AML/CTF · Legal Practice

Building an AML/CTF Program for a Legal Practice: The Two Parts You Need | AML/CTF Law Firms Australia 2026

Published 7 May 2026Last reviewed June 20266 min readBy Paul Wise

If your firm provides designated services, you need a written AML/CTF Program. Under the changes brought in by the 2024 reforms, that program is built from two parts: a ML/TF Risk Assessment and a set of AML/CTF Policies. Together they replace the older "Part A / Part B" structure that long-time reporting entities will remember.

This is a plain-English practice guide to how the two parts fit together and what regulators tend to look for early on. It is general information, not legal advice — your program should be built to your firm's actual circumstances.

Part one: the ML/TF Risk Assessment

The risk assessment is the foundation, and everything else flows from it. It is where your practice identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks it may reasonably face — looking across the designated services you provide, the types of clients you act for, the way you deliver services, and any jurisdictions involved.

The point is not to produce a document that says "we are low risk" and file it. It is to think honestly about where your practice is exposed — property settlements with unfamiliar parties, corporate and trust structures, client funds moving through the firm — so the controls you build are aimed at your real risks. The risk assessment must be kept up to date, particularly before you take on new types of designated services.

Part two: the AML/CTF Policies

The policies are how you act on the risk assessment. This is the operational half of the program — the procedures, systems and controls your people actually follow to manage the risks you have identified and meet your obligations. In practice that covers things like: how and when you carry out customer due diligence and enhanced CDD; how you monitor matters and client activity; how suspicions are escalated and reported; how records are kept (the regime requires retention for seven years); how you train staff; and how the compliance officer reports to the governing body.

A useful way to think about it: the risk assessment is the diagnosis, the policies are the treatment. A regulator reading a generic, off-the-shelf policy that bears no relationship to a firm's actual risk assessment will notice the disconnect immediately.

Who approves it, and who oversees it

The reforms put real weight on governance, and the roles are distinct:

  • A senior manager must approve the risk assessment and the policies in writing — with their name, role and date — before the firm provides designated services. Material changes need senior-manager approval too.
  • The governing body (in a small firm, that may be the principals or partners) holds ongoing oversight — it receives the risk assessment, oversees how risk and compliance are managed, and must receive reports from the compliance officer at least once a year. The governing body oversees; it does not sign off every document.

Getting this split right matters: approval and oversight are different jobs, and conflating them is a common drafting slip that stands out in any inspection.

What regulators look for in a first compliance cycle

AUSTRAC has signalled a supportive posture for newly regulated practices in the early phase — while being clear that not knowing the rules will not be a defence. In a first cycle, the things that tend to matter are:

  • A program tailored to your firm's real risk — not a template with the name changed.
  • Evidence the program is actually being used: CDD performed before acting, monitoring happening, suspicions escalated, records kept.
  • A compliance officer appointed, resourced and genuinely active, reporting up.
  • Staff trained so fee-earners know when a matter becomes a designated service and how to escalate.
  • A built-in review rhythm, rather than a set-and-forget document.

The regime's actual cadence: you keep the program up to date as risks change; your compliance officer reports to the governing body at least every 12 months; an independent evaluation of the whole program is required at regular intervals (at least once every three years, phased in over the next few years for newly regulated entities). Plan for all three from the start.

Where Veriqua helps

For most small and mid-sized practices, the failure mode is not intent — it is that the AML/CTF Program becomes a document in a drawer rather than a living system. Veriqua is an Australian compliance operating system designed to keep it live. The platform builds both parts from your firm's own data — a tailored ML/TF Risk Assessment with structured risk scoring across customer, service, channel and geography, and AML/CTF Policies held in a document library with version history and senior-manager sign-off captured on the record. Every obligation has a status, every review has a due date, and the compliance officer's annual report to the governing body is generated from live register data — not assembled by hand.

Two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

What replaced the Part A and Part B structure in the AML/CTF Program?
The 2024 AML/CTF reforms replaced the old Part A (risk-based) and Part B (AML/CTF procedures) structure with two renamed components: the ML/TF Risk Assessment and the AML/CTF Policies. The concepts are similar, but the new structure also requires the program to address proliferation financing risk alongside ML/TF risk, and the governance requirements — particularly around senior-manager approval and governing-body oversight — are more explicit.
Does a law firm lodge its AML/CTF Program with AUSTRAC?
No. You develop and maintain the program internally and produce it to AUSTRAC on request — for example, during a compliance assessment or investigation. The program is not lodged or pre-approved. That also means the obligation to keep it current falls entirely on the firm: AUSTRAC will not tell you when it needs updating.
Who must approve the AML/CTF Program for a legal practice?
A senior manager must approve the ML/TF Risk Assessment and the AML/CTF Policies in writing — with their name, role and the date of approval — before the firm provides designated services. Material changes must also be approved by a senior manager. The governing body (principals, partners or board) then has ongoing oversight of the program, including receiving the compliance officer's reports at least annually.
How often must a law firm conduct an independent evaluation of its AML/CTF Program?
At least once every three years. For newly regulated entities such as law firms, the first independent evaluation cycle is being phased in — but the expectation is that firms build this into their planning from the start, rather than treating it as a future concern. The evaluation must be conducted by someone genuinely independent of the program — which in practice often means an external compliance specialist.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at May 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Amendment Act 2024 and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice, and it is not a definitive statement of your program obligations. Your program must be built for your firm's specific designated services and risk profile. Please confirm requirements against current AUSTRAC guidance and the AML/CTF Act and Rules, and with your professional body and advisers, before acting.