By Fiona Halsey
Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML CTF) regime mandates a robust, risk-based approach from July 2026 for entities that provide particular designated legal services (Firms).
Central to this framework are two interconnected types of risk assessment: the Firm’s Money Laundering/Terrorism Financing (ML TF) risk assessment and the customer-specific ML TF risk assessment, which forms a critical part of customer due diligence. An understanding of both is essential.
The reporting entity’s ML TF risk assessment: A foundational obligation
The Firm’s ML TF risk assessment is the cornerstone of its entire AML CTF program. It is a mandatory, entity-level requirement: a Firm must identify and assess the risks of money laundering, terrorism financing and proliferation financing (ML TF) it may reasonably encounter when delivering designated services. The assessment must be proportionate to the nature, size and complexity of the Firm’s business, must be kept under continuous consideration and must be updated as required.
For Firms operating through permanent establishments in Australia, the assessment must consider a range of factors. These include the kinds of designated services offered, the types of customers served, the delivery channels used, the countries with which the entity transacts, and any information communicated by AUSTRAC that identifies or assesses risks associated with the entity’s services.
Non-compliance carries significant consequences. Failing to have an up-to-date ML TF risk assessment before providing designated services contravenes a civil penalty provision. The AUSTRAC CEO also has the power to issue a written notice requiring a Firm to undertake, review or update its ML TF risk assessment if it is absent, out of date or inadequate. Importantly, entities must keep records demonstrating compliance with their obligations, including the ML TF risk assessment, for seven years after those records cease to be relevant to the reporting entity’s compliance with its obligations under Part 1A of the AML CTF Act.
Customer-specific ML TF risk assessment: Integral to due diligence
Complementing the entity-level assessment is the customer-specific ML TF risk assessment, which is a core component of both initial and ongoing customer due diligence (CDD) obligations under the Act.
For initial customer due diligence, a Firm must identify the ML TF risk of a customer before commencing to provide a designated service. This identification is based on Know Your Customer (KYC) information reasonably available to the entity. Factors to consider when identifying customer ML TF risk are directly linked to the entity’s own risk assessment and include the kind of customer, designated services provided, delivery channels, and countries involved. The collection and verification of KYC information must be appropriate to the identified ML TF risk of the customer. While CDD typically occurs prior to service provision, the rules allow for delayed verification in specific, low-risk circumstances to avoid business interruption, provided robust AML CTF policies are in place to complete CDD as soon as practicable and manage associated risks.
Ongoing customer due diligence (OCDD) requires Firms to continuously monitor their customers to identify, assess, manage, and mitigate ML TF risks associated with designated services. This involves monitoring for unusual transactions and behaviours that could trigger a suspicious matter reporting obligation. Crucially, the identification and assessment of a customer’s ML TF risk must be reviewed and updated in response to significant changes in the business relationship or if doubts arise about the adequacy or veracity of KYC information. (Example – if the ownership of a company changes substantially, review and updating would be required.)
The customer-specific risk assessment dictates the level of due diligence applied.
- Simplified customer due diligence measures may be used when the ML TF risk of the customer is low, and no specific high-risk triggers apply. The Firm’s policies must set out how this will work.
- Enhanced customer due diligence (ECDD) measures are mandatory for high ML TF risk customers or in other specified high-risk circumstances. These include situations where a suspicious matter reporting obligation arises, dealing with foreign or domestic politically exposed persons with high ML TF risk, or in specific virtual asset services. For example, ECDD for high-risk politically exposed persons requires collecting information on their source of wealth and source of funds.
Failure to comply with initial or ongoing customer due diligence obligations may also lead to civil penalties, which can be substantial. Reporting entities must retain records of their CDD, including the information collected and the risk analysis and assessment, for seven years.
Practical – How to do this?
Many smaller firms are likely to be able to use AUSTRAC’s starter programs, which are expected to include starter risk assessment tools. The Law Society is developing training resources, for launch in 2026, to help firms undertake risk assessments.
An essential aspect will be Firms, their relevant owners and their staff adequately understanding modern money laundering and terrorism financing. This raises an immediate question: how can lawyers who have likely had no exposure to either modern money laundering or terrorism financing competently assess the risk for their own firms or for their clients?
An obvious example would be a sole practitioner who undertakes real property work. It will be challenging for that practitioner to understand the ML TF risks of their practice.
It is likely many firms will in practice use a “sniff test”. This is likely to be inadequate, but probably inevitable given that a large group of people with no background in this complex and unfamiliar subject area are expected to make risk assessments.
It will be essential that AUSTRAC provides substantial and specific guidance as to how the example practitioner will assess the ML TF risks of both their own overall practice, and of their existing and prospective clients.
Interplay and conclusion
The two types of risk assessment are intrinsically linked. The overarching reporting entity’s ML TF risk assessment provides the strategic context and framework for the customer-specific ML TF risk assessment. The entity’s general risk profile directly informs the considerations for assessing individual customer risks.
How this works in practice remains to be seen.
This article is part of a series on AML CTF. Do you have a particular topic or question on AML CTF you would like Fiona to cover? Email us at brief@lawsocietywa.asn.au.
This is a broad summary of the law and has been condensed for readability. You must consider the law yourself before making decisions.