Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

By Dan Briggs

Dan Briggs, All IT Services

Is Your Microsoft 365 Ready for AUSTRAC Tranche 2? What Law, Accounting, and Advisory Firms Need to Do Before 1 July 2026

If your firm provides legal, accounting, or financial advisory services, AUSTRAC's Tranche 2 reforms are not an abstract compliance matter. They are a practical IT project with a hard deadline of 1 July 2026.

From that date, an estimated 70,000 additional businesses come under the Anti-Money Laundering and Counter-Terrorism Financing Act. Enrolment with AUSTRAC opened on 31 March 2026. Whether your firm is already enrolled or still working through what applies, the same question keeps coming up: is your Microsoft 365 environment actually set up to support what compliance now requires? Most are not. Here is what needs to be in place.


What AML/CTF Tranche 2 Actually Requires from Your IT Environment

The obligations themselves are well-documented by AUSTRAC. What is less discussed is how much of the implementation work sits in your technology stack rather than your compliance policy documents. Tranche 2 entities must, among other things:

  • Conduct initial and ongoing customer due diligence, including identity verification and risk rating.
  • Monitor customer activity for unusual behaviour and suspicious transactions.
  • Report suspicious matters and threshold transactions to AUSTRAC.
  • Retain records for seven years in a form that can be produced on request.
  • Appoint a compliance officer with documented oversight responsibility.
  • Maintain an AML/CTF program that can be presented during an audit.
Each of these obligations has a direct dependency on how your Microsoft 365 tenant is configured. A policy document stored in a shared folder with no access controls or retention settings does not constitute a compliant record-keeping environment.

The Microsoft 365 Settings That Matter Most Before 1 July 2026

Record retention that holds up under audit

Microsoft Purview, which is included in most Microsoft 365 Business Premium and enterprise plans, allows you to apply retention labels to documents, emails, and Teams conversations. For AML/CTF purposes, you need to be able to demonstrate that compliance-related records are retained for seven years and cannot be deleted or altered during that period.

If your firm has not yet configured retention policies in Purview, this is the first thing to address. The default Microsoft 365 settings do not preserve records in a way that satisfies regulatory record-keeping requirements.

Identity verification and access controls

Knowing who accessed what, and when, is a core part of any AML/CTF audit. Microsoft Entra ID (formerly Azure Active Directory) logs sign-ins, role changes, and access events. Those logs need to be retained and reviewable. If you do not have a defined process for reviewing access logs, you are not meeting the spirit of ongoing due diligence obligations.

Multi-factor authentication is non-negotiable. MFA should already be enabled across every account in your tenant. If it is not, that is an immediate gap.

Defined ownership of compliance documentation

Your AML/CTF program document, risk assessment, and compliance officer nomination all need to live somewhere with clear version history, defined access, and a documented approval trail. SharePoint with version control enabled is a practical starting point. What does not work is a PDF emailed around and saved in multiple places with no audit trail of changes.

Suspicious matter reporting workflows

AUSTRAC requires firms to report suspicious matters promptly. That means your team needs a defined process for escalating concerns internally and documenting what action was taken. Microsoft Teams or Outlook can support this, but only if the workflow is deliberate and the communications are retained. Ad hoc conversations in personal inboxes do not constitute a documented escalation trail.


What to Do Right Now If Your Firm Is Not Ready

The AUSTRAC transitional rules give some existing reporting entities room to implement new obligations in a structured way. They do not give anyone a pass on managing money laundering and terrorism financing risks in the meantime. AUSTRAC has been direct: if your systems are not ready by 1 July 2026, you need a documented implementation plan showing how you will get there and how you are managing risk while you do.

For firms using Microsoft 365, a practical starting point is a gap assessment across four areas:

  • Retention policies. Are they configured, applied, and tested?
  • Identity and access. Is MFA enforced, and are access logs being retained?
  • Document governance. Is your AML/CTF program stored with version control and a clear approval trail?
  • Workflow documentation. Does your team know what to do when a suspicious matter arises, and is that process documented in a way that can be shown to a regulator?
None of this requires building new systems from scratch. Microsoft 365, configured properly, can support all of it. The issue for most firms is not capability but configuration.

How All IT Can Help

All IT Services works with financial services firms, accounting practices, and professional service providers across Sydney, Melbourne, and Brisbane. We understand the compliance frameworks your business operates under, including APRA CPS 230 and 234, the Privacy Act, and now the AML/CTF reforms.

We can assess your Microsoft 365 environment against your current and upcoming compliance obligations, identify what needs to change, and implement the configuration changes with clear documentation you can present to your compliance officer, board, or regulator.

If you want to know where your Microsoft 365 setup actually stands before 1 July 2026, talk to us. You will get a straight answer, not a sales presentation.


Frequently Asked Questions

Business Basic does not include Microsoft Purview compliance tools, which are needed for record retention and data governance. Most firms will need Microsoft 365 Business Premium or an equivalent plan with Purview included to meet their retention obligations.
AUSTRAC requires records to be retained for seven years in a form that can be produced on request. This includes customer due diligence records, transaction records, and your AML/CTF program documentation. Your Microsoft 365 retention policies need to reflect this timeframe and must prevent records from being deleted or altered during the retention period.
AUSTRAC's position is clear: if your systems are not ready by 1 July 2026, you need a documented implementation plan showing how you will get there and how you are managing risk in the meantime. Operating without that plan, or without any documented approach to managing AML/CTF risk, leaves your firm exposed to regulatory action. Having a credible, evidenced remediation plan in place is far better than having nothing to show.

Find Out Where Your Microsoft 365 Setup Actually Stands

If this article raised questions about your own setup, we can help you make sense of it. Here is what you will get:

  • A look at your actual environment, not a generic answer
  • Clear priorities: what matters now and what can wait
  • Straight advice, even if the answer is "you're already on track"

Get an assessment 

We’ll assess where you should be based on the information you hold, the people you serve, and the regulations that apply to you. 

Not a generic checklist. An honest assessment of your actual risk and the controls that make sense for your business. 

    Related Guide

    Microsoft 365 Services

    See how Microsoft 365 can transform the way your team works.

    Read the Full Guide →