What Legal Documents Should Be Updated For The New AML Laws?

Australia’s new Anti-Money Laundering and Counter-Terrorism Financing laws are expected to bring a wider range of businesses into the AML/CTF regime, including certain services provided by lawyers, conveyancers, accountants, real estate professionals, and trust and company service providers.

Many newly regulated “Tranche 2” businesses are expected to comply from 1 July 2026, so affected businesses should start reviewing their legal documents now.

The changes are not just about creating an AML policy. They may also affect the everyday documents you use with clients, customers, staff and contractors - including engagement letters, client terms, privacy policies, collection notices, onboarding forms, contractor agreements and internal compliance policies.

This article explains which documents may need updating and why.

Why Would AML Laws Affect Your Legal Documents?

Australia’s new AML/CTF laws may change how affected businesses onboard clients, collect information and decide whether they can start or continue providing services.

For example, a business may need to verify a client’s identity, understand who owns or controls a client entity, ask questions about the purpose of a transaction, or collect information about source of funds where relevant. If a client does not provide the required information, the business may need to delay, pause or refuse the work.

That is why legal documents matter. Your client terms should support your right to request information and pause services where needed. Your privacy documents should explain how personal information is collected, used and disclosed. Your onboarding forms should collect the right information, and your internal policies should tell staff what to do next.

Not every small business will be affected. The key question is whether your business provides a regulated designated service under the AML/CTF regime. This is particularly relevant for certain services provided by lawyers, conveyancers, accountants, real estate professionals, and trust and company service providers.

The rules are service-specific, so businesses should look at what they actually do - not just what industry they are in.

Engagement Letters, Client Terms And Service Agreements

Your engagement letter, client terms or service agreement sets the rules for your client relationship. If your business may need to conduct AML/CTF checks before starting work, your terms should make that clear.

This may include giving your business the right to request identity, ownership, control, beneficial ownership and other compliance-related information. Your terms may also need to explain that services can be delayed, suspended or refused if a client does not provide the information required.

This is especially important for businesses that provide time-sensitive services. For example, if a business helps set up companies or trusts, a client may expect a quick turnaround. However, AML checks may need to be completed before the work can proceed. Your terms should help manage that expectation.

For law firms, this wording should also be considered carefully alongside confidentiality, tipping-off restrictions and legal professional privilege. Generic AML clauses may not be suitable for every business.

Privacy Policies

AML compliance can involve collecting more personal information than before, including identity documents, dates of birth, residential addresses, beneficial ownership information, screening results and information about the purpose of a transaction or structure.

A Privacy Policy should explain how your business collects, uses, stores and discloses personal information. If your AML/CTF process changes the information you collect, your Privacy Policy should be updated to reflect that.

This is particularly important if you use third-party providers for identity verification, sanctions screening, cloud storage or compliance software. Identity documents and verification results can be sensitive from a privacy and fraud-risk perspective, so businesses should also think carefully about access, storage and retention.

Collection Notices

A collection notice is more specific than a Privacy Policy. It explains why particular information is being collected at the time it is collected, how it will be used, who it may be disclosed to, and what may happen if the person does not provide it.

This can be useful where AML checks require information from people who are not the main client, such as directors, shareholders, trustees, beneficiaries, controllers or beneficial owners.

For example, an accounting firm engaged by a company may need information about the company’s directors or shareholders. A trust and company service provider may need details of beneficial owners or controllers. In those cases, the collection notice should match the onboarding process.

Onboarding And KYC Forms

Your onboarding or KYC form is where AML compliance becomes practical. It should collect the information your business needs to conduct customer due diligence and identify higher-risk matters.

Depending on the service, this may include details about the client’s identity, business structure, directors, shareholders, beneficial owners, controllers, purpose of the engagement and source of funds or wealth where relevant.

The form does not need to be overwhelming. For a small business, a clear and simple form is often better than a long form that nobody completes properly. The key is to collect the right information and connect the form to a clear internal workflow.

For example, if a client identifies an overseas beneficial owner or refuses to provide control information, staff should know who reviews the matter and what happens next.

Staff And Contractor Agreements

AML compliance is also a team issue. If employees, contractors, offshore support, admin staff or third-party providers help with onboarding, document collection or client administration, their agreements may need to be reviewed.

These documents may need to cover confidentiality, data security, secure handling of identity documents, compliance with internal AML procedures, training obligations, escalation obligations and return or deletion of client information when the relationship ends.

This matters because AML risks often appear early in the client journey. Staff and contractors should know how to handle sensitive information, when to escalate unusual matters and what they can say to clients if a matter is paused for compliance reasons.

Internal Compliance Policies And Procedures

Client-facing documents are important, but they need to be supported by internal policies and procedures.

Affected businesses may need an AML/CTF policy or program, a risk assessment, a client due diligence procedure, an escalation and reporting process, record-keeping rules and staff training materials.

The goal is not to create paperwork for the sake of it. The goal is to make sure the business has a clear, repeatable process that matches its services, risk profile and legal obligations.

For a small business, this does not necessarily mean creating a bank-style compliance framework. But it does mean knowing which services are in scope, what checks are required, who performs them, when matters are escalated and what records are kept.

How These Documents Work Together

Your AML documents should support the same client journey.

For example, your onboarding form collects the information, your collection notice explains why it is being collected, your Privacy Policy explains how it is handled, your client terms give you the right to request information or pause work where needed, and your internal policies tell staff what to do next.

If these documents do not line up, the process can become confusing for clients and difficult for staff to apply. For example, your internal policy might say that identity checks must be completed before work starts, but your client terms might promise fast turnaround times without mentioning compliance checks.

That is why affected businesses should usually review these documents together, rather than updating one document in isolation.

What Should Small Businesses Do Now?

The best first step is to check whether your business provides any designated services under the AML/CTF regime. If it does, you can then map your client journey and identify which documents need updating.

Affected businesses may need to review client-facing documents such as engagement letters, client terms, service agreements, privacy policies, collection notices and onboarding or KYC forms. They may also need to review internal documents such as AML/CTF policies, risk assessments, due diligence procedures, escalation procedures, record-keeping policies and staff training materials. If staff or contractors handle onboarding or client information, employment contracts, contractor agreements, confidentiality agreements and data handling policies may also need a closer look.

However, updating legal documents is only one part of AML readiness. It does not, by itself, make a business AML/CTF compliant. Affected businesses may also need to enrol with AUSTRAC, appoint a compliance lead, conduct a risk assessment, implement an AML/CTF program, train staff, keep records and report suspicious matters where required.

For businesses with higher-risk services, complex structures, cross-border clients or ongoing nominee, trustee, registered office or company administration services, specialist AML/CTF compliance advice may also be needed.

FAQs

Do I Need To Update My Privacy Policy For The New AML Laws?

You may need to update your Privacy Policy if your business will collect new types of personal information for AML/CTF purposes. This could include identity documents, beneficial ownership information, screening results or information about the purpose of a transaction or structure.

Do My Client Terms Need AML Clauses?

If your business is affected by the AML/CTF regime, your client terms may need to explain that you can request information, conduct checks, delay services, refuse to proceed or stop acting where required for compliance reasons.

What Is The Difference Between A Privacy Policy And A Collection Notice?

A privacy policy explains how your business handles personal information generally. A collection notice explains a specific collection of information at the time it happens, such as when a client or related person provides identity details during onboarding.

Is An AML Policy Enough?

Usually, no. An AML policy is important, but your client-facing documents, privacy documents, onboarding forms, staff agreements and internal workflows should also support the process.

Should Small Businesses Get Legal Advice?

Yes, if your business may be affected. The new AML laws can have different impacts depending on your industry, services, clients and risk profile. Legal advice can help you understand which documents need updating and how they should work together.

How Sprintlaw Can Help

If your business is affected by the new AML laws, Sprintlaw can help review and update the legal documents that support your compliance process.

This may include engagement letters, client terms, service agreements, privacy policies, collection notices, onboarding forms, contractor agreements and internal compliance policies.

For businesses that need a full AML/CTF program, risk assessment or specialist operational compliance advice, you may also need support from an AML/CTF compliance specialist. We can help make sure your legal documents align with the process you adopt.

Need help reviewing your legal documents before the new AML laws commence? You can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.