Step 2: Use your legal profession program

Learn how the legal profession program you’ve developed from the starter kit works and how to use it in your practice. 


How the program works

Once you've completed Step 1: Customise your legal professional program with the starter kit, the documents and forms you tailored work together as your anti-money laundering and counter-terrorism financing (AML/CTF) program. 

From here, you’ll follow your program and use your systems to manage AML/CTF tasks and guide how you respond to your money laundering, terrorism financing and proliferation financing risks. We refer to these as ML/TF risks.

In practice, your program operates across 2 key areas:

  • how you deal with clients
  • how you manage personnel.

Dealing with clients

You’ll use your program in your day-to-day operations to manage the ML/TF risks of your clients. 

Your program scales the level of controls you use to the risk of your clients. 

If you have low-to-medium risk clients, you’ll take fewer steps and generally only need to use a few forms to screen your clients. If you have more complex and higher risk clients, you’ll take additional steps and use more forms to manage the risk.

Your program sets out how to:

  • apply customer due diligence (CDD) to understand who your clients are before you provide them a service
  • collect client information and how to verify it
  • identify the risk of each client based on risk factors to assign risk ratings as low, medium or high
  • detect and respond to risk indicators. 

Your program then outlines:  

  • the level of CDD you apply for low-, medium- and high-risk clients
  • when additional verification or monitoring applies
  • when to escalate or report activity
  • when to report to us.

This table provides a summary of risk ratings, risk factors and how the controls you apply scale based on your client’s risk rating.

Risk rating: High

Criteria:

  • One or more high-risk factors, or
  • You identify other reasons the client is high risk

Client risk factors:

  • Unusual physical currency transactions (for example Australian dollar notes or foreign currency equivalent), including paying with more than A$50,000 in physical currency for real estate
  • Unusual virtual asset transactions, including using a virtual asset (e.g. cryptocurrency) to pay for part or all of a real estate transaction
  • Requesting a service that has no apparent economic or legal purpose or involves unusually large or complex transactions
  • Information suggests client has engaged in criminal activity
  • Unexplained wealth
  • Residents or other persons located in a high-risk country
  • Foreign politically exposed persons (PEPs) – the client onboarding form includes definitions for each type of PEP
  • Use of body corporate or legal arrangement structures which effectively hide who owns or controls property
  • Delivery channels which make it difficult to establish the client is who they claim to be

Controls:

  • Enhanced CDD
  • Source of funds and source of wealth check
  • Adverse media check
  • Verify business relationship
  • Senior manager approval

Review ongoing client’s information: Annual

Risk rating: Medium

Criteria:

  • Two or more medium-risk factors, or
  • You identify other reasons the client is medium risk

Client risk factors:

  • High value transactions, including real estate over A$1.5 million purchased without a mortgage
  • Domestic or international organisation PEPs
  • A third party that isn’t enrolled with AUSTRAC is representing the client
  • Operates a charity or other non-profit organisation

Controls:

  • Initial CDD (simplified CDD not appropriate)

Review ongoing client’s information: Every 2 years

Risk rating: Low

Criteria:

  • Doesn't meet high or medium-risk criteria

Client risk factors:

  • Client isn’t medium or high risk

Controls:

  • Simplified CDD

Review ongoing client’s information: Every 3 years

Learn more about these risk factors and other indicators of unusual or criminal behaviour in the risk assessment(s) that you customised at step 1. 

Dealing with clients – examples

Read our examples showing how this process works in practice for a low-, medium- and high-risk client.

Client forms 

At Step 1: Customise your legal professional program with the starter kit, you tailored the relevant client forms from our document library.

Now that you’ve customised them to your practice or integrated them into your existing processes, they can be used to:

  • engage a new client
  • undertake initial customer due diligence
  • escalate significant issues
  • act on escalations
  • undertake ongoing monitoring throughout the client relationship and keep information up-to-date.

Client lifecycle 

These steps summarise how you’ll follow your program to deal with clients over the full client lifecycle, from first contact through to the end of the business relationship. 

We refer to the relevant client forms in italics to show when and how you use them when using your program.

  1. Identify the kind of client

When a client seeks a designated service, you first identify the:

  • kind of client - if they’re an individual or an entity (such as a trust or body corporate)
  • type of service they want.

This determines which onboarding form applies and what information must be collected.

  2. Collect client information

Collect information about your client in the onboarding form.

The level of information required is based on the:

  • kind of client
  • nature of the service
  • their ML/TF risk factors.

  3. Verify client information

Follow the steps in the relevant initial customer due diligence form to complete verification.

This is to confirm the information you collected and that it can be relied on for AML/CTF purposes. It supports your assessment of client risk and if you can provide the designated service.

  4. Identify and assess triggers

Certain triggers may occur, such as:

  • inconsistencies in information
  • unusual behaviour that may lead to a suspicious matter report (SMR)
  • higher-risk indicators identified in your risk assessment.

This can happen when first onboarding the client or at any point during the relationship.

Your policy explains how to assess these triggers and what checks are required.

  5. Decide how to proceed

Based on the outcome of your checks, you decide whether to:

  • proceed with the service
  • apply additional controls
  • escalate concerns or submit a report to us
  • not provide the designated service.

This decision is guided by your policy and the controls in your risk assessment.

  6. Provide the designated service

You can generally only provide the designated service once:

  • required checks are complete
  • identified risks have been addressed in line with your program.

You can delay completing the checks and addressing identified risks until a later time if you meet the delayed CDD criteria outlined in the initial customer due diligence form.

  7. Ongoing customer due diligence

During the business relationship, you continue to monitor the client by:

  • reviewing changes in behaviour or activity
  • responding to new triggers
  • updating client information where required.

Ongoing due diligence ensures your controls remain appropriate as risk changes.

  8. End of business relationship

When the service ends, your program explains: 

  • what records you must keep
  • how long you must keep them
  • how they support future reviews and evaluations. 

Reporting to us

Follow your program, which sets out when you must report to us and the timelines, including:

  • Suspicious matter reports: if you suspect a person isn’t who they claim to be, or you have information relevant to criminal activity. Due within 24 hours of forming the suspicion if it relates to terrorism financing, or 3 business days for other suspicions.
  • Threshold transaction reports: for transactions involving cash of $10,000 or more. Due within 10 business days after the date of the transaction.
  • Compliance reports: an annual report about how you met your obligations the previous calendar year.

You can also learn more about reporting to AUSTRAC.

Follow your program to withhold information subject to legal professional privilege by a third party. You can also learn more about upholding legal professional privilege.

Managing personnel

The personnel you assign to perform AML/CTF roles are critical to the effective operation of your AML/CTF program. 

Your program covers:

  • who can perform AML/CTF-related roles
  • how to conduct personnel due diligence to assess suitability and competence
  • initial and ongoing training.

The document library includes personnel forms you can use when appointing, reviewing or assessing people who perform AML/CTF-related roles.

These steps summarise how you’ll follow your program to manage your personnel:

  1. Before a person starts

Before a person performs an AML/CTF-related role, you:

  • conduct initial personnel due diligence
  • confirm they're suitable and eligible
  • provide role-appropriate AML/CTF training.

This ensures the person understands their responsibilities and can meet them.

  2. While the person performs the role

While a person remains in the role, you:

  • conduct ongoing personnel due diligence
  • provide refresher or updated training as required
  • monitor performance against AML/CTF responsibilities.

This helps make sure personnel remain suitable for the role, can meet their obligations and any gaps identified are addressed.

  3. When issues occur

Your program includes controls for responding to issues that might occur while a person is in an AML/CTF-related role. These controls help you confirm ongoing suitability and address capability gaps in a structured way.

If you identify concerns, your personnel due diligence and training policies guide how to assess and document your actions.

  4. When roles change or end

When a person changes roles or leaves your practice, your policy outlines when to: 

  • update and keep records
  • appoint another person to the role
  • update role-based controls and access. 

Next step

Go to Step 3: Maintain your program.

The program starter kits are intended to be used as a complete package and have been designed for use by those reporting entities who satisfy certain suitability criteria. Those suitability criteria are set out in the ‘Getting Started’ web page under the heading ‘Who the starter kit is for’ in each program starter kit. In particular, those Tranche 2 entities who, from 1 July 2026, are for the first time subject to Anti-Money Laundering and Counter-Terrorism Financing legislation (AML/CTF).

The program starter kits have been designed for the purpose of providing practical guidance to those reporting entities to assist them to build their own AML/CTF programs. The program starter kits represent AUSTRAC’s interpretation and application of the law to the eligible reporting entities only and are not intended to represent an interpretation and application of the law in all circumstances. The program starter kits are not a substitute for legal advice about any reporting entity’s AML/CTF compliance obligations. Australian courts are ultimately responsible for interpreting the AML/CTF Legislation and determining if any provision of these laws is contravened.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 29 Jan 2026
Page ID: 1494
