AML/CTF Programme for Australian Law Firms: 2026 Guide

From 1 July 2026, Australian law firms providing designated services under the AML/CTF Act 2006 must have an adopted, approved AML/CTF Programme in writing. With 42 days until the deadline, the programme — a two-part document covering governance and customer due diligence procedures — is the single most important document AUSTRAC will look for when assessing whether a firm has met its obligations.

What Is an AML/CTF Programme?

An AML/CTF Programme is the written framework a reporting entity uses to manage its money laundering and terrorism financing risks. Under Part 2 of the AML/CTF Act 2006, every law firm providing designated services must adopt and maintain one. The programme is not a one-off registration — it is a living document that must reflect how the firm actually operates, be approved by senior management, and be updated when material circumstances change.

What Must Part A of the Programme Contain?

Part A covers governance and risk methodology. A compliant Part A for an Australian law firm must address: - ML/TF risk assessment — a documented analysis of the firm's exposure across client types, designated services, delivery channels, and jurisdictions, which drives all CDD and monitoring decisions - Customer acceptance policy — criteria the firm applies when deciding whether to onboard a client, including any categories it will not accept - AMLCO appointment — the named Compliance Officer, their documented responsibilities, and their reporting line to senior management - Senior management oversight — evidence that the partnership or board has approved the programme and receives regular updates on its operation - Ongoing monitoring policy — how the firm reviews active relationships, including trigger-based CDD refresh and periodic re-screening - SMR procedures — how suspicions are escalated, documented, and lodged with AUSTRAC within three business days, with guidance on the tipping-off prohibition - Training policy — content, frequency, and record-keeping for AML/CTF training across all relevant roles - Independent review schedule — the biennial review obligation and how findings are reported to senior management - Record retention — the firm's approach to retaining CDD files, SMR decisions, programme versions, and training records for seven years

What Must Part B of the Programme Contain?

Part B covers the operational procedures for identifying and verifying clients and beneficial owners. For each designated service the firm provides, Part B must address: - Client identification — what information is collected from individual clients and entity clients such as companies and trusts - Identity verification — the specific documents or electronic data sources accepted to verify each client category - Beneficial ownership — how the firm maps and verifies the natural persons who ultimately own or control an entity client, including layered corporate structures and discretionary trusts - PEP and sanctions screening — procedures for screening at onboarding and at defined intervals thereafter - Simplified CDD — which lower-risk client categories qualify for reduced verification, and the criteria that must be met - Enhanced due diligence (EDD) — additional procedures for high-risk clients including PEPs and clients connected to high-risk jurisdictions, with senior-management approval requirements - Non-face-to-face procedures — any additional measures where the firm cannot meet a client in person

How Should a Law Firm Calibrate Its Programme to Its Risk Profile?

The programme must reflect your firm's actual services and client mix, not simply replicate a generic industry template. AUSTRAC expects the risk assessment to drive the procedures: a residential conveyancing practice operates differently from a commercial firm advising on cross-border acquisitions. Common calibration decisions include tighter scrutiny of third-party settlement payments for conveyancing practices, more rigorous beneficial-ownership mapping for corporate transaction work, and — for litigation-only practices with no transactional services — a careful documented analysis of whether designated-service obligations arise at all.

Who Must Approve the AML/CTF Programme?

The programme must be approved by a senior officer with authority to bind the firm — typically the managing partner, the partnership collectively, or the board of the incorporated legal practice. Approval must be documented through a resolution, a signed cover page, or formal meeting minutes. A version history should be maintained so AUSTRAC can trace when each version was adopted, who approved it, and what changed. An unapproved draft does not satisfy the obligation.

How Often Must the Programme Be Reviewed?

The AML/CTF Act 2006 requires the programme to be reviewed at a stated cadence and whenever material circumstances change. For law firms, material triggers include adding or exiting a designated service, a significant shift in client mix or jurisdictional exposure, a new AMLCO appointment, an AUSTRAC inquiry or SMR that reveals a programme gap, and any change in FATF risk classifications affecting jurisdictions relevant to the firm. Beyond trigger-based reviews, best practice is an annual desktop review by the AMLCO with written sign-off by the managing partner.

What Happens to a Law Firm Without a Programme From 1 July 2026?

Providing a designated service without an adopted AML/CTF Programme is a contravention of the AML/CTF Act 2006 that can attract civil penalties of up to $18.5 million per contravention for a corporate entity. Operating without a programme also means operating without any compliant CDD or SMR workflow — each client onboarded and each reportable matter missed becomes a separate potential contravention. Law firms that have not yet begun should prioritise programme drafting above all other Tranche 2 workstreams. The AMLify legal practice module includes a guided programme builder calibrated to AUSTRAC expectations.

Key Takeaways

• Part A covers governance — risk assessment methodology, customer acceptance policy, AMLCO appointment, oversight, monitoring, SMR procedures, training, independent review, and record retention
• Part B covers CDD procedures — client identification, identity verification, beneficial ownership mapping, PEP and sanctions screening, and simplified or enhanced due diligence for each designated service
• The programme must be approved by senior management, version-controlled, and reviewed whenever material circumstances change or at least annually
• Generic templates are not sufficient — the programme must reflect your firm's actual client mix, services, and delivery channels to be defensible under AUSTRAC scrutiny
• 42 days remain — most practices can draft, review, and approve a compliant Part A and Part B within two to three weeks of focused effort

Frequently Asked Questions

Q: Does a small two-partner law firm need a full AML/CTF Programme?

Yes. The AML/CTF Act 2006 applies by reference to the designated services a firm provides, not by firm size. A two-partner conveyancing or corporate services practice has the same programme obligation as a national firm. The programme can be proportionate in length — a smaller firm with a narrower service range does not need a 60-page document — but Part A and Part B must both be present, approved, and operational from 1 July 2026.

Q: Can we use a law society template for our Part A and Part B?

Templates produced by the Law Council of Australia or state law societies are a useful structural reference. However, the programme must reflect your firm's specific client base, service mix, and delivery channels. An unmodified template that does not describe your actual operations does not satisfy the obligation. Customise the template to your firm, have the customised version reviewed by the AMLCO, and obtain written partner or board approval before the deadline.

Q: What is the difference between the ML/TF risk assessment and the AML/CTF Programme?

The ML/TF risk assessment is an input to the programme — it is the documented analysis of your firm's exposure across clients, services, delivery channels, and jurisdictions. The AML/CTF Programme is the output: the policies and procedures the firm adopts in response to that exposure. Both documents must exist separately. AUSTRAC will read them together to assess whether the programme's CDD procedures are genuinely calibrated to the risk the assessment identified.

Q: Do we need a separate programme for each office or practice group?

A single programme can cover multiple offices of the same legal entity, provided it accurately describes the procedures used across all offices and the risk assessment accounts for any material differences by location. Where different offices serve materially different client segments or deliver services in materially different ways, those differences must be reflected in the risk assessment and the relevant Part B procedures. A programme that describes practices as they exist only at the main office may not satisfy the obligation for a branch that operates differently.

Q: How long does it take to draft and approve a law firm AML/CTF Programme?

Most small to mid-sized law firms can produce a fit-for-purpose Part A and Part B document in two to three weeks of focused effort — assuming the AMLCO is available to lead the drafting and a partner with sign-off authority is accessible for review. The common bottleneck is not the writing but the internal consultation: mapping all designated services, confirming the AMLCO appointment, and obtaining partnership or board approval. Firms should begin that process immediately with 42 days remaining.

This is general information only and not a substitute for legal advice.

Related articles