Trust & Company Service Providers: Your Tranche 2 Playbook

Trust and company service providers (TCSPs) are among the highest-risk entities targeted by Australia's Tranche 2 AML/CTF reforms — and with 68 days until the 1 July 2026 deadline, a wait-and-see approach is no longer viable. If your firm creates companies, establishes trusts, provides nominee directors or shareholders, or administers corporate structures on behalf of clients, you will be a reporting entity under the AML/CTF Act 2006, carrying compliance obligations that have applied to banks and financial institutions for nearly two decades.

Why Are TCSPs a Priority Target Under Tranche 2?

TCSPs sit at the intersection of corporate creation and client anonymity — precisely where financial crime risk concentrates. The companies, trusts, foundations, and partnerships that TCSPs create and manage are the structures most commonly used globally to layer and integrate the proceeds of crime.

The Financial Action Task Force (FATF), whose Recommendations underpin the AML/CTF Act 2006, explicitly identifies TCSPs in Recommendations 22 and 23 as professional gatekeepers requiring customer due diligence (CDD) obligations. Australia's most recent FATF Mutual Evaluation identified inadequate TCSP oversight as a significant vulnerability in our anti-money laundering defences — and AUSTRAC has made remedying that gap a central objective of the Tranche 2 reforms.

High-profile global disclosures — including the Panama Papers and Pandora Papers — demonstrated how TCSP services can, knowingly or otherwise, enable the creation of opaque structures that conceal criminal wealth across jurisdictions. For AUSTRAC, the Tranche 2 expansion of obligations to this sector is long overdue.

Which TCSP Services Are Designated Under the AML/CTF Act?

The Tranche 2 reforms expand the AML/CTF Act 2006 to capture specific TCSP activities as designated services. If your firm provides any of the following, AUSTRAC registration is mandatory — regardless of firm size or annual revenue:

• Forming legal entities — incorporating companies, establishing trusts, foundations, or similar structures for a customer

• Nominee director or secretary services — acting in, or arranging for a third party to fill, these roles on a customer's behalf

• Nominee trustee or beneficiary arrangements — acting in a trustee or equivalent capacity for a customer's structure

• Registered office or business address services — providing an accommodation or correspondence address for corporate clients

• Nominee shareholder services — holding shares on behalf of a beneficial owner

• Corporate administration — managing or administering companies, trusts, or similar structures on an ongoing basis

There is no minimum threshold. A sole practitioner who establishes one company or administers one trust for a single client carries the same registration obligation as a large corporate trustee firm.

What CDD Obligations Apply to TCSP Clients?

CDD for TCSPs is structurally more complex than for businesses dealing directly with natural persons. Your clients are frequently legal entities themselves — and those entities may be owned by further layers of entities spread across multiple jurisdictions.

Standard CDD requires collecting and verifying the identity of your customer, including the entity itself and the natural persons associated with it.

Enhanced due diligence (EDD) must be applied where higher-risk indicators are present, including:

• Politically Exposed Persons (PEPs) and their close associates who use corporate or trust structures

• Clients with connections to jurisdictions on FATF grey or black lists

• Nominee arrangements that lack an apparent commercial rationale

• Unusually complex or multi-layered ownership structures

Critically, your CDD obligations are ongoing. Client information must be periodically refreshed, and beneficial ownership data must remain current and accurate throughout the life of the relationship — not just at initial onboarding.

Why Is Beneficial Ownership Identification the Hardest Challenge for TCSPs?

Identifying the ultimate beneficial owner (UBO) — the natural person who ultimately owns or controls a client entity — is the most technically demanding obligation TCSPs will face under Tranche 2, and the point where inadvertent facilitation of financial crime is most likely to occur.

TCSPs must identify and verify UBOs, generally defined as natural persons holding direct or indirect ownership of 25% or more, or those who exercise effective control regardless of formal ownership percentage.

For a trust structure, this means identifying the settlor, trustee(s), any protector, and all beneficiaries. For a company with multiple layers of corporate shareholders, you must trace through each layer until natural persons are reached. Where a layer sits in a foreign jurisdiction, you must still make reasonable efforts to obtain this information — through certified foreign registry documents, professional certifications, or similar means — and escalate where the structure presents elevated risk.

Where UBO genuinely cannot be determined after reasonable efforts, you must document your reasoning thoroughly. Unresolved beneficial ownership is itself a risk indicator that may warrant filing a Suspicious Matter Report (SMR) or declining the engagement. Platforms like AMLify include structured beneficial ownership mapping and automated refresh workflows to help TCSPs manage this complexity at scale. See how AMLify handles complex entity structures.

What Must a TCSP AML/CTF Programme Include?

A compliant AML/CTF programme for a TCSP must address both Part A (the core risk-based programme) and Part B (the employee due diligence programme). At minimum, it must include:

1. AUSTRAC registration — mandatory before any designated service is provided

2. ML/TF risk assessment — documenting the risks specific to your services, customer types, delivery channels, and geographic exposures

3. KYC and CDD procedures — written processes for customer identification, verification, and UBO mapping

4. EDD triggers — documented criteria for when enhanced scrutiny applies and what it must involve

5. Ongoing monitoring — systems and processes to detect suspicious or unusual activity across your client base

6. Suspicious Matter Reporting — internal escalation procedures and timely AUSTRAC reporting obligations

7. Record-keeping — CDD records and transaction data retained for a minimum of seven years

8. AML/CTF Compliance Officer — a nominated individual responsible for programme governance and AUSTRAC liaison

9. Staff training — initial and refresher training for all staff with client-facing or compliance responsibilities

How Can TCSPs Get Compliant in the Next 68 Days?

Sixty-eight days is a tight window, but enough to achieve a compliant baseline if you begin immediately. Prioritise in this order:

1. Register with AUSTRAC (this week) — the legal prerequisite for everything else; do not delay

2. Scope your designated services (Weeks 1–2) — confirm exactly which activities create reporting entity obligations for your firm

3. Complete your ML/TF risk assessment (Weeks 2–3) — rate each service, customer type, and delivery channel by risk level

4. Draft your AML/CTF programme (Weeks 3–5) — written policies, procedures, and escalation paths tailored to your business

5. Implement CDD and UBO workflows (Weeks 5–6) — build or configure your client intake, verification, and ownership mapping processes

6. Train your team (Weeks 6–7) — prioritise client-facing staff and those responsible for SMR escalation

7. Test and review (Weeks 7–9) — run through your procedures with real or simulated scenarios before go-live

AMLify's guided onboarding and pre-built TCSP-specific templates can compress this timeline considerably, replacing weeks of document drafting with a structured, industry-calibrated setup process. Explore AMLify for trust and company service providers.

Key Takeaways

• TCSPs are explicitly targeted by Tranche 2 because the corporate and trust structures they create are the primary vehicles used globally to layer and integrate criminal proceeds — AUSTRAC's scrutiny of this sector from 1 July 2026 will be substantial.

• Designated services include forming companies and trusts, providing nominee directors, trustees or shareholders, registered office addresses, and ongoing corporate administration — with no minimum size threshold.

• Beneficial ownership identification — tracing through multiple layers of entities to reach controlling natural persons — is the most demanding technical compliance obligation TCSPs face.

• A compliant programme must cover AUSTRAC registration, ML/TF risk assessment, CDD and UBO procedures, ongoing monitoring, SMR reporting, seven-year record-keeping, and staff training.

• With 68 days until the 1 July 2026 deadline, AUSTRAC registration and an initial scoping exercise should begin this week.

Frequently Asked Questions

Q: Do all TCSPs need to register with AUSTRAC, or only larger firms?

Any firm providing a designated service under the expanded AML/CTF Act 2006 must register with AUSTRAC before providing that service. There is no revenue, headcount, or transaction volume threshold. A sole practitioner who forms one company or administers one trust on behalf of a client is a reporting entity and must register before the 1 July 2026 commencement date.

Q: What happens if a TCSP cannot verify the beneficial owner of a client structure?

Inability to verify the UBO after reasonable efforts is itself a significant risk indicator and must be documented in your records. Your AML/CTF programme should specify escalation steps — including whether to apply EDD, whether to file a Suspicious Matter Report, and the circumstances under which you would decline or exit the relationship. Unresolved UBO is not a basis for accepting the engagement as lower risk.

Q: Do Tranche 2 obligations apply to existing clients or only new ones onboarded after 1 July 2026?

Your obligations will apply to ongoing client relationships, not only to customers acquired after commencement. This means you will need to conduct CDD and UBO verification on your existing active client book. A risk-based approach is appropriate — prioritise your highest-risk clients first — but remediation of your existing book should be a defined workstream in your 68-day action plan.

Q: Is a generic AML/CTF programme template sufficient for a TCSP?

A template is a starting point, not a compliant programme. AUSTRAC expects your programme to reflect the actual risk profile of your business — the specific services you offer, the customer types you serve, the jurisdictions you deal with, and your delivery channels. A generic template left unadapted is unlikely to satisfy regulatory expectations. TCSP-specific templates within AMLify are purpose-built to be customised to your firm's profile, not deployed unchanged.

This is general information only and not a substitute for legal advice.