From 1 July, AML/CTF customer due diligence becomes a core compliance obligation for law firms and conveyancers across Australia. For many practitioners, the abbreviations have been circulating for months, but what the reforms require in day-to-day practice has remained less clear.
The short answer is that the checks themselves are largely an evolution of what many firms already do. Verifying a client’s identity, understanding the nature of a transaction, collecting matter information: these are familiar steps. What changes is that they now need to form part of a structured, consistent and auditable process, documented in a way that demonstrates compliance if AUSTRAC ever comes asking.
Understanding what that looks like in practice is the most useful thing a firm can do right now.
At its core, customer due diligence (CDD) is the process of confirming a client is who they claim to be and assessing the level of risk they present to your firm. Under the AML/CTF framework, a standard onboarding workflow involves five steps: verification of identity, PEP and sanctions screening, a KYC or KYB questionnaire, a risk assessment, and a final onboarding check that creates an auditable record.
For firms already using digital VOI tools, most of these steps will feel recognisable. The significant change is not the nature of the checks but the way they connect. Onboarding becomes a compliance workflow, not a collection of standalone steps.
The framework draws a clear line between individual and entity clients.
KYC, or Know Your Client, applies to individuals. The standard CDD process covers this well.
KYB, or Know Your Business, applies to companies, trusts, and partnerships. For these clients, firms must go a step further and identify the Ultimate Beneficial Owners (UBOs) behind the entity: the natural persons who ultimately own or control the organisation, including anyone with significant ownership stakes or voting rights. In practice, this can mean tracing through layered company structures to reach the individuals at the end of the chain.
This is where the process becomes more involved, and where having a guided workflow makes a practical difference to how long onboarding takes.
Verification of identity: VOI confirms a client is who they say they are through identity document checks. Both remote and in-person verification pathways are available, which matters for clients who may not be comfortable with fully digital processes.
PEP, sanctions and adverse media screening: These checks run automatically against publicly available databases to identify whether a client is politically exposed, appears on sanctions watchlists, or has adverse media associated with them. The results feed into the client’s overall risk profile.
KYC and KYB questionnaires: The onboarding questionnaires are built around AUSTRAC starter kit requirements and collect information about the client, the transaction, source of funds indicators, and any relevant company or trust structures. For property matters, this typically includes questions about loan amounts, equity contributions, and transaction details.
Risk assessment: Using the information gathered during onboarding, firms complete a risk assessment to determine whether a client presents low, medium, or high risk. Indicators that may push a client into a higher risk category include unusually large cash transactions, cryptocurrency payments, complex ownership structures, and unusual transaction behaviour.
Final onboarding checks and audit record: Every action taken during onboarding, including searches, questionnaire responses, risk assessment outcomes, and any escalations, is stored in a central audit trail. This record is the evidentiary foundation of your compliance posture.
Where a client is assessed as high risk, firms may need to apply Enhanced Customer Due Diligence (ECDD). This can involve verifying source of funds or source of wealth, requesting supporting financial documents, escalating the matter internally to a compliance officer, and conducting additional reviews before proceeding.
The ability to securely collect supporting documents from clients, such as bank statements to substantiate the origin of funds, is part of this workflow. Having this handled within the same platform as the rest of the onboarding process reduces the handling overhead and keeps the audit trail intact.
One of the most important practical points about AML/CTF compliance is that the record of what your firm did is as important as what your firm did.
Every onboarding action needs to be stored in a way that you can retrieve and present if AUSTRAC requests evidence of your compliance activity. Escalation workflows that allow staff to refer higher-risk matters to a compliance officer for review and approval are part of this, providing a documented chain of decision-making that demonstrates your firm took appropriate steps.
InfoTrack’s AML Onboarding and VOI functionality is available from 1 June, giving firms a 30-day window before the 1 July deadline to familiarise staff with the workflow, test onboarding processes on real matters, update engagement letters and client communications, and refine internal compliance procedures.
That 30-day window is genuinely useful if firms treat it as an implementation period rather than a buffer. The firms that will handle 1 July with the least disruption will be those that have already completed several real onboarding matters through the system before the obligation takes effect. There is no substitute for working through the process with actual clients and actual matters before it becomes mandatory.
The most meaningful change under AML/CTF reforms is not the introduction of any single check. Most of what the framework requires will feel familiar to practitioners who already take client identity seriously. The shift is structural: moving from a collection of ad-hoc steps to a documented, consistent, and auditable process that can withstand scrutiny.
For firms, that means building CDD into everyday onboarding rather than treating it as an additional layer on top of existing practice. Standardising KYC, KYB, risk assessments and ongoing monitoring within a single workflow reduces manual handling, improves consistency across staff and matters, and positions the firm to meet AML/CTF obligations with a defensible compliance record.
The 1 July deadline is fixed. The question now is how well-prepared your firm will be when it arrives.
To learn more about our solution, book a complimentary demonstration.
