Developing Your Firm’s AML/CTF Program: A Risk-Based Framework For Legal Practice

The impending inclusion of Australian lawyers and conveyancers within the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime, effective from 1 July 2026, represents the most profound shift in legal practice compliance in decades.

This is not a box-ticking exercise; it is a fundamental governance overhaul necessitated by international obligations and the need to protect the profession from criminal misuse.

Firms that provide “designated services”, such as assisting with property transactions, creating legal entities, or managing client funds, must now develop a formal, written, and risk-based AML/CTF Program.

Adopting a risk-based approach is the foundation of compliance. It requires every law firm, regardless of size, to look beyond simply meeting minimum requirements and instead implement controls that are directly proportional to the specific Money Laundering and Terrorism Financing (ML/TF) risks it faces.

Phase 1: Conducting The Core ML/TF Risk Assessment

The AML/CTF Program is meaningless without a robust ML/TF risk assessment; this is the first and most critical step. The assessment must be a documented process that identifies, assesses, and understands the risks facing the firm. AUSTRAC mandates consideration of four key risk elements:

1. Customer Types

Consider the inherent risk posed by clients. High-risk customers include Politically Exposed Persons (PEPs), those from high-risk foreign jurisdictions, clients with complex, opaque ownership structures (e.g., layered trusts or shell companies), and those dealing in cash-intensive businesses.

2. Designated Services

Identify which of your services are most vulnerable. For lawyers, this often includes conveyancing, the formation or restructuring of companies/trusts, and the receipt, holding, or management of client funds outside of a standard trust account.

3. Delivery Channels

Assess how you interact with clients. Remote onboarding, online transactions, or reliance on third-party identity verification can introduce different vulnerabilities than face-to-face engagements.

4. Foreign Jurisdictions

Evaluate the risk posed by any international dealings, particularly those involving regions with known high levels of corruption or weak AML controls.

The outcome of this assessment should be a clear categorisation (low, medium, or high) of the ML/TF risk for each designated service and customer type. This ranking dictates the intensity of the controls required.

Phase 2: Establishing A Governance Framework

A compliant program demands formal internal oversight, often referred to as Part A of the program.

● Senior Management Oversight

The firm’s governing body (the Board, Partners, or Chief Executive Officer) must formally approve the AML/CTF Program and must be kept continually informed of the ML/TF risk profile.

● Compliance Officer

A management-level employee, who may be a partner or the sole practitioner themselves, must be appointed as the AML/CTF Compliance Officer. This person is responsible for the overall management and reporting of the program.

● Personnel Due Diligence And Training

The firm must conduct employee due diligence to ensure personnel involved in AML functions have the honesty, integrity, and skills for the role.

Crucially, all relevant staff must undergo ongoing training. This is an area where CPD Lawyers must leverage specialised education to ensure their teams understand their new obligations.

Phase 3: Implementing Client Due Diligence (CDD) Procedures

CDD, or Know Your Customer (KYC), is the operational heart of the program and must be undertaken before providing a designated service.

● Initial CDD

Procedures must be implemented to identify and verify the client’s identity and that of any Beneficial Owners using reliable, independent source data. This goes beyond existing conflict checks; it is a mandated identity verification process.

● Risk-Based CDD

The level of CDD must match the risk. For low-risk clients, Simplified Due Diligence (SDD) may be applied. For high-risk clients (like foreign PEPs or transactions lacking a clear economic purpose), Enhanced Due Diligence (EDD) is mandatory.

This includes obtaining and verifying information about the client’s Source of Wealth (SoW) and Source of Funds (SoF).

● Ongoing CDD

The program must include systems for monitoring existing client relationships for any material changes in risk profile or unusual activity that would trigger a review or EDD.

Phase 4: Reporting And Record Keeping

The final essential components relate to external reporting and internal documentation.

● Suspicious Matter Reporting (SMR)

Firms must have clear policies for identifying and reporting Suspicious Matters to AUSTRAC within three business days (or 24 hours for terrorism financing).

This duty is paramount, but practitioners must also be trained to navigate the complex relationship between SMR and Legal Professional Privilege (LPP), as the legislation contains specific LPP carve-outs.

● Threshold Transaction Reporting (TTR)

While cash use in legal practice is low, any cash transaction of A$10,000 or more (or foreign currency equivalent) will trigger a TTR obligation.

● Record Keeping

All CDD records, transaction records, internal risk assessments, training logs, and compliance reports must be retained for a mandatory seven years.

To Sum Up The AML/CTF Program

Even though the latest AML/CTF program requirements will not be enforced until April of 2026 for all existing entities, it is important to start the planning process and prepare for compliance with the revised AML/CTF requirements now.

The shift to an AML-compliant legal practice is profound, requiring strategic planning and substantial resource allocation.

Firms must view this not as a burden but as an opportunity to cement client trust and proactively defend the profession’s integrity against organised crime.

Staying current on guidance released by AUSTRAC and satisfying relevant CPD Points Law requirements on AML will be essential for continuous compliance.

Arnab

Arnab Das is a passionate blogger who loves to write on different niches like technologies, dating, finance, fashion, travel, and much more.