Australia’s AML/CTF regime is expanding. Under Tranche 2 reforms, law firms now fall within the scope of AUSTRAC’s regulatory framework, meaning legal practitioners face the same anti-money laundering obligations that have applied to financial services for years. If you haven’t started building a law firm AML compliance program, the window to get ahead of enforcement is closing fast.
The requirements aren’t optional, and they aren’t light. Law firms will need to identify, mitigate, and manage money laundering and terrorism financing risks across their practice. That covers everything from client onboarding and identity verification (KYC) to ongoing transaction monitoring and suspicious matter reporting. For firms already stretched thin on admin, bolting on a manual compliance process, or worse, a disconnected piece of software, creates more problems than it solves.
This is where a tool like StackGo’s IdentityCheck becomes relevant. Rather than forcing your team onto a separate platform, it lets you run KYC/AML verification directly inside your existing CRM, such as HubSpot or Salesforce. No tab-switching, no duplicate data entry, no PII sitting exposed in systems it shouldn’t be in. But technology is only one piece of the puzzle. You still need a properly structured compliance program underneath it.
This guide walks you through how to build one, step by step. We’ll cover what AUSTRAC expects, how to structure your risk assessments, what policies you need in place, and how to operationalise compliance so it doesn’t grind your practice to a halt. Whether you’re a solo practitioner or a mid-tier firm, this is your practical roadmap for 2026 and beyond.
What changes in 2026 and what counts as a designated service
Australia’s AML/CTF Act has covered financial services businesses, casinos, and remittance providers since 2006. Tranche 2 reforms now bring a new category of businesses into the regulated space, including legal practitioners, accountants, real estate agents, and trust and company service providers. The changes stem from the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which received royal assent in November 2024. Law firms that meet the threshold for providing designated services must enrol with AUSTRAC and have a compliant AML/CTF program in place before the obligations take effect.
The Tranche 2 reforms explained
The reforms close a long-standing gap in Australia’s AML/CTF framework. Until now, professional service providers like lawyers were considered a soft target for money laundering precisely because they sat outside the regulated perimeter. AUSTRAC and the Australian Government have aligned the framework more closely with Financial Action Task Force (FATF) recommendations, which flagged this gap in Australia’s regime as far back as 2015.
Australia risked falling behind international AML/CTF standards, which would have direct consequences for correspondent banking relationships and cross-border transaction access.
The practical effect is that law firms must treat AML compliance as a core operational requirement, not a peripheral concern. Firms have until 1 July 2026 to enrol with AUSTRAC and have their programs in place, though the timeline for certain reporting obligations may vary depending on service type and firm size.
What counts as a designated service for law firms
Not every legal service triggers an AML obligation. The legislation targets specific high-risk activities where the potential for money laundering is greatest. You need to assess whether your firm provides any of the following:

| Designated service | Example in practice |
|---|---|
| Buying or selling real property | Acting for a client in a property purchase or sale |
| Managing client money or assets | Holding funds in trust during a transaction |
| Managing bank, savings, or securities accounts | Operating a client account on their behalf |
| Organising contributions for company creation | Setting up a company and arranging its capital structure |
| Buying or selling business interests | Acting in a business acquisition or sale |
| Trust or company service provision | Providing nominee director, registered office, or trustee services |
If your firm regularly handles property transactions, business structuring, or trust management, you almost certainly provide designated services. Even occasional involvement in these activities requires you to assess your threshold obligations carefully.
What AUSTRAC expects once you enrol
Enrolling with AUSTRAC is just the administrative starting point. What AUSTRAC audits is whether your firm has built and implemented a functioning compliance program that matches the actual risk profile of your designated services. That program needs to cover governance and accountability, a documented risk assessment, customer due diligence procedures, ongoing transaction monitoring, and a clear process for reporting suspicious matters to AUSTRAC.
Building a proper law firm AML compliance program takes time and genuine thought about how your practice operates. Firms that leave it until the final weeks of June 2026 typically end up with a template policy that doesn’t reflect real workflows or client types. AUSTRAC has been clear that a generic, copy-paste policy with no evidence of staff training, risk thinking, or actual implementation will not satisfy the requirements. Your program needs to be specific to your firm’s services, client base, and risk exposure, and it needs to be something your team actually uses day to day.
Step 1. Set up governance and define your AML scope
Before you write a single policy or build a process, your firm needs to establish who owns AML compliance and which services fall within the program’s scope. Without clear ownership, compliance tasks get diffused across staff and nothing gets done consistently. AUSTRAC’s framework requires that your law firm AML compliance program is overseen by someone with genuine authority and accountability, not just a file-keeper.
Appoint an AML compliance officer
Your first action is to formally appoint an AML/CTF Compliance Officer. This person needs to be a senior employee, typically a partner or principal, with the authority to implement controls, escalate concerns, and make resourcing decisions. The role does not need to be full-time, but it does need to be documented and taken seriously.
The compliance officer is accountable to AUSTRAC. If your program fails an audit, the gap traces back to whoever holds this appointment.
At a minimum, the compliance officer is responsible for:
- Maintaining and updating the AML/CTF program
- Signing off on risk assessments and policy changes
- Overseeing staff training records
- Reviewing and approving suspicious matter reports before submission
- Acting as the primary point of contact for AUSTRAC correspondence
If your firm has multiple offices or practice groups, consider naming deputy compliance contacts within each team to keep oversight practical and close to day-to-day work.
Define your firm’s AML scope
Once governance is in place, you need a written document that clearly identifies which services your firm provides that trigger AML obligations under the amended Act. This scoping document forms the foundation of everything that follows: your risk assessment, your customer due diligence procedures, and your monitoring controls.
Work through each practice area and map it against the designated services list from the previous section. The table below gives you a starting template:

| Practice area | Service provided | Designated service? (Y/N) | AML obligation triggered |
|---|---|---|---|
| Property | Acting on residential purchase | Yes | CDD, record keeping, SMR |
| Corporate | Company incorporation | Yes | CDD, record keeping |
| Litigation | Representing a client in court | No | None |
| Wills and estates | Drafting a will | No | None |
| Commercial | Business acquisition | Yes | CDD, record keeping, SMR |
Fill this out based on what your firm actually does, not what your website says. Services you provide only occasionally still need to be captured if they meet the designated service threshold under the Act.
Step 2. Write a practical firm-wide AML risk assessment
Your risk assessment is the analytical core of your law firm AML compliance program. Every control you build in later steps should trace back to it. AUSTRAC does not prescribe a specific format, but it does expect your assessment to reflect genuine thinking about your firm’s actual risk exposure, not a boilerplate document downloaded from a template library. A risk assessment written in an afternoon without reference to your real client base, service mix, or transaction volumes will not hold up to scrutiny.
Identify the risk factors that matter for your practice
Start by mapping risk across four key dimensions: client risk, service risk, transaction risk, and geographic risk. For each dimension, you are looking for factors that increase the probability that a client could use your firm to launder money or finance terrorism.

Use this as a starting framework:

| Risk dimension | Higher risk indicators | Lower risk indicators |
|---|---|---|
| Client | Politically exposed persons, offshore beneficial owners, complex ownership structures | Long-standing domestic clients, simple ownership, known referral source |
| Service | Property transactions, company structuring, trust management | Litigation, wills and estates, general advice |
| Transaction | Large cash involvement, third-party payers, unusual payment sources | Standard invoicing, direct client payment, predictable amounts |
| Geographic | Clients linked to FATF high-risk jurisdictions | Domestic clients with no overseas connections |
The higher the concentration of red flags across these four dimensions, the more rigorous your customer due diligence procedures need to be.
Score and document your risks
Once you have identified the relevant risk factors, assign each a likelihood score and an impact score using a simple three-point scale: low (1), medium (2), or high (3). Multiply the two scores to get a composite risk rating for each client type or service category. This gives you a defensible, auditable basis for calibrating your controls.
Document your findings in a risk register that captures the following for each identified risk:
- The risk description (what could go wrong)
- The likelihood score before controls are applied
- The impact score if the risk materialises
- The composite rating (likelihood × impact)
- The existing or planned control that mitigates the risk
- The residual risk rating after controls are applied
- The review date for reassessing the risk
Your risk register does not need to be complex, but it does need to be specific to your firm and updated whenever your services, client mix, or the regulatory environment changes materially.
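The register described above, carried through in code as an added example (this is not AUSTRAC material or any vendor's tool): each entry carries a likelihood and impact score on the 1 to 3 scale, a composite rating before controls, a residual rating after the named control, and a review date. The low/medium/high banding of the 1 to 9 composite score and the sample entries are assumptions constructed for illustration; the function and field names are not from the page.

```python
"""Risk register scoring for Step 2: likelihood x impact on a three-point scale,
a residual rating after controls, and review-date tracking.
Added example; the entries and the banding thresholds are constructed."""
from dataclasses import dataclass
from datetime import date

SCALE = {1: "low", 2: "medium", 3: "high"}


def _check_score(value: int, name: str) -> int:
    # Reject anything outside the 1-3 scale so a typo cannot silently distort a rating
    if value not in SCALE:
        raise ValueError(f"{name} must be 1 (low), 2 (medium) or 3 (high), got {value!r}")
    return value


@dataclass
class RiskEntry:
    description: str           # what could go wrong
    dimension: str             # client, service, transaction or geographic
    likelihood: int            # before controls are applied
    impact: int                # if the risk materialises
    control: str               # existing or planned mitigation
    residual_likelihood: int   # after the control is applied
    residual_impact: int
    review_date: date          # when the entry is reassessed

    def __post_init__(self):
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            _check_score(getattr(self, name), name)
        # A control should never leave the residual rating above the inherent one
        if self.residual_rating() > self.inherent_rating():
            raise ValueError(f"residual rating exceeds inherent rating for: {self.description}")

    def inherent_rating(self) -> int:
        return self.likelihood * self.impact

    def residual_rating(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rating_band(score: int) -> str:
    """Assumed banding of the 1-9 composite score, used to calibrate CDD depth."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def reviews_due(register, today_iso: str):
    """Entries whose scheduled reassessment date has passed (today given as YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [r for r in register if r.review_date <= today]


def ranked(register):
    """Register ordered so the highest residual exposure sits at the top."""
    return sorted(register, key=lambda r: (r.residual_rating(), r.inherent_rating()),
                  reverse=True)


def summary(register):
    """(description, inherent band, residual band) for each entry, highest residual first."""
    return [(r.description, rating_band(r.inherent_rating()), rating_band(r.residual_rating()))
            for r in ranked(register)]


# Constructed sample register for a small property and commercial practice
SAMPLE_REGISTER = [
    RiskEntry("Offshore beneficial owner behind a property purchaser", "client", 2, 3,
              "Enhanced due diligence with source-of-wealth evidence and partner sign-off",
              1, 3, date(2026, 12, 31)),
    RiskEntry("Third-party payer settles purchase funds into trust", "transaction", 3, 3,
              "Trust deposits accepted only from verified client accounts; others escalated",
              2, 2, date(2026, 6, 30)),
    RiskEntry("Litigation client pays fees by standard invoice", "service", 1, 1,
              "Standard CDD at intake", 1, 1, date(2027, 6, 30)),
]

if __name__ == "__main__":
    for row in summary(SAMPLE_REGISTER):
        print(row)
    print("due for review:", [r.description for r in reviews_due(SAMPLE_REGISTER, "2026-07-01")])
```

The two validation checks are the part worth keeping even if you maintain the register in a spreadsheet: a score outside the scale and a residual rating higher than the inherent one are the two errors that most often make a register indefensible in front of an auditor.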
Step 3. Build your AML program controls and policies
Your risk assessment tells you where the exposure sits. Your controls close those gaps. A law firm AML compliance program needs documented policies that tell staff exactly what to do, when to do it, and what happens when something looks wrong. Controls that exist only as a vague team understanding are not controls AUSTRAC will accept during an audit.
Customer due diligence procedures
Customer due diligence (CDD) is the process of verifying who your client is before you provide a designated service. For most clients, standard CDD means collecting and verifying full legal name, date of birth, residential address, and the purpose of the legal matter. For higher-risk clients, such as politically exposed persons or those with complex ownership structures, you escalate to enhanced due diligence, which requires source of wealth documentation and senior sign-off before work begins.
Enhanced due diligence is not optional for high-risk clients; it is a mandatory escalation that must be documented and approved before work commences.
Standard CDD checklist for individual clients:
- Full legal name verified against a government-issued photo ID
- Date of birth
- Residential address verified against a secondary document such as a utility bill
- Nationality and country of residence
- Nature and purpose of the legal matter
- Source of funds relevant to the transaction
Ongoing monitoring and suspicious matter reporting
Ongoing monitoring means you treat CDD as a continuing obligation, not a one-time task at onboarding. Review client information when circumstances change, when a transaction looks inconsistent with the client’s known risk profile, or when new information comes to light. Build a written trigger list into your policy so staff know exactly which events require a review rather than relying on individual judgement.
Suspicious matter reports (SMRs) must go to AUSTRAC when you form a reasonable suspicion that a transaction involves proceeds of crime or terrorism financing. Your policy must include a clear reporting pathway, a template for documenting the suspicion internally, and a tipping-off prohibition reminder so staff understand they cannot alert the client that a report has been filed.
Staff training and policy documentation
Your controls are only as effective as the people applying them. Annual training for all staff involved in designated services is a baseline expectation under the AUSTRAC framework. Document each session with a date, attendee list, and topics covered. Keep your written AML policies version-controlled and stored centrally, and schedule a formal review at least once per year or whenever legislation changes materially.
Step 4. Put the program into daily workflows and systems
A documented law firm AML compliance program sitting in a shared drive does nothing if staff skip it during a busy week. The gap between having a policy and actually applying it is where most compliance failures originate. Your job in this step is to close that gap by embedding your controls into the routines your team already follows, at every stage of the client lifecycle.
Embed CDD into your client intake process
Make customer due diligence a hard stop in your onboarding workflow, not a step that happens if someone remembers. The simplest way to enforce this is to require a completed CDD record before a matter can be opened in your practice management system. If a file cannot be opened without a verified ID, your team has no practical path to skip the step.
Below is a standard intake gate you can adapt for your firm:

| Intake stage | Required action | Who completes it | Recorded where |
|---|---|---|---|
| New client inquiry | Collect full name, DOB, address | Receptionist or paralegal | CRM or intake form |
| CDD verification | Verify identity against government ID | Compliance officer or delegate | Identity verification system |
| Risk classification | Assign low, medium, or high risk | Supervising partner | Client file or CRM |
| Matter opening | Confirm CDD complete before file opens | Practice manager | Practice management system |
If your practice management system allows conditional workflows, configure it so a matter cannot progress to billing without a CDD status field being completed.
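The hard stop described in this step and the CDD and enhanced due diligence rules from Step 3, combined in one added example (not code from the page, from IdentityCheck, or from any practice management system): a matter cannot be opened until every standard CDD field is present, identity and address are verified, a risk rating has been assigned, and, for high-risk clients, source-of-wealth documentation and a partner's sign-off are on file. The field and function names and the sample records are assumptions constructed for illustration.

```python
"""Matter-opening gate for Step 4: refuse to open a matter until the CDD record
is complete and verified, and until enhanced due diligence is signed off for
high-risk clients. Added example with constructed records; field names are assumed."""
from dataclasses import dataclass

# Standard CDD fields for an individual client, following the Step 3 checklist
STANDARD_CDD_FIELDS = (
    "full_legal_name", "date_of_birth", "residential_address",
    "nationality", "country_of_residence", "matter_purpose", "source_of_funds",
)


@dataclass
class CddRecord:
    fields: dict                        # collected CDD data, keyed by STANDARD_CDD_FIELDS
    id_verified: bool = False           # name checked against a government-issued photo ID
    address_verified: bool = False      # address checked against a secondary document
    risk_rating: str = "unrated"        # low / medium / high, set by the supervising partner
    source_of_wealth_doc: bool = False  # EDD: documentary evidence on file
    senior_signoff: str = ""            # EDD: name of the partner who approved


class IntakeGateError(Exception):
    """Raised with every reason the matter cannot be opened yet."""


def gate_failures(record: CddRecord) -> list:
    """Return the unmet conditions; an empty list means the matter may open."""
    problems = []
    missing = [f for f in STANDARD_CDD_FIELDS if not record.fields.get(f)]
    if missing:
        problems.append("missing CDD fields: " + ", ".join(missing))
    if not record.id_verified:
        problems.append("identity not verified against government-issued photo ID")
    if not record.address_verified:
        problems.append("address not verified against a secondary document")
    if record.risk_rating not in ("low", "medium", "high"):
        problems.append("risk classification not assigned by supervising partner")
    if record.risk_rating == "high":
        # Enhanced due diligence is a mandatory escalation, not a judgement call
        if not record.source_of_wealth_doc:
            problems.append("high risk: source-of-wealth documentation not on file")
        if not record.senior_signoff:
            problems.append("high risk: enhanced due diligence not signed off by a partner")
    return problems


def open_matter(matter_id: str, record: CddRecord) -> dict:
    """The hard stop: create the matter only when every gate condition is met."""
    problems = gate_failures(record)
    if problems:
        raise IntakeGateError(f"{matter_id}: " + "; ".join(problems))
    # What gets written to the practice management system once the gate passes
    return {"matter_id": matter_id, "cdd_status": "complete", "risk_rating": record.risk_rating}


# Constructed sample records
COMPLETE_FIELDS = {f: "provided" for f in STANDARD_CDD_FIELDS}

LOW_RISK_CLIENT = CddRecord(fields=dict(COMPLETE_FIELDS), id_verified=True,
                            address_verified=True, risk_rating="low")

HIGH_RISK_UNSIGNED = CddRecord(fields=dict(COMPLETE_FIELDS), id_verified=True,
                               address_verified=True, risk_rating="high",
                               source_of_wealth_doc=True)  # no partner sign-off yet

INCOMPLETE = CddRecord(fields={"full_legal_name": "provided"})

if __name__ == "__main__":
    print(open_matter("M-1001", LOW_RISK_CLIENT))
    for matter_id, rec in (("M-1002", HIGH_RISK_UNSIGNED), ("M-1003", INCOMPLETE)):
        try:
            open_matter(matter_id, rec)
        except IntakeGateError as exc:
            print("blocked:", exc)
```

Returning the full list of failures rather than stopping at the first one matters in practice: the receptionist or paralegal sees everything still outstanding in one pass, and the same list doubles as the audit trail showing why a matter was held.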
Connect your verification tools to your existing systems
Manual verification, where staff photograph an ID, email it, and paste outcomes into a spreadsheet, creates error-prone, insecure record-keeping and takes far longer than it needs to. Instead, connect your identity verification process directly to the system your team already uses. Tools like StackGo’s IdentityCheck run KYC verification inside your CRM, pulling client data, running the check, and writing the verified outcome back to the contact record automatically, with no duplicate entry and no PII left sitting in unsecured fields.
Keep records that meet AUSTRAC’s requirements
AUSTRAC requires you to retain CDD records and transaction records for seven years from the date of the transaction or the end of the client relationship, whichever is later. Store records in a system that is access-controlled and auditable, meaning you can show AUSTRAC who accessed a record, when, and what changes were made. Set a calendar reminder at the seven-year mark for each matter so records are disposed of securely when retention obligations expire, rather than held indefinitely.

Next steps
Building a law firm AML compliance program is not a project you complete once and shelve. The July 2026 deadline gives you a clear target, but the obligation runs continuously from that point forward. Start with the four steps in this guide: lock down governance, complete your risk assessment, document your controls, and embed verification into your daily intake process. Each step builds directly on the last, so skipping ahead creates gaps that auditors will find.
Your most practical immediate action is to test whether your current systems can support the verification workflow your program requires. If your team is manually copying ID documents into spreadsheets or switching between platforms to run checks, that process will break under compliance pressure. See how IdentityCheck handles AUSTRAC Tranche 2 verification inside your existing CRM so you can assess whether it fits your firm before the deadline arrives.