7 AML compliance missteps (and how to avoid them)


By Bobbie Wan - April 10th, 2026 11:40 am AEDT

When it comes to regulatory compliance, law firms don’t always need to reinvent the wheel. A prime example is Tranche 2 of the anti-money laundering/counter terrorism financing (AML/CTF) reforms. There are several lessons that can be learned from the rollouts of similar regulation in comparable jurisdictions overseas.

As NSW law firms prepare for Anti-Money Laundering and Counter-Terrorism Financing Act 2006 obligations to become effective from 1 July 2026, it’s worth pausing to reflect on how overseas firms have adjusted to similar legislation. 
At the recent Law Society Annual Conference, seasoned AML professionals reflected on some of the most common missteps overseas, and how these can be avoided by legal firms in New South Wales. 
In this article we highlight issues to watch out for if your firm provides designated professional services, as defined under the amended Act.
 

Misstep 1: Failing to spot when your firm provides a designated service

At the conference, Amy Bell described a scenario where a lawyer – eager to assist a valued client – took on an extra service that was out of the ordinary for the firm. In instances like this, it’s essential that the firm clarifies whether this service is categorised as a designated service under the AML/CTF regime.
Without properly assessing the service, the firm could inadvertently create serious compliance exposure. Conference panellists said that firms should build awareness and visibility in their organisations so that any drift into regulated territory is caught early and not discovered after the fact. Having a clear idea of what constitutes a designated professional service is therefore crucial.

 

Misstep 2: Not understanding your firm’s own risk assessment 

The AUSTRAC program starter kit (and resources from the Law Society of NSW) provides a strong foundation for law firms – but your approach must be tailored to your firm’s services and clients, including the all-important AML/CTF risk assessment. 
As KordaMentha partner Grace Mason said at the conference: “Your ML/TF/PF risk assessment should reflect the risk faced by your firm and must be tailored to your services. A risk assessment you cannot explain to AUSTRAC – or to your own team – is a liability, not an asset.”
Amy Bell, CEO at AML Sorted, suggested asking yourself if a reader of your risk assessment can understand the size, nature and risk exposure of your specific firm. And she recommended using existing data (e.g. your case management system, file records, etc) to ground your risk assessment in actual clients and transaction types.

 

Misstep 3: Treating your AML program as a one-off exercise 

The most common compliance mistake is to think of AML as a one-off exercise, according to Will Morris. “If you’ve just got what we call ‘a program on a shelf,’ then you’ll start being non-compliant from the start,” he said.
Will Morris is Director of Guidance at AUSTRAC. At the conference, he cautioned that even the most carefully drafted program is not a functioning program if it is treated as a “set-and-forget” exercise.
Rather, AML/CTF programs must be embedded in business-as-usual – and they should be regularly reviewed and updated. Will added that your firm should be prepared for AUSTRAC to test the program by asking your team to walk through the program in practice.
To assist firms in their compliance endeavours, AUSTRAC has published a range of resources, support and training.

 

Misstep 4: Appointing the wrong person as your AML compliance officer 

Firms need to appoint their own compliance officer to complete their firm’s AML program – and the conference audience heard some pointers on how to select the appropriate person.
Bobbie Wan, Head of Regulatory Policy & Strategy at the Law Society of NSW, said that for officers in smaller practices, “it's really about their position and their influence on the practice, and the guidance even goes so far as to say that your AML compliance officer doesn't necessarily have to be an AML expert.”
Your compliance officer should be someone senior who is cool, calm and collected under pressure, and a good communicator with sufficient authority and backing from the firm’s principals.
For sole practitioners, Amy Bell said the answer is straightforward: it will be you. “While for larger practices, look at who manages risk across your regulated practice areas, and consider whether a deputy should be trained.” Having a deputy helps ensure your firm has continuity and consistency through times of staff leave, staff attrition, etc.
Firms coming under the AML/CTF regime for the first time must notify AUSTRAC of who their compliance officer is by 29 July 2026. 

 

Misstep 5: Buying technology without tailoring it to your firm

Technology can be a powerful tool to streamline compliance obligations but only if it’s carefully configured around your firm’s particular processes.
A recurring failure in other regulatory rollouts has been firms who purchased a system but – later – could not demonstrate how the technology implementation had been tailored to their services and clients.
At the conference, Norton Rose Fulbright partner Jeremy Moller cautioned: “If you outsource any element of your customer due diligence, you remain responsible for the quality of the output. Outsourcing the task does not outsource the obligation.” 
Amy Bell recommended testing your technology to actively try and identify any failure points, before you start to rely on it.

 

Misstep 6: Assuming cash is safe because it’s in a bank account

Banks are already subject to AML obligations, but law firms still need to satisfy their own due diligence obligations when funds pass through the banking system. 
KordaMentha’s Grace Mason told the conference audience that cash remains the highest-risk transaction type for money laundering. “A firm’s response to cash – and its policy around it – should be clearly documented and consistently applied,” she said. 
Amy Bell added that in the UK (where AML compliance has been in place for two decades), many firms have moved to a no-cash or limited-cash policy.

 

Misstep 7: Being over-zealous with your due diligence

Experts at the conference also emphasised that regulation and compliance are scaled to match the risk profile of different services and clients. So, firms should not apply customer due diligence retrospectively to their entire existing client books. Instead, they should concentrate their efforts on where the risks are.
An illustrative example of this is source-of-funds and source-of-wealth checks. These do not have to be applied to every client and every service. Such checks are only required for high-risk clients, as outlined in the AUSTRAC program starter kit. 

 

Don’t wait – press ahead now

The overseas experience helps cast a spotlight on where the possible missteps could be for NSW law firms, and how to avoid these. In most cases, AML/CTF compliance in other jurisdictions has simply become part of how a good firm operates.
Firms that engage with these now will be in a stronger position than those who begin when the clock is ticking down to 1 July 2026. 


Further reading

•    More details on AUSTRAC program starter kits: https://lsj.com.au/articles/aml-ctf-tranche-2-reforms-introducing-austracs-program-starter-kits/ 
•    AUSTRAC AML/CTF summary of obligations: https://www.austrac.gov.au/amlctf-reform/reforms-guidance/before-you-start/summary-obligations-reform