How Australian Law Firms Can Meet CDD Obligations Under Tranche 2 AML/CTF

Reading Time: 14 minutes

Introduction

Australian law firms face significant new regulatory requirements with the introduction of Tranche 2 of the anti-money laundering and counter-terrorism financing (AML/CTF) reforms. Mandated by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), these changes bring firms providing designated services under stringent customer due diligence (CDD) obligations from July 1, 2026, making compliance crucial for avoiding penalties and managing the risks of money laundering and terrorism financing.

For Australian law firms navigating this new landscape, understanding and implementing effective CDD is essential for AML/CTF compliance. This guide provides a comprehensive overview of the CDD obligations under Tranche 2, offering practical insights to help your law firm prepare for the upcoming compliance requirements and integrate these processes effectively before the 2026 deadline.

Understanding Your Law Firm’s CDD Obligations Under Tranche 2

What is Customer Due Diligence for Law Firms?

Customer Due Diligence (CDD) is a fundamental AML/CTF framework process. For Australian law firms, it essentially means thoroughly knowing your client. This process involves more than just basic identity checks; it’s about understanding the full picture of who you are dealing with.

CDD is the overarching process designed to meet AML/CTF legal obligations. It encompasses several key activities, including:

• Verifying Identity (KYC): Confirming that the client is someone they claim to be using reliable and independent sources. This specific part is called Know Your Customer (KYC).
• Identifying Beneficial Owners: Determining the individuals who ultimately own or control a non-individual client, such as a company or trust.
• Understanding Purpose: Comprehending the nature and purpose of the business relationship or the specific transaction the client is undertaking.
• Screening: Checking if the client, beneficial owners, or related parties are politically exposed persons (PEPs) or listed on sanctions lists.
• Assessing Risk: Evaluating the potential money laundering or terrorism financing (ML/TF) risk associated with the client and the services provided.
• Ongoing Monitoring: Continuously observe client relationships and transactions for unusual or suspicious activity.

It is important to note that KYC is a subset of the broader CDD process. While KYC focuses on verifying a client’s identity, CDD includes this verification alongside understanding beneficial ownership, assessing risk, screening, and ongoing monitoring throughout the client relationship. The proposed legislation, the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), uses the term “initial customer due diligence” (ICDD) to cover these initial steps.

Why CDD Matters for Your Law Firm Under Tranche 2

Conducting CDD will become critical for Australian law firms providing certain services under the Tranche 2 reforms. There are several compelling reasons why CDD is necessary:

• Legal Obligation: From 1 July 2026, the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) will legally mandate law firms providing ‘designated services’ to conduct CDD. Failure to comply with these obligations can lead to significant consequences, including substantial civil penalties imposed by the Australian Transaction Reports and Analysis Centre (AUSTRAC), regulatory action, and potential criminal charges.
• Risk Management: CDD procedures help law firms identify and mitigate the inherent risks of being exploited for ML/TF. By understanding clients and the purpose of their transactions, firms can avoid becoming unwittingly involved in illicit activities.
• Reputational Protection: Implementing robust CDD demonstrates a law firm’s commitment to ethical conduct and helps safeguard its reputation. Association with financial crime, even inadvertently, can cause severe damage to a firm’s standing and client trust.
• National Security and Crime Prevention: By performing CDD, law firms contribute to Australia’s broader efforts to combat organised crime, terrorism financing, and proliferation financing, thereby protecting the community and the integrity of the financial system.
• Alignment with Global Standards: Tranche 2 brings Australia’s AML/CTF regime for designated non-financial businesses and professions (DNFBPs), including the legal profession, into closer alignment with international standards set by the Financial Action Task Force (FATF). This addresses long-standing regulatory gaps highlighted in international evaluations.

Identify Designated Services Triggering Your Law Firm’s CDD Obligations

AML/CTF obligations, including the requirement to conduct CDD, are not automatically applied to all activities undertaken by a law firm. These obligations are specifically triggered when a firm provides a ‘designated service’ defined under the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

Law firms must carefully assess their service offerings to determine which activities fall under this definition. Based on the Tranche 2 reforms and supporting materials, designated services relevant to the legal profession are expected to include:

• Real Estate Transactions: Preparing for or carrying out transactions related to the buying, selling, or transferring of real estate (freehold or leasehold interests) for a client.
• Management of Client Money and Assets: Handling client funds, securities, or other assets, including managing client bank, savings, or securities accounts. This generally excludes funds received solely for the firm’s professional fees.
• Creation, Operation, or Management of Legal Entities/Arrangements: Assisting with transactions for the creation, operation, or management of companies, trusts, or other legal persons or arrangements.
• Buying and Selling Business Entities: Facilitating the purchase or sale of business entities for clients.
• Acting in Certain Roles: Serving as, or arranging for another person to act as, a director, secretary, partner, trustee, or nominee shareholder for a client.
• Providing Business Services: Offering a registered office, business address, correspondence address, or administrative address for companies, trusts, or other legal arrangements.

It is anticipated that certain legal work, such as providing general legal advice or representing clients in litigation, may fall outside the scope of designated services as they are considered lower risk for ML/TF purposes. However, firms must consult the final legislation, the updated AML/CTF Rules, and specific guidance from AUSTRAC for the definitive list and precise definitions to accurately identify their obligations.

What is the Core Customer Due Diligence Process for Law Firms?

Adopt a Risk-Based Approach to Law Firm CDD

Australian law firms must adopt a risk-based approach when conducting CDD, tailoring their efforts according to the assessed ML/TF risk. This approach is mandated by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) and emphasised by AUSTRAC.

The risk-based approach requires firms to understand their overall firm-wide risks and the specific risks associated with each client and designated service. Consequently, the depth and types of CDD measures applied will vary based on several risk factors:

• Client type (individual, company, trust, PEP)
• The specific designated services being provided
• Geographic connections (client location, transaction destinations)
• The complexity of ownership structures

Higher assessed risks necessitate more stringent checks, known as Enhanced Customer Due Diligence (ECDD), while demonstrably low-risk situations might permit Simplified Due Diligence (SDD), although this requires careful justification. Throughout this process, firms must document their risk assessments and the rationale for the level of CDD applied.

Perform Initial Customer Due Diligence (ICDD) and ‘Know Your Customer’ Verification

Before providing a designated service, law firms must perform ICDD. A core component of ICDD is KYC, which focuses specifically on verifying a client’s identity. However, ICDD under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) encompasses broader elements beyond identity verification.

Section 28 of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) outlines the key requirements for ICDD. Law firms must establish on reasonable grounds:

• The identity of the customer
• The identity of any person acting on behalf of the customer and their authority to act
• For non-individual customers, the identity of any beneficial owners
• Whether the customer or beneficial owners are PEPs or subject to targeted financial sanctions
• The nature and purpose of the business relationship or occasional transaction

To achieve this, firms need to collect reliable and independent data. For individuals, this typically involves:

1. Collecting their full name, date of birth, and residential address
2. Verifying the name and either date of birth or address using documents or electronic data sources

Verification involves checking registration details, business addresses, and registration numbers for entities like companies against sources like the Australian Securities and Investments Commission (ASIC) records. Importantly, verification must generally occur before commencing the designated service.

Identify & Verify Beneficial Ownership

A crucial aspect of CDD for non-individual clients (like companies or trusts) involves identifying and verifying their beneficial owners. A beneficial owner is defined under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) as an individual who ultimately owns or controls, directly or indirectly, 25% or more of the customer entity or exercises effective control through other means.

The process requires firms to:

• Identify: Determine the individuals meeting the beneficial ownership criteria. This may involve examining complex ownership structures across multiple layers or jurisdictions.
• Collect Information: Obtain the full name and date of birth or full residential address for each identified beneficial owner.
• Verify: Take ‘reasonable measures’ to verify the identity information collected, using reliable and independent documents or electronic data. The steps considered ‘reasonable’ depend on the assessed ML/TF risk.

Identifying these individuals is vital to understanding who the law firm is truly dealing with and preventing legal structure misuse. Firms must document the steps taken to identify and verify beneficial owners. If, after reasonable efforts, no individual beneficial owner can be identified, the firm must identify and verify an alternative individual, such as a senior managing official.

Implement Ongoing Customer Due Diligence (OCDD)

CDD is not a one-off task completed only at the start of a relationship. Section 30 of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) mandates Ongoing Customer Due Diligence (OCDD) throughout the business relationship. This requires law firms to implement systems and controls to continuously monitor and manage risks.

Key components of OCDD include:

• Transaction Monitoring: Scrutinising client transactions and activities for anomalies or patterns inconsistent with the known client profile and the purpose of the business relationship. Special attention should be paid to unusually large, complex, or pattern-breaking transactions.
• Information Updates: Keeping customer information current and accurate, including beneficial ownership details.
• Risk Reassessment: Regularly reviewing and reassessing the client’s ML/TF risk profile, particularly when significant changes occur.

Examples of triggers for risk reassessment include changes in ownership structure, expansion into high-risk jurisdictions or industries (like cryptocurrency), or significant shifts in transaction patterns.

OCDD applies to all clients, including those onboarded before the Tranche 2 commencement date of July 1, 2026. While full ICDD isn’t automatically required for these pre-commencement clients, OCDD obligations apply from the start date.

Conduct Enhanced Customer Due Diligence (ECDD) for High-Risk Clients

When a law firm assesses a client or transaction as posing a high risk of ML/TF, standard CDD measures are insufficient. Section 32 of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) requires the application of ECDD.

ECDD is mandatory in specific situations, including:

• When the firm’s risk assessment identifies a client as high risk
• When the client or a beneficial owner is identified as a foreign PEP
• When a suspicious matter report (SMR) has been submitted regarding the client
• When a transaction involves individuals or entities from prescribed high-risk foreign countries

ECDD involves taking additional, more stringent steps beyond standard CDD. These measures must be appropriate to the identified risks and can include:

• Obtaining additional information to verify identity or understand the client’s circumstances more deeply
• Taking reasonable measures to establish the source of the customer’s and beneficial owners’ wealth and the source of funds for specific transactions (e.g., requesting bank statements, tax records)
• Conducting more detailed scrutiny of transaction patterns
• Implementing more frequent or intensive ongoing monitoring
• Requiring senior management approval within the law firm to commence or continue the business relationship

Implementing CDD Within Your Law Firm’s AML/CTF Framework

Develop Your Law Firm’s AML/CTF Program

Australian law firms providing designated services must develop, document, and implement a mandatory AML/CTF program. This program is the blueprint for managing Money Laundering/Terrorism Financing/Proliferation Financing (ML/TF/PF) risks and ensuring compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and associated Rules. It must be risk-based and tailored to the firm’s specific nature, size, complexity, and the unique ML/TF/PF risks identified through a formal risk assessment.

The AML/CTF program typically consists of two parts:

• Part A (General Risk Management): This section outlines the firm’s framework for managing ML/TF/PF risks. It covers the firm-wide risk assessment, governance structures, the appointment, and responsibilities of an AML/CTF Compliance Officer, employee due diligence and training programs, reporting systems, OCDD procedures, and arrangements for independent review.
• Part B (Customer Identification Procedures): This part details the specific procedures the firm will follow for conducting CDD. It documents the processes for collecting and verifying customer information (KYC), identifying and verifying beneficial owners, identifying PEPs, and handling discrepancies.

The entire AML/CTF program requires formal approval from the firm’s governing board or senior management. Furthermore, it must be kept current, reflecting changes in the firm’s operations, risks, or regulatory guidance, and undergo regular independent reviews to assess its effectiveness.

Appoint an AML/CTF Compliance Officer

A mandatory requirement under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) is the appointment of an AML/CTF Compliance Officer. This individual plays a crucial role in the firm’s compliance framework and must be appointed at a management level to ensure they have sufficient authority.

The Compliance Officer manages and oversees the firm’s AML/CTF program. Their duties include:

• Ensuring the program is effectively implemented
• Providing advice and training to staff
• Acting as a liaison with AUSTRAC
• Ensuring ongoing compliance with all AML/CTF obligations

Firms must ensure their appointed Compliance Officer has the resources, expertise, and empowerment to effectively fulfil these responsibilities.

Ensure Effective Law Firm Staff Training and Awareness

Implementing an ongoing AML/CTF risk awareness training program is mandatory for all relevant partners, employees, and agents within the law firm. Effective training is crucial for fostering a culture of compliance and ensuring staff understand their roles and responsibilities in preventing financial crime.

Training programs must cover key areas, including:

• The specific ML/TF risks relevant to the legal profession and the firm’s practice areas
• The firm’s legal obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Rules
• The firm’s internal AML/CTF policies, procedures, and controls, particularly those related to CDD
• How to identify potential red flags and suspicious activities or transactions
• The procedures for reporting suspicious matters internally and externally to AUSTRAC, including strict confidentiality and ‘tipping off’ rules

Training should be tailored to different roles within the firm and conducted regularly to reinforce best practices and address evolving risks and regulations. It is essential that training move beyond a simple procedural overview to ensure staff genuinely understand the importance of AML/CTF compliance and feel empowered to escalate concerns.

Meet Your Law Firm’s CDD Record-Keeping Obligations

Comprehensive record-keeping is a fundamental obligation under the AML/CTF regime. Law firms must create and maintain detailed records of all actions to comply with CDD and other AML/CTF obligations. These records serve as an essential audit trail, demonstrating compliance to AUSTRAC.

Firms are required to keep records relating to:

• The AML/CTF program itself, including risk assessments and reviews
• All steps taken during the CDD process, including information collected, verification documents or data used, beneficial ownership identification efforts, and risk assessments
• Details of transactions conducted as part of designated services
• Any reports submitted to AUSTRAC, such as SMRs or Threshold Transaction Reports (TTRs)
• Details of AML/CTF training provided to staff
• Results of independent reviews of the AML/CTF program

These records must be maintained for a minimum of seven years after the business relationship with the client has ended, or the relevant transaction has been completed. Records must be kept in a secure and accessible format, whether physical or electronic, to facilitate potential reviews or investigations by AUSTRAC.

Leverage Technology for Law Firm CDD Compliance

Technology can play a significant role in helping law firms streamline CDD processes and enhance overall AML/CTF compliance, although it cannot replace professional judgment. Various technological solutions can automate tasks, improve accuracy, and manage large volumes of data more efficiently.

Firms can leverage technology for several compliance functions:

• Electronic Identity Verification: Utilising accredited third-party providers or government services (like the Document Verification Service—DVS) to electronically verify client identity information against trusted databases.
• Risk Assessment Tools: Employing software to assist with consistent customer risk scoring based on predefined criteria and the firm’s risk assessment methodology.
• Transaction Monitoring Systems: Implementing automated systems, particularly for trust accounts, to detect unusual patterns or transactions that exceed set thresholds, flagging them for review.
• Workflow Management: Using platforms to manage the CDD process, track progress, store documentation securely, and create comprehensive audit trails.
• PEP and Sanctions Screening: Subscribing to services or using tools that provide real-time screening of clients and beneficial owners against global PEP and sanctions watch lists.

While technology offers significant benefits, firms must carefully select and implement solutions appropriate to their size, risk profile, and specific needs. Ensuring that any technology used is integrated effectively within the firm’s overall risk-based compliance framework and that staff receive adequate training is essential.

Key Considerations When Conducting Law Firm CDD

Navigate Legal Professional Privilege (LPP) in Your Law Firm

A significant consideration for Australian law firms under the Tranche 2 reforms is the interaction between AML/CTF obligations and Legal Professional Privilege (LPP). The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), as amended in 2024, explicitly states that it does not override the common law doctrine of LPP.

This means firms are not required to disclose information or produce documents reasonably believed to be subject to LPP. Specifically:

• Suspicious Matter Reports (SMRs): If the information forming the basis of a suspicion is protected by LPP, the firm is exempt from the obligation to file an SMR with AUSTRAC regarding that specific information.
• Information Requests: When AUSTRAC requests information or documents, a firm can refuse to provide items protected by LPP. However, the firm must submit a prescribed LPP Form to AUSTRAC, outlining the basis for the privilege claim.

It is crucial to understand that LPP protects qualifying confidential communications made for the dominant purpose of legal advice or litigation. However, information collected purely for CDD, such as client identity details and verification documents, is generally not considered privileged. Therefore, firms must establish clear procedures to differentiate between privileged communications and non-privileged CDD information required for compliance.

Manage Law Firm Client Confidentiality and Privacy

While LPP addresses specific legal communications, law firms must also manage broader client confidentiality and privacy obligations when conducting CDD. The collection and handling of personal information for AML/CTF purposes must comply with the Privacy Act 1988 (Cth).

To ensure compliance, firms need to:

• Inform clients about collecting, using, and potentially disclosing their personal information for AML/CTF compliance purposes, and potentially updating engagement letters.
• Implement secure systems and procedures for handling and storing sensitive client data collected during the CDD process.
• Manage client expectations regarding providing information required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the circumstances under which reporting to AUSTRAC might occur.

Balancing the duty of confidentiality with mandatory AML/CTF reporting obligations requires careful communication and robust data protection practices.

Address Common Law Firm CDD Implementation Challenges

Implementing comprehensive CDD procedures under Tranche 2 presents several practical challenges for law firms, particularly smaller practices. Common difficulties identified include:

• Resource Constraints: The time, cost, and personnel required to develop AML/CTF programs, conduct CDD, train staff, and potentially invest in technology can be significant.
• Verifying Complex Structures: Identifying and verifying beneficial owners can be difficult, especially with intricate corporate structures, trusts (particularly discretionary ones), or clients based in international jurisdictions with limited transparency.
• International Clients: Verifying the identity and background of overseas clients can present unique hurdles due to differing documentation standards and accessibility of reliable data sources.
• Client Friction: Some clients may resist providing the detailed personal or financial information required for CDD, necessitating careful explanation of the legal obligations.
• Keeping Up with Regulations: The AML/CTF landscape is dynamic, requiring firms to stay informed about legislative changes, updated AUSTRAC rules, and evolving guidance.
• Balancing Confidentiality: Managing the tension between client confidentiality expectations and the mandatory requirements of CDD and reporting requires careful handling.

Preparing Your Law Firm for Tranche 2 CDD Obligations

Key Dates and Timeline

Australian law firms need to be aware of several crucial dates as they prepare to commence Tranche 2 AML/CTF obligations. Understanding this timeline is essential for planning and ensuring compliance.

Key milestones in the implementation schedule include:

• November 29, 2024: The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) received Parliamentary approval.
• January 7, 2025: The Financial Transaction Reports Act 1988 (Cth) was repealed, removing previous cash transaction reporting obligations for solicitors.
• March 31, 2025: Amended ‘tipping off’ offence provisions commence.
• Mid-Late 2025: Finalised AML/CTF Rules and specific guidance from AUSTRAC expected following consultations.
• March 31, 2026: Enrolment with AUSTRAC opens for Tranche 2 entities, including law firms providing designated services.
• July 1, 2026: AML/CTF obligations, including CDD, commence for law firms providing designated services.
• July 29, 2026: The deadline for firms providing designated services is from July 1, 2026, to complete their AUSTRAC enrolment (within 28 days of commencement).

Actionable Steps for Your Law Firm’s Preparation

Proactive preparation is crucial for law firms to meet the compliance deadline of July 1, 2026. Firms should not wait for the final guidance before taking action.

Consider implementing these preparatory steps now:

• Assess Service Applicability: Conduct a detailed review to determine which of your firm’s services qualify as ‘designated services’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Document this assessment carefully.
• Conduct Preliminary Risk Assessment: Evaluate the specific ML/TF risks your firm faces. Consider factors such as:
  • Client types
  • Services offered
  • Delivery methods
  • Geographic connections This initial risk assessment will inform your compliance program development.
• Review Current Processes: Analyse existing procedures for:
  • Client intake
  • Matter management
  • Trust accounting
  • Record-keeping Identify necessary modifications to meet CDD, monitoring, reporting, and record-keeping obligations.
• Budget for Compliance: Allocate resources for potential costs associated with:
  • System changes
  • Technology solutions
  • Staff training
  • External advice
  • Independent reviews
  • Dedicated compliance personnel
• Assign Responsibility: Designate an internal lead, likely the future AML/CTF Compliance Officer, to oversee preparation efforts, track developments, and coordinate implementation.
• Stay Informed: Monitor communications from AUSTRAC, the Attorney-General’s Department, and relevant Law Societies. Participate in consultations and industry briefings.
• Plan Staff Training: Identify staff requiring training, determine the scope for different roles, and plan training delivery, including covering the new tipping-off rules.
• Explore Technology: Investigate potential technology solutions for:
  • Electronic identity verification
  • Risk assessment scoring
  • Workflow management
  • Transaction monitoring: Ensure these align with a risk-based approach.
• Seek Expertise: Engage with professional bodies or consider consulting external AML specialists if internal expertise is limited.

Handling Pre-Commencement Customers

Clients onboarded before the commencement date of July 1, 2026, require specific handling under the Tranche 2 reforms. Law firms must understand these nuances to ensure compliance.

Key points regarding pre-commencement customers include:

• Ongoing Customer Due Diligence (OCDD) Applies: From July 1, 2026, OCDD obligations, such as transaction monitoring and ongoing risk assessment, apply to all existing clients involved in designated services.
• Initial Customer Due Diligence Not Automatically Required: Firms are generally not required retrospectively to conduct full ICDD – collecting and verifying identity information – for all clients onboarded before the commencement date.
• Triggers for Initial Customer Due Diligence: Full ICDD becomes mandatory for pre-commencement clients only if specific events occur. These triggers include:
  • An obligation arises to submit an SMR concerning the client.
  • A significant change in the nature or purpose of the business relationship occurs, resulting in the client’s assessed ML/TF risk increasing to medium or high.

Firms must implement procedures to monitor their existing client base for these triggers and perform the required ICDD when necessary. Documenting the risk assessment and any subsequent actions for these clients is essential for regulatory compliance.

Conclusion

Australian law firms providing designated services face mandatory CDD obligations under Tranche 2 from July 1, 2026, requiring a risk-based approach encompassing client identification, beneficial ownership verification, ongoing monitoring, and integration into a comprehensive AML/CTF compliance program. Proactive preparation, including understanding designated services, developing policies, training staff, and navigating considerations like LPP and privacy, is essential for meeting these requirements and mitigating the risks of ML/TF.

To ensure your firm is prepared for these significant changes, contact AML House today for specialised guidance and support in navigating Tranche 2 CDD obligations. Our experts offer tailored solutions to help your practice achieve seamless AML/CTF compliance and transform regulatory challenges into strategic opportunities before the 2026 deadline.

Frequently Asked Questions (FAQ)