From zero to AI-era AML. What Australia’s Tranche 2 entities are walking into on day one

When the Tranche 2 laws land, many Australian law, accounting and real estate firms will be doing AML/CTF for the first time. But you’re not starting at the beginning of the story. You’re walking into a game that is already in progress… and the other side is using AI, synthetic identities and complex sanctions-evasion networks.

Recent guidance from RUSI, FATF and DFAT paints a clear picture: sanctions evaders (a risk that firms are required to screen against) are moving fast, and they’re using tools that didn’t exist when the original AML/CTF regime was designed. 

For Tranche 2 entities, that means your thinking has to be broader from day 1. It’s not just “learn how to do KYC”. It’s “learn how to do KYC in an environment where AI can generate entire fake clients, documents and corporate networks at scale.”

The world you’re stepping into

RUSI’s recent commentary is blunt: The era of AI as an “emerging technology” is over. AI-enabled sanctions evasion is already here. Criminals are using AI to:

• Generate realistic fraudulent documents
• Build and manage networks of synthetic entities and digital footprints
• Automate complex shell-company structures and trade patterns that are harder to spot

FATF’s June 2025 report on complex proliferation financing and sanctions evasion shows how these structures are used to move dual-use goods, route funds through multiple jurisdictions and hide the real counterparties behind seemingly normal trade or professional-services activity.

Closer to home, DFAT’s Australian Sanctions Office has warned that AI is already being misused to create deepfakes, falsify identification and corporate records and support sanctions circumvention. Their message to regulated entities is simple: sanctions risk is evolving quickly and compliance can’t be treated as a one-off exercise.

That’s the backdrop against which Tranche 2 entities will register, design programs and onboard their first “reportable” matters.

Why “basic AML” won’t be enough for Tranche 2

Because many professional services firms have not previously been regulated, there’s a natural instinct to start small:

• Verify ID
• Keep simple records
• Screen against a sanctions list

All necessary and a good starting point, but not sufficient for the environment you’re entering. Consider stretching your thinking in three directions:

1. Identity in the age of synthetic clients

DFAT highlights the risk that AI can create and manage “extensive networks of false identity (synthetic entities)” with distinct digital characteristics and documentation. For Tranche 2 entities, this means:

• Don’t treat electronic copies as inherently trustworthy. Fraudulent passports, corporate records and payrolls can be generated or altered by AI.
• Higher-risk clients (international PEPs, cross-border structures, high-risk sectors, complex ownership) may need face-to-face or video verification, independent document checks and stronger linkages between the person in front of you and the documents provided.
• Be sceptical of “perfect” documentation – consistently formatted, too clean, always exactly what you asked for. AI is good at making things look right.

2. Structures and matters, not just people

FATF’s work on complex sanctions-evasion schemes shows heavy use of:

• Shell and front companies in multiple jurisdictions
• Trading companies with opaque beneficial ownership
• Seemingly low-risk intermediaries used as cut-outs for sanctioned actors or proliferation networks

While creating your compliance program consider that your client and matter intake needs to ask: “Could this structure, deal or asset be acting as a front for someone we can’t see, including a sanctioned actor?” That is a very different mindset to: “Does the director’s passport match the name on the ASIC extract?”.

3. Ongoing monitoring, not one-and-done onboarding

DFAT’s advisory is explicit that sanctions compliance is “an ongoing obligation rather than a one-time assessment” and that measures and risks are constantly evolving.

For Tranche 2 entities, this is a legal requirement and a cultural shift. You’ll need to build habits and systems that notice change over time, such as:

• A previously low-risk client suddenly using complex cross-border structures
• An entity that starts trading in dual-use or sanctioned-sensitive goods
• A property client that begins cycling assets through multiple related parties

In other words, you’re not just assessing who the client is when they walk in the door – you’re watching how they behave over the life of the relationship.

Priorities for Tranche 2 entities

You don’t need a bank-grade AI lab, but you do need a plan that acknowledges the reality you’re stepping into. Here’s a practical starting point:

1. Write sanctions and technology risk into your first AML/CTF program

   1. Don’t park sanctions and AI in a “future phase”. Your risk assessment and program should explicitly cover: misuse of AI and deepfakes, synthetic identities, shell and front companies, complex trade or asset flows and exposure to high-risk jurisdictions or sectors.

2. Design onboarding for a hostile environment

   1. Use reliable electronic verification, but build in additional checks for higher-risk clients and structures.
   2. Require clarity on beneficial ownership and control, not just legal ownership.
   3. Be prepared to walk away when the client cannot or will not provide a credible picture of who ultimately benefits.
   4. And importantly: modern AML technology needs to do more than match names to documents. Look for capabilities like biometric verification, liveness detection and AI-enabled fraud controls that can detect manipulated IDs, synthetic identities and document tampering - capabilities that traditional EIV providers simply weren’t built for.

3. Build simple, realistic ongoing monitoring

   1. Start with what you can see: changes in client ownership, nature of work, counterparties, jurisdictions or transaction patterns that don’t fit the original story. Build triggers to review matters or relationships when these change.
   2. Your tools should support you here too. Look for platforms that surface changes to risk factors automatically, flag shifts in beneficial ownership and rerun PEP, sanctions and adverse-media screening without manual intervention. That’s the kind of guardrail that lets smaller teams stay compliant under pressure.

4. Train for judgment, not just process

   Your people have never done AML before, but they know their clients and files. Give them typologies, scenarios and examples that link AI-enabled fraud, sanctions risk and professional-services work - and then empower them to escalate when something feels wrong.
   
   Your AML technology should back this up with clear audit trails, decision logs and case management so staff aren’t left guessing or documenting compliance in spreadsheets.