AML/CTF for Law Firms: What Tranche 2 Means for Your Practice

9 min read · General information, not legal advice · Updated 2026-06-12

If you are a principal at a small or mid-sized Australian law firm, you have probably heard the phrase ‘Tranche 2’ mentioned in passing and quietly hoped it was a problem for the big end of town. It is not. From 1 July 2026, certain legal services become regulated under Australia’s AML/CTF regime, and the decision in front of you now is whether your firm starts preparing in an orderly way or scrambles at the deadline.

The honest position is that you do not need to panic, but you do need a plan. This article walks through what Tranche 2 actually covers for lawyers, which of your services are likely to be caught, how trust accounts and client money fit in, and the concrete steps to build an AML/CTF program that will stand up to scrutiny. It is general information rather than legal advice, and exactly what applies to your firm will depend on the specific designated services you provide.

What Tranche 2 is, in plain terms

Australia has run an anti-money-laundering regime for years, but until now it has applied mainly to banks, casinos and other financial businesses. Tranche 2 refers to reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extend that regime to a set of new sectors often called ‘tranche 2 entities’.

The new sectors are: real estate professionals; dealers in precious metals and precious stones; and certain professional service providers — including lawyers, conveyancers, accountants, and trust and company service providers — but only when they provide specified ‘designated services’. That last point matters enormously. Tranche 2 does not regulate ‘being a law firm’; it regulates particular activities. The regulator is AUSTRAC (the Australian Transaction Reports and Analysis Centre), and enrolment and reporting happen through AUSTRAC Online. The new obligations are due to commence on 1 July 2026.

Which legal services are likely to be caught

Because the test is whether you provide a designated service, the first job for any principal is to map your firm’s work against the activities that bring you into scope. As the AUSTRAC rules are finalised, the categories that legal practitioners should watch most closely are the ones where you act on money, assets or entity structures rather than purely giving advice or appearing in court.

• Handling client money and assets — receiving, holding, controlling or managing funds, including activity that flows through your trust account.
• Real property transactions — acting in the buying or selling of real estate on behalf of a client.
• Forming and managing entities — setting up companies, trusts or similar structures, or acting as (or arranging) a nominee director, shareholder or trustee.
• Managing client affairs — managing bank, savings or securities accounts, or organising contributions for the creation, operation or management of a company.

Traditional litigation advice and court advocacy sit further from the regulated activities, but the boundary is determined by the finalised designated-service definitions, not by how a firm describes its own practice. If a meaningful share of your matters touch property, client funds or entity structuring, you should assume you will be a reporting entity and plan accordingly.

Trust accounts and client money: why lawyers are exposed

Trust accounts are precisely the feature that makes law firms attractive to someone trying to move illicit funds. A lawyer’s trust account carries professional respectability, sits outside ordinary banking scrutiny, and can layer a transaction through a trusted intermediary. That is the risk Tranche 2 is designed to address, and it is why principals who run busy trust accounts should treat AML/CTF as a core operational issue, not a box-ticking afterthought.

In practical terms, this means knowing who is really behind the money moving through your firm, why the funds are moving, and whether the explanation makes commercial sense. Red flags that already trouble experienced practitioners — a client who is strangely indifferent to cost, funds arriving from an unexpected third party, instructions to pay money out shortly after it lands, or reluctance to explain the source of wealth — become matters you may be obliged to assess and, where warranted, report. The discipline you build around your trust account becomes the backbone of your compliance program.

The core obligations you will need to meet

Once your firm is a reporting entity, the obligations are reasonably consistent across all regulated businesses. The shape of them is well established under the existing regime, so you can plan against them with confidence even while the detailed rules are finalised.

• Enrol with AUSTRAC via AUSTRAC Online, so the regulator knows you are a reporting entity.
• Develop and maintain an AML/CTF program — this is the central document. It sets out your governance, an ML/TF risk assessment, and the policies, procedures, systems and controls you use to manage that risk.
• Conduct customer due diligence (CDD/KYC) — identify and verify your clients before you provide a designated service, understand beneficial ownership, and carry out ongoing CDD and transaction monitoring through the life of the matter.
• Report to AUSTRAC — submit suspicious matter reports (SMRs) where you form a relevant suspicion, and threshold transaction reports (TTRs) for physical currency of AUD 10,000 or more.
• Keep records — generally for seven years, covering identification, transactions and your program.
• Appoint an AML/CTF compliance officer (AMLCO) — a named, suitably senior person responsible for the program.

Failing to meet these obligations can expose a firm to significant civil and criminal penalties, so the program is genuinely worth getting right rather than treating it as paperwork.

A practical checklist to get program-ready

You do not have to do everything at once. The sensible approach for a small or mid-sized firm is to sequence the work so that each step makes the next one easier. Use this checklist as a working plan in the months before 1 July 2026.

• Scope your services. Map every practice area against the likely designated services and decide, on the record, whether the firm is in scope.
• Appoint your AMLCO. Name the person now and give them the authority and time to do the role properly.
• Run a risk assessment. Assess your ML/TF risk by client type, the services you offer, delivery channels and jurisdictions, and write it down.
• Draft the AML/CTF program. Turn the risk assessment into clear policies, procedures, systems and controls that your team can actually follow.
• Set up CDD workflows. Decide how you will identify and verify clients and beneficial owners, and how files capture that evidence.
• Define your monitoring and reporting path. Agree internally how staff escalate concerns and how SMRs and TTRs are prepared and lodged through AUSTRAC Online.
• Sort out record-keeping. Confirm where records live and that they are retained for the required period.
• Train your people. Make sure fee earners and support staff recognise red flags and know the firm’s procedures.
• Enrol with AUSTRAC when required, and diarise a regular review of the whole program.

Common mistakes firms make

The firms that struggle are rarely the ones acting in bad faith. They are usually the ones who underestimate the work or treat compliance as a document to be filed and forgotten. A few patterns come up again and again.

• Assuming ‘we don’t touch dirty money’ is a defence. The obligations attach to the service you provide, not to whether a problem has occurred.
• Buying a generic template and never tailoring it. An AML/CTF program that does not reflect your firm’s actual risk profile and procedures offers little protection.
• Treating CDD as a one-off. Verifying a client at onboarding and then never looking again misses the ongoing monitoring obligation entirely.
• Leaving the AMLCO without support. Naming someone but giving them no time, budget or authority sets the role up to fail.
• Waiting until June 2026. Building a workable program, training staff and embedding new file workflows takes months, not days.

Where a ready-made template kit fits

You can build everything from scratch, and some firms with in-house expertise will. For most small and mid-sized practices, though, the value of a well-structured, audit-ready template kit is simply time: an editable AML/CTF program, risk-assessment framework, CDD checklists and registers give you a credible starting structure you then tailor to your firm rather than facing a blank page. The discipline still has to be real — a template is a head start, not a substitute for understanding your own risk — but starting from a sound, properly organised baseline can save weeks of drafting and reduce the chance you miss a required element.

Whatever route you take, remember that this article is general information, not legal advice, and that your precise obligations depend on the specific designated services your firm provides. Confirm the detail against AUSTRAC’s finalised guidance or with a qualified adviser before you rely on any single approach.