Spirit Managed Services is now branded Infotrust.

AML Is Coming for Law Firms: Are You Ready for July 2026?

Jeremy Burtenshaw
May 25, 2026

New AML rules are coming - and law firms are in scope

From 1 July 2026, many Australian law firms will be required to comply with anti‑money laundering and counter‑terrorism financing (AML/CTF) laws for the first time.

This is a significant change for the legal sector, but it doesn’t need to be overwhelming. The key is understanding why it’s happening, what is required, and how to get ready without over‑engineering the solution.

Why are AML rules being extended to law firms?

Australia’s Anti-Money Laundering (AML) laws have traditionally focused on banks and financial institutions. Regulators now recognise that law firms can be used, often unintentionally (that's my legal disclaimer!), to facilitate money laundering, particularly in areas such as:

  • Property transactions (buying or selling real estate for clients)
  • Managing client money (trust accounts, escrow funds)
  • Company and trust creation (setting up entities that can obscure ownership)
  • High-value deals (complex financial or commercial transactions)

Australia has also faced strong international pressure to bring lawyers and other “gatekeeper” professions into the AML regime. Compared to other countries, Australia was behind.

The result is a set of Tranche 2 AML reforms designed to close these gaps and align Australia with global standards. In short: law firms handling certain transactions will soon have obligations similar to banks when it comes to knowing their clients and reporting suspicious activity.

Will these rules apply to every law firm?

Not necessarily.

The AML obligations apply to firms that provide certain “designated services”, including:

  • Assisting clients to buy or sell real estate
  • Handling client funds or payments
  • Creating or managing companies, trusts, or business structures
  • Conducting transactions on behalf of clients involving high-value assets or payments

Most litigation and general legal advice is out of scope for AML obligations. However, every firm should review its services to see if any fall under the regulated categories. If you perform even one designated service (for example, a small firm doing occasional property settlements), you’ll likely need to comply.

What will law firms be required to do?

Affected law firms will need to put several key measures in place:

1. Register with AUSTRAC

If your firm provides designated services, you must enrol with AUSTRAC (the government’s financial intelligence regulator) as a reporting entity.

2. Know your client (KYC)

Perform client identity verification for matters that are in scope. This means sighting and recording IDs (like passports or driver licences) and understanding the purpose of the matter (e.g., is a property purchase on behalf of the client, or could it be a front for moving illegal funds?).

3. Assess and manage risk

Develop an AML/CTF Program for your firm. This is a document (and set of procedures) that explains how your firm identifies money-laundering risks in its work and how you mitigate them. It covers things like staff training, internal controls, and regular reviews of your AML processes.

4. Monitor and report

Keep an eye on client transactions and activities. If something seems off (e.g., a client tries to move a large sum in cash or makes an unusual request), you may need to submit a Suspicious Matter Report to AUSTRAC. Also, any cash transactions over $10,000 must be reported via a threshold transaction report.

5. Keep records

You’ll need to retain records of KYC checks and certain transactions for at least seven years, in case regulators ask to see them.

6. Appoint an AML Compliance Officer

Assign a person (in a small firm, likely a partner or the principal) who is responsible for your firm’s AML compliance. This person oversees the AML program, ensures staff are trained, and acts as the point of contact with AUSTRAC.

What does this mean day‑to‑day?

For many law firms, the biggest challenge won’t be writing policies - it will be managing data in practice.

AML compliance means you’ll be handling more sensitive client information (IDs, financial details, etc.) and storing it as part of your client files. Currently, in many firms this kind of information is scattered across:

  • Email inboxes (e.g., clients email you copies of their passports)
  • Shared drives or file shares
  • SharePoint or Microsoft Teams conversations and files
  • Document management systems (DMS)
  • Archived matter folders (sometimes on old servers or drives)

This sprawl of unstructured data creates risk because:

  • It’s hard to find specific documents when you need them.
  • Too many people might have access to sensitive files if they’re not locked down (client IDs sitting in a public folder is a problem).
  • Old data lingers – you might have personal information that should have been deleted but wasn’t.
  • Proving compliance is harder if your records aren’t well-organised. Imagine an AUSTRAC audit asking you to show all the ID documents for a particular client matter; can you retrieve them quickly?

All this is compounded by the need to uphold client confidentiality and privacy. The Privacy Act still applies – you must take reasonable steps to protect personal information. In fact, even small firms that were previously exempt from some privacy rules will have to handle data carefully under these AML obligations.

The bottom line: You can’t manage AML risk if you don’t know where your sensitive data is.

How Infotrust and Cyera help law firms get ready - quickly

Infotrust has partnered with Cyera, a leading Data Security Posture Management (DSPM) platform, to supercharge the way law firms prepare for these new AML obligations. Together, we focus on practical steps that deliver results fast:

Discover sensitive data instantly with AI

We leverage Cyera’s advanced DSPM to automatically find and classify your sensitive data across all your systems – whether it’s in Microsoft 365 (SharePoint, Exchange, Teams), on file servers, or in cloud apps. Cyera’s platform scans your data and uses AI-driven classification to identify and categorise information assets (like personal IDs, financial records, contracts, and client files) with high precision. This provides a detailed, up-to-date map of your data in a fraction of the time it would take using manual processes or native tools alone.

Accelerate your classification framework

Because we get a rich inventory of data and its categories from Cyera’s analysis, Infotrust can help you build or refine your data classification framework much faster. In practice, that means defining the right sensitivity tiers (e.g., Public, Internal, Confidential, Highly Confidential) with confidence, because you have real evidence of what kinds of data your firm holds. Cyera’s insights help ensure that nothing important is overlooked – even data types that are unique to your practice (like specific client documents or IP) can be identified. We then use these categories to set up sensitivity labels and policies appropriate to each level.

Use the tools you already have – enhanced

The goal is not to rip-and-replace your existing systems, but to enhance them. Cyera’s platform works on top of your Microsoft Purview and broader cloud environment, adding a rich layer of visibility and intelligence. This means you can extend Purview’s built-in capabilities: for example, using Cyera’s findings to fine-tune your Microsoft Information Protection labels or to identify gaps that Purview’s out-of-the-box scanners might miss. In short, Infotrust and Cyera together help you make better use of the investments you’ve already made in Microsoft 365 and other data repositories, by ensuring these tools focus on the right high-risk areas.

Accelerate DLP controls with Cyera OmniDLP

Designing and refining Data Loss Prevention (DLP) policies can be a time-consuming effort for law firms. Cyera’s OmniDLP capability accelerates this process. By acting as an AI-driven “brain” for DLP, OmniDLP can analyse your identified sensitive data and quickly suggest or implement effective block/enforce rules across your existing DLP solutions (like Microsoft Purview DLP). This means you can move to active data protection (blocking or restricting risky data flows) in a fraction of the time compared to traditional manual rule-building projects. Essentially, OmniDLP helps skip the long trial-and-error phase and gets you to a working set of intelligent DLP controls much faster.

Reduce data sprawl and risk

With greater visibility from Cyera’s platform, Infotrust helps you establish an information governance framework to rein in unnecessary data sprawl. We’ll guide you to consolidate or clean up redundant data, move critical documents into secure repositories, and set rules on retention and deletion. This reduces the amount of “toxic” data lying around, lowering your exposure in case of a breach and simplifying compliance with Privacy Act principles about data minimisation.

Focus on speed to value

Our combined approach with Cyera is designed to deliver quick wins. Cyera’s cloud-native platform can often be connected and operational within days, providing actionable insights almost immediately. With Infotrust’s expertise layering on those insights, we can show tangible improvements – like identifying and securing a set of high-risk client files or enabling a critical DLP policy – in weeks rather than months. This fast turnaround helps your firm stay ahead of regulatory deadlines and demonstrates to partners and clients that you are actively managing your data risks.

Final thoughts

The new AML requirements are a substantial change for law firms – but they don’t have to be an ordeal. By tackling the data challenge head-on and using smart tools like Cyera’s platform in tandem with Infotrust’s expertise, your firm can meet these obligations efficiently.

Firms that act early, gain visibility into their data, and put strong yet sensible controls in place will be well-positioned to satisfy regulators and protect client confidentiality. With Infotrust and Cyera working together, you’re equipped to get ahead of these changes – rapidly mapping your data, securing it, and confidently navigating the new AML era while maintaining your focus on serving clients. Contact us to help you prepare for the upcoming legislation.