Mistakes Firms Should Avoid Based on international experience, common pitfalls include: Applying inconsistent checks across teams Over-engineering processes for low-risk clients Relying on memory rather than documentation Treating KYC as a one-off task rather than an ongoing obligation The aim is proportionate consistency, not perfection.
The Role of Technology in KYC Many firms will choose to use digital tools to: Verify identity Screen PEPs and sanctions Maintain audit trails Technology can: Reduce manual effort Improve consis