Part 4: Staying compliant: Setting up a robust AML programme for your law firm.
In the last article, we reviewed the LCA’s submission against Tranche 2 and offered counter arguments to their worries about LPP. As noted, almost every other law firm in the world strikes a balance and adheres to AML legislation. In this article, we assume Tranche 2 will proceed and, using the Tranche 1 legislation as a guide, look at what it will likely mean for creating an AML programme at a law firm.
For a full guide to setting up an AML compliance programme download the AML Compliance Guide.
For Australian law firms, the concept of Tranche 2 AML/CTF legislation is becoming a matter of ‘when’ not ‘if’. Prudent firms are implementing comprehensive AML compliance programmes, allowing them to be compliant while still upholding sacred duties like client confidentiality and legal professional privilege. It’s a difficult balancing act but can be done.
Although legislation has not been passed, we assume that when it is, it will be similar to what is already in place for Tranche 1 entities. Namely, it requires:
- Developing a written AML/CTF Programme
- Collecting and verifying client details before providing services – often referred to as ‘know your customer’ (KYC) information.
- Reporting certain transactions over monetary thresholds, international transfers, information about carrying or shipping physical currency and any suspicious transactions or interactions.
- Keeping and securely storing AML/CTF records.
- Submitting compliance reports when requested.
The AML/CTF Programme has two parts:
- Part A includes processes and procedures that help you identify and manage ML/TF risks.
- Part B is focused on the procedures of identifying customers and beneficial owners, and verifying identities.
To meet obligations under the Act as it currently stands for Tranche 1 entities, law firms will likely need to:
- Appoint an AML/CTF Compliance Officer.
- Conduct a Risk Assessment to identify and determine the ML/TF risks they may encounter in the course of business.
- Develop and implement an AML/CTF Compliance Programme.
- Implement a Customer Due Diligence (CDD) System.
It’s a balancing act, but achievable. Let’s look at these in a bit more detail.
AML Compliance Officer (AMLCO) – more than just a title.
At the heart of a firm’s AML compliance programme is the AMLCO. This role has significant responsibilities including implementing and maintaining the AML/CTF programme, providing advice and training, and acting as the liaison with regulators.
In many firms the AMLCO is also a Partner or senior executive with practice managers playing a significant supporting role.
AMLCOs need strong technical knowledge of AML regulations, strong interpersonal skills, risk management skills and the authority to follow external auditors’ recommendations. It’s a weighty role carrying substantial accountability, so firms must ensure AMLCOs have sufficient resources and empowerment to succeed.
Risk-based approach
AUSTRAC is clear that reporting entities must take a risk-based approach to their AML programmes. For law firms, this entails scrutinising the likelihood of them being used for money laundering or terrorist financing based on:
- Types of engagements
- Business size and nature
- Customer profiles
- Services provided
- Service delivery channels
- Foreign jurisdictions involved
- Payment methods utilised
This critical first step identifies vulnerabilities and supports a risk-based model that concentrates resources on higher-risk areas demanding enhanced due diligence.
“The risk-based approach is all about designing a compliance framework that’s responsive to the risks in your business,” Alice Molan, Partner at Herbert Smith Freehills notes. For example, you’ll treat a low-risk client with a low-risk transaction (e.g. a long-time client buying a family home) very differently to a new client based in a high-risk country conducting a high-value transaction.
Clear policies and procedures
For Tranche 2 entities, UK and NZ regulators emphasise needing evidence that firms followed a sound risk assessment process when onboarding clients, rather than scrutinising specific intake decisions. For Tranche 1, AUSTRAC stresses throughout the Act they want defined procedures consistently implemented, rather than questioning the decision-making itself. “Maintaining clear audit trails is crucial,” notes Jessie Mao, Global head of compliance, First AML.
Updated client intake forms
At client intake, firms should make clear that anti-money laundering checks will occur as part of compliance. This may mean amending engagement letters or terms. Getting clients’ buy-in early is vital – the more prepared they are, the smoother verification and onboarding proceeds. Their cooperation is paramount.
Client identity procedures and transaction monitoring.
The well-known ‘Know Your Customer’ (KYC) task is part of the verification process, but depending on risk, firms may also need to collect and check:
- Beneficial ownership
- Electronic identity verification (eIDV)
- Identity documents
- Address or date of birth
- Source of wealth evidence
- Politically exposed persons (PEPs)
“You need defensible evidence justifying client intake or exit decisions,” explains Jessie Mao. Enhanced due diligence such as source of wealth checks is necessary for higher-risk cases.
For transaction monitoring, larger firms may use systems flagging outliers such as unusual transfers. But these can be overkill for smaller firms. Human inputs remain vital – during onboarding, staff can spot odd behaviour or answers that just don’t add up.
“There’s a difference between an unusual activity that requires more questions in order to get comfort versus an activity that’s suspicious and requires you to report to AUSTRAC,” explains Alice Molan. “If what you’re being told doesn’t pass the smell test and none of it is making sense, then it might be the right time to say that these are instructions that you can not currently accept.”
Continuous training and empowered personnel
Based on Tranche 1 requirements, we assume Tranche 2 reporting entities will also need to provide regular AML/CTF risk awareness training to relevant staff.
The training will likely need to cover ML/TF risks the firm faces, obligations under the AML/CTF Act, consequences of non-compliance, and the firm’s procedures for meeting obligations and managing risks. It should also address evolving money laundering typologies and red flags – essential for keeping staff skills sharp and enabling informed decisions that respect legal privilege.
Staff empowerment through comprehensive, up-to-date training is key for balancing AML compliance within a firm’s professional duties.
Use of technology
Finally, the programme should also note if technology or third-party services are being used and their associated risks. Globally, there is a plethora of technology solutions used to guide, monitor, process, flag and report in order to meet AML obligations while minimising burden, mitigating risk and reducing reliance on subjective judgments.
Conclusion
The most progressive law firms increasingly see comprehensive AML programmes not just as a check-box exercise, but as a competitive advantage demonstrating commitment to financial integrity and corporate ethics.
“In this environment of elevated enforcement, clients want confidence that they’re dealing with diligent, responsible firms,” Mao said. “Having robust compliance systems signals you’re a safe pair of hands to do business with.”