AML/CTF Program Guide
for Australian Lawyers

1. Why Lawyers Need an AML/CTF Program

For nearly two decades, Australian lawyers operated outside the reach of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“the Act”). While banks, casinos, and remittance dealers were subject to rigorous AML/CTF obligations from 2006 onward, the legal profession remained in what was commonly referred to as “Tranche 2” — the second wave of regulated entities that successive governments delayed implementing.

That delay ended with the passage of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 in October 2024. From 1 July 2026, lawyers and solicitors who provide certain transactional services will be classified as reporting entities under the Act and must comply with the full suite of AML/CTF obligations, including enrolling with AUSTRAC (enrolment opens 31 March 2026), developing and maintaining an AML/CTF program, conducting customer due diligence, monitoring transactions, reporting suspicious matters, and retaining records for seven years.

The rationale is straightforward. The Financial Action Task Force (FATF) has repeatedly identified legal professionals as gatekeepers who can either prevent or facilitate money laundering. Lawyers create companies, manage trust accounts, transfer property, and structure financial arrangements. These are precisely the activities that money launderers exploit to distance criminal proceeds from their origin. Australia's FATF mutual evaluation in 2015 specifically criticised the country for failing to extend AML/CTF obligations to designated non-financial businesses and professions (DNFBPs), including lawyers. The FATF Recommendations 22 and 23 require countries to subject DNFBPs to comprehensive AML/CTF obligations. Australia's Tranche 2 reforms finally bring the country into alignment with these international standards.

Under s6AA of the amended Act, designated services for legal professionals are defined with specificity. The critical question for every lawyer is not whether you practise law, but whether you provide a designated service as defined by the legislation. The obligation attaches to the service, not to the professional title. A solicitor who handles conveyancing, manages funds through a trust account, or assists with company formation is squarely within scope. A barrister providing court advocacy, in most circumstances, is not.

2. Which Legal Services Are Designated Services?

Section 6AA of the amended Act defines the designated services that bring legal professionals within scope. Understanding exactly which services are captured — and which are not — is essential for determining the extent of your obligations.

Services That Are Designated Services

The following services, when provided by a legal practitioner on behalf of a client, are designated services under s6AA:

• Real property transactions: Buying, selling, or transferring real property on behalf of a client. This captures conveyancing, property settlements, and acting in commercial property transactions. It is the single largest area of exposure for most law firms.
• Company formation and management: Organising contributions for the creation, operation, or management of a company. This includes incorporating companies, acting as a registered agent, and advising on the establishment of corporate structures where the lawyer plays a transactional role.
• Trust creation and management: Creating, operating, or managing a legal person or legal arrangement, including trusts. Lawyers who draft trust deeds, act as trustees, or manage trust assets are captured. Discretionary trusts, unit trusts, and self-managed superannuation fund trusts are all within scope.
• Managing client money, securities, or assets: Any management of client funds through trust accounts, or the holding and management of client assets, is a designated service. This captures the core of solicitors' trust account operations.
• Managing bank, savings, or securities accounts: Where a lawyer manages financial accounts on behalf of a client, this constitutes a designated service.
• Buying or selling business entities: Acting for a client in the acquisition or disposal of a business, including share sales, asset sales, and business restructures with a transactional element.
• Financial arrangements: Arranging or facilitating financial transactions on behalf of a client, including structuring investments, arranging finance, or facilitating cross-border payments.

Services That Are Generally Excluded

The following categories of legal work are generally not designated services, provided they do not involve a transactional element described above:

• Pure litigation: Court advocacy, dispute resolution, and the conduct of proceedings. A barrister appearing in court, or a solicitor managing litigation, is not providing a designated service by virtue of that work alone.
• Family law advice: General family law advice and parenting matters are excluded. However, family law property settlements that involve the transfer of real property or the management of substantial assets may trigger designated service obligations.
• Criminal defence: Representing clients in criminal proceedings is not a designated service. However, if a criminal lawyer also manages client funds through a trust account in connection with asset restraint or forfeiture proceedings, that element may be captured.
• General legal advice: Providing legal opinions, regulatory advice, or policy guidance without a transactional component is not captured. The Act targets transactional gatekeeping, not advisory services.
• Employment and workplace law: Advising on employment contracts, unfair dismissal, or workplace disputes is generally excluded.

3. Legal Professional Privilege and AML/CTF

This is the single most misunderstood area of the legislation for legal practitioners, and it warrants careful attention. Many lawyers assume that legal professional privilege (LPP) provides a blanket exemption from AML/CTF obligations. It does not.

The s242 Carve-Out: What It Does and Does Not Cover

Section 242 of the Act preserves LPP in certain respects. Specifically, it provides that nothing in the Act requires a lawyer to disclose a privileged communication — that is, a confidential communication made for the dominant purpose of giving or receiving legal advice, or for use in existing or anticipated litigation. This means that when conducting customer due diligence, you are not required to hand over privileged documents or communications to AUSTRAC. If a client provides you with information in the course of seeking legal advice, and that communication attracts privilege, s242 protects you from being compelled to produce that specific communication during compliance activities.

Practical Application of the LPP and AML/CTF Interaction

The practical effect is as follows:

• CDD and information-gathering: LPP may apply. You are not required to breach privilege when collecting identity documents or conducting due diligence. However, you must still perform the CDD — you simply do not need to disclose privileged materials to AUSTRAC in the process. CDD involves collecting identification documents, verifying identity, and establishing the purpose of the engagement. These are factual and administrative steps that rarely attract privilege in any event.
• Suspicious matter reporting: LPP does not apply. If you suspect money laundering or terrorism financing, you must report it. The privilege does not excuse the reporting obligation, even if the suspicion arose from privileged communications. This is a statutory override of the common law position, and it is deliberate.
• Record keeping: LPP applies to the extent that privileged documents do not need to be provided to AUSTRAC on demand, but you must still maintain records of the CDD and compliance activities you have performed. You can note that certain records are subject to a privilege claim, but you cannot use privilege as a reason to fail to keep records at all.
• AUSTRAC examinations: If AUSTRAC conducts an examination or audit of your practice, you may claim privilege over specific communications. However, AUSTRAC can challenge the claim if it believes the privilege is being asserted improperly. The burden is on the lawyer to establish that the communication meets the dominant purpose test.

Practical Scenarios

Scenario 1: A client instructs you to create a discretionary trust. During the engagement, the client tells you in confidence that the funds to be settled on the trust are from an overseas source that you suspect may be illicit. The communication may be privileged, but the suspicion itself triggers the s41 reporting obligation. You must file an SMR. You are not required to attach the privileged communication to the SMR, but you must report the suspicious matter and the grounds for your suspicion.

Scenario 2: During a conveyancing transaction, you identify that the purchaser's funds are being provided by a third party with no apparent connection to the transaction. This is a red flag. Your suspicion arises from transactional facts, not from a privileged communication. You must file an SMR and should document the basis for your suspicion.

Scenario 3: A client asks you for advice on whether a particular corporate structure would be lawful. You provide that advice. The advice itself is privileged. However, if during the course of providing the advice you form a suspicion that the client intends to use the structure to launder money, the reporting obligation is triggered. The privilege protects the advice from disclosure; it does not protect you from the obligation to report your suspicion.

For a detailed treatment of SMR obligations, see our Suspicious Matter Reporting Guide.

4. Part A: Compliance Procedures for Law Firms

Part 7A of the Act (ss81–83) requires every reporting entity to develop and maintain an AML/CTF program before providing a designated service. Part A of the program covers the systems and controls your practice will use to identify, mitigate, and manage ML/TF risk. It must be informed by your ML/TF risk assessment and must be tailored to the specific risks your practice faces. A generic, off-the-shelf program that does not reflect your actual practice is unlikely to satisfy AUSTRAC.

Customer Due Diligence for Legal Clients (s28–35)

Sections 28 to 35 of the Act set out the customer due diligence (CDD) framework. For lawyers, CDD must be performed before or as soon as practicable after providing a designated service. Your Part A must specify:

• When CDD is triggered: Before providing a designated service to a new client; when you suspect ML/TF regardless of any dollar threshold; when you have doubts about previously obtained identification information; when a client's circumstances change materially; and periodically as part of ongoing CDD consistent with risk rating.
• Individual client identification: Full name, date of birth, residential address. Verification using reliable and independent source documents (passport, driver's licence) or electronic verification consistent with the AML/CTF Rules 2024.
• Entity client identification: For companies: full name, ACN/ABN, registered office, directors, and shareholders holding 25% or more (or exercising effective control). For trusts: the trustee(s), appointor, settlor, and all named beneficiaries (for discretionary trusts, classes of beneficiaries and persons exercising effective control). For partnerships: all partners and any person exercising control.
• Beneficial ownership: You must trace ownership through to the natural person(s) who ultimately own or control the entity. For complex structures with multiple layers of corporate or trust interposition, this may require examining each layer. Where beneficial ownership cannot be determined after taking reasonable steps, you must identify the senior managing official(s) and document why beneficial ownership could not be established.
• Instructing parties: Lawyers frequently receive instructions from accountants, financial planners, or other intermediaries on behalf of clients. In all cases, you must identify both the instructing party and the ultimate beneficial owner(s). Instructions through a third party may increase risk because the intermediary adds a layer that can obscure beneficial ownership.

Ongoing CDD (s36)

CDD is not a one-off exercise. Section 36 requires ongoing customer due diligence throughout the business relationship. Your program must detail how you will keep client identification current, what triggers re-verification (changes in ownership, changes in the nature of the engagement, unusual activity, a change in risk profile), a periodic review schedule calibrated to risk (e.g., annually for high-risk clients, every three years for low-risk), and how you will handle clients who refuse to provide updated information.

Transaction Monitoring for Legal Transactions

Your Part A must include transaction monitoring procedures tailored to legal transactions. For law firms, this primarily means monitoring trust account activity (covered in detail in section 6 below), but it also includes monitoring the nature and frequency of designated services provided to each client. Patterns to watch for include multiple property transactions in quick succession, company formations for clients who do not appear to have a commercial rationale, trust structures with unusual distribution provisions, and transactions involving jurisdictions that are inconsistent with the client's profile.

Risk-Based Approach

The AML/CTF Rules 2024 require a risk-based approach. This means that the intensity of your CDD, monitoring, and reporting procedures should be proportionate to the assessed level of ML/TF risk. Lower-risk matters (such as acting for an established Australian company in a straightforward commercial lease) may warrant standard CDD. Higher-risk matters (such as acting for a foreign client purchasing property through a discretionary trust funded by offshore sources) require enhanced CDD, including detailed source of funds and source of wealth inquiries, senior partner approval to proceed, and more intensive ongoing monitoring.

5. Part B: Employee Due Diligence for Law Firms

Part B of your AML/CTF program addresses the people within your practice. Its purpose is to minimise the risk that staff, partners, or contractors could facilitate, participate in, or fail to detect money laundering or terrorism financing. Part B must cover staff screening, training, ongoing awareness, and the delineation of AML/CTF responsibilities.

Staff Screening

Before assigning AML/CTF responsibilities to any person, you must conduct appropriate screening. This applies to new hires, promotions into compliance-related roles, and contractors with access to client identification data. Screening should include verification of identity, national police checks (particularly for offences related to fraud, dishonesty, or financial crime), reference checks, and verification of professional qualifications and practising certificates.

Training Requirements

All staff who are involved in providing designated services or who have AML/CTF responsibilities must receive training before commencing those duties. Training must be refreshed at least annually. Training content for law firms should cover:

• An overview of the AML/CTF Act 2006 and its application to legal practice
• Your practice's specific AML/CTF program, including CDD procedures, reporting procedures, and record-keeping requirements
• Red flags specific to legal practice: unusual trust account activity, clients who insist on secrecy, pressure to settle transactions quickly, inconsistent instructions, refusal to provide identification, and transactions that do not make commercial sense
• How to recognise and internally escalate suspicious matters
• The tipping-off prohibition under s123 and its particular implications for lawyers
• The interaction between legal professional privilege and reporting obligations
• Trust account monitoring red flags and escalation procedures

Partner Obligations vs Associate Obligations

In a law firm, partners (or principals) carry primary responsibility for the AML/CTF program. They approve the program, authorise changes, and bear ultimate accountability for compliance. However, associates, employed solicitors, paralegals, and trust account clerks all have operational obligations under the program. The program must clearly delineate who is responsible for what. At a minimum:

• Partners/principals: Approve the AML/CTF program, appoint the compliance officer, approve enhanced CDD decisions, review annual compliance reports, and authorise SMR filings (or delegate this to the compliance officer).
• Associates and employed solicitors: Conduct initial CDD on their clients, identify and escalate suspicious matters, comply with the tipping-off prohibition, and complete annual training.
• Paralegals and support staff: Assist with CDD document collection, flag unusual instructions or transactions to the supervising solicitor, and complete training.
• Trust account clerks: Monitor trust account transactions for red flags, escalate unusual patterns to the compliance officer, and file Threshold Transaction Reports (TTRs) for cash transactions of $10,000 or more.

6. Trust Account Monitoring

Solicitors' trust accounts have long been identified by AUSTRAC and the FATF as a significant vulnerability for money laundering. The commingling of multiple clients' funds in a single trust account, the perceived respectability of a law firm as an intermediary, and the existing regulatory framework around trust accounts all create an environment that can be exploited. Your AML/CTF program must include specific, detailed procedures for monitoring trust account activity.

Key Risk Indicators

• Cash deposits: Any cash deposit into a trust account should be treated as high risk. While not prohibited, cash deposits into legal trust accounts are unusual and should prompt immediate inquiry. TTRs must be filed for cash transactions of $10,000 or more under the Act.
• Third-party payments: Payments into the trust account by someone other than the client, or payments out to a party unrelated to the matter, are significant red flags. You must understand and document the reason for any third-party payment.
• Mixed funds and overpayments: Deposits that are substantially larger than the anticipated costs or settlement amounts, particularly where the client requests the excess be returned by a different method (e.g., deposited by bank cheque, returned by electronic transfer to a different account). This pattern is consistent with money laundering.
• Rapid movement of funds: Funds deposited and withdrawn in quick succession without a corresponding legal transaction. This pattern is consistent with layering — a stage of money laundering designed to distance funds from their criminal origin.
• Structuring: Multiple small deposits structured to avoid the $10,000 TTR threshold (“smurfing”). This is a criminal offence in its own right under the Act.
• Unexplained sources: Where the source of funds deposited into trust cannot be adequately explained by the client or does not align with the client's known financial profile.
• International transfers: Funds received from or sent to overseas accounts, particularly in jurisdictions that are inconsistent with the client's profile or the nature of the matter.

Interaction with State Trust Account Rules

Lawyers' trust accounts are already subject to state and territory regulation. The AML/CTF obligations operate as an overlay on top of these existing requirements:

• New South Wales and Victoria: Trust account obligations are governed by the Legal Profession Uniform Law (LPUL) and the Legal Profession Uniform General Rules. Existing trust account audit requirements, including the annual external audit, operate alongside AML/CTF monitoring. The AML/CTF obligation adds a layer of real-time and periodic transaction monitoring that goes beyond what the LPUL currently requires.
• Queensland: Trust accounts are governed by the Legal Profession Act 2007 (Qld) and regulated by the Queensland Law Society and Legal Services Commission. Trust account requirements differ slightly from the LPUL jurisdictions. QLS has signalled it will publish profession-specific AML/CTF guidance to assist practitioners in integrating the two frameworks.
• Other jurisdictions: Western Australia, South Australia, Tasmania, the ACT, and the NT each have their own trust account legislation. The AML/CTF obligations are consistent across all jurisdictions (they are Commonwealth law), but the underlying trust account rules vary. Practitioners must reconcile both sets of obligations.

Your transaction monitoring procedures should include regular (at minimum monthly) reviews of trust account activity, with documented analysis of any unusual transactions. Automated transaction monitoring is strongly recommended for firms with significant trust account throughput.

7. Suspicious Matter Reporting for Lawyers

Sections 41 to 49 of the Act impose the obligation to file suspicious matter reports (SMRs) with AUSTRAC. For lawyers, this is arguably the most significant — and most uncomfortable — obligation under the Act, because it requires you to report your own client to a government agency without their knowledge or consent.

When to Report

You must file an SMR when, in the course of providing a designated service, you form a suspicion on reasonable grounds that a matter may be related to:

• Money laundering (an offence against Division 400 of the Criminal Code)
• Terrorism financing (an offence against Division 103 of the Criminal Code)
• An offence against a Commonwealth, state, or territory law punishable by imprisonment of 12 months or more
• Proceeds of crime within the meaning of the Proceeds of Crime Act 2002

The threshold is suspicion on reasonable grounds, not proof or certainty. You do not need to be satisfied beyond reasonable doubt. A suspicion is sufficient if a reasonable person in your position, with your knowledge and experience, would also form that suspicion.

Filing Timeframes

• 24 hours if the suspicion relates to terrorism financing
• 3 business days for all other suspicious matters

SMRs are filed through AUSTRAC Online. The report must include details of the suspicious matter, the grounds for your suspicion, and any relevant transaction or client information. You should maintain a contemporaneous record of the circumstances that gave rise to the suspicion.

Common Red Flags in Legal Practice

The following are red flags that should heighten your awareness in the context of legal transactions:

• Property transactions: Purchaser unable to explain source of funds; property purchased significantly above market value; settlement funds provided by an unrelated third party; multiple properties purchased in quick succession; nominee purchasers with no apparent commercial rationale; cash or cryptocurrency used to fund part of the purchase.
• Company and trust structures: Client requests a complex multi-layered structure with no obvious commercial purpose; reluctance to provide information about beneficial owners; use of nominee directors or shareholders; instructions to register entities in jurisdictions inconsistent with the client's business.
• Client behaviour: Client is reluctant or refuses to provide identification documents; client changes instructions frequently or without explanation; client expresses unusual urgency to complete a transaction; client provides inconsistent information; client appears to be acting on instructions from an undisclosed third party.
• Financial indicators: Funds received from jurisdictions with no connection to the matter; unexplained round-sum payments; funds deposited and then rapidly withdrawn; requests to pay settlement proceeds to an account in a different name or jurisdiction.

For a comprehensive list of SMR red flags and filing guidance, see our detailed blog article on SMR filing.

8. Tipping-Off: Special Considerations for Lawyers

Section 123 of the Act creates the offence of “tipping off” — disclosing information about SMRs or AUSTRAC investigations that could prejudice those activities. For lawyers, this provision creates one of the most difficult practical challenges under the legislation, because it directly conflicts with the professional duty of candour and loyalty owed to clients.

What Section 123 Prohibits

Under s123, it is a criminal offence to disclose:

• That an SMR has been filed, is being prepared, or will be filed
• That information has been or will be communicated to AUSTRAC under the Act
• Any other information from which the existence of an SMR could reasonably be inferred

The offence carries a penalty of up to 2 years imprisonment. It applies regardless of the motivation for the disclosure. Even a well-intentioned warning to a trusted long-standing client that they are under scrutiny constitutes tipping off.

The Solicitor-Client Relationship Challenge

The tension is acute for lawyers. You owe duties of loyalty, candour, and good faith to your clients under the Australian Solicitors' Conduct Rules. Yet s123 prohibits you from disclosing the filing of an SMR. How do you navigate this?

• Do not tell the client that you have filed, are filing, or intend to file an SMR. This prohibition is absolute.
• Do not alter your behaviour in a way that signals something has changed. Suddenly ceasing to act or refusing instructions without explanation may effectively tip off the client. If you continue to act, maintain normal professional conduct.
• Prepare scripted responses. Develop pre-prepared responses, reviewed by your compliance officer, for situations where a client asks directly: “Have you reported me to AUSTRAC?” You must not confirm. Deflect without confirming or denying.
• Consider carefully whether you can continue to act. In some circumstances, continuing to provide designated services to a client about whom you have filed an SMR may facilitate the very offence you have reported. If you decide to cease acting, do so for a reason that does not disclose or imply the existence of the SMR. Neutral reasons such as “conflict of interest” or “unable to continue due to current workload” are preferable.
• Limit internal knowledge. Only those within the practice who need to know about an SMR should be informed. The tipping-off provisions apply to all persons, not just the reporting entity's principals.

Managing Ongoing Matters After Filing an SMR

Filing an SMR does not automatically require you to cease acting. In many cases, you may be required to continue acting to avoid tipping off the client. However, you should:

• Seek guidance from your AML/CTF compliance officer on how to proceed
• Document your reasoning for continuing or ceasing to act
• Consider whether continued involvement could expose you to criminal liability (for example, if continuing to facilitate the transaction would amount to dealing in proceeds of crime)
• If in doubt, seek confidential external legal advice on your position
• Continue to file further SMRs if additional suspicious indicators arise during the continued engagement

9. Law Society and Professional Conduct Overlays

Lawyers operate in a dual regulatory environment. In addition to the AML/CTF Act (Commonwealth legislation), you are subject to state and territory-based professional conduct rules administered by your law society or regulatory authority. These two regimes can create tensions, but the legislation provides a clear hierarchy.

Key Ethical Obligations and Their Interaction with AML/CTF

The Australian Solicitors' Conduct Rules (which form the basis of professional conduct rules in most jurisdictions) impose duties including:

• Duty to the client (Rule 4): You must act in the client's best interests and maintain confidentiality. This duty must now be read subject to the statutory reporting obligations under the AML/CTF Act. Filing an SMR is a lawful action required by statute; it does not breach Rule 4.
• Confidentiality (Rule 9): You must not disclose confidential client information unless required by law. SMR reporting under the AML/CTF Act is precisely such a legal requirement. Filing an SMR does not breach Rule 9.
• Duty not to deceive (Rule 19): While you must not mislead the client, the tipping-off provisions effectively override this duty in the narrow context of SMR disclosures. Declining to disclose the existence of an SMR, or deflecting a direct question about reporting, does not constitute a breach of Rule 19 because you are acting in compliance with a statutory prohibition.
• Conflicts of interest (Rule 10): Filing an SMR about a client may create a conflict that makes it impossible to continue acting. You should address this conflict in accordance with your professional conduct rules. In many cases, the conflict will be irreconcilable and you will need to cease acting — but the reason you give must not disclose the SMR.

The Hierarchy: Statute Prevails

The key principle is that statutory obligations prevail over professional conduct rules where there is a direct conflict. The AML/CTF Act is Commonwealth legislation and overrides any inconsistent state-based professional obligation by operation of s109 of the Constitution. Your law society's professional conduct rules recognise this — they generally provide that confidentiality obligations do not apply where disclosure is required or permitted by law.

State Law Society Guidance

Most state and territory law societies have published or are developing guidance notes on the interaction between AML/CTF obligations and existing professional conduct rules. You should:

• Monitor your law society's publications for AML/CTF-specific guidance
• Attend any continuing professional development (CPD) sessions offered on AML/CTF compliance
• Ensure your AML/CTF program explicitly addresses the interaction between professional conduct rules and reporting obligations
• Seek ethics advice from your law society if you encounter a genuine conflict that you cannot resolve internally

10. Risk Assessment for Law Firms

The foundation of any AML/CTF program is a thorough ML/TF risk assessment. Under the AML/CTF Rules 2024, this enterprise-wide risk assessment (EWRA) must be documented, reviewed at least annually, and updated whenever there is a material change to your practice. For law firms, the risk assessment must consider risk factors specific to legal practice.

Property-Related Risks

Property transactions represent the highest-volume designated service for most law firms. ML/TF risks in this area include:

• Purchases funded by unexplained cash or third-party sources
• Properties purchased significantly above or below market value
• Use of complex trust or corporate structures to purchase residential property
• Rapid buying and selling (“flipping”) without apparent commercial rationale
• Foreign purchasers acquiring property in contravention of FIRB rules
• Settlement proceeds directed to accounts in names or jurisdictions unrelated to the parties

Corporate and Trust Structuring Risks

• Requests for complex multi-layered structures with no clear commercial purpose
• Use of nominee directors, nominee shareholders, or shelf companies
• Trust deeds with unusual distribution provisions or vesting dates
• Reluctance to disclose beneficial owners or to provide trust deeds for inspection
• Requests to incorporate entities in multiple jurisdictions without a clear operational reason

Geographic Risks

Assess the jurisdictions involved in your clients' matters. Transactions involving FATF-identified high-risk jurisdictions, jurisdictions subject to Australian autonomous sanctions or UN Security Council sanctions, or countries with known corruption indices should receive enhanced attention. This applies to the client's country of residence, the source of funds, the destination of payments, and the location of property or assets involved in the transaction.

Service Delivery Risks

Consider how services are delivered. Non-face-to-face instructions, instructions received through intermediaries, matters conducted under unusual urgency, and transactions where the client's rationale is unclear all present higher risk. Remote client onboarding and digital document execution, while increasingly common, require additional safeguards compared to in-person verification.

11. Building Your AML/CTF Program: Implementation Steps

The following is a practical step-by-step approach to building your AML/CTF program as a law firm. This is not a substitute for the legislative requirements, but it provides a roadmap for implementation.

Step 1: Determine Whether You Are Captured

Review your practice areas and identify which (if any) constitute designated services under s6AA. If none of your services are designated services, you are not a reporting entity and do not need an AML/CTF program. If any of your services are captured, proceed to Step 2. When in doubt, treat the service as captured.

Step 2: Enrol with AUSTRAC

Enrolment opens 31 March 2026. You must enrol with AUSTRAC as a reporting entity before you provide any designated service after 1 July 2026. Enrolment is done through the AUSTRAC online portal.

Step 3: Conduct Your ML/TF Risk Assessment

Before writing your program, conduct a documented EWRA. Assess risk across the four dimensions described in section 10 above: practice area risk, client risk, geographic risk, and service delivery risk. Assign risk ratings and document your findings.

Step 4: Draft Your AML/CTF Program (Part A and Part B)

Draft your written AML/CTF program, covering all Part A elements (CDD procedures under s28–35, ongoing CDD under s36, transaction monitoring, SMR procedures under s41–49, record keeping under Part 10, compliance officer nomination) and Part B elements (staff screening, training, ongoing monitoring). The program must be tailored to your specific practice — not copied from a generic template. Reference your EWRA findings throughout.

Step 5: Appoint Your AML/CTF Compliance Officer

Nominate a compliance officer at a senior level. In a small firm, this will typically be a principal or senior partner. In larger firms, a dedicated compliance manager or general counsel may be appropriate. Document the compliance officer's name, responsibilities, and reporting line in the program.

Step 6: Implement CDD Procedures and Systems

Establish your client onboarding procedures. This includes identity verification checklists, beneficial ownership identification workflows, PEP and sanctions screening procedures, and risk-rating templates. Integrate these into your practice management system where possible.

Step 7: Establish Trust Account Monitoring

Implement trust account monitoring procedures, including regular reviews, escalation protocols, and TTR filing procedures. For firms with significant trust account throughput, consider automated monitoring tools.

Step 8: Train All Relevant Staff

Deliver initial AML/CTF training to all staff who provide designated services or have AML/CTF responsibilities. Training must be completed before staff commence those duties. Document training content, dates, and attendees. Schedule annual refresher training.

Step 9: Obtain Senior Approval

The AML/CTF program must be approved by the practice's principals, partners, or board. Document the approval, including the date and the person(s) who approved it.

Step 10: Establish Ongoing Review and Maintenance

Set a schedule for periodic review of your program (at least annually). Ensure that review triggers are documented (material changes, compliance failures, regulatory updates). Under s82 of the Act, you must update your program whenever there is a material change to the nature or scale of your practice, a change in ML/TF risks, or a regulatory development that affects your obligations. Arrange for an independent review at least once every three years, as required by the AML/CTF Rules 2024.

Step 11: Establish Record-Keeping Procedures

Part 10 of the Act requires retention of all AML/CTF records for a minimum of 7 years. Establish procedures for storing CDD records, transaction records, copies of all AUSTRAC reports (SMRs, TTRs, IFTIs), risk assessments, program versions, staff training records, employee due diligence records, and internal compliance reports. Records must be secure, accessible, and producible to AUSTRAC on request. Ensure your AML/CTF records are linked to relevant legal files but can also be accessed independently. Under s75C, AUSTRAC may request production of compliance records, and you must be able to provide them within a reasonable timeframe.