Legal practices across Australia are preparing for a significant shift as they come under AUSTRAC’s AML/CTF regime. If you’re a solicitor, conveyancer, or practice manager trying to figure out where to start, you’re not alone. The good news? AUSTRAC has released a legal AML starter kit with templates and guidance specifically designed to help you build a compliant program from the ground up. The challenge is knowing how to actually use these resources in your day-to-day operations.
This guide breaks down AUSTRAC’s starter kit into practical steps. You’ll learn what each template covers, how to adapt them to your practice, and where the common pitfalls lie. We’ve focused on making the compliance process less overwhelming and more actionable, because reading a 50-page PDF shouldn’t feel like a second law degree.
At StackGo, we help legal practices integrate identity verification directly into their existing software, which is a core component of any AML/CTF program. While the starter kit gives you the policy framework, tools like our IdentityCheck integration handle the practical execution of client verification, reading contact details from your CRM, running checks, and writing outcomes back without storing sensitive data where it shouldn’t be. But first, let’s walk through what AUSTRAC has provided and how to put it to work.
What the AUSTRAC legal starter kit includes
The legal AML starter kit from AUSTRAC gives you a set of pre-built templates and guidance documents designed specifically for law firms, conveyancers, and legal practitioners. You’ll find everything from risk assessment frameworks to customer identification procedures, all tailored to the legal industry rather than generic financial services. This means you won’t need to start from scratch or try adapting materials meant for banks and remittance providers.
Core templates and forms
Your kit contains four essential templates that form the backbone of your AML/CTF compliance program. These include a firm-wide risk assessment template, which helps you identify and rate the money laundering and terrorism financing risks specific to your practice. You’ll also get a full AML/CTF program template that outlines policies, procedures, and controls for your entire firm.
AUSTRAC has included customer due diligence (CDD) forms and procedures that walk you through verifying client identities and beneficial owners. These forms tell you exactly what information to collect, when to collect it, and how to verify it meets regulatory standards. The kit also provides ongoing customer due diligence templates for monitoring existing clients throughout your professional relationship.
AUSTRAC’s templates are designed to be customised, not copied verbatim. You must adapt them to match your firm’s actual operations and risk profile.
Supporting guidance materials
Beyond the templates, you’ll find practical guidance notes that explain how to complete each document and what AUSTRAC expects to see during compliance reviews. These guides break down complex requirements into plain language and include examples relevant to legal work, like conveyancing transactions and trust account management.
The starter kit also references AUSTRAC’s broader regulatory guidance, including their obligations and sanctions lists, which you’ll need to check as part of your screening processes.
Step 1. Confirm you provide a designated service
Your first task with the legal AML starter kit is working out whether your practice actually needs an AML/CTF program. Not every legal service triggers these obligations. You’ll need to check if you provide designated services as defined under the AML/CTF Act, which covers specific types of legal work rather than all legal advice.
Which legal services trigger AML obligations
Your practice falls under AUSTRAC’s regime if you provide specific transactional services related to property, business structures, or financial arrangements. The most common designated service for lawyers is preparing or settling property transactions, including conveyancing and property settlements. You’re also covered if you create, operate, or manage companies, trusts, or partnerships on behalf of clients.
Managing client funds in a trust account does not automatically make you a reporting entity unless you’re handling those funds as part of a designated service. Similarly, providing pure legal advice, litigation services, or appearing in court won’t trigger AML obligations on their own.
If you only provide legal advice without conducting transactions, you may not need to implement the full AML/CTF program outlined in AUSTRAC’s starter kit.
Check the designated services list in Section 1 of the starter kit template. You’ll need to document which services your practice offers and confirm whether any meet the threshold before proceeding with the remaining steps.
Step 2. Tailor the firm-wide risk assessment
Your firm-wide risk assessment forms the foundation of your entire AML/CTF program. The legal aml starter kit provides a template, but you cannot simply fill in generic answers. AUSTRAC expects you to analyse your actual practice, identifying where money laundering or terrorism financing risks could arise based on your specific clients, services, and geographic reach.
Identify your specific risk factors
Start by listing the types of legal work you perform and the client profiles you typically serve. A practice handling high-value property settlements in metropolitan areas faces different risks than a firm dealing with small commercial leases. Consider whether you work with clients from high-risk jurisdictions, handle complex trust structures, or manage large cash transactions.
Your assessment must cover customer risk, service risk, delivery channel risk, and geographic risk. Document each area with specific examples from your practice rather than theoretical scenarios.
Your risk assessment should reflect real patterns from your client base, not hypothetical situations copied from AUSTRAC’s examples.
Rate each risk category
Assign a risk rating (low, medium, or high) to each identified risk factor using the matrix provided in the starter kit. You’ll need to justify each rating based on factors like transaction values, client verification difficulties, or exposure to politically exposed persons. These ratings determine which enhanced due diligence measures you’ll apply to specific matters.
Step 3. Build your AML CTF program and controls
Once you’ve completed your risk assessment, you’ll use the legal aml starter kit to build the actual policies and procedures that staff will follow. This section of the starter kit contains the AML/CTF program template, which outlines your firm’s approach to preventing money laundering and terrorism financing. You’ll need to adapt this document to reflect your identified risks and the controls you’re putting in place to manage them.
Document your policies and procedures
Your program must include written policies covering customer identification, ongoing monitoring, reporting obligations, and record keeping. Take the template sections and modify them to match your practice’s workflow. For example, if you conduct initial client meetings remotely, document how you’ll verify identity documents electronically rather than in person.
Include these mandatory elements in your program:
- Customer identification procedures for individuals, companies, and trusts
- Enhanced due diligence triggers and processes
- Suspicious matter reporting procedures and thresholds
- Record retention requirements and systems
- Staff training schedules and responsibilities
Set up your reporting structure
Designate an AML/CTF compliance officer who will oversee your program and serve as your AUSTRAC contact point. This person needs decision-making authority within your practice and sufficient time allocated to compliance duties. Document their responsibilities in the program template, including who they report to and how often they’ll review your controls for effectiveness.
Your compliance officer must have the authority to escalate concerns and access to all matter files needed for monitoring and reporting.
Step 4. Run customer due diligence on every matter
Your customer due diligence (CDD) process needs to happen at the start of every matter that involves a designated service. The legal aml starter kit includes specific forms and procedures for collecting and verifying client information before you proceed with any transactional work. You’ll need to integrate these checks into your standard retainer and onboarding workflow so nothing slips through.
When to trigger verification
Run CDD procedures before providing any designated service to a new client or when taking on a new matter from an existing client that involves different beneficial owners or entities. You must also conduct CDD if you suspect money laundering, if you doubt the accuracy of previously collected information, or if two years have passed since you last verified a client’s identity.
Delaying verification until after you’ve started work on a matter puts your practice at risk of breaching AML/CTF obligations.
Your verification checklist
Collect and verify these details for every client:
- Full legal name and any previous names
- Date of birth and residential address
- Document verification (driver’s licence, passport, or similar)
- Beneficial ownership details for companies and trusts
- Source of funds for high-value transactions
Your CDD forms from the starter kit should capture this information systematically, with space to record how you verified each element and who conducted the checks.
Ready to run this day to day
The legal aml starter kit gives you the compliance framework, but running these processes consistently across every matter requires systematic execution. You’ll need to verify identities, screen clients against sanctions lists, and document your checks before starting any designated service work. The challenge isn’t understanding what AUSTRAC expects; it’s maintaining compliance when you’re juggling multiple matters and tight settlement deadlines.
Most practices find the manual verification workload becomes the real bottleneck. Copying client details into separate verification portals, downloading results, and updating your CRM creates friction that slows down retainers and increases the risk of incomplete checks. IdentityCheck handles this verification directly inside your existing software, reading contact information from your practice management system, running AUSTRAC-compliant checks, and writing outcomes back automatically without storing sensitive data where it doesn’t belong. Your staff stay in their normal workflow while maintaining the documentation standards AUSTRAC requires during reviews.
