How to practically achieve AML/CTF compliance for the Legal Industry

Law firms must enrol as reporting entities with AUSTRAC from 31 March, before providing any designated services. This is a legal obligation and must be kept up to date. Failure to enrol can result in significant daily fines. 

Create a formal AML/CTF programme that includes: 

• A comprehensive risk assessment (covering services, client types, engagement methods, and jurisdictions). 
• Policies and procedures tailored to the firm’s risk profile. 
• Clear documentation of how risks are identified, mitigated, and managed. 

• Firms must establish clear governance: a governing body (board or risk committee), a responsible senior manager, and a compliance officer (the “glue” of the program).
• Appoint a compliance officer (fit and proper) to oversee day-to-day compliance. 
• Establish a clear governance structure, including a governing body (board or risk committee) and a responsible senior manager. 
• Train all relevant staff on AML/CTF obligations, designated services, and how to identify and escalate suspicious activity. Staff must be trained to understand when CDD is required, how to conduct it, and how to recognise when a client’s risk profile may have changed (triggering ongoing or enhanced CDD).

• Only firms providing “designated services” are captured by the regime. It’s critical to map out exactly what services your firm provides, when, and to whom, as scope creep can trigger AML obligations unexpectedly. 
• Designated services include: assisting with real estate transactions, M&A, managing client money, equity/debt financing, selling shelf companies, and acting as a director or power of attorney, among others. Each service must be analysed for its AML/CTF implications.

CDD must be performed before providing a designated service, and may require ongoing or enhanced due diligence for higher-risk clients.  

The way you conduct CDD can significantly affect the client experience and your ability to service clients efficiently. Well-designed CDD processes should balance compliance with minimal disruption to clients. 

• Initial CDD:  Collect and verify client information, and assess the risk the client presents before any designated service is provided. 
• Ongoing CDD:  For ongoing client relationships (not just one-off matters), you must periodically review and update client information to ensure it remains accurate. 
• Enhanced Due Diligence:  For higher-risk clients, you must collect more information and conduct deeper risk assessments.

Robust record-keeping is essential. You must keep records of all CDD activities, including what information was collected, how it was verified, and the rationale for risk assessments. This is vital for demonstrating compliance to AUSTRAC. 

There is a tension between CDD (and related reporting) and legal professional privilege. The legislation provides mechanisms for managing this, including a 10-day window for suspicious matter reporting to allow for privilege considerations.

• Implement processes for transaction and compliance reporting (including suspicious matter reporting, with a 10-day window for legal professionals). 
• Maintain robust records to demonstrate compliance—record keeping will be a focus of AUSTRAC’s supervision. 

• Use robust project management to ensure timely and effective implementation. 
• Apply change management and stakeholder engagement to embed compliance into the firm’s culture and daily operations.