Preparing Law Firms for the 2026 AML Regulatory Changes


If you’re a law firm gearing up for Australia’s Tranche 2 AML/CTF reforms, your ML/TF risk assessment is the very first building block of your Program. AUSTRAC is explicit: risk assessment comes first and it determines the measures you must include in your AML/CTF Program.

Below are five pitfalls we see legal practices fall into—plus simple, audit-ready ways to avoid them.

Get started now: download the free Legal-Sector AML/CTF Risk-Assessment Template and follow along as you read.


1) Using a generic, copy-paste assessment (and not mapping your designated services)

The mistake: Lifting a template unchanged and failing to map into the assessment exactly what your firm does (e.g., conveyancing and settlements, operating a trust account, holding client money, establishing companies or trusts).

Why it matters: AUSTRAC expects you to assess every designated service, rank it Low/Medium/High, and build your controls from that analysis.

Fix it fast:

  • List the services you actually provide (by matter type).

  • For each service, assess risk through the AUSTRAC lens (see Mistake #2), score it, and document why.

  • Tie each service to specific controls in Part A (e.g., EDD triggers, approvals) and to customer identification procedures in Part B.

What good practice looks like (example):

A property conveyancing matter involving a trust-account deposit of A$10,000 or more from a foreign company with unclear ownership.

Inherent risk: High (Likelihood 4 × Impact 4).
Controls applied: Verify ultimate beneficial ownership (UBO), collect source-of-funds and source-of-wealth evidence, conduct PEP and sanctions screening, and obtain senior-level approval.
Residual risk: Medium, with rationale documented and supporting evidence securely stored.

This approach aligns with AUSTRAC’s requirement to measure and manage risk per service.


2) Leaving out key AUSTRAC risk categories

The mistake: Focusing only on “customers” and “services” while overlooking other key AUSTRAC risk factors that regulators expect to see in every assessment.

What AUSTRAC expects: Your risk framework should cover four core elements:

  1. Customers (including PEPs),

  2. Designated services,

  3. Delivery channels (face-to-face vs online), and

  4. Foreign jurisdictions your firm deals with.

When setting CDD measures, also consider beneficial ownership, PEP status, source of funds and wealth, the nature and purpose of the client relationship and control structures for non-individual clients.

Fix it fast: Build your matrix with these categories as rows. For each, record:

  • Inherent Likelihood × Impact (with a short rationale),

  • Specific controls you apply,

  • Residual risk (with a reason you accept it).

Tip: It’s fine to add firm-specific categories (e.g., transaction/activity patterns or emerging risks like digital assets)—AUSTRAC expects you to take relevant guidance and evolving risks into account.


3) No clear logic from inherent → controls → residual (and no link back to your Program)

The mistake: Scoring everything “Medium” without explaining why—or listing controls without showing how they reduce risk.

Why it matters: AUSTRAC expects you to identify risks, put in place controls to mitigate them, and reflect that logic in your AML/CTF Program (Part A & B).

Fix it fast:

  • Use a simple, consistent model (e.g., Likelihood 1–5 × Impact 1–5) → Inherent score.

  • Describe preventive controls (e.g., UBO identification and verification (ID&V), source-of-funds/source-of-wealth (SoF/SoW) evidence, senior approvals) and detective controls (e.g., event-based reviews, an internal SAR process).

  • Recalculate Residual after controls, and write a one-line justification (why residual is acceptable under your risk appetite).

Ensure alignment: Your risk assessment should drive the content of Part A (e.g., EDD rules, event-based ongoing due diligence, transaction-monitoring approach for a law firm) and Part B (ID&V procedures).

Want to see how your firm measures up? Download our [Free Risk-Assessment Template] and map each service in minutes.


4) “Set and forget” (no ongoing review or triggers)

The mistake: Treating the assessment as a one-off compliance tick-box.

What AUSTRAC expects: Keep your methodology flexible and review when things change—new designated services, new delivery methods/tech, or new jurisdictions—and when customer circumstances change (e.g., ownership/control or nature of relationship).

Fix it fast:

  • Add an annual review line in your assessment, and list event triggers (e.g., new conveyancing workflow; new cross-border client type; material change in a client’s structure).

  • Track AUSTRAC’s latest guidance and sector updates and fold them into your review.


5) Not wiring the assessment into reporting, record-keeping, training & independent evaluation

The mistake: Great risk assessment and matrix but no operational follow-through.

Non-negotiables to embed:

  • SMR timing: within 24 hours for terrorism-financing suspicions; within 3 business days for other matters (e.g., money laundering).

  • Record-keeping & training: Keep CDD/program records and deliver risk-aware training; your Program should explain how.

  • Independent evaluation: Under Tranche 2, you must undertake an independent evaluation at least every three years (and more often if your risk profile warrants it).

Fix it fast: In your assessment, add a final column that points to:

  • the internal SAR → SMR workflow and statutory timing,

  • where evidence is stored (7-year retention), and

  • who is responsible for reviews and independent evaluation.

How My Databoss helps law firms pass the compliance test

  • Risk assessment builder with AUSTRAC categories pre-loaded: map your legal services, customers, delivery channels and jurisdictions; attach rationales and evidence.

  • CDD/EDD workflows: digital ID&V + biometric check; automated PEP/sanctions/adverse-media screening; risk-tiering with High routing to EDD and Compliance sign-off.

  • Ongoing due diligence & event triggers: re-screening and prompts when ownership, control or jurisdiction changes.

  • Reporting: internal SAR register and SMR helper to meet AUSTRAC 24-hour/3-day timing, with audit trails.

  • Governance: dashboards for Board/Principals; training register; document versioning; independent-evaluation evidence logging—aligned to AUSTRAC’s Program expectations.

A quick, law-firm-specific starter checklist

  1. List your designated services (e.g., conveyancing, trust-account operations). Score each service and write one-line rationales.

  2. Rate the AUSTRAC categories for your firm: customer types (incl. PEPs), delivery channels, foreign jurisdictions; plus BO/SoF/SoW, purpose of relationship and control structures.

  3. Document controls that actually operate in your matters (pre-settlement SoF/SoW checks, UBO verification, senior approvals). Link them to your Program clauses. 

  4. Wire in reporting & records: internal SAR → SMR timing; how/where you keep evidence; staff training cadence.

  5. Set review cadence & triggers: at least annually—and when services, delivery methods, jurisdictions or client structures change.

  6. Plan the independent evaluation timetable (and scope) so you’re ready when Tranche 2 commences.


Final word

A solid, law-firm-specific ML/TF risk assessment is not long for the sake of it—it’s focused, evidenced and integrated with your Program and workflows. If you avoid the five pitfalls above, you’ll be aligned to AUSTRAC’s expectations and ready for Tranche 2 supervision on 1 July 2026. For timelines, enrolment and obligation summaries for newly regulated sectors, AUSTRAC’s Tranche 2 hub is your primary reference.

This blog is general information, not legal advice. Always check AUSTRAC’s latest guidance and the AML/CTF Act & Rules for your specific circumstances.


Ready to put this into practice?

✔ Free Risk-Assessment Template (Excel): Download Template

✔ Book a Free Implementation Session to receive your full Legal-Sector Compliance Guide: Book Free Implementation Session

