KYC for Lawyers: AML & Verification
Complete guide to KYC obligations for Australian lawyers. State law society requirements, AUSTRAC obligations, legal professional privilege
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokLawyers in Australia are moving towards becoming reporting entities under anti-money laundering legislation. The Australian Government's commitment to extending the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to "Tranche 2" entities โ including legal practitioners โ will impose formal KYC (Know Your Customer) duties on solicitors and barristers undertaking regulated work. Yet these obligations sit alongside legal professional privilege (LPP), creating a tension that no other regulated profession faces to the same degree. This guide sets out the current and anticipated AML framework for lawyers, the client verification process, and the consequences of non-compliance.
KYC obligations for lawyers โ what the law requires
Australian lawyers face AML obligations through two parallel frameworks: the incoming Tranche 2 extension of the AML/CTF Act, and existing professional conduct obligations under state and territory law society rules. The Law Council of Australia has been engaged in the consultation process on Tranche 2 reforms, and state law societies are preparing guidance for their members.
Currently, while Australian lawyers are not yet formally reporting entities under the AML/CTF Act, they are subject to professional obligations that include client identification requirements under state law society rules. The Legal Profession Uniform Law (applicable in NSW and Victoria) and equivalent legislation in other states impose obligations on practitioners regarding client identification. The Attorney-General's Department has been coordinating the Tranche 2 reform process.
Which activities will trigger AML duties
Under the anticipated Tranche 2 reforms, AML obligations will apply to lawyers performing work within the "designated services" scope. Not all legal work will be in scope.
In scope (anticipated):
- Buying, selling, or transferring real property or interests in land.
- Managing client money, securities, or other assets.
- Creating, operating, or managing companies, trusts, or foundations.
- Acting as a nominee shareholder or director.
- Tax advisory services (outside litigation).
- Financial or investment advice connected to the above activities.
Out of scope:
- Litigation and dispute resolution.
- Criminal defence.
- Employment law advice (not involving financial structuring).
- Family law matters not involving financial arrangements covered by the regulations.
- General legal advice that does not involve the designated activities.
The three pillars of client due diligence
When regulated work is undertaken, the firm must apply customer due diligence (CDD) at three levels:
Standard CDD. Identify the client (and any beneficial owner), verify identity using reliable and independent sources, and understand the purpose and intended nature of the business relationship.
Simplified CDD. Permitted where the client presents a demonstrably low risk โ for example, a listed public company or a government entity. Fewer documents may be required, but the risk assessment must be documented.
Enhanced CDD. Required for politically exposed persons (PEPs), clients established in high-risk third countries, and complex or unusually large transactions with no apparent economic purpose. Additional information on the source of wealth and source of funds must be obtained.
Legal professional privilege vs AML reporting โ the tension
Legal professional privilege is a fundamental right recognised in Australian law and affirmed by the High Court of Australia. It protects communications between a lawyer and client made for the dominant purpose of giving or receiving legal advice (advice privilege) or in connection with litigation (litigation privilege). The tension with AML reporting obligations is not theoretical โ it arises regularly in practice.
Table: which activities trigger AML obligations and which are protected
| Activity | AML obligations apply | SMR required if suspicious | LPP protection |
|---|---|---|---|
| Criminal defence | No | No | Full |
| Civil litigation | No | No | Full |
| Conveyancing (property purchase) | Yes | Yes, to AUSTRAC | Partial โ privilege may not apply |
| Company formation | Yes | Yes, to AUSTRAC | Partial |
| Trust administration | Yes | Yes, to AUSTRAC | Partial |
| Tax planning (non-contentious) | Yes | Yes, to AUSTRAC | Partial |
| Legal advice on AML compliance | Depends on context | No, if purely advisory | Full (advice privilege) |
| Settlement negotiations | No (litigation context) | No | Full (litigation privilege) |
When privilege yields to reporting
Under the anticipated Tranche 2 framework, a lawyer performing designated services who suspects that a person is engaged in money laundering must file a Suspicious Matter Report (SMR) with AUSTRAC. However, information received in "privileged circumstances" is expected to be exempt from the reporting obligation, consistent with international approaches.
Privileged circumstances means information communicated for the dominant purpose of giving legal advice, or in connection with actual or contemplated legal proceedings. The exemption falls away if the lawyer knows or suspects that the information is communicated with the intention of furthering a criminal purpose โ this is the "crime/fraud exception" recognised in Australian law by the High Court.
The crime/fraud exception
The protection of privilege does not extend to communications made with the intention of furthering a criminal purpose. If a client seeks legal advice in order to facilitate money laundering, that communication is not privileged, and the lawyer must report. The assessment of whether the crime/fraud exception applies is one of the most difficult judgements a lawyer must make.
Client verification process โ step-by-step workflow
A structured CDD process reduces both compliance risk and the time spent on manual checks.
Step 1: determine whether the engagement is in the regulated sector
Before any verification, the firm must assess whether the proposed work falls within the scope of designated services. If the work is purely contentious, AML obligations will not apply. If the engagement spans both contentious and non-contentious work, the firm must apply CDD to the non-contentious component while respecting privilege over the contentious elements.
Step 2: identify the client and beneficial owner
For individuals, collect full name, date of birth, residential address, and โ where applicable โ Tax File Number. For corporate clients, obtain the registered name, ACN/ABN, registered office, and the identity of all beneficial owners holding 25% or more of the shares or voting rights.
Step 3: verify identity
Verification must be based on documents, data, or information from a reliable and independent source:
- Individuals. Current Australian passport or driver licence, supplemented by a utility bill or bank statement (dated within 3 months) for address verification. The 100 point identity check system provides the framework.
- Companies. ASIC company extract, constitution or confirmation of replaceable rules, and identification of persons with significant control.
- Trusts. Trust deed, identification of all trustees and beneficiaries, and a structure chart where relevant.
Automated document validation reduces verification time from 30โ45 minutes per client to under 5 minutes, while flagging inconsistencies that manual review might miss.
Step 4: assess risk and apply proportionate measures
Apply the firm's risk assessment framework, considering:
| Factor | Lower risk | Standard risk | Higher risk |
|---|---|---|---|
| Client type | Listed public company, government entity | Australian private company, individual | PEP, trust, overseas entity |
| Geographic risk | Australia, New Zealand | Non-high-risk third country | FATF high-risk jurisdiction |
| Service type | Standard conveyancing | Commercial property | Multi-jurisdictional structuring |
| Transaction value | Below AUD 15,000 | AUD 15,000โ150,000 | Above AUD 150,000 |
| Source of funds | Employment income, verified savings | Business proceeds | Unclear or undocumented |
Step 5: ongoing monitoring and record retention
CDD is not a one-off exercise. Firms must monitor the business relationship on an ongoing basis and update verification records when circumstances change. All CDD records must be retained for at least 7 years from the end of the business relationship or the completion of the occasional transaction.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotSanctions and penalties for non-compliance
Non-compliance with AML obligations carries significant consequences for Australian lawyers, ranging from professional disciplinary action to civil penalties.
State law society enforcement
State and territory law societies have the power to impose sanctions for professional misconduct, including failure to comply with client identification obligations. Sanctions range from fines and conditions on practising certificates to suspension and removal from the roll of practitioners. State legal services commissioners can investigate and prosecute complaints against practitioners.
Criminal penalties under the AML/CTF Act
Under the Tranche 2 framework, failure to file suspicious matter reports or comply with customer due diligence requirements will be an offence. Criminal penalties under the AML/CTF Act include imprisonment for serious offences.
Reputational consequences
Law society disciplinary decisions are published. A firm found to have failed in its AML duties faces not only formal sanctions but lasting damage to its market position, client relationships, and ability to attract talent.
Automating KYC while preserving client privilege
Automation addresses both the efficiency challenge and the compliance challenge, provided the chosen tool respects the boundaries of legal professional privilege.
What a law firm needs from a KYC tool
- Data compartmentalisation. CDD data must be segregated from the legal file. No information from privileged communications should be accessible to the verification system.
- Australian/EU data residency. Client data must be hosted within a jurisdiction that meets Privacy Act 1988 and Australian Privacy Principles standards.
- Full audit trail. Every verification step must be timestamped and logged, producing an evidence file that satisfies law society inspection requirements.
- Sanctions and PEP screening. Real-time checks against the DFAT consolidated list, UN sanctions lists, and international PEP databases.
CheckFile.ai provides automated document validation with European hosting, native file compartmentalisation, and a complete audit trail. View our pricing for a solution scaled to your firm's volume.
For a detailed look at automating KYC in law firms while protecting privilege, read our companion guide on law firm KYC automation and client privilege. You can also explore our industry verification guide for a cross-sector comparison of AML obligations.
The business case
A mid-sized firm onboarding 150 new matters per month spends an estimated 75 to 110 hours on manual CDD. Automated verification reduces this by 70โ80%, freeing practitioners for billable work. Flexible financing and leasing options allow firms to implement without a large upfront outlay.
For a comprehensive overview, see our industry document verification guide. Our data from over 180,000 documents processed monthly across regulated sectors shows a 94.8% fraud detection rate and an average verification time of 4.2 seconds.
Frequently asked questions
Can a solicitor refuse to file a suspicious matter report by claiming legal professional privilege?
Only if the information was received in genuinely privileged circumstances โ that is, for the dominant purpose of giving legal advice or in connection with litigation. If the work is transactional (conveyancing, company formation, trust administration), privilege does not shield the lawyer from the obligation to report. The crime/fraud exception also removes privilege protection if the communication is intended to further a criminal purpose.
What is the difference between an SMR and a consent order?
A Suspicious Matter Report (SMR) informs AUSTRAC that a person may be involved in money laundering or terrorism financing. Under certain circumstances, a reporting entity may need to seek consent from AUSTRAC before proceeding with a transaction that may involve the proceeds of crime.
How long must CDD records be kept?
A minimum of 7 years from the date the business relationship ends or the occasional transaction is completed, consistent with the AML/CTF Act retention requirements.
Will the state law societies supervise lawyers for AML compliance?
The supervisory model for Tranche 2 is still being determined. Options include direct AUSTRAC supervision, supervision delegated to state law societies, or a hybrid model. The Law Council of Australia has been engaged in consultations on the preferred approach.
What happens if a firm has no AML policy in place?
Under the anticipated Tranche 2 framework, reporting entities will be required to maintain a written AML/CTF programme. Failure to do so will be a compliance failure that may result in enforcement action even if no actual money laundering has occurred.
Strengthen your firm's AML compliance
AML compliance is a legal obligation and a mark of professional credibility. Automating client verification with a tool designed for the legal sector saves time, reduces error rates, and produces the audit trail that regulators expect. Contact us for a demonstration tailored to your firm's requirements.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
Take action
CheckFile verifies 180,000 documents per month with 98.7% OCR accuracy. Test the platform with your own documents โ results within 48h.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.