Operationalising Australia’s AML reforms in law firms: why every designated service to an existing client needs a fresh matter risk assessment 

TL;DR

  • Tranche 2 brings many legal services into scope from 1 July 2026. Initial CDD must occur before a designated service, and ongoing CDD requires monitoring, reviews and updates across the life of the client relationship. 

  • AUSTRAC’s legal profession starter kit includes a “Trigger event review and update” form where one trigger is “Client requests a new designated service”—a clear prompt to review KYC and risk post‑onboarding. 

  • In banking, transaction monitoring happens at account level; in law, the closest analogue is a matter‑level risk assessment for each new designated service—considering parties, asset/value, structure, jurisdictions and purpose—supported by ongoing CDD obligations and legal‑sector risk indicators. 

The mental models clash: bank‑style “customer monitoring” vs. law‑firm “matter risk”

Banks typically onboard a customer once, complete KYC/AML checks, then monitor ongoing account activity with rules‑driven transaction monitoring—raising alerts when behaviour appears unusual or inconsistent with the customer profile. AUSTRAC codifies these expectations for transaction monitoring in its core guidance. 

Law firms don’t hold consolidated “transaction streams.” Instead, they deliver discrete, variable‑risk designated services (e.g., assisting with real‑estate transfers, entity/trust structuring, equity or debt financings), where risk lives in the matter context: parties involved, value, beneficial ownership, jurisdictions, delivery channel, and the commercial rationale. AUSTRAC’s reforms and legal‑sector guidance make clear that risk management must extend beyond onboarding via ongoing CDD—monitoring behaviour, reviewing/updating risk and re‑verifying KYC when appropriate. 

Implication: For law firms, risk‑assessing every new designated service—even for existing clients—is the closest functional equivalent to bank‑style “transaction monitoring.” It’s how you detect inconsistency with a client profile and identify suspicious activity in a matter‑driven environment. AUSTRAC’s ongoing CDD framework expects you to monitor for unusual transactions/behaviour and to review and, if appropriate, update the client’s ML/TF risk and KYC. 

What AUSTRAC expects under Tranche 2 (in practical terms)

  • Initial CDD before providing a designated service (outcomes‑based): identify and verify the customer and understand the risks of providing that service. 

  • Ongoing CDD during the relationship: monitor for unusual activity, review and update the customer’s ML/TF risk, and re‑verify KYC where appropriate. 

  • SMR obligations apply when you start, propose to start, or are asked about providing a designated service—even if you ultimately do not provide it; timelines remain 24 hours (TF) and 3 business days (other matters). 

  • Designated services relevant to lawyers (profession‑neutral Table 6) include assisting with real estate, entity or legal‑arrangement transfers, managing property, equity/debt financings, creating/restructuring entities or trusts, acting as director/trustee/nominee, and providing registered office/principal place of business services—when done in business with an Australian link. 

What the legal profession starter kit actually contains (and what it signals)

AUSTRAC’s legal starter kit—designed for small, lower‑complexity practices—provides a risk assessment, policy, processes and client/personnel forms, all to be customised before use. Two elements are especially relevant to “existing client, new matter” workflows (onboarded from an AML perspective post July 1st): 

1) New‑client onboarding form — completed before a designated service is provided, capturing core purpose/context and how the firm will manage risk for that service. (See the document library for the full set.) 

2) Trigger event review and update form — to be used when certain events occur; one explicit trigger is “Client requests a new designated service.” This prompts a review/update of KYC and the client’s ML/TF risk rating. 

AUSTRAC’s Step 2: Use your program shows how day‑to‑day client dealings should scale controls by client risk, including when to escalate or report. Step 3: Maintain and review sets out how changes to services/clients/jurisdictions trigger program updates. Together, these steps confirm that risk assessment is not a one‑and‑done task. 

The onboarding forms: how much matter context they actually capture

Within the two types of onboarding forms in AUSTRAC’s starter kits, there are only two or three questions that specifically surface matter‑level risk—and they are intentionally concise/open‑ended.

A) Conveyancing:

What service is the customer seeking and why?
For example:
• Conveyancing for the purchase of real estate
• Conveyancing for the sale of real estate

If the customer is buying a property, are they using a mortgage, loan or other finance from a bank or lender?
☐ Yes ☐ No
If YES, Bank/lender name:

If the customer is buying a property, how are you paying for it?
If it is using a mortgage, loan, or other finance from a bank or lender, also indicate how you are paying the deposit. Choose all that apply.
☐ Physical currency (cash) – specify amount to be paid:
☐ Virtual assets – specify amount to be paid:
☐ Electronic transfer
☐ Other (please specify):

B) Other professional services (legal profession):

What service is the client seeking and why?
For example:
• setting up a corporate structure
• assisting in the purchase of a company

Will the service involve the handling of physical cash or virtual assets? Choose all that apply.
☐ Physical currency (cash) – specify amount:
☐ Virtual assets – specify amount:
☐ None of the above 

These prompts are intentionally concise/open‑ended and AUSTRAC expects customisation within practice systems. By design, they do not list every matter‑risk factor.

Where they fall short without expansion:
Left as is, these fields rarely surface the context needed to reach a defensible risk rating (and to set CDD/ECDD and monitoring) because they don’t force answers on structure, parties/UBOs, jurisdictions/delivery channel, sector/PF exposure, source‑of‑funds/wealth, third‑party payers and funds/asset flows. The SRA has fantastic matter risk rating guidance, which firms should review when deciding what details, context and analysis to consider in assessing the matter risk associated with a designated service to a particular client, involving particular assets, particular matter parties and a particular context.

How can firms fix this? (add a short SRA‑style overlay under the AUSTRAC prompt):

After “What service is the client seeking and why?”, insert these seven short sub‑prompts. They translate the SRA’s matter‑risk template into a lean intake overlay you can standardise across matters:

Is this work typical for us? If not, why are we instructed and how will we mitigate new risks (per our enterprise risk assessment/risk appetite)? Record it.

Parties/UBOs & structure. Who’s involved (incl. third‑party funders/recipients)? Any complex/opaque chains, trusts or nominees—and a genuine purpose? Record it.

Jurisdictions & channel. Any overseas links, sanctions/HRTC exposure associated with matter parties—and what controls mitigate them? Record it.

Sector & PF. Are the matter parties cash‑intensive/high‑risk (e.g., nail bars, high‑value goods dealers)? Any PF touchpoints? Record it.

Funds/asset flow. Who pays what, from where, and when? Evidence source of funds (and source of wealth where appropriate)—even if funds never touch your client account. Record it.

Third parties & digital assets. If a third party funds, confirm relationship/ID; if crypto is used, show provenance checks. Record it. 

Decision. Risk rating (L/M/H) + controls (CDD/ECDD, approvals, review cadence) + monitoring points (instruction → documents → funds‑flow → completion). Record it before acting.

Why this matters now:

AUSTRAC’s ongoing CDD expressly requires you to monitor, and to review/update both customer risk and KYC during the relationship—especially on trigger events such as “client requests a new designated service.” This overlay operationalises that expectation at matter intake. If any of the above matter risk factors are identified, that would indicate an elevated risk associated with the matter/matter parties, which should be monitored closely. Elevating risk factors are not enough in themselves to warrant an SMR; however, they may warrant and necessitate the use of the “Unusual activity report information form”.

Why designated‑service context matters more than a blanket category risk

AUSTRAC requires firms to assess ML/TF risk across the services you provide and for each customer, then manage those risks with proportionate controls. In legal practice, two matters in the same category (e.g., real‑estate transactions) can carry very different risks based on who the parties are, the value, beneficial ownership, jurisdictions and purpose—precisely the factors AUSTRAC highlights for legal professionals. 

Example: A property transfer between two listed or AML‑regulated entities will usually be lower risk than one between two private, opaque entities with minimal footprint and unusual funding sources. AUSTRAC’s legal‑sector indicators emphasise red flags like complex structures, unexplained wealth, high‑risk jurisdictions and no apparent commercial purpose—each of which is a matter‑specific factor.

Practice note: In many firms, new joiners to the AML function often conflate client risk (e.g., jurisdictions, ownership structure, PEP exposure, business activities) with matter risk (e.g., this counterparty, this asset/transfer of value, this rationale, these jurisdictions). The former can be high while the latter is low and vice versa. Your workflows should make this distinction explicit. 

Operationalising this in a corporate/commercial law firm: a 7‑step model

  1. Map your designated services (Table 6) to practice areas and matter types; document where AML applies, who owns it, and required artefacts (intake, risk, approvals). 

  2. Embed a matter‑level risk assessment in your new business intake workflow for every designated service—even for existing clients—capturing parties, their beneficial owners/PEPs (where feasible), asset/value, source/use of funds, jurisdictions, delivery channel and commercial rationale. 

  3. Tie risk scoring to controls: low/medium/high ratings should drive CDD depth, senior approvals, review cadence and ECDD for higher‑risk scenarios (including after an SMR if the relationship continues). 

  4. Codify trigger events (e.g., client requests a new designated service, changes in BO/PEP/sanctions, unusual behaviour) and route them through your Trigger event review and update workflow to refresh KYC/risk (if required). 

  5. Define bank‑style monitoring equivalents: build matter review points at milestones (instruction, draft instruments, funds‑flow, settlement/closing) to spot inconsistencies and determine SMR and/or ECDD. 

  6. Document decisioning: keep concise notes on risk rationale, information collected/verified, approvals and outcomes to meet AML/CTF obligations/expectations. 

  7. Close the loop: use Step 3 of the starter kit as a guide to update your enterprise risk assessment and program controls when service/client/jurisdiction profiles change (e.g., a surge in cross‑border matters). 

FAQs

Do we need to “re‑onboard” existing clients? Not necessarily. Ongoing CDD requires you to monitor, and to review/update the client’s risk rating and re‑verify KYC where appropriate (e.g., on trigger events or material change). For business relationships, AUSTRAC states you must review and, if appropriate, update the customer’s ML/TF risk and KYC information. 

When does SMR liability arise for lawyers? When you start, propose to start, or are asked about providing a designated service—you must lodge an SMR if you suspect on reasonable grounds that the person/transaction relates to ML/TF or other crimes. Timelines: 24 hours if related to terrorism financing; 3 business days for other matters. 

The starter kits are helpful—but think beyond a purely “customer‑centric” template

AUSTRAC’s program starter kits (a world‑first level of practical support) are designed primarily for smaller, lower‑complexity practices to get compliant quickly, developed in close collaboration with industry.  

For corporate/commercial practices, matter‑level controls still need to carry most of the weight: treat each designated service to an existing client as a fresh risk event requiring review, analysis and ultimately a risk decision. AUSTRAC’s legal‑sector risk indicators and ongoing CDD guidance support this approach. 

Quick checklist for “existing client → new matter (designated service)”

  • Matter opened and designated service confirmed (Table 6 mapping). 

  • Trigger event review initiated; KYC and client risk reviewed/updated; PEP/sanctions screening refreshed as needed. 

  • Matter‑level/designated service risk assessment completed (parties, BO, value, source/use of funds, jurisdictions, purpose/structure). 

  • Controls scaled to risk (ECDD, senior approvals, review cadence). 

  • Red flags checked (no apparent purpose, complex/opaque structures, unexplained wealth, high‑risk geographies). 

  • SMR decision documented when suspicion forms; timelines met (24h TF / 3 business days others). 

  • Records filed; program metrics fed into Step 3 style review cycle. 

Final thought

Designated services aren’t equally risky—and in law they’re never context‑free. Treat every matter as your unit of risk. That’s how you convert AUSTRAC’s reforms and starter‑kit templates into a living, defensible control environment that actually detects suspicion in time to act. If you are looking for assistance on how to operationalise your firm’s AML framework, schedule a free 30-minute no-obligation call to see how AML Advisers can assist.
