From 1 July 2026, Australian law firms and conveyancers providing certain legal services are required to comply with the AML/CTF Act under Tranche 2. This article explains what applies to your practice — and how Workflow helps you meet those obligations.
This article provides general information only and is not legal advice.
What AML/CTF means for legal professionals
AML stands for anti-money laundering. CTF stands for counter-terrorism financing. These laws require that businesses providing certain services verify who their clients are and assess the risk that they might be using those services to move or conceal illegal funds.
Legal services have been identified as a known vehicle for financial crime — particularly property-related transactions, trust management, and company formation. Tranche 2 brings legal professionals formally into the regulatory framework for the first time.
Which legal services are captured
Not all legal work is in scope. Tranche 2 applies when you are providing a designated service involving:
Buying, selling or transferring property: Helping a client buy, sell or transfer real estate — including handling the planning, paperwork or execution of the transaction.
Buying, selling or transferring a business or legal structure: Helping a client buy, sell or transfer a company, trust or other legal entity — including selling shelf companies (pre-registered companies sold ready to use).
Setting up, restructuring or managing a company, trust or other legal entity: Helping a client create, restructure or reorganise a company, trust or similar legal structure — including acting as a director, trustee or nominee on their behalf, or arranging someone else to take on those roles.
Managing a client's money or assets in connection with a transaction: Receiving, holding or managing funds or property on behalf of a client to assist with any of the transactions listed above.
Arranging finance for a business or legal structure: Helping a client raise money through equity (e.g. issuing shares) or debt (e.g. loans) for a company, trust or other legal entity.
Providing a registered address for a company, trust or other legal entity: Allowing a company, trust or similar entity to use your address as their registered office or principal place of business.
Please see AUSTRAC’s website for more detail here
What you need to do for each covered matter
For each matter involving a designated service, you are required to:
Verify the identity of your client before providing the designated service
Assess their risk level using a documented risk assessment methodology
Keep records of all checks, assessments, and related documents for 7 years
Workflow handles all three steps. You create a case for the matter, add your client, run the verification check, and complete the risk assessment — all in one place.
When to run the check
You must complete identity verification before you commence providing the designated service — not at settlement or file closure, but at the point of engagement.
Best practice: run the check before you open the file or accept the retainer for work involving a designated service. Do not wait until you are deep into the matter.
Do I check individuals or entities?
It depends on who your client is:
Individual client — run a standard identity verification check
Company — run a KYB (Know Your Business) check, which verifies the entity and identifies the beneficial owners (the real humans behind it)
Multiple clients on the same matter — each client requires their own check
Workflow will prompt you for the right information based on the client type you add to the case.
A note on Legal Professional Privilege
Legal Professional Privilege (LPP) is a protection that exists in the AML/CTF Act. This means communications that are genuinely privileged may be protected from disclosure in certain circumstances.
However, LPP is not a blanket exemption from AML obligations. You cannot rely on LPP to avoid running identity checks or risk assessments on your clients. The privilege applies to specific communications, not to the compliance process as a whole.
If you have questions about how LPP interacts with a specific matter, seek specialist legal or compliance advice.
What about ongoing client relationships?
Unlike a property sale (which is often a single transaction), many legal engagements involve an ongoing client relationship — the same client returns for new matters over time.
Under AML/CTF, you have ongoing monitoring obligations for clients where the relationship continues. This means periodically reviewing the client's risk profile, not just at the point of initial engagement but also when there is a material change in the relationship or their risk profile.
Workflow supports this through its case structure and review periods:
Low-risk clients: review every 3 years
Medium-risk clients: review every 24 months
High-risk clients: review every 12 months
What are the risks of non-compliance?
AUSTRAC can issue significant financial penalties for non-compliance. Beyond penalties, failing to conduct proper due diligence exposes your firm to reputational risk and, in serious cases, potential legal liability.
The obligations are new but the process is straightforward with the right system in place. Most checks take under two minutes for the client to complete. Building this into your matter-opening process is the simplest way to stay compliant.
Related articles