3 key signs you need to add headcount to your AML compliance team

As Australia marches towards the 1 July 2026 start date for the new anti-money laundering (AML) regime, many law, accounting, and real estate firms are starting to strengthen their AML/CTF compliance programs for the first time. For some, this raises a critical operational question: When do you actually need more people in compliance?

While compliance should ultimately be workflow-driven, tech-enabled and proportionate to risk, there are some moments in the AML lifecycle that require an intense human lift. This isn’t about building bloated teams. It’s about recognising when people power is essential to protect your business, meet regulatory expectations and get through periods of high AML volume.

Let’s explore the key scenarios where ramping up a team makes sense and how to approach it smartly.

When more people make sense right now

1. You’re onboarding a large number of clients quickly

Whether it’s a merger, acquisition, seasonal demand or a big marketing push, client onboarding spikes can easily overwhelm a lean compliance team.

Typical onboarding processes include risk assessments, identity checks, beneficial ownership verification and source of funds/wealth analysis. And each new matter brings compliance overhead. Multiply that by hundreds of clients in a short window and suddenly you have a bottleneck that affects revenue, client satisfaction and risk exposure.

In these situations, throwing people at the front line can be the difference between meeting deadlines and grinding to a halt. You might:

• Add more compliance analysts to handle document reviews and escalations
• Temporarily reassign team members from other areas
• Bring in outsourced support to run verifications in parallel

The key is to keep your process consistent. Adding people should improve throughput, not dilute standards.

2. You’re trying to set up your compliance program from scratch

For newly regulated firms, the first six to twelve months of AML compliance can be deceptively resource-intensive. Even with the right tools and external support, you still need people to:

• Build out internal procedures and workflows
• Run training and awareness sessions
• Configure risk models and client segmentation
• Test and refine your approach in real-time

Often, this foundational work is done by a small team that wears many hats: part compliance, part operations, part change management.

Neglect this phase and you risk building something that looks good on paper but doesn’t work in practice. Throwing people at the early build phase can accelerate progress, reduce long-term risk and help ensure you meet your obligations from day one. 

3. You’ve outgrown the part-time compliance model

Early on, many firms run their AML program as a bolt-on to someone’s day job. That might be the managing partner, practice manager or a senior operations lead.

But as your volume of clients and matters grows, so does the complexity and risk profile of your AML obligations. There’s a tipping point where:

• Ad hoc reviews aren’t scalable
• Risk decisions need escalation paths and better auditability
• The ongoing 'back and forth' of requests for information and answering questions is becoming all encompassing
• Clients demand faster onboarding but you need to deliver it without cutting corners
• Staff need consistent guidance and coaching on what’s required

At this point, you don’t just need more people. You need dedicated people. That might mean a full-time AMLCO, an internal compliance team or embedded compliance champions across the business.

Scenarios to plan for later

These situations may not apply right away, but are worth anticipating. If your AML program runs into these scenarios in the future, you’ll likely need to bring in more people to manage them effectively.

1. You’re facing a major remediation effort

One of the clearest cases for throwing people at AML is remediation.

For firms that have been informally managing AML obligations without a structured compliance program, a lookback or risk-based remediation project may be needed to bring legacy files up to standard. This could involve:

• Re-verifying clients without sufficient documentation
• Identifying gaps in historical due diligence checks
• Reassessing client risk levels based on updated risk models
• Documenting decision and audit trails to meet record keeping requirements

These aren’t jobs that can be fully automated. You need skilled reviewers who understand what “good” looks like, can assess the materiality of gaps and apply judgment about what to do next.

Remediation is often time-bound and high-pressure, especially if regulators are involved. Depending on the scale of your client base and the depth of the issues, you may need to second staff from across the firm, bring in temporary reviewers or outsource to a specialist team to clear the backlog efficiently.

2. You’ve had a trigger event, such as a suspicious matter or a regulator contact

If your firm flags a suspicious matter, comes under regulatory scrutiny or receives media attention about a client or transaction, the AML workload can spike overnight. Suddenly, you need to:

• Review the full client file and associated matters
• Document your risk decisions and any escalation paths
• Notify AUSTRAC and cooperate with potential law enforcement inquiries
• Reassess related clients, entities and counterparties

These events often require rapid mobilisation of skilled people who can respond under pressure, make clear decisions and document defensible actions. It’s not about building a team to sit idle. It’s about knowing who you can pull in when needed.

Doing it right: structure, not sprawl

Throwing people at your AML program can be the right move, but only if done with intent. A few principles to follow:

• Define roles clearly. Make sure everyone understands what they’re responsible for and how decisions should be made
• Use people to manage exceptions. Automate the predictable tasks and reserve human judgment for complex or high-risk cases
• Document and train. Every uplift in people should come with guidance, templates and escalation logic to ensure consistency
• Plan for scale, not just fire drills. Use resource spikes to test what your steady-state model should look like in future

Many firms are using technology to automate parts of their AML program, such as ownership structure builds, document collection, client risk assessments, identity verification and workflow triggers. This reduces manual load and allows your team to focus where their expertise matters most.

In summary

AML isn’t something you can always solve with software or policy. Sometimes, it really is about rolling up your sleeves and getting the work done, especially when you’re fixing the past, handling a spike or building from scratch.

Knowing when to throw people at the problem and how to structure that effort is what separates firms that muddle through from those that confidently manage their compliance risk.

As regulation looms, don’t just ask, “How much will AML cost us?” Ask instead, “What will it take to do it right?"