Tranche 2: What small businesses actually need to know
A lot of small businesses are confused about what Tranche 2 actually requires, so here’s the simple version.
1. You need to classify customers by risk.
Low, medium, high. And your checks can’t be the same for all three — regulators expect to see clear differences.
2. You need a written AML/CTF Program.
It should cover how you assess risk, what controls you use, how you monitor transactions, and how you train staff.
3. Australia uses SMRs, not STR/SAR.
You lodge an SMR whenever something feels off. You don’t need proof — suspicion is enough.
4. You must keep records for 7 years.
Customer ID, risk assessments, monitoring notes, SMR‑related info, training records.
5. Common mistakes:
– Same onboarding for all customers
– No documented risk reasoning
– Confusing SMRs with STR/SAR
– No written AML/CTF Program
That’s the practical baseline most small businesses will need to meet under Tranche 2.