
KYC Requirements for Law Firms Under Tranche 2: What Principals Need to Know

  • Feb 9

Updated: Feb 19

Introduction (Principal-Focused, Obligation-Led)

Under Australia’s Tranche 2 AML/CTF reforms, law firms providing certain services will be subject to formal client due diligence obligations for the first time.

For many principals, the uncertainty is not whether ethical client checks already exist — but when those checks become regulated KYC, and which legal services actually trigger Tranche 2 obligations.

This guide explains how KYC requirements apply to law firms under Tranche 2, what changes in practice, and how principals can assess readiness without compromising professional judgement or client relationships.


When Do Tranche 2 Obligations Apply to Law Firms?

Tranche 2 does not apply to all legal services.

KYC and broader AML/CTF obligations are triggered where a law firm provides designated services, including:

  • Assisting with the creation, management, or administration of companies, trusts, or other legal arrangements

  • Acting as a nominee director, trustee, or shareholder

  • Managing client funds or assets in certain circumstances

  • Providing registered office or similar administrative services

Advisory work, litigation, and many traditional legal services may fall outside scope, depending on how services are structured and delivered.

Understanding this boundary is critical.


What KYC Means for Law Firms in Practice

For law firms, Know Your Customer (KYC) requirements are focused on understanding the client relationship — not replacing legal judgement or professional obligations.

KYC requires firms to take reasonable steps to establish:

  • The identity of the client

  • The ownership or control structure (where relevant)

  • Whether the matter or client presents elevated ML/TF risk

In many cases, this aligns with information already collected during client onboarding. Tranche 2 requires that these checks are explicit, documented, and applied consistently where obligations apply.


Individual vs Entity Clients

Individual Clients

Where the client is an individual, firms are expected to verify identity using reliable and independent sources, typically confirming:

  • Full legal name

  • Date of birth

  • Residential address

The method used should be proportionate to risk.

Companies, Trusts, and Other Structures

Where the client is an entity, firms must be able to identify:

  • The legal structure

  • Directors or trustees

  • Individuals who ultimately own or control the entity

For complex structures, a risk-based approach applies. Firms are not expected to trace ownership indefinitely, but they must be able to justify where they reasonably stop.


How KYC Interacts With Professional Obligations

A common concern for principals is whether Tranche 2 KYC obligations conflict with existing legal duties.

In practice:

  • KYC does not override legal professional privilege

  • It does not require firms to investigate clients beyond reasonable steps

  • It does not mandate disclosure of privileged communications

What it does require is clarity around who the client is and whether the relationship presents elevated risk.


The Role of Risk Assessments for Law Firms

KYC does not operate in isolation.

Under Tranche 2, law firms must also complete a firm-wide AML risk assessment, which considers:

  • Types of legal services offered

  • Client profiles

  • Delivery channels

  • Geographic exposure

This assessment informs when standard, simplified, or enhanced KYC is appropriate.

Applying KYC without this context weakens defensibility.


Common Pitfalls for Law Firms

Law firms most often encounter issues where they:

  • Assume ethical client checks automatically satisfy KYC

  • Apply identical checks to all matters regardless of risk

  • Lack documentation explaining why checks were considered sufficient

  • Confuse client due diligence with firm-wide risk assessment

From a regulatory perspective, reasonable, documented judgement is what matters.


What the Regulator Is Looking For

AUSTRAC does not expect law firms to operate like financial institutions.

What it does expect is that firms can demonstrate:

  • Awareness of when Tranche 2 obligations apply

  • Proportionate controls aligned to risk

  • Consistency between policy, practice, and documentation

Clear separation between KYC and risk assessment — and evidence that they inform each other — is central to this.


Tranche 2 Readiness Assessment (15 mins)

If you are unsure whether your firm’s current onboarding and client checks meet Tranche 2 expectations, a short readiness assessment can help clarify:

  • Whether obligations apply to your legal services

  • Which KYC requirements are relevant

  • What is already sufficient vs what needs refinement

No obligation. No demos. No sales discussion.


