From Tick-Box to Harm Prevention: The Shift Every Tranche 2 Entity Must Understand

Before the 2024 reforms, compliance in Australia followed a familiar pattern across almost every regulatory framework. ASIC, APRA, privacy regulators — they all gave you a list. Do this, do this, do this. If you ticked every box, you were compliant. If someone complained, you pulled out your checklist and showed you had done what was asked.

AML/CTF was no different. AUSTRAC provided guidance. You built a compliance program. You had policies. You had a risk assessment. You filed your reports. And unless someone specific raised a concern, the system was largely passive. The compliance program sat in a folder — physical or digital — and the organisation pointed to it as evidence of compliance.

This is what we mean by “tick-box.” The obligation was to demonstrate that you had the right documents, the right processes on paper, and the right training records filed. Whether those processes were actually preventing money laundering was, in practice, a secondary concern.

This worked for organisations regulated by ASIC, where the obligation is fundamentally about investor protection — share brokers, superannuation companies, investment platforms, insurance platforms. These are activities where you hold other people's assets. ASIC tells you what to do, you do it, and unless someone complains, the tick-box is enough.

AML/CTF compliance looked like this too. Until 2024.

The AML/CTF Amendment Act 2024 didn't just extend the regime to Tranche 2 entities. It fundamentally changed the philosophy of compliance. The language shifted. The expectations shifted. The liability shifted.

AUSTRAC's new guidance, the AML/CTF Rules 2025, and the program starter kits all reflect a consistent message: compliance is not a document, it is an ongoing activity. Your risk assessment is not something you write once and file. It is something you review, update, and actively use to inform every decision your organisation makes about its customers and their transactions.

The key differences from the old regime:

This is the single most important change in the new regime, and the one that most businesses do not yet fully understand.

In the old world, following the checklist was your defence. In the new world, following the checklist is the minimum. Your obligation extends beyond the list to actively preventing harm. If you could have reasonably detected or prevented the criminal activity but didn't — because your risk assessment was stale, your monitoring rules were too basic, or your compliance program wasn't connected to what was actually happening in your practice — AUSTRAC can and will hold you accountable.

This is what the compliance community calls the shift from “tick-box compliance” to “harm prevention.” The regulator is no longer asking “did you have a program?” They are asking “did your program actually work?”

Consider the difference. Under the old regime, a penalised entity could say: “We had a compliance program. We had all the documents. We followed the guidance.” Under the new regime, AUSTRAC's response is: “That's the minimum. Did your program actually stop the harm? If not, why not?”

Under the new regime, your risk assessment is not a one-time exercise. It is a living document that must evolve as your understanding of risk evolves.

How Risk Items Work

Each risk in your assessment must be a specific, detailed item — not a generic category. For example, “money launderers can recruit students and pensioners to split large sums into small amounts and send them through remittance channels” is a risk item. It is specific. It describes a criminal method. It can be assessed and mitigated.

Each item is then scored on two dimensions: the likelihood of it happening in your organisation (say, 3 out of 10) and the impact if it does happen (say, 7 out of 10). The score is 21 out of 100. That score tells you how much attention this risk deserves and what controls are proportionate.

Two Phases of Mitigation

For each risk, there are two mitigation points. The same risk reference number appears in both phases:

Worked Examples

Click each risk item to see how likelihood × impact scoring works, and how a single risk item maps to both onboarding controls and monitoring rules:

Learning from the Outside

Your risk assessment must incorporate external intelligence. When AUSTRAC publishes a criminal typology — a real-world case study of how a crime was committed, with names removed — you need to read it, assess whether that risk exists in your environment, and update your controls if it does.

When another organisation is penalised (as Commonwealth Bank was with a $1.3 billion fine for AML/CTF Act breaches), you need to check whether you have the same gap. This is active learning, and it is now part of the obligation.

One of the most common failures in AML/CTF compliance is the disconnect between what the compliance program says and what the organisation actually does. Many businesses have an effective, well-written compliance program — and it sleeps on a shelf, completely disconnected from daily operations.

Under the new regime, your compliance program must be synced with your operations. Three things must be true at all times:

This is why AUSTRAC says “don't cut and paste policies.” Every entity has different risk. A real estate agent operating in Sunnybank, Brisbane has a completely different risk profile from one in the CBD or Surfers Paradise. The customer presentation, the transaction flow, the geographic risk factors — they are all different. Your compliance program must reflect your specific risk, not a generic template.

If you are a Tranche 2 entity preparing for 1 July 2026, the implications are significant:

The shift from tick-box to harm prevention is not a minor adjustment. It requires a fundamentally different approach to compliance — one where your program is alive, your risk assessment evolves, and your technology supports active decision-making rather than passive record-keeping.