Why Tranche 2 matters beyond compliance

Australia is a member of the Financial Action Task Force (FATF), the international body responsible for setting global standards to combat money laundering, terrorism financing and proliferation financing. In its last assessment of Australia, FATF identified serious gaps in the regulation and supervision of “designated non-financial businesses and professions” including lawyers.

That finding matters. Criminals do not move illicit funds at random. They deliberately seek out professional services that can add legitimacy to transactions, obscure beneficial ownership, move money through trust accounts or provide advice that cloaks activity in respectability. Without reform, Australia faced a genuine risk of being placed on FATF’s so-called “grey list” – a designation that signals elevated money-laundering risk and carries real economic and reputational consequences.

An outcomes-based regime

Rather than simply imposing a bank-style compliance regime on law firms, the reformed AML/CTF framework adopts an outcomes-based approach. The legislation sets out the regulatory outcomes firms must achieve, while more detailed obligations sit in the AML/CTF Rules and guidance. Importantly, firms are given flexibility to design controls that are proportionate to their size, structure and risk profile.

For legal practices, this approach presents both an opportunity and a challenge. Firms are not expected to implement complex, highly automated systems. But they are expected to exercise professional judgement and to be able to explain – and defend – why their controls are appropriate for the risks they face. Compliance is no longer a matter of ticking boxes; it requires informed, documented decision-making.

Who is caught – and why many firms will be

Tranche 2 obligations are not triggered by professional title, but by whether a firm provides a “designated service”. For lawyers, this includes activities such as assisting with real estate transactions, company or trust formations, managing client funds through trust accounts, facilitating equity or debt transactions, or acting as a director, trustee or nominee.

This means many firms that do not consider themselves transactional will still fall within scope. Conveyancing, estate and succession planning, trust work, company restructures and certain litigation-related fund movements can all trigger obligations. The key question is not “are we a law firm?”, but “which of our services are designated services, and when do we provide them?”

Why risk assessment is the foundation

AUSTRAC has been clear that a firm’s money laundering, terrorism financing and proliferation financing (ML/TF/PF) risk assessment sits at the heart of compliance. In enforcement activity across other sectors, weak or generic risk assessments have consistently been the starting point for regulatory action, with deficiencies cascading into customer due diligence, transaction monitoring, reporting, personnel due diligence and governance.

For legal practices, risk is often contextual rather than transactional. Australia’s National Risk Assessment highlights vulnerabilities such as misuse of trust accounts, obscured sources of funds through loans or settlements, complex ownership structures, cross-border matters and third-party payments. In most cases, lawyers are not complicit – they are unwitting facilitators. A meaningful risk assessment requires firms to consider not just what services they provide, but how those services could be misused.

What firms should be doing now

With commencement approaching, firms should be taking practical steps. The first is to clearly identify which services constitute designated services. For many practices, only a subset of matters will be captured – but that distinction needs to be documented and kept under review.

Firms will also need to enrol with AUSTRAC, a process that opens on 31 March 2026. Enrolment requires accurate business information, nominated contacts, details of designated services and confirmation of key roles, including an AML/CTF compliance officer. Failure to enrol is likely to be treated as a serious red flag.

A tailored ML/TF risk assessment should then inform the firm’s AML/CTF program, covering customer due diligence, monitoring, reporting, training, record-keeping and independent evaluation. Policies must be more than theoretical – they need to be approved, implemented and followed in practice. Governance is critical. While a compliance officer manages day-to-day obligations, ultimate accountability rests with partners and senior leadership.

A defining moment for the profession

AUSTRAC has indicated it does not expect perfection on day one, but tolerance will be limited for firms that fail to engage at all, ignore enrolment obligations or appear wilfully blind to risk. Beyond regulatory consequences, AML/CTF failures can undermine client trust and expose firms to broader ethical and reputational harm.

Tranche 2 represents a moment of change for the legal profession, formally recognising lawyers as gatekeepers to the financial system. Firms that engage early, take a proportionate approach and embed AML/CTF into their broader risk management frameworks will be best placed to navigate the transition. Those that delay may find scrutiny arrives sooner than expected.