Australia’s Anti-Money Laundering and Counter-Terrorism Financing regime has expanded, and law firms are now squarely in scope. If you’re searching for guidance on AML/CTF compliance for law firms in Australia, the reality is straightforward: AUSTRAC expects legal practitioners to verify client identities, assess risk, and maintain ongoing compliance programs, obligations that were previously limited to financial institutions and reporting entities.
For many practices, this means building entirely new processes from scratch. Client identification, document verification, risk assessments, and record-keeping all need to be formalised and repeatable. Done manually, these tasks are slow, error-prone, and pull fee earners away from billable work. Done well, they protect your firm from regulatory penalties and strengthen your client relationships through demonstrated professionalism.
This guide walks through what the AML/CTF regime requires of Australian law firms in 2026, how to build a compliant program, and where common mistakes happen. We also cover how tools like StackGo’s IdentityCheck, which runs KYC verification directly inside your existing CRM, can help firms meet their obligations without bolting on yet another standalone platform or relying on manual workarounds that don’t scale.
What changed and who must comply in 2026
Australia’s AML/CTF framework expanded significantly when the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 received Royal Assent in November 2024. The legislation brought lawyers, accountants, real estate agents, and other professional service providers into scope as reporting entities for the first time. This is the reform commonly called "Tranche 2," and it fundamentally changes how law firms must operate when handling client matters that touch money, property, or corporate structures.
The Tranche 2 reforms explained
For over a decade, Australia lagged behind international standards set by the Financial Action Task Force (FATF), which had repeatedly identified legal professionals as a high-risk vector for money laundering. The 2024 reforms corrected this by amending the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 to include a new category of designated services. Law firms providing certain services now carry the same core obligations as banks and other financial institutions, including customer due diligence, suspicious matter reporting, and maintaining a formal AML/CTF program registered with AUSTRAC.
Australia’s FATF Mutual Evaluation Reports consistently flagged the exclusion of legal professionals as a significant gap in the national framework. The 2024 reforms directly address that finding.
Previously, a law firm could onboard a client, receive funds into a trust account, and complete a conveyance without any formal identity verification obligation under the AML/CTF Act. That is no longer the case. Firms that continue operating without a compliant program after the commencement date face civil penalties, enforceable undertakings, and potential reputational damage from AUSTRAC’s public register of non-compliant entities.
Which legal services trigger obligations
Not every piece of legal work brings your firm into scope. AML/CTF compliance for law firms in Australia applies specifically when your firm provides "designated services" as defined in the amended Act. You need to map your practice areas against that definition clearly, because the obligations attach to the service, not just the client.
The following services trigger reporting entity obligations:
- Receiving, holding, or managing funds or property on behalf of a client
- Buying or selling real property on behalf of a client
- Managing client funds, securities, or other assets
- Company and trust formation, including acting as a registered agent or nominee director
- Providing a registered office or principal place of business address for a company or trust
If your firm handles conveyancing, estate administration, commercial transactions, or corporate structuring, you almost certainly provide at least one designated service. Even if only one practice group crosses that line, the whole firm must enrol with AUSTRAC and implement a compliant program that covers those services.
Key dates and transition timeline
The Act received Royal Assent in November 2024, with a phased commencement schedule designed to give firms time to build their compliance infrastructure. Core obligations, including AUSTRAC enrolment, program implementation, and customer due diligence, apply from 1 July 2026. Record-keeping and reporting obligations commence on the same date, which means firms without a functioning program by that point are immediately non-compliant.

AUSTRAC has signalled that firms demonstrating good-faith, documented progress toward compliance before the deadline will be treated more favourably during any supervisory engagement. Waiting until June 2026 to begin building your program is not a workable approach. You need a governance structure, a written risk assessment, and an operational CDD workflow ready before that date, not scrambled together in the final weeks.
Step 1. Identify your designated services and exposure
Before you build any policies or enrol with AUSTRAC, you need a clear picture of which parts of your practice are in scope. This step matters more than most firms realise. AML/CTF compliance for law firms in Australia does not apply to every file you open, but it does apply to every file where a designated service is provided. Getting this mapping wrong early creates gaps that are difficult to fix later.
Map your practice areas against designated services
Start by listing every service type your firm offers, then cross-reference it against the designated services in Schedule 1 of the amended Act. The table below gives you a practical starting point.
| Practice area | Likely designated service triggered | In scope? |
|---|---|---|
| Residential conveyancing | Buying or selling real property on behalf of a client | Yes |
| Commercial property transactions | Buying or selling real property, managing funds | Yes |
| Estate administration | Receiving and managing client funds or assets | Yes |
| Company or trust formation | Forming legal persons or arrangements | Yes |
| Nominee or registered office services | Providing registered office for a company or trust | Yes |
| Family law (property settlement) | Managing funds or property on behalf of a client | Often yes |
| Litigation (no funds managed) | None typically triggered | No |
| Employment law advice only | None typically triggered | No |
If your firm provides even one designated service, you must treat the entire firm as a reporting entity and build a program that covers all client work connected to those services.
Assess your exposure level
Once you know which services are in scope, rate your exposure by client type and transaction size. A firm doing high-volume residential conveyancing for individual purchasers carries a different risk profile than one structuring commercial trusts for offshore investors. Your risk assessment in Step 3 will formalise this, but starting with a rough exposure map now lets you prioritise where to focus your CDD resources and staffing.
Walk through your last 12 months of matter files, flag every file that involved one of the designated services above, and note the client type, transaction value, and jurisdiction. That exercise gives you a concrete evidence base to build your risk assessment on, rather than working from assumptions.
Step 2. Set up governance and enrol with AUSTRAC
Governance comes before paperwork. Before you can submit your enrolment to AUSTRAC, your firm needs a designated compliance officer and a clear internal structure that defines who owns AML/CTF obligations day-to-day. Without that foundation, even a well-written program will break down in practice because nobody is accountable for keeping it current, actioning alerts, or making sure staff follow the right procedures.
Appoint your AML/CTF Compliance Officer
Your compliance officer does not need to hold a law degree, but they do need genuine seniority, decision-making authority, and protected time to perform the role. AUSTRAC expects this person to sit at a level where they can escalate concerns to partners or directors without friction. In most firms, that is a senior partner, practice manager, or dedicated risk and compliance manager, depending on the firm’s size.
Their core responsibilities include:
- Maintaining and updating the AML/CTF program annually or after material changes
- Reviewing suspicious matter reports before submission to AUSTRAC
- Overseeing staff AML/CTF training and keeping records of completion
- Acting as the primary point of contact for all AUSTRAC correspondence
Appointing a compliance officer in name only, without real authority or dedicated time, is a common failure point that surfaces quickly during AUSTRAC supervisory reviews. Give this role genuine ownership from the start.
Enrol with AUSTRAC
Once governance is in place, you register your firm on the AUSTRAC Online portal as a reporting entity. Enrolment is a legal requirement for every firm providing designated services, and you must complete it before obligations commence on 1 July 2026.
The enrolment process asks for the following:
| Field | What you need |
|---|---|
| Business legal name and ABN | Your firm’s registered details |
| Designated services provided | Mapped from Schedule 1 of the Act |
| Compliance officer name and contact | Role title, email, and phone |
| Principal place of business | Registered address |
After you submit, AUSTRAC assigns your firm a reporting entity ID that you will use for all future lodgements, including threshold transaction reports and suspicious matter reports. Your interaction with AUSTRAC continues well beyond initial enrolment, so store your reporting entity ID where your compliance officer and practice management team can access it immediately when needed.
Step 3. Write your risk assessment and AML/CTF program
Your risk assessment and your AML/CTF program are two separate documents, but they work together. The risk assessment tells AUSTRAC how you identified and rated the money laundering and terrorism financing risks specific to your firm. The program then sets out the controls, procedures, and responsibilities you have put in place to manage those risks. Neither document needs to be lengthy, but both need to be specific to your practice rather than copied from a generic template.
Build your risk assessment
Start by documenting the risk factors relevant to your firm across four dimensions: client risk, service risk, delivery channel risk, and jurisdiction risk. A residential conveyancing firm in a metropolitan area dealing with individual buyers carries a different risk profile from a firm that forms trusts for clients with offshore interests. Your assessment should reflect your actual client base and matter mix, not a theoretical one.
For each risk dimension, assign a rating of low, medium, or high, then record your rationale. The table below gives you a working template.
| Risk dimension | Factors to assess | Your rating |
|---|---|---|
| Client risk | Individual vs. corporate, PEP status, high-risk industries | Low / Medium / High |
| Service risk | Trust formation, property transactions, fund management | Low / Medium / High |
| Delivery channel risk | In-person vs. remote onboarding, third-party referrals | Low / Medium / High |
| Jurisdiction risk | Domestic only vs. transactions with high-risk countries | Low / Medium / High |
AUSTRAC expects your risk assessment to be reviewed and updated at least annually, or sooner if your services or client base changes materially.
Structure your AML/CTF program
Under the amended Act, your program must cover Part A (your risk-based systems and controls) and Part B (your employee due diligence and training procedures). AUSTRAC publishes its program requirements on its official website; use those requirements as your structural checklist to make sure nothing is missing.
Your Part A document should cover customer due diligence procedures, transaction monitoring, suspicious matter reporting, and record-keeping. Part B must include how you screen staff who have access to sensitive client data and how you will deliver and record annual AML/CTF training. Keep both parts version-controlled, dated, and signed off by your compliance officer.
Step 4. Build a CDD workflow that staff will follow
A written program means nothing if your fee earners and support staff do not know what to do when a new client contacts the firm. Your customer due diligence (CDD) workflow has to be practical enough that staff follow it every time, not just when they remember to. Design it around your existing intake process rather than alongside it, so CDD becomes a default step rather than an extra one imposed on top of their normal work.
Define your three-tier CDD approach
Your CDD requirements vary depending on the risk level you assigned to each client and matter in Step 1. Standard CDD applies to most clients; simplified CDD is available for lower-risk situations like a listed public company with a straightforward transaction; and enhanced CDD applies whenever your risk assessment flags elevated risk, such as politically exposed persons (PEPs), complex trust structures, or transactions involving high-risk jurisdictions.

Applying simplified CDD without documented justification is one of the most common errors AUSTRAC identifies during supervisory reviews. Always record your reasoning before you reduce your verification requirements.
| CDD tier | When it applies | Minimum requirements |
|---|---|---|
| Simplified | Low-risk clients, listed public companies | Confirm identity category, document rationale |
| Standard | Most individual and corporate clients | Photo ID, proof of address, beneficial ownership |
| Enhanced | PEPs, high-risk jurisdictions, complex structures | Additional documentation, senior sign-off, ongoing monitoring |
Build the new client intake checklist
Give every staff member who opens a new matter a single-page checklist they complete before the file is activated. Keeping it to one page reduces friction and improves completion rates across your team. Your checklist should cover the following steps in sequence:
- Confirm whether the matter involves a designated service
- Assign a risk tier: simplified, standard, or enhanced
- Collect the required identity documents based on that tier
- Record verification outcomes in your practice management system
- Obtain beneficial ownership details for any corporate or trust client
- Flag any PEP status or adverse media findings to the compliance officer before proceeding
Store completed checklists on the matter file so your compliance officer can audit them during the annual program review.
Step 5. Reporting, record keeping, privilege, and privacy
Completing CDD is not the end of your compliance obligations. AML/CTF compliance for law firms in Australia requires you to actively monitor client activity, submit reports to AUSTRAC when required, and maintain records in a specific way for a set period. You also need to understand where legal professional privilege (LPP) fits, because it does not function as a blanket shield from your reporting requirements.
Know your reporting obligations
AUSTRAC requires you to submit two primary report types once you are a registered reporting entity. Suspicious matter reports (SMRs) must be lodged within 24 hours if you suspect a matter involves terrorism financing, or within three business days for all other suspicious matters. Threshold transaction reports (TTRs) are required whenever you receive or send physical currency of $10,000 or more on behalf of a client.
You must not tip off a client that you have submitted or are considering an SMR. Disclosing that fact to the client is a criminal offence under the AML/CTF Act.
| Report type | Trigger | Deadline |
|---|---|---|
| Suspicious Matter Report (SMR) | Reasonable grounds to suspect ML/TF | 24 hours (TF) / 3 business days (other) |
| Threshold Transaction Report (TTR) | Physical cash of $10,000 or more | By the next business day after the transaction |
Record-keeping requirements
Your firm must retain CDD records, transaction records, and copies of reports submitted to AUSTRAC for a minimum of seven years from the date the record was created or the matter was closed. Store records in a format that lets you retrieve and produce them quickly if AUSTRAC requests them during a supervisory review.
Do not store sensitive client identity documents inside your CRM without controls. Tools like StackGo’s IdentityCheck write verification outcomes back to your CRM while keeping the underlying PII accessible only to MFA-authenticated administrators, which reduces your data breach exposure significantly.
Legal professional privilege and privacy
LPP protects confidential legal advice communications from disclosure, but it does not override your obligation to lodge an SMR. If a transaction you learn about through legal advice raises genuine suspicion, submit the report. Your privacy obligations under the Privacy Act 1988 run parallel to your AML/CTF obligations, meaning you must collect only the identity information you need, store it securely, and dispose of it appropriately once the retention period has passed.

Next steps
AML/CTF compliance for law firms in Australia is no longer something you can defer. The 1 July 2026 deadline is weeks away, and firms without a working program in place will be immediately non-compliant the moment it arrives. Work through the five steps in this guide in order: map your designated services, set up governance and enrol with AUSTRAC, build your risk assessment and program, design a CDD workflow your staff will actually use, and get your reporting and record-keeping procedures confirmed.
Start with your client intake process because that is where most compliance failures begin. Manual identity checks, unverified documents, and inconsistent record-keeping create the gaps that AUSTRAC identifies during supervisory reviews. If you want to run verified identity checks directly inside your existing CRM without adding another standalone platform to your stack, see how IdentityCheck handles Tranche 2 AML/CTF obligations or create a free account to test it against your workflow.







