Late in 2024, the Australian Federal Parliament passed significant legislative changes that will extend anti-money laundering and counter-terrorism financing regulations over legal services – as well as accounting, real estate, trustee, and corporate secretariat services. For lawyers, this is unquestionably a new and potentially onerous form of regulation.
It is no exaggeration to say it represents probably the biggest change to the legal services regulatory framework since adoption of the Legal Profession Uniform Law and related state codes almost a decade ago.
Accordingly, many lawyers and other new Tranche 2 regulated entities may be understandably anxious about the scale of these changes. Some will remain grumpy for a while yet about its infliction upon the profession. But my aim here is not to revisit the debate about that – the direction of political travel was clear throughout 2024, and that battle was lost. Anti-money laundering (AML) regulation for lawyers is now law, whether we like it or not.
Instead, my aim in this article is to convey deep experience in the New Zealand profession, and to suggest six initial practical steps that law firms can begin to think about and act upon, now, even in the early stages of planning.
This might make AML more navigable, and in the process hopefully soothe a few anxieties. Even so, there will be a lot of work to do and uncertainties to navigate before July 2026 when the changes are slated to take effect.
Perspective
The closest comparison point is New Zealand where, since July 2018, commercial and transactional lawyers have dealt with a very similar AML framework. That includes having to put in place a fully working risk assessment and compliance program for new clients and instructions from that time. My experience advising, training and representing the profession through this transition drew upon a decade with a variety of financial firms, trading or gambling clients – who had been forced to think more deeply about financial crime risks.
That experience suggests two critical elements will soon become apparent in Australia:
- legal and accounting firms need to find ways to adapt and grapple with what is primarily a banking-based version of regulation, now rolled out over different professional services business models; and
- a mindset or culture shift is required to help get lawyers comfortable with the changes and conceive of their firm as a regulated quasi-financial business.
It has not been an easy ride for New Zealand law firms, and not without new costs, for sure. But my perspective suggests the anxiety levels do not need to be quite so elevated for the Australian profession. We have seen in the UK, New Zealand, Asia and most countries in Europe, that AML compliance for lawyers can be manageable in the end.
So, I do not believe the sky will fall in mid-2026, when the AML-CTF Amendment Act 2024 (Act) will come into force. Transactions will still be possible, legal professional privilege will still exist, and legal services will continue to be necessary, profitable and in demand. However, our services are becoming more highly regulated and subject to rigorous compliance processes.
My main message of caution is that preparing for this will take more time, detail, discussion and documentation than you imagine at the outset. It is not like plugging details into a contract precedent template or filling out a few online forms. Firms that begin the shift into a compliance mindset sooner, and set about making business process systems alterations now, will be better placed to deal with implementation smoothly.
First, a couple of caveats to mention. While Parliament obviously managed to rush the draft Bill into law shortly before it rose for the summer break, many important details are yet to be seen. AUSTRAC, as AML regulator and Financial Intelligence Unit (FIU), is, at time of writing, starting to consult on what will eventually bring more clarity in delegated legislative form through the AML-CTF Rules. Those will be important because many parts of the Bill/Act set out high-level principles only, with the detail necessary to enable nitty-gritty implementation of compliance coming only in the Rules.
Also, understand that this process reflects changing international community expectations that lawyers will play a role in preventing criminals from abusing their services and, in particular, Australia remains under the spotlight of overseas Financial Action Task Force (FATF) scrutiny through 2025 and 2026. Potential issues might keep surfacing while the FATF conducts its evaluation of Australia, including:
- Australian Federal Police and law enforcement agencies may keep taking cases and highlighting examples where lawyers, trustees or property market players have been caught up in laundering the proceeds of crime, until the reform beds in, and to show the FATF they mean business; and
- AUSTRAC, Treasury and others will keep publicising problems with beneficial ownership of legal structures, shell companies, opaque trusts and complex asset arrangements. Those are some areas where lawyers and accountants may end up assisting (unwittingly or wilfully blindly) the criminally-minded to stash assets or evade tax.
Six steps – best to start soon
At this stage, most core principles have been clearly laid out. Serious work and upskilling will be required by those new to the anti-money laundering and counter-terrorism financing (AML-CTF) regime, a multi-layered beast that corporate and financial Australia has wrestled with since 2006.
The regulator has promised to assist with copious guidance, but to begin I suggest early planning might incorporate the following six practical elements into your approach:
- Map out the services your firm offers against what is in scope for regulation;
- Decide who will take ownership of the AML jungle and jargon;
- Put real effort into preparing a risk assessment of your legal services;
- Leverage off existing systems already in place, re-purposing for compliance;
- Take the opportunity to update your tech and information management;
- Get comfortable with having a new proactive regulator relationship.
1. Determine what services you offer are in or out of scope, and re-organise client intake
A critical point to understand is that you are not regulated because you are a lawyer or a law firm. The scope of coverage or capture is “activities-based”, which turns upon specified designated services listed in section 6 of the Act, specifically in newly-added tables 5 and 6. As those are not yet in force, check the Amending Act, or AUSTRAC’s website for a handy ‘Future Law Compilation’ incorporating the new real estate and professional services tables.
The tables contain a list of discrete activities that lawyers and conveyancers, advisory and trustee firms, might offer and engage in. A person (lawyer, firm or lead of a “reporting group”) who provides any one or more of those designated activities will become a “reporting entity” and therefore be subject to the obligations of the Act.
To some extent, designated services should be those provided “in the course of carrying on a business” – a phrase likely to engage a number of contextual factors, about which we can expect AUSTRAC guidance. That may afford scope for truly unusual or one-off services to be treated differently. Further, studying the “geographical link” to Australian aspects of what services are within territorial scope of capture, might potentially limit some offshore work (but it aims to capture all matters at or through a domestic office).
Close analysis of the section 5 definitions and section 6 tables is required. Map out the exact services your law firm provides against each part of the tables. Most traditional transactional services which a property law, corporate, banking or mergers and acquisitions team provides are intended to be captured. But sometimes it will not be obvious whether certain scenarios are in or out of scope. For instance, litigation is generally not intended to be a regulated service due to its low risk of money laundering. But holding client funds in a trust account for or upon settling a dispute, particularly if there are unusual or extended payment arrangements, might engage item 3 of table 6 ‘managing client money’ (subject to carve-outs in 5C below the table).
Since AML coverage will only apply to specified legal services, a full-service firm has a choice of whether to carefully filter and select only those clients where it applies, or only when clients seek a particular transactional service. For other firms, it may prove more straightforward to apply the new compliance procedures to all clients regardless of the service or nature of instruction.
That could depend on the proportions of work in captured and non-captured practice areas, and what the firm’s lawyers and support staff will find administratively easier or less costly to handle. Simply running all new clients after July 2026 through a new AML compliant system for matter-opening might be simpler, even if over-capturing some. But commercial and business process choices will come about in how you decide to re-organise new client or new matter intake, due diligence and other client-facing steps. Part of your compliance program will have to clearly document those steps, and train staff in what is hopefully not an overly-complex way to determine at the outset which process should apply to which matters.
2. Decide who will own the AML function and learn the language
AUSTRAC has already begun putting guidance on its website for Tranche 2 firms, and all lawyers would do well to check in regularly for updates as the year unfolds. A sound starting point is the ‘Future Law Compilation’ of the Act as it will stand in 2026, and the ‘Summary of Obligations’ for new regulated entities.
Someone within the firm will need to go beyond those introductory materials; read and engage more deeply, lead development of the necessary skills within the firm and move its dial on compliance procedures. An internal AML Champion, if you will. Who that may be is up to each firm to decide. This leads to one of the many broad choices in addressing compliance: develop the expertise in-house, having internal lawyers or staff spend the time to learn and implement changes, or outsource as much as possible to consultants with experience?
One path entails more billable time cost to the firm, the other more short-term external financial cost.
Ultimately, AML compliance is a financial and reputation risk management issue for law firms, so a reasonably senior person may be desirable. Since each reporting entity must have an AML-CTF compliance officer, who meets the new fit and proper tests and is employed or engaged “at management level” (sections 26J-26K) and since partners or directors ultimately will remain liable, developing in-house knowledge makes sense.
Not everything can (or should) be outsourced in any event. Larger firms may assess if they have the size or resources to hire a specialist full time for the role, others may try to engage or share (part time or fractional) a person with experience working alongside a closely interested partner.
Like any area of law or industry, AML is replete with jargon: DNFBP, SMR, FIU, TTR, CDD, IVTS, and don’t even get me started on PF and TFS! It is a surprisingly complex and dense regime, which banks and other Tranche 1 companies have learned the hard way. The AML Champion should take time to penetrate the acronyms and get to know the patchwork of important multi-layered documents, risk assessments, domestic regulations and international materials that set out definitions, exemptions, thresholds and related recommendations. Develop your own working glossary and share it within the firm.
Time invested now to learn the language and understand the context will help law firm departments and teams see more clearly why something might be considered a risk, and what AUSTRAC expects them to do to mitigate it through compliance procedures.
3. Put real effort into a risk assessment of possible criminal misuse of your services
Your AML-CTF compliance program is made up of two important parts: a risk assessment and a set of compliance policies. The Act requires a risk assessment to be undertaken (sections 26C–26E), and this is the place to start. In terms lawyers will more readily understand, it is a type of internal due diligence report – not about a transaction, property or proposed investment, but of the risks arising from the firm’s own services and clients. If done properly, it becomes a key platform for all AML compliance steps that will follow. And, ultimately, helps you focus only on what matters.
The risks each firm is required by law to assess are the likelihood of criminal misuse of its services. This assessment or due diligence report must be tailored to the money laundering, terrorist financing and sanctions or weapons proliferation risk that each firm could reasonably face – given its client base and sphere of operations.
This is where the mindset or culture shift begins for lawyers: starting to think about clients not only as wondrous sources of instruction, amusement and billings, but potentially a person who might try to misuse your services or pull the wool over your eyes as to their true owners, intentions or income sources.
A large full-service office of a national firm is of course very different to a small country town practice focused on property law and wills & estates. If licensed to also provide real estate services, the risks might differ slightly again. The aim of the exercise is to identify, list and assess all the possible risks of money laundering and financing of terrorism that your firm (not some other notional firm or template) may reasonably expect might arise (hopefully very rarely) in the course of its business of providing legal services.
Section 26C of the Act sets out specific requirements of this risk assessment, following a well-established international framework (derived from FATF norms) that includes separately considering:
- the nature, size and complexity of the business;
- the kinds of designated services it offers;
- the types of customers it deals with;
- the countries it deals with;
- the methods or channels by which it delivers services to its clients;
- any new or emerging technologies it may operate with; and
- any applicable factors or information produced by AUSTRAC or set out in the AML-CTF Rules.
Each of those main dimensions of possible risk needs to be addressed and explained in the context of the particular firm. Not all dimensions may be relevant to each firm – if not, explain why. For example, if you don’t deal with any overseas clients, work, referrers or recent immigrants, then your “country risk” section may be slim. But at least turn your mind to each of the types of legal service offered in each team, their types of client bases, service delivery or distribution to clients, referrers and institutions dealt with – and their geographic jurisdictions. That can all vary considerably within separate practice areas and departments, let alone across different offices or firms each with their own peculiar practice. This is why it should be a bespoke exercise, not simply ticking through a template. Please don’t skimp on this step. If done thoroughly and well, the firm will better understand its idiosyncratic risk areas. It will avoid wasting time and money on compliance steps not targeted at the risks actually facing that particular firm.
There is flexibility for the risk assessment to be kept proportionate to your firm, although it must be detailed, reviewed and updated regularly (and available for inspection by AUSTRAC). Remember that a cheap, tick-the-box approach to documentation will be likely to attract more attention from AUSTRAC or an auditor. They tend to look for quality of analysis of your business, over quantity or flashy graphs and tables.
Once armed with an understanding (and a written evaluation) of what the risks really are in its day-to-day operations, the firm can move on to developing helpful process controls that tame some of the risks.
Those procedures and controls are then described (or created, or beefed-up) in the rest of your compliance program documents.
4. Leverage off what you already do
Most lawyers, as they garner experience, develop a keen sense for clients who are risky or less than trustworthy; an informal sense or ‘sniff test’, often heightened around the credit risk of not being paid! And many existing systems within a firm can be re-deployed with a new AML focus – client or matter-opening processes being an obvious place to start. Try to fine tune those senses, sniff test instincts and current administration systems into high quality client due diligence (CDD) processes.
Sometimes described as ‘Know Your Customer’ (KYC) steps, this is where you must obtain certain data about every new client and then take steps to verify the data as accurate. Usually, it must occur before starting work on that new instruction (see section 27 onwards in the Act). Think about the history of your firm and its practice areas. What was it that led to disquiet about a particular client or instruction? Was a transaction aborted or changed unexpectedly? Did the client’s peculiar instructions play out in a way that did not make commercial or economic sense? Refine and document those instincts into possible risk factors. Then think about how the firm could have detected and intervened sooner if something was amiss or criminal.
Generally, CDD will not be retrospective (at first) – it does not require all existing clients to be verified according to specific AML-CTF standards from day one. But once the law comes into force CDD will typically have to be rolled out to new client relationships or instructions captured by a designated service. Many law firms already have matter opening forms, online enquiry systems, or aspects of their client care and terms of engagement process that smartly and seamlessly gather the minimum information required for CDD. That might include things like the client’s full name; date of birth; if not the end client, that person’s relationship or beneficial ownership details; company identifier or registration number; and other information. Your AML Champion will have to study part 2 of the Act in detail.
5. Overhaul your data and technology approach
Obtaining basic information is one thing, moving on to verifying that, especially for trusts and more complex offshore or high-risk situations, can be much more challenging. But simple steps like obtaining copies of passports and corporate establishment or incorporation papers at the outset can be worked into existing terms of engagement letters without fuss. Don’t reinvent the wheel, just repurpose to AML risks.
But if your current wheel is broken, or the partnership has been meaning to upgrade IT systems for a while, but the time or budget is never right – this could be the necessary spur to do it.
At risk of oversimplification, AML boils down to an information management problem within the firm. It needs to gather information about new clients and their background, and corroborate or verify it. It then needs to monitor what the clients do using the firm’s services. And, worst case, if something arises which cannot be explained and is criminally suspicious, it may need to retrieve and pass on the information.
Everything else is really a complex compliance machine built to make sure you handle those three crucial information monitoring and data handling tasks.
There are also detailed record-keeping requirements to get familiar with, and the need to interface with the FIU’s online system to report suspicious transactions or matters when required. There will be a lot more guidance and training sessions on how to do this, but that is the sharp end of the system for most lawyers and the source of many anxieties.
Whilst hopefully no firm is still operating with Dennis Denuto-style admin systems in the office, if your IT and data management tools are outdated, they could be found wanting in the new AML world. Just beware the many software solution and snake-oil vendors who will spring up. Do your due diligence!
6. Get used to a more intimate regulator relationship
Lawyers should get accustomed to having a closer relationship with a proactive regulator. While the law societies’ self-regulatory model provides an effective ethical control, the nature of that is largely reactive to complaints. AUSTRAC is a big, well-resourced and proactive regulator. It will more regularly supervise and ask questions about how lawyers are noticing and handling their financial crime risks.
Several contact points with AUSTRAC arise. These include the first step of having to enrol as a reporting entity so AUSTRAC knows who it is regulating and who the designated Compliance Officer is for each firm. From there, you will be making an annual report to the regulator, and every three years you will be engaging an independent report to audit your firm’s application of its AML risk assessment and compliance program (to ensure the firm is actually doing all the good things it says it will do). You may have to respond to a random supervisory check, a request for compliance documents or even a visit to offices.
Suspicious matter reports are among the most difficult judgement calls a lawyer might have to make. Having to decide to report on a client, and for what aspects or activities, goes against the grain of fundamental training for many lawyers. But it is a key output of the whole AML regime. The clue is in the impersonal label “reporting entity”. From the New Zealand experience, those reports should be a rare and careful step, maybe requiring external advice. Certainly not a daily or weekly exercise as may routinely happen in banks and financial institutions.
Purposive
Whether we agree with it or not, intelligence gathering and reporting to the FIU is core to the AML system. But information that is truly legally privileged does not need to be reported. And, conversely, firms that become caught up in a scandal where services were used for criminal purposes may not survive the reputational damage. I encourage lawyers to try to see the bigger picture: this is a compliance chore, certainly, but one day it may provide a missing detail of financial intelligence that helps break a methamphetamine ring in your town, or pre-empt a terrorist threat in our cities.
Taking a steer from other lawyers or experts abroad who have had to deal with this AML dragon offers practical and risk management pathways through the new regime. Professional firms in New Zealand have eventually worked through initial AML anxiety, resigned themselves to the new annoyances, and made it back to a ‘business as usual’ state – albeit with altered client procedures. It can be done, and I hope solicitors see these tips as a way to minimise the pain. But start soon.