Building an AML/CTF Program for a Legal Practice: The Two Parts You Need | AML/CTF Law Firms Australia 2026
If your firm provides designated services, you need a written AML/CTF Program. Under the changes brought in by the 2024 reforms, that program is built from two parts: a ML/TF Risk Assessment and a set of AML/CTF Policies. Together they replace the older "Part A / Part B" structure that long-time reporting entities will remember.
This is a plain-English practice guide to how the two parts fit together and what regulators tend to look for early on. It is general information, not legal advice — your program should be built to your firm's actual circumstances.
Part one: the ML/TF Risk Assessment
The risk assessment is the foundation, and everything else flows from it. It is where your practice identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks it may reasonably face — looking across the designated services you provide, the types of clients you act for, the way you deliver services, and any jurisdictions involved.
The point is not to produce a document that says "we are low risk" and file it. It is to think honestly about where your practice is exposed — property settlements with unfamiliar parties, corporate and trust structures, client funds moving through the firm — so the controls you build are aimed at your real risks. The risk assessment must be kept up to date, particularly before you take on new types of designated services.
Part two: the AML/CTF Policies
The policies are how you act on the risk assessment. This is the operational half of the program — the procedures, systems and controls your people actually follow to manage the risks you have identified and meet your obligations. In practice that covers things like: how and when you carry out customer due diligence and enhanced CDD; how you monitor matters and client activity; how suspicions are escalated and reported; how records are kept (the regime requires retention for seven years); how you train staff; and how the compliance officer reports to the governing body.
Who approves it, and who oversees it
The reforms put real weight on governance, and the roles are distinct:
- A senior manager must approve the risk assessment and the policies in writing — with their name, role and date — before the firm provides designated services. Material changes need senior-manager approval too.
- The governing body (in a small firm, that may be the principals or partners) holds ongoing oversight — it receives the risk assessment, oversees how risk and compliance are managed, and must receive reports from the compliance officer at least once a year. The governing body oversees; it does not sign off every document.
Getting this split right matters: approval and oversight are different jobs, and conflating them is a common drafting slip that stands out in any inspection.
What regulators look for in a first compliance cycle
AUSTRAC has signalled a supportive posture for newly regulated practices in the early phase — while being clear that not knowing the rules will not be a defence. In a first cycle, the things that tend to matter are:
- A program tailored to your firm's real risk — not a template with the name changed.
- Evidence the program is actually being used: CDD performed before acting, monitoring happening, suspicions escalated, records kept.
- A compliance officer appointed, resourced and genuinely active, reporting up.
- Staff trained so fee-earners know when a matter becomes a designated service and how to escalate.
- A built-in review rhythm, rather than a set-and-forget document.
The regime's actual cadence: you keep the program up to date as risks change; your compliance officer reports to the governing body at least every 12 months; an independent evaluation of the whole program is required at regular intervals (at least once every three years, phased in over the next few years for newly regulated entities). Plan for all three from the start.
Where Veriqua helps
For most small and mid-sized practices, the failure mode is not intent — it is that the AML/CTF Program becomes a document in a drawer rather than a living system. Veriqua is an Australian compliance operating system designed to keep it live. The platform builds both parts from your firm's own data — a tailored ML/TF Risk Assessment with structured risk scoring across customer, service, channel and geography, and AML/CTF Policies held in a document library with version history and senior-manager sign-off captured on the record. Every obligation has a status, every review has a due date, and the compliance officer's annual report to the governing body is generated from live register data — not assembled by hand.
Two minutes, no login: demo.veriqua.com.au/start.
Frequently Asked Questions
What replaced the Part A and Part B structure in the AML/CTF Program?↓
Does a law firm lodge its AML/CTF Program with AUSTRAC?↓
Who must approve the AML/CTF Program for a legal practice?↓
How often must a law firm conduct an independent evaluation of its AML/CTF Program?↓
Related articles
Is Your Law Firm an AUSTRAC Reporting Entity?
Which legal services trigger AML/CTF obligations and the three foundational steps.
CDD Obligations for Australian Solicitors
Standard, simplified and enhanced CDD — what to collect and when.
When Does a Law Firm Have to Lodge an SMR?
Timeframes, tipping-off, legal professional privilege, and conveyancing red flags.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at May 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Amendment Act 2024 and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice, and it is not a definitive statement of your program obligations. Your program must be built for your firm's specific designated services and risk profile. Please confirm requirements against current AUSTRAC guidance and the AML/CTF Act and Rules, and with your professional body and advisers, before acting.