From 1 July 2026, Australian law firms that provide designated services will become reporting entities under the AML/CTF Act, as amended by the 2024 legislative reforms. This includes activities such as:
- Conveyancing and real property transactions
- Setting up trusts or companies
- Managing client funds or assets
- Acting as a nominee shareholder, trustee, or director
These firms must assess the money laundering, terrorism financing, and proliferation financing (ML/TF/PF) risk of all new customers before providing a designated service, as part of their Customer Due Diligence (CDD) obligations. This is consistent with Section 28(3)(a) of the AML/CTF Act and AUSTRAC’s risk-based approach outlined in Part 5 of the Second Exposure Draft AML/CTF Rules (ED2).
Realaml’s Risk Rating tool is built to help law firms meet these obligations quickly, affordably, and auditably.
Part 1: Set Up Your Firm’s Risk Profile
Your Risk Profile defines how your firm assesses customer risk and what actions staff should take based on that risk level.
🔒 AUSTRAC requires your CDD procedures, including risk assessments, to be tailored to your firm’s designated services, delivery channels, and risk exposure.
Access via: Compliance → Risk Profile
1.1 Profile & Red Flags
Risk assessments must address AUSTRAC’s three core ML/TF/PF indicators:
- Customer Type
- Jurisdictional Risk
- Purpose of the Business Relationship
Realaml’s seven pre-set sections include:
- Customer Type
- Customer Engagement & Interaction
- Identity Verification & Jurisdiction Risk
- Products & Services
- Transaction Rationale & Customer Involvement
- Financial Movement & Red Flags
- Matter Value
All sections can be renamed but not removed. Each section supports:
- Custom and default questions
- Multiple choice answers, default values, internal notes
- High-risk flags that auto-assign a score of 5
AUSTRAC Risk Mapping
These sections are structured to reflect AUSTRAC’s requirements under Part 5 of the Rules — ensuring ML/TF/PF risk is assessed before a business relationship is formed.
Default Risk Rating Disclaimer
Until you confirm your custom Risk Profile, your reports will include:
“The current risk rating is based on the default profile provided by Realaml.”
To remove:
Go to Risk Profile → Confirm Profile → Type “Confirm” → Save
1.2 Recommended Actions
Map internal instructions for each score:
- High Risk (5) → Enhanced CDD (ECDD), source of funds, senior review
- Medium-High (4) → ECDD or management sign-off
- Medium (3) → CDD with documented rationale
- Low (1–2) → Standard CDD sufficient
1.3 Compliance Documents
Upload internal AML documentation to support staff and demonstrate preparedness:
- AML/CTF Program
- Risk Assessments
- SOPs and onboarding workflows
- Staff training material
Part 2: Running a Risk Rating
2.1 Complete IDV / PEP Screening
Before launching a Risk Rating, Realaml requires one of the following:
- Face IDV / Quick IDV / FaceMatch
- PEP or Sanctions Check
These results are used to assess jurisdictional risk, identity integrity, and red flags as outlined in Part 5 of the AML/CTF Rules.
2.2 Launch & Complete Risk Rating
From the customer dashboard:
- Navigate to the Risk Rating tab → Click “Start New Risk Rating”
- Complete all sections (auto-save enabled)
Staff can:
- Select predefined or default answers
- Add internal notes to support decisions
- Trigger auto High-Risk score based on flagged responses
Risk scoring helps identify whether Enhanced Due Diligence (EDD) under Section 32 may be required — for example, due to suspicion, complex arrangements, or high-risk jurisdictions.
2.3 Final Review & Override
Realaml averages scores and rounds up:
- 1–2 = Low Risk
- 3 = Medium Risk
- 4 = Medium-High Risk
- 5 = High Risk
Staff may override scores with written justification (stored in audit trail).
2.4 Submit & Export
Once submitted, the rating appears in the dashboard and is linked to the IDV.
Export options:
- Risk Rating PDF
- Combined AML Compliance Report
Linked Individuals & Reuse
If multiple individuals relate to the same matter (e.g., co-trustees), responses are copied between parties but can be edited.
💡 FAQs: Legal Sector Compliance
Is a Risk Rating required for every new customer?
✅ Yes. Section 28(3)(a) of the AML/CTF Act requires risk-based CDD for all new customers before a designated service is provided.
Does this apply to firms only doing property or trust work?
✅ Yes. Conveyancing, trust establishment, company formation, and similar activities are all designated services under Tranche 2.
Can we delay the Risk Rating?
🚫 Generally no. Risk assessments must be conducted pre-engagement. Limited exceptions for delayed verification (e.g., urgent low-risk transactions) exist under Rule 5.6 but require controls and justification.
How does Realaml help us stay compliant?
Realaml:
- Embeds AUSTRAC-aligned risk questions
- Ensures risk is assessed before engagement
- Provides audit-ready documentation
- Supports escalation, ECDD, and file review
✅ Summary: What Law Firms Must Do by 1 July 2026
- Enrol with AUSTRAC as a reporting entity
- Establish and confirm an AML/CTF Program
- Perform IDV + Risk Rating on every new customer
- Maintain up-to-date records and documentation
- Train staff and enforce ECDD processes for High Risk clients
With Realaml, your firm is risk-rated, audit-ready, and compliant — in just a few clicks.