What Do I Need to Do to Comply?

Last Updated: 19 June 2026

If your practice provides a designated service, you may have obligations under Australia’s AML/CTF regime. 

The AML/CTF framework is risk-based, meaning the steps you take to comply should be proportionate to: 

  • the services you provide;
  • the size and structure of your practice; and
  • the level of money laundering and terrorism financing risk associated with the services you provide and your practice.

Not all practices will have the same obligations, and not all obligations will apply in every circumstance.

More information about AML/CTF obligations can be found on the AUSTRAC website.

Step 1: Determine Whether You Are Captured

Before taking any further steps, practices should assess whether they provide one or more designated services. Legal practitioners fall under the definition of ‘professional services’ under the AML/CTF legislation. More information on designated services that fall under the Professional Services definition is available on the AUSTRAC website.

This assessment should focus on:

  • what services are actually provided to clients;
  • how those services are delivered in practice; and
  • whether the services fall within the activities listed in the AML/CTF legislation.

Step 2: Enrol with AUSTRAC 

Practices that provide designated services will be required to enrol with AUSTRAC.

In practical terms, this means: 

  • if your practice is already providing designated services on or after 1 July 2026, you will need to be enrolled by that time; and
  • if you begin providing a designated service after that date, enrolment must occur before or at the time the service is provided.

Legal practices can commence enrolment from 31 March 2026.

Enrolment allows AUSTRAC to: 

  • identify reporting entities;
  • communicate regulatory information and guidance; and
  • undertake supervision and education activities.

Step 3: Develop and Maintain an AML/CTF Program

Captured practices will be required to develop and maintain an AML/CTF program.

An AML/CTF program is a documented framework that sets out how a practice identifies, mitigates and manages money laundering and terrorism financing risks. It should be tailored to the nature of the designated services provided by the practice.

An AML/CTF program typically addresses matters such as: 

The level of complexity of an AML/CTF program should be proportionate to the size and risk profile of the practice.

Step 4: Conduct Customer (Client) Due Diligence

AUSTRAC refers to these requirements as customer due diligence (CDD). In the context of legal practice, these requirements relate to client due diligence, reflecting the way legal practitioners engage with and refer to those for whom they act. 

Practices that provide designated services may be required to carry out customer due diligence to help understand who they are acting for, the purpose of the service being provided, and whether the matter presents an elevated money laundering or terrorism financing risk.

CDD obligations apply in relation to the provision of designated services and are not intended to apply to every client or every matter a practice undertakes.

What Customer Due Diligence Involves

Customer due diligence generally involves taking reasonable steps to:

  • identify the client;
  • verify the client’s identity;
  • identify and verify beneficial owners where relevant; and
  • understand the purpose and intended nature of the service being provided.

The level of due diligence required will depend on the circumstances of the matter and the level of risk identified.

When Customer Due Diligence Is Required

Customer due diligence may be required:

  • before a designated service is provided;
  • when there is a change in the nature of the service or the risk profile (see ongoing due diligence below); and
  • where information obtained previously is no longer reliable or sufficient (see ongoing due diligence below).

In some circumstances, customer due diligence may be undertaken on a delayed basis, subject to the requirements of the AML/CTF legislation and guidance.

Note: CDD requirements are linked to designated services, not simply to the existence of a client relationship.

Risk-Based Approach to Due Diligence

The AML/CTF framework adopts a risk-based approach. This means practices should apply a level of due diligence that is proportionate to:

  • the type of designated service provided;
  • the nature of the client;
  • the structure or complexity of the transaction; and
  • any identified risk indicators.

Lower-risk services may require less intensive due diligence (known as Simplified CDD), while higher-risk services may require enhanced measures (known as Enhanced CDD).

Beneficial Ownership

In some circumstances, practices may be required to identify beneficial owners. This is particularly relevant where services involve:

Understanding who ultimately owns or controls a client or transaction can be a key part of assessing risk.

Politically Exposed Persons (PEPs)

As part of customer due diligence, practices may be required to consider whether a client or beneficial owner is a politically exposed person (PEP).

PEPs are individuals who hold, or have held, prominent public positions. This can include domestic PEPs, foreign PEPs and international organisation PEPs, as well as certain close associates and family members.

Where a client or beneficial owner is identified as a PEP, this may indicate a higher money laundering or terrorism financing risk. In such circumstances, practices may be required to apply enhanced customer due diligence, which can include additional steps to understand the client and the nature of the service being provided.

Identification of a PEP does not mean a service cannot be provided. It does mean that additional care may be required to assess and manage risk in accordance with the AML/CTF framework.

Sanctions and Targeted Financial Sanctions (TFS) Obligations

As part of customer due diligence, reporting entities are required to collect and verify information to establish whether a client, or any relevant party connected to the matter, is designated for targeted financial sanctions. This includes screening clients, beneficial owners, and persons acting on behalf of a client against the DFAT Consolidated List.

Australian sanctions laws prohibit directly or indirectly making assets available to, or for the benefit of, a designated person or entity. In a legal practice context, this risk can arise in everyday work, such as holding or transferring funds through a trust account, facilitating property transactions, or assisting with the establishment or transfer of companies or trusts.

Importantly, sanctions risks are not limited to direct dealings. A contravention may occur where a legal practitioner facilitates a transaction that ultimately benefits a designated person or entity, even if they are not the immediate client. Care should also be taken where assets may be owned or controlled, directly or indirectly, by a designated person.

Practitioners should ensure that sanctions screening forms part of their CDD processes at onboarding and on an ongoing basis.

Where a potential match or risk is identified, the matter should not proceed until it has been properly assessed, and appropriate steps are taken in accordance with applicable obligations.

For further guidance, see the Australian Sanctions Office guidance note.

Source of Funds and Source of Wealth

In some circumstances, customer due diligence may include consideration of a client’s source of funds and source of wealth.

  • Source of funds refers to where the funds for a particular transaction or matter originate.
  • Source of wealth refers to how a client has acquired their overall wealth.

Understanding source of funds and source of wealth can assist practices in assessing whether funds involved in a matter are consistent with the client’s profile and the nature of the service being provided.

These considerations are particularly relevant where:

  • the matter or transaction is assessed as higher risk.
  • large or unusual amounts are involved.
  • the client's circumstances are complex or opaque.

The extent of enquiries required should be risk-based and proportionate to the circumstances. Practices are not expected to conduct intrusive or unnecessary investigations where the risk does not justify it.

Ongoing Due Diligence

Customer due diligence is not always a one-off exercise. Practices may need to conduct ongoing due diligence where:

  • the matter continues over time.
  • the nature of the service changes.
  • new risk factors emerge.

Ongoing due diligence supports effective monitoring and compliance.

Relationship with Existing Client Processes

Customer due diligence may overlap with existing client onboarding and file opening processes.

Practices should consider how AML/CTF due diligence requirements can be integrated into existing workflows in a way that is proportionate and practical.

AUSTRAC has provided more information about transitioning existing customers under the new regime.

Reliance on Third Parties for Customer Due Diligence

In some circumstances, a practice may be able to rely on a third party to carry out customer due diligence on its behalf. This is commonly referred to as reliance.

Reliance may be used where another party has already collected and verified customer information for the same transaction or matter. This can help avoid unnecessary duplication, including asking a client to provide the same information multiple times for the same transaction.

Reliance is not automatic and is subject to specific requirements under the AML/CTF framework.

When Reliance May Be Appropriate

Reliance may be available where:

  • customer due diligence has already been conducted by another party in relation to the same transaction or service.
  • the information collected is relevant, current and reliable.
  • reliance is permitted under the AML/CTF legislation and guidance.

Reliance does not remove the need for a practice to understand the client or the nature of the service being provided.

Responsibility Remains with the Practice

Where a practice relies on a third party:

  • the practice remains responsible for meeting its AML/CTF obligations.
  • reliance does not transfer liability for compliance.
  • the practice must be satisfied that reliance is appropriate in the circumstances.

Requirements for Reliance

If a practice intends to rely on a third party to conduct customer due diligence, certain requirements must be met. These may include:

  • having appropriate arrangements in place with the third party.
  • being able to obtain customer identification information and verification details.
  • ensuring information can be provided promptly if requested.

Practices should ensure they understand and meet the conditions that apply before relying on a third party.

Step 5: Ongoing Monitoring and Reporting

AML/CTF obligations may include ongoing monitoring and possible reporting of client matters and transactions. Ongoing monitoring may involve:

  • reviewing matters and transactions to ensure they remain consistent with the purpose and nature of the service being provided.
  • identifying changes in client behaviour, instructions or transaction patterns.
  • reassessing risk where new information becomes available.

Ongoing monitoring is closely linked to ongoing customer due diligence and may trigger the need for further enquiries or enhanced due diligence.

Reporting Obligations

Where required, practices may need to report suspicious matters to AUSTRAC.

A suspicious matter report may be required where there are reasonable grounds to suspect that:

  • information relates to the proceeds of crime.
  • information may be relevant to an offence or investigation.
  • the activity appears unusual or lacks an apparent lawful purpose.

Reporting obligations can arise at different stages of a matter and are not limited to the commencement of a client relationship.

Legal Professional Privilege

The AML/CTF framework recognises legal professional privilege.

Legal professional privilege is not displaced by the AML/CTF regime, except to the extent provided for by the legislation. Practitioners should carefully consider whether information is subject to privilege when assessing reporting obligations.

The interaction between AML/CTF reporting requirements and legal professional privilege can be complex and will depend on the circumstances of the matter.

More information about legal professional privilege and AML/CTF obligations is available on the AUSTRAC website.

Tipping Off

The AML/CTF regime includes prohibitions on “tipping off”.

Tipping off occurs where a person discloses information to a client or another party that is likely to alert them to the fact that:

  • a suspicious matter report has been made, or may be made, to AUSTRAC; or
  • an AML/CTF investigation, enquiry or reporting obligation may be underway.

These prohibitions are intended to prevent actions that could prejudice investigations or enable the concealment of criminal activity.

More information about tipping off is available on the AUSTRAC website.

Managing Tipping Off Risks in Legal Practice

Practitioners should take care when communicating with clients or third parties in circumstances where:

  • a suspicious matter report has been made, or is being considered.
  • AML/CTF concerns have arisen during the course of a matter.

While practitioners may continue to provide legal services and communicate with clients in the ordinary course of practice, care should be taken not to disclose information that could reasonably alert a client to the existence of a report or regulatory interest.

Step 6: Record Keeping

Practices that are captured under the AML/CTF regime will be required to make and keep certain records in accordance with the AML/CTF legislation.

Record keeping supports compliance with AML/CTF obligations, enables effective supervision, and assists regulatory and law enforcement activities.

All reporting entities must comply with the Privacy Act 1988. Even if you’re a small business, you have obligations under the Privacy Act because you’re a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act).

What Records May Need to Be Kept

Depending on the designated services provided, practices may be required to keep records relating to:

  • customer due diligence, including identification and verification information.
  • risk assessments and decisions made in relation to AML/CTF obligations.
  • transactions or services provided as part of designated services.
  • suspicious matter reporting and internal decision-making processes.

The types of records required will depend on the nature of the services provided and the obligations that apply.

Retention Periods

The AML/CTF framework includes minimum record retention periods. Records must generally be retained for specified periods after:

  • a designated service is provided; or
  • a client relationship or matter ends.

Retention periods are intended to ensure that information is available for compliance, supervision and investigation purposes.

Practices should ensure they are aware of, and comply with, the applicable retention periods set out in the AML/CTF Act, the AML/CTF Rules and relevant guidance.

Storage and Accessibility

Records should be:

  • stored securely;
  • accessible when required; and
  • capable of being produced promptly if requested by AUSTRAC or another authorised body.

Records may be kept in electronic or hard copy form, provided they are reliable and can be retrieved when needed. 

AML/CTF record keeping does not require you to keep copies of a client's identification documents. The OAIC has confirmed in its Privacy guidance for reporting entities under the AML/CTF Act that the Act does not require scanned copies or photocopies of identity documents, such as a driver's licence or passport, to be retained. Where a practice does collect such a copy, it should take reasonable steps to destroy it, or remove the identifying details, once it is no longer needed. What you generally need to keep is a record of the customer due diligence you carried out, not the underlying identity documents themselves. This may, however, vary depending on other legislative requirements that apply to your matter.

Privacy Act Considerations

The introduction of AML/CTF obligations may have privacy law implications for some legal practices.

In particular, some practices that were previously not bound by the Privacy Act 1988 (Cth) due to the small business exemption may now fall within the scope of the Privacy Act as a result of handling personal information for AML/CTF purposes.

Where this occurs, the application of the Privacy Act relates only to work that falls within the scope of AML/CTF obligations, and not to other areas of the practice, assuming the practice otherwise meets the requirements of the small business exemption.

Where the Privacy Act applies, practices will need to ensure that personal information collected, used and disclosed as part of AML/CTF compliance is handled in accordance with privacy obligations. This includes obligations relating to:

  • the collection of personal information;
  • use and disclosure of that information;
  • storage and security; and
  • access and correction.

Practices should consider how AML/CTF-related information handling aligns with existing privacy policies, data management practices and security controls.

Guidance on the interaction between AML/CTF obligations and privacy requirements has been released by the Office of the Australian Information Commissioner.

Practices should monitor updates from the Office of the Australian Information Commissioner and ensure privacy considerations are factored into the development and operation of their AML/CTF program.

Using Technology and External Providers

Practices may choose to use technology solutions or external service providers to assist with AML/CTF compliance.

Technology can support activities such as:

  • client identification and verification;
  • record keeping;
  • risk assessments; and
  • monitoring processes.

Practices remain responsible for compliance with the AML/CTF regime, even where third-party tools or providers are used.

Step 7: Preparing Early

Although the AML/CTF reforms commence on 1 July 2026, practices are encouraged to begin preparing early.

Early preparation may include:

  • assessing whether designated services are provided;
  • becoming familiar with AML/CTF concepts and obligations;
  • monitoring guidance and education updates; and
  • planning how AML/CTF requirements may be integrated into existing practice processes.