Tranche 2: What Australian law firms can learn from the UK’s AML regime

Australian firms have an opportunity to learn from their UK counterparts and get ahead of the curve. We spoke to AML expert Jonathon Bray to get his take. Here are five key lessons he thinks you should consider before Tranche 2 takes effect.

Australia’s long-awaited Tranche 2 anti-money laundering (AML) reforms will bring lawyers, accountants and real estate agents into the scope of AML regulation. This means significant new compliance obligations for law firms - some of which will be familiar to UK firms that have been navigating these waters since 2017.

The UK’s Money Laundering Regulations 2017 (MLR2017) forced law firms to implement risk-based AML frameworks, conduct client due diligence (CDD), and prepare for regulatory scrutiny. Many underestimated the level of enforcement, the operational impact and the cultural shift required to embed AML into everyday legal practice.

Here's what you can learn from.

1. Compliance costs: Budgeting for AML is non-negotiable

Australian law firms concerned about the financial burden of AML compliance are right to be concerned. UK firms quickly found that effective AML compliance comes with real costs, including:

Staffing

The appointment of a full time Money Laundering Compliance Officer (MLCO) or Anti Money Laundering Compliance Officer (AMLCO) as it’s called in Australia  is common in large firms. As is the addition of other or additional compliance staff, such as analysts, is now common for large firmsstandard. Even small firms found that delegating AML responsibilities to existing staff came at a cost - typically, lost fee-
earning time.

Technology

Electronic ID verification tools, client screening software, and AML compliance platforms have become essential. UK firms that tried to handle due diligence manually, especially those dealing with complex entities such as businesses or international clients struggled to keep up.

Training

Regulators in the UK expect ongoing, tailored training for all staff, not just a one-off induction session. Some firms learned the hard way - failing to keep training up to date led to enforcement action. Although AUSTRAC is not expected to come down hard initially, they have previously specified robust training expectations for Tranche 1 entities which will likely be similar for Tranche 2 firms. their expectations of training

Policies and risk assessments

• Every UK firm is required to have a firm-wide AML risk assessment. Many initially underestimated this requirement, treating it as a ‘tick-box exercise’ rather than an evolving document that guides compliance.
• To mitigate costs, some UK firms have found ways to pass on reasonable compliance fees to clients, such as small ID-check or onboarding fees. Australian firms should consider whether similar approaches could be viable within ethical and regulatory constraints.
• In Australia, reporting groups are likely to be allowed in order to share the cost burden. Essentially, “entities in a reporting group share some or all risk management and compliance arrangements including those set out in a group AML/CTF program established by a lead entity of the group. The reporting group concept is currently being finalised through changes to the AML/CTF Rules.”

2. Regulatory enforcement: Inspections and fines will come fast, once the grace period is over.

If there’s one thing UK firms learned quickly, it’s that regulators mean business. The Solicitors Regulation Authority (SRA) has ramped up proactive inspections, with hundreds of law firms facing desk-based reviews and on-site visits each year. While these reviews and on-site visits may not sound like much, they take away your AMLCO from their normal tasks and can place a lot of stress and pressure on a broader group of people. These visits and reviews can last anywhere from 1 day to weeks 

Common AML failures that have resulted in enforcement include:

• Missing or inadequate firm-wide risk assessments
• Poorly maintained AML policies and procedures
• Lack of proper client due diligence records

Firms that assumed enforcement would focus only on ‘bad actors’ quickly realised that even minor technical breaches could result in hefty fines. Fines routinely equivalent to 2% of a firm’s turnover - even where no actual money laundering took place. While there’s no guarantee that will happen in Australia, it’s worthwhile keeping in mind the standards other countries set, which may influence Australia.

Small firms are particularly vulnerable in the UK. The SRA has shown no hesitation in penalising sole practitioners and smaller practices that failed to meet basic requirements. All feedback to date has been that AUSTRAC will not take a tough stance initially, especially if firms can show they made mistakes in good faith. However, if AUSTRAC follows the UK’s stance expect early audits to  target missing policies and risk assessments before moving on to more complex issues and fining based on level of a sliding scale of non-compliance. 

3. Risk management: The ‘risk-based approach’ is more than a buzzword

One of the biggest cultural shifts for UK law firms was moving away from a blanket ‘tick-the-box’ approach to AML compliance. The regulations require a risk-based approach (RBA), meaning firms must:

• Conduct ongoing firm-wide risk assessments
• Apply enhanced due diligence (EDD) for high-risk clients (e.g. politically exposed persons or offshore entities)
• Keep client records and risk assessments up to date - not just at onboarding, but throughout the client relationship

Firms that failed to demonstrate how they identified and mitigated risks often found themselves facing penalties. Simply having a written policy isn’t enough. Regulators want to see that AML procedures are genuinely embedded in everyday decision-making.

For Australian firms, this means early preparation is key. Although the final rules have not yet been released Regulators will expect to see a documented risk framework that reflects the nature of your firm’s work - especially in high-risk areas like conveyancing, trust services and company formation.

4. Client due diligence (CDD.) It’s more than just ID checks

Lawyers who think AML compliance is just a matter of photocopying a passport, or a bit more than a VOI check are in for a rude awakening. UK firms quickly learned that CDD is an ongoing obligation, not a one-off task at client intake.

The UK model applies three levels of CDD:

• Simplified CDD for low-risk clients (e.g., government bodies, publicly listed companies)
• Standard CDD for most clients, requiring ID verification and basic risk assessment
• Enhanced CDD (ECDD) for high-risk clients, requiring deeper due diligence, senior management sign-off, and ongoing monitoring. In the first round of rules released for consultation, AUSTRAC proposed that reporting entities must conduct source of wealth and source of funds for all foreign PEPs and high-risk domestic/foreign PEPs.

While the rules have not been finalised, this is highly likely to be retained.

For existing clients, AUSTRAC is specifying that, “You will not be required to perform initial or ongoing CDD on a pre-commencement customer until: 

• you are required to file a suspicious matter report in relation to the customer 
• there is a significant change in the nature and purpose of the business relationship with a customer which results in the ML/TF/PF risk of the customer being assessed as medium or high. 

This is intended to reduce the regulatory burden of regulating your existing customers, while ensuring that they are subject to appropriate customer due diligence measures when their risk profile changes.” 

To address these levels of CDD, electronic ID verification tools have become the norm in UK law firms. While they save time and improve accuracy, firms also learned that technology alone isn’t enough- lawyers must still apply judgement and properly analyse client risk.

Expect client pushback. Many UK lawyers initially worried about losing business by asking too many questions. However, AML compliance is now seen as a standard part of legal practice and firms that communicated their requirements clearly to clients saw minimal resistance. Australian firms should prepare for similar cultural adjustments.

 5. Making suspicious matter activity reports (SMARs) to the authorities

One of the most challenging aspects of AML compliance for UK law firms has been knowing when to file a Suspicious Matter  Report (SMR) (or Suspicious Activity Report - SAR as it’s called in the UK) with the National Crime Agency (NCA). The obligation to report suspicions of money laundering overrides client confidentiality, except in very limited circumstances.

AUSTRAC has specified that an SMR must be submitted  “When you suspect on reasonable grounds that a person is not who they claim to be or that a matter is linked to criminal activity or proceeds of crime.”

Key lessons from the UK experience include:

• SMRs must be well-documented and detailed - vague reports with missing information slow down law enforcement efforts.
• Law firms are expected to self-police - regulators will not hesitate to impose penalties if they believe a firm has failed to report suspicious activity, which is also an offence in its own right under UK law.
• High-risk areas like property transactions attract more scrutiny - conveyancing has been the subject of many legal-sector SMRs in the UK, as criminals are known to attempt to launder money through real estate.
• Training is key - many firms struggled in the early years because lawyers didn’t fully understand what constituted ‘suspicion.’ It is a pretty low bar. Clear internal reporting processes and ongoing training have improved compliance.
• Australian firms will have to submit SMRs to AUSTRAC. Setting up clear internal escalation procedures - where fee earners can raise concerns with their AMLCO  - will be critical.
• AUSTRAC has specified that the new laws will provide clear protections for legal professional privilege, ensuring the AML/CTF Act does not require disclosure of privileged information. A dedicated form will be available on the AUSTRAC website for asserting privilege, with further guidance to follow in Ministerial guidelines.

Tranche 2 is coming. The time to prepare is now

UK firms that delayed implementing AML procedures found themselves on the receiving end of enforcement action. Although AUSTRAC is expected to offer a substantial grace period, it won’t last forever. Australian firms have an opportunity to learn from the UK’s mistakes and get their house in order for  Tranche 2 now.

Some final thoughts based on the UK experience:

• Budget for AML compliance - staff, technology, training and risk assessments all come with real and opportunity costs.
• Expect real enforcement post grace period - regulators will audit firms and fines for non-compliance will follow.
• Build a strong risk-based approach - firms that engage with risk properly will fare much better than those that rely on checklists.
• Embed CDD into workflows - this is a fundamental part of legal practice under AML rules.
• Get comfortable with SMR reporting - firms will need to report suspicions promptly and correctly.