What AML/CTF Tranche 2 Means for Your Microsoft 365 Setup

If your firm provides legal, accounting, or financial advisory services, AUSTRAC's Tranche 2 reforms are not an abstract compliance matter. They are a practical IT project with a hard deadline of 1 July 2026.

From that date, an estimated 70,000 additional businesses, according to AUSTRAC, come under the Anti-Money Laundering and Counter-Terrorism Financing Act. Enrolment with AUSTRAC opened on 31 March 2026. Whether your firm is already enrolled or still working through what applies, the same question keeps coming up: is your Microsoft 365 environment actually set up to support what compliance now requires?

Most are not. Here is what needs to be in place.

What AML/CTF Tranche 2 actually requires from your IT environment

The obligations themselves are well-documented by AUSTRAC. What is less discussed is how much of the implementation work sits in your technology stack rather than your compliance policy documents.

Tranche 2 entities must, among other things:

  • Conduct initial and ongoing customer due diligence, including identity verification and risk rating
  • Monitor customer activity for unusual behaviour and suspicious transactions
  • Report suspicious matters and threshold transactions to AUSTRAC
  • Retain records for seven years in a form that can be produced on request
  • Appoint a compliance officer with documented oversight responsibility
  • Maintain an AML/CTF program that can be presented during an audit

Each of these obligations has a direct dependency on how your Microsoft 365 tenant is configured. A policy document stored in a shared folder with no access controls or retention settings does not constitute a compliant record-keeping environment.

The Microsoft 365 settings that matter most before 1 July 2026

Record retention that holds up under audit

Microsoft Purview, which is included in most Microsoft 365 Business Premium and enterprise plans, allows you to apply retention labels to documents, emails, and Teams conversations. For AML/CTF purposes, you need to demonstrate that compliance-related records are retained for seven years and cannot be deleted or altered during that period.

If your firm has not yet configured retention policies in Purview, this is the first thing to address. The default Microsoft 365 settings do not preserve records in a way that satisfies regulatory record-keeping requirements.

Identity verification and access controls

Knowing who accessed what, and when, is a core part of any AML/CTF audit. Microsoft Entra ID (formerly Azure Active Directory) logs sign-ins, role changes, and access events. Those logs need to be retained and reviewable. If you do not have a defined process for reviewing access logs, you are not meeting the spirit of ongoing due diligence obligations.

Multi-factor authentication is also non-negotiable. MFA should already be enabled across every account in your tenant. If it is not, that is an immediate gap.

Defined ownership of compliance documentation

Your AML/CTF program document, risk assessment, and compliance officer nomination all need to live somewhere with clear version history, defined access, and a documented approval trail. SharePoint with version control enabled is a practical starting point. What does not work is a PDF emailed around and saved in multiple places with no audit trail of changes.

Suspicious matter reporting workflows

AUSTRAC requires firms to report suspicious matters promptly. That means your team needs a defined process for escalating concerns internally and documenting what action was taken. Microsoft Teams or Outlook can support this, but only if the workflow is deliberate and the communications are retained. Ad hoc conversations in personal inboxes do not constitute a documented escalation trail.

What to do right now if your firm is not ready

The AUSTRAC transitional rules give some existing reporting entities room to implement new obligations in a structured way. They do not give anyone a pass on managing money laundering and terrorism financing risks in the meantime. AUSTRAC has been direct: if your systems are not ready by 1 July 2026, you need a documented implementation plan showing how you will get there and how you are managing risk while you do.

For firms using Microsoft 365, a practical starting point is a gap assessment across four areas:

  • Retention policies: Are they configured, applied, and tested? Default Microsoft 365 settings do not preserve records in a way that satisfies regulatory requirements.
  • Identity and access: Is MFA enforced across every account? Are Entra ID access logs being retained and reviewable?
  • Document governance: Is your AML/CTF program stored with version control and a clear approval trail? A PDF emailed around does not count.
  • Workflow documentation: Does your team know what to do when a suspicious matter arises, and is that process documented in a way that can be shown to a regulator?

None of this requires building new systems from scratch. Microsoft 365, configured properly, can support all of it. The issue for most firms is not capability but configuration.

How All IT can help

All IT works with financial services firms, accounting practices, and professional service providers across Sydney, Melbourne, and Brisbane. We understand the compliance frameworks your business operates under, including APRA CPS 230 and 234, the Privacy Act, and now the AML/CTF reforms.

We can assess your Microsoft 365 environment against your current and upcoming compliance obligations, identify what needs to change, and implement the configuration changes with clear documentation you can present to your compliance officer, board, or regulator.

If you want to know where your Microsoft 365 setup actually stands before 1 July 2026, talk to us. You will get a straight answer, not a sales presentation. Contact All IT Services.

Frequently asked questions about AML/CTF Tranche 2 and Microsoft 365

Does Microsoft 365 Business Basic meet AML/CTF compliance requirements?

Business Basic does not include Microsoft Purview compliance tools, which are needed for record retention and data governance. Most firms will need Microsoft 365 Business Premium or an equivalent plan with Purview included to meet their retention obligations.

How long do we need to retain AML/CTF records?

AUSTRAC requires relevant records to be retained for seven years. Retention labels in Microsoft Purview can enforce this automatically, preventing deletion or modification during the retention period.

What happens if our Microsoft 365 environment is not compliant by 1 July 2026?

If your firm cannot meet the new obligations by the deadline, AUSTRAC expects you to have a documented implementation plan in place. Failing to manage money laundering and terrorism financing risks remains a serious regulatory concern regardless of the transition period, and AUSTRAC has indicated that civil penalty proceedings remain possible for firms that do not meet their obligations.

Does All IT work with accounting and legal firms, not just financial services?

Yes. All IT works with professional services firms across all three Tranche 2 sectors. If your firm will be subject to AML/CTF obligations from 1 July 2026, we can help you assess your readiness and close the gaps.

All IT works with financial services firms and accounting practices across Sydney, Melbourne, and Brisbane to make Microsoft 365 compliance-ready before the 1 July 2026 AML/CTF deadline.
