Introduction
Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) landscape is undergoing a significant transformation with the introduction of Tranche 2 reforms. These changes, stemming from the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth), extend AML/CTF obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) to new sectors, including law firms, accountants, and real estate agents, effective from 1 July 2026. Consequently, Australian law firms must prepare to navigate these new compliance requirements mandated by the Australian Transaction Reports and Analysis Centre (AUSTRAC).
This guide provides essential information and practical steps to assist law firms in understanding and preparing for their new responsibilities as reporting entities. Proactive planning and implementation are crucial for firms to successfully integrate necessary measures like risk assessments, customer due diligence, and reporting systems into their operations before the 2026 deadline, ensuring compliance and mitigating the risks associated with money laundering and terrorism financing.
Understanding Your Law Firm’s New AML & CTF Obligations
Identify Which Firm Services Trigger Compliance Obligations
Before the 1 July 2026 deadline, law firms must determine precisely which of their services fall under the definition of “designated services” as set out in the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). This critical first step in preparing for Tranche 2 compliance requires a careful review of the firm’s activities against the legislation.
Identifying these services helps define the scope of your firm’s AML/CTF obligations. Examples of services provided by lawyers that are likely considered designated services under the Tranche 2 reform include:
- Preparing for or executing transactions related to buying, selling, or transferring property.
- Handling the purchase, sale, or transfer of legal entities.
- Receiving, holding, or managing client funds, accounts, securities, digital assets, or other property.
- Preparing or carrying out transactions for creating, operating, or managing legal entities or arrangements like trusts.
- Acting in specific roles such as a director, secretary, partner, or trustee for legal entities or arrangements.
- Serving as a nominee shareholder.
- Providing a registered office or business address for a company, partnership, or other legal entity.
Firms should seek confirmation on which specific services trigger these new AML/CTF compliance requirements. Moreover, understanding when these designated services arise during the client lifecycle is essential for effective risk management and compliance planning.
Know the Core Compliance Duties Your Firm Must Fulfil
Once designated services are identified, law firms must familiarise themselves with the fundamental compliance duties required under the Tranche 2 reforms. Being aware of these core obligations is necessary to prepare adequately before July 2026. These duties form the basis of the AML/CTF regime for newly regulated entities.
Key compliance duties that law firms must prepare to meet include:
- Enrolment with AUSTRAC: Firms must formally register with AUSTRAC as reporting entities before the specified deadline.
- Developing and Implementing an AML/CTF Program: This involves creating a documented program tailored to the firm’s specific money laundering and terrorism financing risks. It must address governance, risk assessment, Customer Due Diligence (CDD), often referred to as “Know Your Customer” (KYC), reporting, record-keeping, and staff training.
- Conducting CDD: Procedures must be in place to identify and verify the identity of clients (including beneficial owners) before providing designated services. Ongoing due diligence throughout the client relationship—often referred to as KYC—is also required.
- Reporting to AUSTRAC: Firms need systems to identify and report certain matters, including Suspicious Matter Reports (SMRs) for transactions or activities that raise suspicion, and Threshold Transaction Reports (TTRs) for large cash transactions of $10,000 AUD or more.
- Record Keeping: Practices must be implemented to make and retain specific records—pertaining to customer identification, transactions, the AML/CTF program, and due diligence activities—for at least seven years.
Understanding these core duties allows law firms to begin planning the necessary operational changes and resource allocation required for effective AML compliance.
Consider How Legal Professional Privilege Must Be Handled
A significant consideration for law firms preparing for Tranche 2 is how the new AML/CTF reporting obligations interact with the existing duty of client confidentiality, including legal professional privilege (LPP). Firms must proactively navigate potential conflicts between the requirement to report suspicious matters to AUSTRAC and their professional obligations to clients.
The requirement to file an SMR based on reasonable grounds for suspicion may clash with the duty to maintain confidentiality. While the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) acknowledges LPP, determining whether information is privileged in the context of reporting can be complex—especially when the obligation may arise before a formal lawyer-client relationship is fully established.
Law firms must develop clear procedures for managing situations where reporting obligations might intersect with LPP or confidentiality. This preparation should involve:
- Understanding the scope and limitations of LPP in the context of AML/CTF reporting requirements.
- Establishing internal protocols for identifying and handling potentially privileged information when forming a suspicion.
- Training legal practitioners and relevant staff on how to manage these sensitive situations ethically and legally.
Addressing this tension proactively is crucial to prepare your legal practice for the Tranche 2 reforms, ensuring compliance while upholding professional duties. Seeking specific advice may be necessary to establish appropriate internal policies.
Get Your Free Initial Consultation
Request a Free Consultation with one of our experienced AML Lawyers today.
Developing & Implementing Your Law Firm’s AML & CTF Program
Include All Required Components in Your AML & CTF Program
Law firms must develop and implement a formal AML/CTF program before the 1 July 2026 deadline. It needs to be tailored to the specific money laundering (ML) and terrorism financing (TF) risks identified in your firm’s risk assessment. In essence, this program serves as the documented plan detailing how your firm will manage these risks and comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Your AML/CTF program must comprehensively address several key areas to ensure compliance. These essential components include:
| Component | Description |
| Governance and Oversight | Clearly define roles and responsibilities, appoint an AML/CTF Compliance Officer, and secure a commitment from senior management to support and resource compliance efforts. |
| Risk Management Systems | Incorporate systems and controls for the ongoing assessment and management of ML/TF risks identified in your firm’s specific context. |
| Customer Due Diligence Procedures | Outline processes for identifying and verifying clients (including beneficial owners) before providing designated services. Detail standard CDD, simplified CDD, and enhanced CDD procedures for higher-risk clients. |
| Transaction Monitoring Program | Establish procedures to identify potentially suspicious transactions or activities related to your firm’s designated services. |
| Reporting Procedures | Describe how suspicious matters will be identified, investigated internally, and reported to AUSTRAC within required timeframes (SMRs). Include procedures for reporting TTRs, if applicable. |
| Employee Due Diligence Program | Implement processes for screening prospective employees—particularly those in roles vulnerable to facilitating ML/TF—and managing any employees who fail to comply with the firm’s AML/CTF procedures. |
| AML/CTF Risk Awareness Training | Provide regular training to employees on their AML/CTF obligations, the firm’s specific risks, and internal policies and procedures. |
| Record Keeping | Describe systems for making and retaining required records (such as customer identification, transaction data, and program documentation) for the mandated period, typically seven years. |
| Independent Review | Outline the process for regular independent reviews (audits) of the AML/CTF program to assess its effectiveness and ensure ongoing compliance. |
Appoint an AML & CTF Compliance Officer
A crucial step in preparing for Tranche 2 is appointing a dedicated AML/CTF Compliance Officer at a managerial level. This individual will oversee and manage the firm’s AML/CTF program on a day-to-day basis, acting as the central point of contact for all AML/CTF matters—both internally and with AUSTRAC.
The Compliance Officer’s duties typically include:
- Developing and implementing the AML/CTF program.
- Ensuring adherence to policies and procedures.
- Overseeing risk assessments.
- Managing reporting obligations.
- Coordinating staff training.
- Conducting regular program reviews and updates.
It is vital that this person has the necessary authority, resources, and a solid understanding of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and associated Rules to perform these duties effectively and ensure your firm meets its compliance obligations.
Secure Senior Management Approval for the Program
Before implementation, your law firm’s AML/CTF program must receive formal approval from its board or senior management. This step not only signifies leadership’s commitment to compliance but also ensures the program has the necessary backing and resources to succeed. Under the AML/CTF Rules, senior management oversight is a specific requirement.
Obtaining this approval demonstrates that the highest levels of the firm acknowledge the importance of AML/CTF compliance and support the framework established to mitigate ML/TF risks. Leadership buy-in is essential for fostering a strong compliance culture and integrating the program seamlessly into the firm’s operations.
Integrate Compliance into Existing Workflows
To ensure operational efficiency and successful adoption, law firms must plan how to integrate the new AML/CTF requirements into their existing client onboarding and engagement procedures. Begin by mapping current workflows to identify touchpoints where AML/CTF checks and procedures—such as CDD—can be seamlessly incorporated. Wherever possible, leverage existing processes to minimise disruption.
Consider how the following elements will fit within the typical client lifecycle for different types of matters or designated services:
- Client identification and verification
- Risk assessment
- Ongoing monitoring
By planning integration early, you’ll ensure consistency and make compliance a routine part of service delivery rather than a separate, burdensome task. This practical approach is vital for embedding AML/CTF compliance into the fabric of the firm’s operations before the July 2026 deadline.
Implementing Customer Due Diligence & Monitoring Procedures
Establish Robust Customer Identification & Verification Processes
Law firms must prepare to implement thorough CDD, often referred to as KYC, before the 1 July 2026 deadline. This involves establishing clear procedures to identify and verify the identity of all clients prior to providing any designated service. These processes form a core part of your AML and CTF compliance obligations under the Tranche 2 reforms.
Your firm’s procedures must detail how you will collect and verify identity information. This includes:
- For individuals: Collecting and verifying identity documents such as a driver’s licence or passport. Verification might involve sighting original documents, using electronic verification systems, or engaging third-party services.
- For companies: Gathering company registration details and identifying the ultimate beneficial owners (UBOs)—the individuals who ultimately own or control the company. Verification of these individuals is also required.
- For trusts: Collecting and verifying information about the trust deed, trustees, and settlors.
Crucially, these identification and verification steps must be completed before providing a designated service. Moreover, documenting the entire process and the information gathered is essential for record-keeping under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Set Up Screening for PEPs & Sanctions
As part of the CDD process, law firms must implement systems to screen clients against relevant sanctions lists and identify Politically Exposed Persons (PEPs). This mandatory step not only helps assess client risk levels but also ensures Tranche 2 compliance.
PEPs include individuals entrusted with prominent public functions domestically or internationally, specifically:
- Politicians
- Senior government officials
- Judicial officers
- Close associates or family members of any of the above
Firms need reliable methods for conducting these checks during client onboarding. Options include:
- Utilising specialised databases or screening services that maintain up-to-date sanctions lists and PEP registers
- Integrating screening tools into client intake workflows to ensure consistency
If a client is identified as a PEP or flagged on a sanctions list, their risk profile significantly increases. Consequently, this triggers enhanced due diligence (EDD) measures—gathering more detailed information and conducting more rigorous verification before proceeding. In some cases, appearing on a sanctions list may require refusing the business entirely.
Institute Ongoing Customer Monitoring Systems
Beyond initial onboarding, law firms must establish procedures for ongoing CDD and monitoring throughout the client relationship. This continuous oversight is a key requirement under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and helps detect potential ML or TF risks.
Effective ongoing monitoring involves:
- Keeping client identification and verification information up-to-date
- Monitoring transactions and activities for anything unusual or inconsistent with the known client profile or business relationship (for example, trust account movements or unexpected requests to transfer funds)
- Defining “red flags” based on your firm’s risk assessment that trigger further investigation by the AML/CTF Compliance Officer
- Applying enhanced monitoring for clients identified as high-risk
Implementing systems such as ComplianceGPT can help automate aspects of transaction monitoring and flag suspicious activity for review. This proactive approach ensures your firm can identify and manage emerging risks effectively before the 1 July 2026 commencement date.
Establishing Reporting & Record Keeping Systems
Prepare Procedures for Submitting SMRs to AUSTRAC
Law firms must establish clear procedures for identifying and reporting suspicious matters to AUSTRAC before the 1 July 2026 deadline. This preparation requires understanding when the obligation to report arises—namely, whenever the firm forms reasonable grounds for suspicion regarding a client, transaction or activity related to a designated service. Procedures should detail how staff escalate concerns internally, typically to the AML/CTF Compliance Officer, who then investigates and determines if an SMR is necessary.
The timeframe for submitting an SMR is strict:
- Within 24 hours if the suspicion relates to TF
- Within three business days for all other types of suspicion
Firms must ensure their systems can meet these deadlines. Furthermore, staff must be trained on the critical “tipping off” prohibition under section 123 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), which makes it a criminal offence to disclose that an SMR has been filed or that a suspicion has been formed.
Prepare for Lodging TTRs for Large Cash Transactions
Firms must also prepare systems to identify and report TTRs to AUSTRAC. This obligation applies specifically to transactions involving physical currency (cash) of $10,000 AUD or more, or the foreign currency equivalent. While such cash dealings may be less common for some legal practices, firms still need procedures to capture any instances— for example, if a large cash retainer or deposit is accepted.
To comply, firms should:
- Flag all cash transactions meeting or exceeding the $10,000 threshold
- Ensure TTRs are lodged with AUSTRAC within 10 business days of the transaction
- Integrate these checks into existing financial handling procedures before the Tranche 2 reforms commence
Prepare for Filing IFTI Reports if Applicable
If your law firm handles international funds transfers on behalf of clients, you must prepare to file International Funds Transfer Instruction (IFTI) reports. This reporting obligation covers instructions to send funds out of Australia or receive funds into Australia. Similar to TTRs, IFTI reports must be submitted to AUSTRAC within 10 business days of the transfer instruction.
Firms need to assess whether their services involve such transfers and, if so, implement procedures to:
- Capture the necessary transfer information
- Meet the 10-business-day reporting timeframe
This ensures compliance with all potential reporting duties under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Implement Compliant AML & CTF Record Keeping Practices
Establishing robust record-keeping systems is a fundamental requirement for AML/CTF compliance that law firms must address before July 2026. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) mandates that reporting entities make and retain specific records for a minimum period—typically seven years after the business relationship ends or the transaction is completed. These records are crucial for demonstrating compliance and assisting potential investigations.
Key records that must be kept include:
| Record Type | Description |
| Customer Identification & Verification | Documents and details collected during the CDD/KYC process. |
| Transaction Records | Information related to designated services provided and any associated financial transactions. |
| AML/CTF Program Documentation | Copies of the firm’s AML/CTF program, risk assessments, policies, and procedures, including version histories. |
| Reporting Records | Copies of any SMRs, TTRs, or IFTIs submitted to AUSTRAC. |
| Due Diligence Records | Documentation related to employee due diligence and ongoing customer monitoring activities. |
| Training Records | Logs detailing staff AML/CTF training completion dates and content covered. |
Firms must implement systems—potentially including AML software or secure digital folders—to ensure these records are stored securely, are readily accessible for audit or regulatory requests, and are protected from loss or unauthorised access. Methodical organisation is key for efficient retrieval and effective compliance management.
Ensuring Staff Training & Ongoing Compliance Measures
Implement Mandatory AML & CTF Staff Training
Developing and delivering regular, comprehensive AML and CTF training is a mandatory action law firms must take before the 1 July 2026 deadline. This training ensures all relevant staff understand their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and are equipped to fulfill their roles in the firm’s compliance efforts.
The AML/CTF program must include provisions for an AML/CTF risk awareness training program for employees. To be effective, training should cover several key areas:
- Legal Obligations: Staff must understand the requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and associated Rules.
- Firm-Specific Risks: Training needs to address the specific ML and TF risks identified in the firm’s risk assessment.
- Internal Policies and Procedures: Employees must be familiar with the firm’s AML/CTF program, including CDD processes, how to identify red flags, and internal escalation and reporting procedures.
- Consequences of Non-Compliance: Awareness of the penalties for failing to comply is also important.
Firms should implement a comprehensive training strategy that includes:
- Initial comprehensive training for all current staff involved in any part of the AML/CTF process before the regulations commence
- Ongoing training, including refreshers (at least annually) and updates for legislative changes
- Training for new hires during their induction
Maintaining detailed records of training sessions, including dates, attendees, and content covered, is crucial for demonstrating compliance and is a required component of record-keeping obligations.
Schedule Regular Independent Program Reviews
Law firms must plan for periodic independent reviews or audits of their AML/CTF program. This is a required component under the AML/CTF Rules and is essential for assessing the program’s ongoing effectiveness and ensuring it remains compliant with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
These reviews provide an objective evaluation of whether the firm’s policies, procedures, and controls are working as intended and are adequately mitigating ML/TF risks. The independent review should cover all aspects of the AML/CTF program, including:
- The firm’s ML/TF risk assessment
- CDD procedures and implementation
- Transaction monitoring systems
- Reporting procedures (SMRs, TTRs)
- Record-keeping practices
- Staff training effectiveness
While specific frequency may depend on the firm’s risk profile, reviews are often suggested annually or biennially. The review can be conducted by a qualified external auditor or an internal auditor who was not involved in developing or managing the program, ensuring impartiality.
Findings, including any identified deficiencies and recommendations for improvement, must be reported to senior management for action.
Get Your Free Initial Consultation
Request a Free Consultation with one of our experienced AML Lawyers today.
Enrol Your Law Firm with AUSTRAC Before the Deadline
A crucial administrative step law firms must take is to formally enrol with AUSTRAC as a reporting entity. This enrolment is a legal requirement under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) for all businesses providing designated services, including those covered by the Tranche 2 reforms.
Enrolment signifies that the firm acknowledges its AML/CTF obligations and allows AUSTRAC to oversee its compliance. The process typically involves completing an online registration form via the AUSTRAC website, providing details about:
- The law firm
- Its ownership structure
- The designated services it offers
It is advisable to complete this enrolment process well before the deadline to avoid any last-minute issues. The specified deadline for enrolment is 31 March 2026, although the compliance obligations commence on 1 July 2026.
Conclusion
To prepare for the AML/CTF Tranche 2 reforms effective 1 July 2026, Australian law firms must understand their specific obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), conduct tailored ML and TF risk assessments, and develop comprehensive, board-approved AML/CTF programs. Implementing robust CDD, ongoing monitoring, compliant reporting and record-keeping systems, alongside mandatory staff training and regular independent reviews, are essential actions before the deadline.
Navigating these significant regulatory changes requires careful planning and proactive implementation to ensure full compliance. Contact AFSL House today to leverage our trusted expertise in financial services regulation and receive specialised guidance tailored for law firms to meet these complex new AML/CTF obligations effectively.
