Navigating AML/CTF obligations: a practical roadmap for NSW law practices

Align

Right

By Bobbie Wan - April 10th, 2026 11:40 am AEDT

A range of resources are available for law practices seeking to meet their new Anti-Money Laundering/Counter Terrorism Financing (AML/CTF) obligations. In this article, we explain how to apply AUSTRAC’s program starter kits and we outline the qualities that firm compliance officers require. We also flag some of the client profiles that are considered ‘higher risk’ by the regulator.

When it comes to AML/CTF compliance, one message rang loud and clear at the Law Society Annual Conference: we’re all in this together.

Panellists spoke about a range of available resources and support for NSW law practices who provide designated professional services, as defined under the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

With the effective date of 1 July 2026 fast approaching, attendees at the conference heard from some of the chief instigators behind practical resources for law firms. These included William Morris, Director of Guidance at AUSTRAC, Neil Jeans, Partner, Grant Thornton and Bobbie Wan, Head of Regulatory Policy and Strategy at the Law Society of NSW.

Attendees heard how compliance by legal firms can help prevent criminals from profiting from illegal activity and help stop funds falling into the hands of terrorist organisations.

William Morris provided a stark example of the social stakes at play: “Every year that a criminal network can successfully launder money, their harms increase by 49%. That’s exponential – every year. I’ve seen intelligence where child exploitation networks onshore have successfully laundered through some of the services we’re regulating now, significantly increasing the number of children abused.

Together, the speakers discussed three priority steps for NSW law firms:

•   Crucially, AUSTRAC regulates by service, not by profession, so the first step is to check whether your firm provides designated services.
•   If your firm does, then the second step is to enrol between 31 March 2026 and 29 July 2026.
•   And the third step is to establish your AML/CTF program by 1 July 2026, which can be done using AUSTRAC’s program starter kits.
In the meantime, the priority for AUSTRAC and the Law Society of NSW is to assist law firms to make the necessary adjustments. Which is where Starter Kits come into their own.

AUSTRAC program starter kits

AUSTRAC has designed the program starter kits (Starter Kits) to help small and mid-size firms to build their own compliant AML/CTF programs, as William Morris explained: “The idea is that, as much as possible, we help you build it. If you fit the profile on our website of what a typical ‘small practice’ is, we guarantee our starter kit is suitable for you.”
Morris added that larger or more complex firms can still use the kits as a foundation, adapting programs to suit their line of business.
When developing the Starter Kits, Morris and his colleagues drew upon domestic and international intelligence on money laundering risks specific to the legal profession. They also collaborated with a selection of Australian law firms, to ensure the content was clear, practical and relevant.

Putting the Starter Kits into practice

Neil Jeans from Grant Thornton explained how a firm should apply the starter kit to their business. “The starter kit has been designed to be modular, to be worked through in a logical and structured way,” he said.
Having read the “how to customise” program information, practitioners should then follow a sequence of four steps, in the following order:

1. Risk assessment

Jeans emphasised a fundamental principle to the entire AML/CTF regulatory regime: know who your client truly is, including the individuals behind any legal entity. To that end, he said that the risk assessment was one of the sharpest tools in the starter kit.
It takes practitioners through the designated services, client types, channels of engagement and country risk relevant to their firm. The starter kit provides vulnerability ratings, and the practice confirms how these apply to their clients.
Jeans added that the risk assessment typically takes about an hour to complete.

2. Policy

Derived directly from the risk assessment, the policy is largely pre-written.
The policy covers three areas. First, how you approach due diligence and training of your personnel. Second, how you deal with your clients, and what client due diligence you need to undertake. And third, how you keep your program up to date as your business evolves and as the risks evolve.
Typically, practitioners review, accept and approve the policy. Significant amendments are rarely required, for those firms who fit the Starter Kit profile.

3. Processes

The starter kit includes processes to enable your firm and personnel to consistently apply your AML/CTF program. They provide step-by-step standard operating procedures for tasks such as employee screening and client due diligence (CDD).
CDD screening should be introduced at the point when it is reasonable to conclude a regulated service will be provided (ideally at the outset of the client relationship). Jeans emphasised that this is another one of the sharpest tools in the AML box, and should be undertaken with care.

4. Forms

Firms can use AUSTRAC’s pre-prepared forms to suit a variety of circumstances. However, most forms will rarely be used, according to Morris, who said that a typical low-risk practitioner may only require three forms as part of their regular processes. Early adopters have already started using the forms internally, Morris added: “We’ve seen a number of small firms use our forms essentially on each other, just as practice.”

After the above four modules are complete, principals will be equipped to explain what staff need to do and why. So that will be the time to train up colleagues who work in roles that you have identified pose ML/TF risks (through your employee due diligence).

Appoint a compliance officer in your firm

If you’ve established that your firm provides a designated service, then regardless of the size or type of your firm, you will need to structure your firm’s own AML/CTF compliance function and select at least one compliance officer.

Firms should identify which of their practice areas are regulated, and which specific services within those areas are subject to obligations. For example, Morris said firms with both a commercial law arm and a conveyancing arm should determine which services in each are regulated before deciding how to structure their compliance function.

In smaller practices, the compliance officer does not need to be an AML expert, but firms should select someone with capacity to acquire a meaningful level of knowledge. Importantly, that individual will also need to stay up to date with ongoing AML developments too.
Beyond the standard eligibility criteria (e.g. resident of Australia), there are several qualities that compliance officers require. Morris said the ideal compliance officer will be a trusted individual with good communications skills and access to all relevant colleagues. They also need to be given sufficient resources and authority (e.g. visible backing) by the firm’s principals to deal with problems.

High-risk scenarios

Morris emphasised that genuinely high-risk clients are relatively rare for most typical legal firms, and so the compliance burden scales accordingly. Clients that are considered higher risk include:

•   Foreign politically exposed persons: clients who hold or have held prominent public positions overseas (e.g. a foreign head of state). The concern is that such individuals, if under investigation, typically attempt to move money offshore.
•   Unexplained wealth: a significant disparity between a client's apparent profile and what they are seeking to do (e.g. someone presenting as a student who wants to purchase multiple multimillion-dollar properties in wealthy Australian suburbs).
•   High-value cash transactions: particularly in the context of conveyancing.
•   Residency in a high-risk country: a client who is a resident of a country on AUSTRAC's published high-risk country list.
•   Effective anonymity: where a client asks a lawyer to establish a trust or corporate structure that intentionally obscures who controls it, with no clear economic rationale.

Stronger together

In the fight against organised crime, Morris took a collaborative tone with the audience, emphasising that “we’re all on this mission together”. He said AUSTRAC sees its role as both a partner as well as a regulator, and he added that firms making a genuine attempt to comply will not be the focus of enforcement action.

All the expert speakers in the session encouraged NSW law firms to make full use of the resources and support that is available. AUSTRAC’s resources are available through its website (including but not limited to the starter kit, forthcoming webinars, fact sheets, and contact centre).
Neil Jeans from Grant Thornton, who has been closely involved in developing these resources, reflected: “When I engage with lawyers, [it’s clear] you want to comply – it’s just working through how to do that and what the impact of that is on the business. And we’ve turned that into [resources and support] that’s very practical.

“If you engage with it now and you move through it steadily and slowly over the next two or three months, then you’ll be in a strong position to demonstrate compliance.”