
AML/CTF Rules 2025: AML/CTF programs for law firms

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.


 

Understanding AML/CTF Rules 2025 Part 5: AML/CTF programs, and what it means for the law sector

AML/CTF compliance is becoming mandatory for Australian law firms from July 2026. To build a compliant program, you’ll need to understand key terms like ML/TF risk, KYC, PEPs and source of funds. This guide explains the essential concepts and obligations so your firm can meet AUSTRAC’s requirements, strengthen governance and reduce risk.

Useful terms

Before diving in, here are a few key terms you’ll see often:

  • ML/TF risk: the risk your firm could be used for money laundering or terrorism financing.
  • KYC information: the identification and verification checks you collect on your clients.
  • Source of wealth (SoW) and source of funds (SoF): where a client’s overall wealth and the specific funds for a transaction come from.
  • Politically exposed person (PEP): someone with a high-profile public role (foreign, domestic, or international organisation).
  • Designated services: the specific regulated services under the Act (for lawyers, these include conveyancing, trust account use, company formation, etc.).
  • Governing body: the person or group in your firm overseeing AML/CTF compliance.
  • Independent evaluation report: a review of your AML/CTF program by an outside expert, such as an AML consultancy.

Risk assessments (Division 1)

Your AML/CTF program starts with a risk assessment. You need to understand where and how your firm could be exploited for ML/TF.

If an independent review finds problems with your risk assessment, you must fix them promptly. Your governing body (internal oversight group) is responsible for ensuring this happens.

Policies for managing ML/TF risks (Division 2)

Your written policies must cover how your firm will reduce ML/TF risks. This includes:

1. Customer due diligence (CDD)

You need clear rules for:

  • Initial CDD: verifying a client before acting.
    Example: A client engages a law firm for conveyancing → collect and verify their ID. If the buyer pays cash or uses funds from a foreign account → also check the source of those funds.
  • Ongoing CDD: re-checking if circumstances change.
    Example: An existing family law client now wants to buy property through a company → re-verify directors and shareholders, and confirm source of funds.

2. Targeted financial sanctions

Your policies must make sure that, when providing designated services, you:

  • do not give money or assets to any individual or entity on a sanctions list
  • do not use or handle assets that belong to or are controlled by any individual or entity on a sanctions list

3. Updating policies

If an independent review shows gaps, your policies must explain how you will update them.

4. Senior manager approval

Certain high-risk situations need senior manager (likely a Managing Partner or CEO) approval before proceeding, such as:

  • Acting for a foreign PEP.
    • Special case
      Example: A Sydney firm opens a matter for a client who is a PEP in Fiji. If the service is delivered through the firm’s Fiji office, the client is treated as a domestic PEP for approval.
  • Acting for a domestic or international PEP who poses a high ML/TF risk.
  • Using “nested services”
    • Example: A law firm wants to send client funds overseas. Instead of dealing directly with a bank, it uses a fintech that relies on a global bank. Because the service passes through multiple layers (law firm → fintech → bank), a senior manager must approve it before funds can be sent.
  • Relying on another party’s KYC checks

AML/CTF policies related to governance and compliance management (Division 3)

Reporting to the governing body (i.e. your internal oversight individual or group)

Your policies must set out how AML/CTF information flows up to your governing body.

Reports from the AMLCO

Your AMLCO must provide at least annual reports on:

  • Whether policies are being followed.
  • Whether risks are being managed effectively.
  • Whether the firm is complying with the law.

Personnel due diligence

Staff working on AML must be checked for skills, honesty and integrity, both when hired and during their employment.

Training

Staff must receive tailored AML training.

  • Example: A junior assistant should know how to spot unusual deposits.
  • Example: A partner must understand how to approve or reject high-risk PEP clients.

Independent evaluations

Every AML/CTF program must be independently reviewed at least every three years. The evaluator will test whether your policies are adequate, whether your firm is following them, and whether risks are being managed properly.

Quality of reports

Your AML/CTF policies must ensure reports to AUSTRAC are accurate, complete and untampered with. This includes:

  • Suspicious matter reports (SMRs)
  • Threshold transaction reports (TTRs)
  • International value transfer reports

Your AML/CTF policies must give you time and processes to review information that could trigger a suspicious matter report (SMR).

Your AML/CTF policies must stop staff or contractors from warning customers that an SMR might be, or has been, lodged.

AML Compliance Officers (AMLCOs) (Division 4)

Your AMLCO must be fit and proper. This means they have the right skills, integrity and no disqualifying history (e.g. bankruptcy, serious convictions, regulatory bans). For law firms, this is usually a partner or senior lawyer with compliance or risk expertise.

AML program documentation (Division 5)

Your AML/CTF program must be written down, including risk assessments and policies, before you start offering designated services. Updates must be documented within 14 days.

Policies related to lead entities (in reporting groups) (Division 6)

If your firm is part of a reporting group (for example, a national network of offices), the lead entity must keep accurate and updated membership records.

Real estate transactions (Division 8)

For conveyancing and other property matters, you must ensure your AML/CTF policies explain how you will verify your customer’s identity before settlement.

Exception: reliance clause

Law firms can sometimes rely on another reporting entity (such as a conveyancer or another law firm in a reporting group) to complete client verification. But it must be covered by a written agreement, finished within 15 days of contract exchange (or settlement, whichever comes first), and your firm still carries ultimate responsibility.

What doesn’t apply (Division 7)

Rules for “transfers of value” (like banks processing payments) generally don’t apply to law firms. The only time they might is if you step into financial services territory (e.g. moving money through fintech platforms). In that case, extra approval processes apply.

Why this matters for law firms

For law firms, the AML/CTF program is not just a regulatory formality. It will:

  • Reshape how you onboard and engage clients.
  • Require new governance, training and reporting processes.
  • Place personal accountability on partners and senior managers.

The good news is that many requirements build on processes you already have, like conflict checks, trust account rules and client due diligence. The challenge will be documenting, formalising and proving compliance.

 


About First AML

First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
