Lawyers understand the law, and criminals understand the mechanics

Law firms think they’re prepared for Tranche 2. They’re not, writes Brett Erickson.

October 24, 2025 By Brett Erickson

They’re drafting internal policies, assigning someone the compliance title, updating onboarding forms, and convincing themselves that’s enough. But most still see this as a legal interpretation exercise. They’re focused on what counts as a “designated service”, what’s protected by privilege, and where liability begins and ends. What they’re not doing is defining the actual risk.

None of that matters if they don’t understand the mechanics.

 
 

The law might get them through the first year. The mechanics are what get them through the audit. Or not.

That’s the gap. It’s not theoretical. It’s operational. Most firms won’t see the risk until it’s already inside. Not because they’re negligent. Because they’re disciplined in the wrong places. They know how to interpret regulation. They know how to write policies. What they don’t know, what no one inside knows, is how money laundering actually looks when it happens in real time. Not in banking. In law.

This is the misunderstanding. Banks live in volume. Law firms live in trust. And when criminals use a law firm, it’s not for speed. It’s for legitimacy. That’s what legal services offer.

The most dangerous transactions don’t show up with red flags. They show up with letters of engagement. A nominee agreement. A trustee appointment. A property purchase through a clean trust account. Everything looks right, except the money and where it came from.

That’s not a gap in law. That’s a gap in operational vision.

Right now, firms are trying to close that gap by borrowing from the banks. Frameworks. Typologies. Escalation trees. It won’t work. Law firms don’t have transaction velocity. They have client proximity. Laundering doesn’t happen in batch files. It happens in slow-moving pieces. A restructuring. A trust. A file that moves forward because no one thinks to stop it.

And the truth is, why would they?

Until now, they’ve never had to. Tranche 2 changes that. But not in the way firms think. This isn’t about building a program that looks good. It’s about building judgement. Having someone inside who knows how this works. How money moves. How cover is built. How clean deals get built around dirty intentions.

That part never makes it into the PowerPoint.

A compliance officer can write the policy. But when a client wants to use the trust account for a “simple transfer”, and the partner says yes because it feels routine, that’s where it breaks. That’s when the framework becomes a formality.

The most vulnerable firms won’t be the ones doing business with criminals. They’ll be the ones that think reputation protects them from having to notice.

That assumption, that privilege and polish are enough, is exactly why AUSTRAC is coming. The regulator knows how law firms have been used. Not in theory. In practice. In structures built to look boring. That’s where the risk is. That’s where it’s always been.

The firms that think they’re safe because they’re small are wrong. The risk isn’t scale. It’s specificity. A regional firm with one partner running offshore property deals and no escalation process is more dangerous than a 200-person shop with real review culture. This is about posture, not size.

AUSTRAC will ask about the trust flows. The structuring. The beneficial owner no one could pin down. And when that happens, a lot of firms will reach for their documentation and realise they have no answer to the only question that matters: why did you let it through?

The answer can’t be “we didn’t know”. Not anymore. Not with the guidance public. Not with the timeline set. Not with the FATF playbook in every regulator’s hand.

The firms that get through first will be the ones that built something custom. Not a bank template. Not a recycled tool. Something tailored to legal services. Built by people who’ve actually seen this work.

That’s the shift. Not more checklists. More fluency.

Because this isn’t about whether lawyers can write policies. They can. It’s about whether they can tell the difference between a client who’s complex and one who’s hiding. If they can’t, everything downstream is cosmetic.

Law firms are about to become reporting entities for the first time in history. Some will treat it like a technical update. The smart ones will treat it as a threat profile shift. One they weren’t trained for. One they need help navigating. One that cannot be solved with documentation alone.

Tranche 2 isn’t the hard part.

What comes after is.

Brett Erickson is the managing principal of Obsidian Risk Advisors, an advisory board member at the Loyola University Chicago School of Law – Center for Compliance Studies, Seton Hall School of Diplomacy and International Relations, and the DePaul University Driehaus College of Business.