If you run a law firm in Australia, you are about to become a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act. Not maybe. Not eventually. From 1 July 2026.
AML Tranche 2 brings lawyers, accountants, real estate agents, and other professional service providers into the same regulatory framework that banks and financial institutions have been operating under for years. It is the single biggest compliance change to hit the Australian legal profession in a generation, and it affects every firm — not just the ones doing conveyancing or handling trust funds.
Is your firm ready to be a reporting entity — or are you waiting until June?
AUSTRAC enrolment opened on 31 March 2026. If you have not started the process, the time is now.
Full AML/CTF obligations begin. Reporting entity status, written compliance programme, customer due diligence, record keeping for seven years, annual reporting, suspicious matter reporting — all required from this date. AUSTRAC has signalled it expects readiness from day one.
What your firm needs to have in place
The obligations under AML Tranche 2 are not optional and they are not vague. Seven concrete things every Australian law firm needs in place before the deadline.
The enrolment portal is open now. This is the first step and it needs to happen before any of your other obligations kick in. The window to leave it until June and still get it right is closing.
Someone in your firm needs to be formally responsible for the AML programme. Not a placeholder name — a person who understands the obligations and is empowered to act on them. For most small to mid-size firms, this will be a partner or senior manager.
This is your firm's documented approach to identifying, mitigating, and managing money laundering and terrorism financing risks. It needs to be tailored to your firm — not a generic template downloaded from the internet. AUSTRAC will expect to see something that reflects your actual practice areas and client base.
Verify the identity of clients before providing designated services. That includes collecting identification documents, verifying beneficial ownership of corporate entities, and conducting ongoing monitoring of the client relationship through the life of the matter.
All AML-related records — enrolment details, client identification, transaction records, compliance documentation — must be retained for a minimum of seven years. That is not a suggestion. It is a legal requirement, and it is the kind of obligation a regulator can ask you to demonstrate at any point.
Each year you will need to report on your AML/CTF compliance. That means your systems need to be able to produce the data AUSTRAC requires — not just store it, but report on it. Spreadsheets cobbled together at the end of the financial year are not going to be enough.
If something does not look right, you are legally obligated to file a suspicious matter report (SMR) with AUSTRAC. This needs to happen promptly, and your staff need to know what to look for. Training is part of the obligation, not optional.
This is a systems problem as much as a legal one
The scale of Tranche 2 is significant. AUSTRAC estimates between 80,000 and 90,000 new reporting entities will come under the regime. That is an enormous number of businesses that have never had to think about AML compliance before, and the regulator has made it clear they expect readiness from day one.
For law firms specifically, the challenge is not just understanding the rules. It is operationalising them. Customer due diligence needs to happen at the start of every new matter. Records need to be stored securely and retrievable for seven years. Compliance reporting needs to draw on real data from your practice, not manual spreadsheets cobbled together at the end of the financial year.
You can do all of this with discipline and a separate AML tool bolted onto the side of your practice management software. Or you can do it inside the system you already use every day. Those are not equivalent options.
The bolt-on trap
Firms are being sold standalone AML compliance tools. Another subscription. Another login. Another system that sits outside your practice management software and requires you to duplicate data entry, manage separate records, and reconcile information across platforms.
This is the same pattern firms have already lived through with trust accounting, with general accounting, with document management. Every time a law firm bolts on a separate system for something that should be built in, it creates more work, more risk, and more cost.
If your practice management software does not handle AML compliance natively, you are going to end up with exactly the kind of fragmented setup that makes compliance harder, not easier. You will have client data in one system, AML records in another, and no simple way to pull it all together when AUSTRAC comes asking questions.
Vendors marketing AML "modules" or "integrations" that turn out to be a separate product with a separate licence fee. Ask whether AML compliance is included in your existing subscription or whether it is going to be the next monthly cost line item on your renewal.
If your provider answers "we integrate with [third party]" rather than "it is built in," that is a fragmented setup that will cost you over time.
Where Law App stands
At Law Support Australia, we believe AML compliance belongs inside your practice management software — not beside it. It should be part of the same workflow you use to open a matter, record your time, manage your trust account, and bill your client.
We are building AML compliance directly into Law App. Customer due diligence, record keeping, compliance reporting — integrated into the platform you already use every day. No separate tool. No extra subscription. No duplicate data entry.
This is still in development, and I want to be upfront about that. But we are building it because we believe it is the right approach — and because the firms we work with have told us clearly that they do not want yet another system to manage. If your firm is on a platform that handles general accounting, trust, billing, and matters in one place, AML belongs in that same place. Not in a thirteenth tab.
If you are about to sign with a standalone AML compliance product, have a quick conversation with us first. Not because we are ready today — we are clear we are not — but because the architecture decision you make in the next three months will shape how AML lives inside your firm for years.
What to do right now
If your firm has not started preparing for AML Tranche 2, here is a short list to start with this week. None of these require waiting on us or anyone else.
The portal is open. The enrolment itself is straightforward. Don't leave it until the last minute — AUSTRAC will be processing tens of thousands of enrolments and you do not want to be in the queue in late June.
Someone needs to own this inside your firm. Make it official, in writing, with the time and authority to actually do the role.
Get advice if you need it — this is not something to leave to chance. The programme needs to reflect your actual practice areas, client types, and risk profile. Generic templates will not survive a regulator's eye.
Can your practice management software store CDD records? Can it produce compliance reports? If the answer is no — or "kind of, with some manual work" — you have a gap to fill before July.
If the answer is "integrate with a third-party tool," ask yourself whether that is really the simplest path forward — or whether you are about to add another subscription and another login to a stack that is already full.
AML Tranche 2 is complex, but it does not have to be chaotic. The deadline is not going to move. But you still have time to get this right.
- AUSTRAC enrolment for Tranche 2 reporting entities — opened 31 March 2026: austrac.gov.au
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) — the underlying legislation
- AUSTRAC estimate of 80,000 to 90,000 new reporting entities under Tranche 2
- 1 July 2026 — full AML/CTF obligations commence for Tranche 2 reporting entities
- Record retention — minimum seven years per the AML/CTF Act