As Australia's AML/CTF Tranche 2 reforms approach their 31 March 2026 implementation date, one question keeps surfacing in conversations with reporting entities: "Do we need to redo customer due diligence (CDD) and identity verification for all our existing customers?"

The short answer is: No, in most cases you won't need to.

AUSTRAC has provided transitional arrangements that recognise the significant work reporting entities have already done to verify their customers. However, there are important exceptions and ongoing obligations you need to understand.

The Good News: Transitional Relief for Existing Customers

If you were a reporting entity before 31 March 2026 and conducted the applicable customer identification procedure (ACIP) on your customers, you're generally considered compliant with the new initial CDD obligations. This means you can continue servicing these customers without re-doing their identity verification.

This transitional relief applies to:

• Customers verified under ACIP: If you completed ACIP on a customer (or the trustee of a customer trust) before 31 March 2026, you're considered compliant with initial CDD requirements
• Pre-commencement customers: Customers in ongoing business relationships involving certain designated services can continue to be serviced without new initial CDD
• Transferred customers: If you acquired customers through a business transfer and received their CDD records, you generally don't need to redo initial CDD

Pre-Commencement Customers: Special Considerations

A customer qualifies as a "pre-commencement customer" if, on 1 July 2026, you had an ongoing business relationship (not just occasional transactions) involving:

• Purchase or sale of precious metals, stones or products for $10,000+ in physical currency or virtual assets
• Real estate brokering or direct sale/transfer services
• Professional services (lawyers, accountants, trust and company service providers)

Or if, before 12 December 2007, you started providing them with:

• Financial services
• Bullion services
• Gambling services

These customers can continue being serviced without initial CDD under the new rules.

When You MUST Conduct Initial CDD on Existing Customers

While transitional relief is generous, there are critical triggers that require you to complete initial CDD even for existing customers:

1. Suspicious Matter Report (SMR) Obligation Arises

If you identify unusual transactions or behaviours that trigger an SMR obligation for an existing customer, you must complete initial CDD before continuing to provide designated services.

2. Significant Change in Business Relationship

You must conduct initial CDD if there's a significant change in the nature and purpose of the business relationship that results in the customer's ML/TF risk becoming medium or high.

Key points to understand:

• It doesn't matter what their previous risk rating was
• The change must be significant enough to alter the nature and purpose of your relationship
• The new risk level must be medium or high

Example: A customer who previously only used your platform for low-value domestic transactions now requests to facilitate high-value cross-border transfers involving high-risk jurisdictions. This significant change triggers initial CDD requirements.

3. Missing or Inadequate Records

For transferred customers, if you didn't receive complete CDD records from the previous reporting entity, you must conduct initial CDD before providing services.

Ongoing CDD: Still Required for All Customers

Here's what many reporting entities miss: even if you don't need to redo initial CDD, you still have ongoing CDD obligations for all existing customers.

For all customers, including those covered by transitional arrangements, you must:

1. Monitor for unusual transactions and behaviours that may give rise to SMR obligations
2. Review, update and re-verify KYC information at appropriate frequencies, particularly if you have doubts about its adequacy or accuracy
3. Monitor for significant changes in the nature and purpose of the business relationship that could elevate ML/TF risk to medium or high
4. Keep KYC information current and verify it using reliable and independent data appropriate to the customer's risk level

Foreign Compliance Recognition

AUSTRAC also recognises CDD conducted under equivalent foreign regimes. You're considered compliant with initial CDD obligations if:

• You're providing services through a permanent establishment in a foreign country, and
• Before 31 March 2026, you complied with that country's laws giving effect to FATF recommendations on CDD and record keeping

Similar recognition applies for customers previously onboarded by your reporting group's foreign entities, provided you hold (or can immediately access) the relevant KYC information and verification data.

Practical Implications for Your Business

What You Should Do Now

1. Identify your customer segments:
   • Customers verified under ACIP before 31 March 2026
   • Pre-commencement customers
   • Transferred customers with complete records
   • New customers onboarded after 31 March 2026
2. Strengthen your ongoing CDD processes:
   • Implement robust transaction monitoring
   • Establish clear triggers for KYC information reviews
   • Define what constitutes a "significant change" in your business context
   • Set appropriate review frequencies based on customer risk
3. Update your AML/CTF policies to clearly document:
   • How you'll handle each customer segment
   • Triggers requiring initial CDD on existing customers
   • Ongoing CDD procedures and frequencies
   • Escalation procedures for unusual activities or significant changes
4. Prepare for edge cases:
   • Customers whose ACIP may be incomplete or questionable
   • Situations where business relationships are evolving
   • High-risk customers requiring enhanced monitoring

What You Don't Need to Do

• Blanket re-verification of all existing customers
• Immediate collection of additional KYC information for compliant existing customers
• Immediate application of new beneficial ownership verification to customers already verified under ACIP

The Bottom Line

The Tranche 2 reforms don't require wholesale re-verification of your existing customer base. AUSTRAC has recognised the substantial compliance work already undertaken by reporting entities through practical transitional arrangements.

However, this is not a "set and forget" situation. Ongoing CDD is mandatory, and specific triggers can require you to conduct initial CDD even on long-standing customers. The key is understanding which customers fall into which category and having robust processes to identify when circumstances change.

As the 31 March 2026 deadline approaches, focus your efforts on:

• Strengthening ongoing monitoring and review processes
• Clearly documenting your transitional arrangements in your AML/CTF program
• Training your team to recognise triggers for initial CDD
• Building systems that flag significant changes in customer behaviour or risk

The reforms represent a shift toward risk-based, ongoing vigilance rather than one-time verification exercises. Reporting entities that embrace this approach will find themselves better positioned to manage ML/TF risks effectively while maintaining compliance with the new regulatory framework.

Need help navigating the Tranche 2 reforms or updating your CDD processes? Contact bronID to learn how our technology can streamline your compliance obligations while ensuring robust AML/CTF protection.