AML/CTF reforms: the legal profession prepares for change

The legal profession has weathered many changes over the course of its long history. As a profession, we have witnessed how advancements in technology have revolutionised the way we work, making word processing, billing, communication and other tasks easier and more efficient.

More recently, lawyers have witnessed a shift towards online court appearances, hearings and registry services. Settlement checklists and physical cheques became a quaint memory as property transactions transitioned online.

Despite the positive changes we have witnessed, there is a downside. As society and technology continue to evolve, criminals have become more advanced in the ways they commit crime, and this can cause devastating ripple effects throughout society.

According to the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s AML/CTF regulator and financial intelligence unit, money laundering can be linked to a range of heinous offences including child exploitation, drug and sex trafficking, terrorism, proliferation of weapons of mass destruction, scams and fraud. 

On 29 November 2024, the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Amendment Bill was passed, amending the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). 

Amendments to the legislation

The reforms will place greater obligations on different sectors, including the legal profession. So, what has changed?

According to the explanatory memorandum for the Bill, the reforms will “ensure Australia’s AML/CTF regime continues to effectively deter, detect and disrupt illicit financing, and protect Australian businesses from criminal exploitation.”

One of the central goals of the Bill was to expand the existing AML/CTF regime to services deemed to be ‘higher risk’ services, including real estate professionals, lawyers, conveyancers, accountants, trust and company service providers, and dealers in precious stones and metals. These are referred to as ‘tranche two’ entities.

From 1 July 2026, tranche two entities will need to, among other things: enrol and register with AUSTRAC, develop and maintain an AML/CTF program, train staff to implement/carry out their AML/CTF obligations, perform initial and ongoing Customer Due Diligence (CDD), report suspicious activities and certain transactions to AUSTRAC, and keep records.

If you provide a designated service, you need to enrol with AUSTRAC. The enrolment portal will open for tranche two entities on 31 March 2026.

To ascertain whether your legal practice will be captured by the reforms, it is important to conduct a self-assessment and ask yourself: do you offer legal services to help a client plan or carry out a transaction involving the purchase, sale or transfer of real estate? Do you receive money from, or hold assets or property from, a client, to carry out a transaction? Are you involved in the planning or execution of the creation or restructuring of a body corporate or legal arrangement? Do you provide a registered office address or principal place of business address of a body corporate or legal arrangement?

The first step is to check the current guidance issued by AUSTRAC. If you answered ‘yes’ to any of the above questions, you may fall under the definition of a ‘designated service’, and you may be subject to the new obligations in the AML/CTF Act.

Risks and why Australia is a desirable destination for criminals

Financial crime remains an important issue around the world. The European Union, United Kingdom, and New Zealand have implemented, and are reviewing, their own AML/CTF regimes to address money laundering as an issue. Prior to the expansion of Australia’s AML/CTF regime, AUSTRAC regulated business activities in the banking, financial, bullion, and gambling sectors.

Jamie Lynch, head of AML at Gilbert + Tobin, says the risks in relation to lawyers lie in our function as gatekeepers. He explains that lawyers can be used as a “conduit” through which money can trickle into the financial system. He says lawyers regularly assist in the “movement, transfer [and] creation of assets. That is something that lawyers do … on a regular basis.

“We also allow the restructuring of corporate entities to allow bad actors … who shouldn’t necessarily have access to funds or assets … and allow them access to an avenue to move money through those vehicles.”

In its 2024 report, the Australian Institute of Criminology found that money laundering, and the harm from organised crime, cost Australia up to $60.1 billion between 2020 and 2021.

Similarly, AUSTRAC, in its Money Laundering in Australia National Risk Assessment 2024, identified several ways money laundering can negatively affect society. The Assessment stated that money laundering contributes to serious crime by allowing criminals to use funds in further criminal activity.

Source: austrac.gov.au

According to the Assessment, AUSTRAC found that criminals persist in their efforts to find and capitalise on new opportunities to launder funds. With the evolution of technology, criminals have swiftly embraced and abused new methods to their advantage. 

So, what constitutes money laundering? Anton Moiseienko, Associate Professor of Law and Research Director at the Australian National University, explains that money laundering refers to the use of proceeds of crime. “There is a bit of a misconception … that money laundering needs to involve some sophisticated deception, effort and some complicated cover story as to how the criminal came up with the money, but that’s really not part of the legal definition of money laundering,” he says.

When a person is using the proceeds of crime, even hiding the money under a mattress may constitute money laundering. Moiseienko explains that proceeds of crime can be derived from different criminal activities, and money laundering is pertinent to fraud, corruption, drug trafficking, arms dealing and so forth. “[T]he reason why that matters for the legal profession is that legal professionals will have a range of obligations related to detecting money laundering which they didn’t used to have in the past,” he says.

Prior to the passage of the Bill, arguments were advanced by bodies, such as the Law Council of Australia (LCA), stating that the legal profession is already one of the most regulated professions, and lawyers are subject to stringent conduct rules. The LCA’s then President-Elect Juliana Warner called for the laws to be “balanced and proportionate to the real risk, targeted and carefully drafted to ensure vital foundations of our legal system, including access to justice and client legal privilege, are not weakened,” she said.

Moiseienko adds that another argument made at the time was “the obligation to file a suspicious matter report might conflict with legal professional privilege and the broader duty of client confidentiality”. 

Following these concerns being raised, the Government made some amendments in relation to legal professional privilege and confidentiality, which addressed some of the practical concerns of the legal profession.

“[T]he reality is that international experience and [the] Australian experience suggests that criminals do try to take advantage of legal advice when they carry out money laundering schemes,” Moiseienko says.

Australia has been a member of the Financial Action Task Force (FATF) since 1990. The Anti-money laundering and counter-terrorism financing measures – Australia – Mutual Evaluation Report (2015) identified Australia’s legal framework to tackle terror financing as ‘comprehensive’ and noted that Australia had successfully undertaken a number of terror financing investigations and prosecutions, including three convictions for terror financing offences.

The report noted that Australia had adopted a “risk-based approach to supervision” and greater “supervision and enforcement” of reporting entities’ compliance with AML/CTF in different sectors was needed.

But the previous regime only covered certain sectors, meaning ‘gatekeeper’ professions were not included.

And Moiseienko points out, “the international standard set by the Financial Action Task Force has long required countries to implement this kind of regulation for the legal profession. Australia was one of the few remaining hold ups and now, in anticipation of a new round of evaluation … it was decided that it was time to bring the legislation into compliance with those international requirements.”

Other sectors, such as banking, are already subject to the obligations. Moiseienko gives the example of a person opening a bank account. He says the bank would want to know who you are and what the source of your funds is. If the bank perceives risk or activity that seems ‘suspicious’ or questionable, then they have an obligation to report that to AUSTRAC. He explains that, following the legislative reforms, lawyers will be required to take similar steps to what banks currently do, and they will be bound by CDD obligations. “[A]nd very importantly, and somewhat controversially, the obligation to file suspicious matter reports if they believe that a client is involved in money laundering or terrorist financing,” he says.

Lynch adds that while AML legislation has been around for a while, technology and the growth of virtual assets like cryptocurrency has enhanced the ability of criminals to move money across borders, jurisdictions and structures more easily. Lynch explains that law firms are involved in “giving advice, writing advice and setting structures to create cryptocurrency exchanges and businesses. They have an obligation … to monitor potential sanctions involvement around these sorts of things … they need to be looking where the income and where the funds are coming from to create these structures and if they are coming from areas they shouldn’t be,” he says.

Legal profession preparing for change

With only a few months to go until the obligations commence on 1 July, the legal profession is doing what it can to prepare itself for the reforms. 

How firms prepare for the changes and fulfil their obligations will depend on the size of the firm, and the type of services it provides.

Moiseienko tells the Journal that the first step that lawyers should take is to check the website of their local Law Society. He says law societies across the country have done an “excellent job getting up to speed with what the new regulation entails … and putting out guidance and advice. So, I think that ought to be the first point of call.”

One of the concerns previously identified by the LCA and other bodies was the cost and the amount of resources required to develop and implement compliant AML/CTF programs. 

Speaking before the launch of AUSTRAC’s Program Starter Kits, which are aimed at assisting smaller law firms, experts predicted that medium and BigLaw firms will most likely develop their own AML/CTF programs. Firms can also appoint AML/CTF consultants to develop programs for them. Proforma programs may not suit larger firms, and they may need specialised programs customised to their needs and the types of services that they provide.

Moiseienko acknowledges that some law firms might choose to engage some form of outsourcing. This could involve a service provider assisting with the creation of AML policies and implementing processes for certain obligations, such as suspicious matter reports. He recognises that there may be challenges for boutique firms and sole practitioners. “[I] would really encourage them to take advantage of the guidance being offered by their local law societies …,” he says.

Lynch believes the changes will provide an opportunity for firms to evaluate and better “allocate” their staffing, as well as an opportunity to examine how they train their staff. “You could really revitalise a few of the roles or repurpose a few of the roles in the business, give people a new string to their bow and I think that’s another positive for the business in the sense that you are creating career pathways which didn’t exist previously,” he says.

He acknowledges that some firms may be “pushed to the margins” but says “there will be a settling of how client due diligence is delivered and achieved and worked through. “There’ll be a competitive advantage to doing it well and doing it effectively,” he says.

Haille Paine, a regional firm in the Southern Highlands established in 1879, has already embarked on their journey to become compliant by 1 July. The firm’s solicitor director David Allen tells the Journal the firm is using its practice management software to help create a risk profile and a picture of what the firm’s ‘usual’ client looks like. “In doing a risk profile, we need to identify how we look at what clients we have, and whether any new client is normal or unusual and if it’s unusual then we probably need to know, to ask, more questions,” he says.

The firm’s main area of practice is property law, but they also practice in other areas. The firm is contemplating the way they onboard clients. As a firm with eight employees, Allen says that everyone in the team will be involved once they have devised a checklist.

Allen acknowledges that things might look differently for firms depending on their size and the volume of matters they have. However, he is confident that lawyers will be up to the challenge. “We’ve been through [the] transition to GST, we’ve been through the various things … [like] foreign vendor clearance certificates … all of those things we’ve sort of managed to get through.

“[E]ven the transition to digital titles and electronic conveyancing … they’re all big things that have occurred over the last 10 to 15 years … we think that we will be able to manage this process,” he says.

Allen points out that a proper risk profile will help the firm create policies and checklists to ensure the firm will meet their obligations under the Act. “[T]he checklist will come back to our day-to-day operation and that’s how we onboard people. That’s how we conduct our continuing review, that’s how we identify any red flags and then we have a process if there’s a red flag as to what to do next,” he says.

Many of Haille Paine’s clients are existing clients or have some relation or connection to existing clients. “We have clients who are out of [the] area, but often they’re within a family relationship [with] existing clients. So, mum and dad are here … they’ve moved away, [and] they want us to do things for them,” he says.

Allen believes that firms need to customise their programs based on their needs. “It’s not as simple as … ‘here’s your checklist, here’s your policy, job’s done.’ You’ve actually got to apply yourself and come up with something that’s specific for what your firm does and monitor it…,” he says.

The regulator’s perspective

As the legal profession braces itself for the reforms, it is also turning to the regulator for guidance on how to navigate the new laws and avoid prosecution or enforcement action.

“[I]n terms of compliance for new regulated businesses, the date that we’re really focusing on is the first of July. That’s when the obligations start …,” says Katie Miller, Deputy CEO at AUSTRAC.

She tells the Journal there are five key steps that lawyers need to take, and the first thing that lawyers need to do is to enrol with AUSTRAC. “So that’s actually telling AUSTRAC that they provide the designated services and that we will be regulating them,” she says.

Miller explains the online portal will be available sooner. “We encourage people from the 31^st of March to get on and enrol. It’s [a] very straightforward process,” she says.

The next step for legal practices is to appoint an AML Compliance Officer (CO). “Now, if you’re a small practitioner … that might actually be yourself … it might actually be the principal of the firm.

“If it’s a medium or larger sort of firm, then they might actually want to appoint somebody to be the dedicated AML Compliance Officer. And that might also help them with bringing in some capacity and … experience around managing AML obligations,” says Miller.

The next step is an AML program. As she explains, this is a document containing an assessment of the risks that the business encounters or faces from money laundering, terrorism financing and proliferation financing. The document “will also then provide the policies and procedures to mitigate, manage [and] control those risks,” she says.

On 29 January, AUSTRAC released its Program Starter Kits for the legal profession. AUSTRAC has different guides and kits for different sectors, including conveyancers, real estate agents, and the legal profession. As Miller explains, “[the Program Starter Kits] will basically provide guidance to lawyers and other newly regulated businesses on how to develop a program, and we give them a starter program that can be adapted and customised to the individual, business or firm.”

She acknowledges that, for a lot of businesses, comprehending what the risks are, and how to manage those risks, will be novel to them. “Most law-abiding citizens do not spend a lot of time thinking about how they can launder money,” she says.

Red flags and other signs for the legal profession

What are some of the common red flags or signs of money laundering or suspicious transactions that legal practitioners should watch out for? Moiseienko believes that “every firm would need to understand the risk profile of its customers and once it does that … enhanced due diligence will have to be applied to higher risk customers and that might include … customers from high-risk jurisdictions,” he says. 

Common ‘red flags’ include activities that don’t seem to make “commercial sense,” according to Moiseienko. “What that might look like in practice is, for example, very swift transfers of significant amounts of money. …

“In the context of a law firm, an obvious instance of what might be suspicious would be someone turning up with money they have no explanation for …,” he says.

There may be other instances or scenarios that might give rise to a closer scrutiny of the situation. There might be “something about the nature of the business or the profile of their activity, or the amount of money that they’re making that is simply out of touch with what they claim to be.

“That might give rise to a suspicion that is reportable,” says Moiseienko.

There may be different types of red flags detectable by the lawyer, particularly during the onboarding process. Lawyers often get the opportunity to ask the client questions about their instructions, including any motivations and rationale for their decisions.

Miller says it is about understanding or knowing who your client is. “So, knowing the circumstances of the customer, their identity … but … what’s their job? What’s the transaction that they’ve come to talk to you about today or the advice they’re asking for?

“One of the biggest red flags is transactions that don’t seem to have any legitimate purpose,” she says.

Miller gives the example of a client going to a law firm with instructions to set up a company or a family trust. “So usually, when somebody comes and asks for a company to be set up or a family trust to be set up, they’ve got a reason for it.

“‘I want to provide for succession planning for my children, or I am about to actually start a business.’ There’s usually something that is explainable,” she says.

Responses that are ambiguous, misleading or “overly complicated,” can often be a sign, as criminals often use these types of structures to hide who is controlling or benefitting from the transaction, in Miller’s view.

“[T]ransactions or services that have no apparent economic or legal purpose, things that are overly complicated … significant unexplained wealth, it’s just not matching up with what you understand about the client’s circumstances,” she says.

Miller acknowledges that while large sums of money or significant virtual assets can be a sign of a high-risk transaction, there may be plausible explanations as to where the money or assets are from. 

She points out there are steps lawyers and law practices can take to detect red flags, and whether a particular transaction (or client) is setting off warning bells. For instance, are there large amounts of money or virtual assets involved? Can the person provide a satisfactory explanation, or demonstrate, where the assets or money came from? 

Role of technology

AUSTRAC has perceived a mix of opportunities and challenges when it comes to the use of technology. “[W]e’re absolutely seeing that in the money laundering space,” says Miller.

“[T]he use of technology by some of our currently regulated businesses is really impressive. It’s actually being used to control some of the money laundering risks. But equally, we know … organised criminals … adopt the technology even more quickly,” she says.

Members of the legal profession are widely regarded as ‘gatekeepers’ and are in a prime position to detect suspicious transactions.

According to Miller, the first step when onboarding a new client is to gauge the level of risk. “If they’re low risk … [if they are] sort of mum and dad consumers, if they’re coming in to sell a property or they want to set up a family trust or something like that, that might be assessed as a … pretty low risk sort of customer.”

In this digital age, there are concerns that artificial intelligence or deepfakes may be used to generate identification to obscure or mislead the true identity of the person approaching the legal practice.

Miller points out where a client comes to a lawyer, if they are known or they don’t have a lot of odd or suspicious circumstances, and generally match the profile of the client, the AML/CTF Rules 2025 set out the information that needs to be checked. For instance, if the legal practitioner sights a passport, or a driver’s licence, or a cheque, there is no need to keep a copy of the ID, but it would be prudent to retain a record of the numbers. She acknowledges that while there is a risk of deepfakes or fake identification being used, that is a particular challenge that society is grappling with.

“I think that is something that lawyers just need to keep an eye on and if they’re looking at something and they’re saying, ‘yeah, look it just doesn’t feel right, I don’t think this ID is valid’, they do need to submit a suspicious matter report if they’re not satisfied about the ID …,” she says.

Miller concedes that AML/CTF compliance is a skill, but she believes, with practice, lawyers will improve and feel more at ease with it. While AUSTRAC does not expect “perfection” on day one, it does expect legal practitioners to get on board and enrol with the regulator. It also expects firms to have a program, an AML Compliance Officer, train staff members and attempt to ask questions and report.

“If lawyers are doing that and they are applying reasonable effort to it, then they should not expect a visit from our enforcement teams,” says Miller.

However, she warns that “if they stick their head in the sand, or if they just say ‘look … it’s not for me.’ They’re the people that we’re going to be concerned about.”

Looking to overseas jurisdictions: What lessons can Australia learn?

Australia is not the first jurisdiction to introduce AML/CTF obligations. Looking to overseas jurisdictions like New Zealand and the United Kingdom, there are things Australia can learn from their experience. Lynch says New Zealand got on board early and rolled out programs as efficiently as possible despite the initial “best guesswork”. “[S]upervisors didn’t necessarily have the lived experience of the new reporting entities … it took a while for it to be revealed what it could look like in that context, and it was largely industry driven,” he says.

Across the Tasman, it took a while to adopt the idea of governance and accountability at a senior level. Lynch explains that it was perceived as an “administrative process” carried out by the team with minimal oversight and input from the board. 

“Subsequent regulatory investigations and findings … suggests that AML/CTF only works in the business when the board, the SLT (senior leadership team), the manager, the CFO are plugged in … engaged and it becomes a standing topic to be considered and discussed,” he says.

Lynch believes the benefit of Australia coming into it a bit later is that there are a lot more training resources available, both in Australia and overseas, and there are options to outsource. “If you can’t afford an experienced compliance officer to be brought in as a hire, you should focus on where your training budget is and how you can uplift people internally …,” he says. 

“There is an argument to be made that this is an opportunity to review how you do your work,” observes Lynch. “[I]s there an opportunity to streamline what you are doing? Because I would gamble that most of the sole practitioners are doing a great job. They want their businesses to succeed. They want to know who their clients are … and they want to make sure they’re not at risk from regulatory enforcement.”

From AUSTRAC’s perspective, Miller says the regulator will be prioritising their attention on those who are “wilfully non-complying.” AUSTRAC has a broad range of powers and can take a range of enforcement action. “[W]e can direct a regulated business to appoint an external auditor to review their management of money laundering risk, or their compliance with their obligations, or to undertake a money laundering terrorism financing risk assessment.

“We can also issue infringement notices or [give] remedial directions … and then there’s the civil penalties,” she says. 

As Miller explains, provision of a designated service without a compliant program can often lead to a significant penalty. “Obviously when AUSTRAC makes a decision to seek a civil penalty, it’s a decision that involves a lot of consideration. It’s not something that we do lightly,” she says. 

The AUSTRAC Program Starter Kits contain a suite of documents and forms to help firms, particularly small firms, get started. According to Miller, this is the first time that a regulator has attempted to supply or share resources to help regulated businesses. “So, I would say that it’s a reflection of our commitment to try and keep the regulatory burden as low as possible. …” she says.

They are mainly aimed at firms with 15 staff or less. Miller hopes that medium sized firms have been keeping track of the developments and recommends they review the core guidance AUSTRAC published in October last year.

The Law Society of NSW has a dedicated AML and CTF hub available on its website. It contains key information about the obligations and some suggested steps to help firms prepare for compliance.

Miller acknowledges AUSTRAC’s guidance is not designed or intended to be read cover to cover like a piece of legislation. “It’s something that you dip in and out [of] based on where you are on your AML journey,” she says.

She encourages the profession to peruse the online resources, including free webinars on AUSTRAC’s YouTube channel. “That can be a good entrée or entry point for the businesses themselves … but also their staff,” she says. Miller says when it comes to engaging an external AML/CTF provider, practitioners should use the same level of discretion as with any other third-party service. “[B]e really clear about what assistance you want … remember that while you can get assistance, the obligation still sits with the firm.

“You can outsource the doing and the execution, but you can’t outsource the liability and responsibility,” she warns.

Lawyers are encouraged to peruse, utilise and provide feedback on the Program Starter Kits. “[It’s] an invitation to lawyers. We want them to use it. We want their feedback about it because this is the first time anyone’s done it. … We’re sure that we can continue to iterate it and improve it with feedback from actual users.”