Thursday 12th March 2026
Even long-standing clients can create unexpected AML risk
Many advisers believe long relationships are their best defence against financial crime risk. Under the new AML framework, familiarity is no substitute for proving you truly understand who sits behind the client in front of you.
There’s a moment in almost every Anti-Money Laundering (AML) conversation when someone says, usually quite confidently, “but I know my clients.” I understand that instinct, but if you think client due-diligence is just another identification check, then you’re already behind.
As advisers, accountants and lawyers, relationships are the foundation of the business. Many have worked with the same families for decades and guided them through growth, succession, exits and crises, and with that, trust is earned over time.
Under the new Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) regime, familiarity is not a substitute for due diligence. In fact, it can sometimes be the very thing that clouds it.
What we are moving into is not just an expansion of obligations but a shift in mindset. Client due-diligence is no longer about whether you collected the right documents or completed the right form. Instead, it is about whether you can demonstrate, on reasonable grounds, that you genuinely understand whom you are dealing with, who ultimately controls the structure in front of you, and whether the risk of acting for them is acceptable.
That is a very different question from, “did I actually see the driver’s licence?”
From 31 March, existing reporting entities must comply with the new framework in full. For advisers, accountants, lawyers and others captured under Tranche 2, the adjustment will be even more significant. Many will be moving from an environment in which AML felt peripheral into one where it sits squarely within governance and risk management.
One of the reasons this feels confronting is that the regime has deliberately moved away from prescription. Historically, compliance in this area has been checklist-driven and there was comfort in the idea that if you followed the steps, you could feel relatively safe.
The new model is outcomes-based and risk-driven, which means the regulator is not just interested in what you did, but why you did it, and whether it made sense in the context of the risk.
To understand how this plays out in practice, it helps to zoom out.
AML risk operates at several levels. At the top is your enterprise-wide risk assessment, which looks at your firm as a whole: the services you provide, how you deliver them, and the types of clients you deal with (including where they are located or undertake business). If you advise clients with complex structures, that carries a different risk profile from a practice focused solely on individuals. If you work with clients who operate in defence-adjacent industries, ‘proliferation financing’ risk (the risk of financing the proliferation of weapons of mass destruction) may not be as remote as you think.
Then, there is personnel risk. Who within your firm has authority? Who has access? What controls exist internally?
And finally, there is client risk. This is where most of the practical work sits and where many long-held assumptions need to be challenged.
I still hear advisers say, “I’m just setting up the structure,” or “I’m just the adviser.” That distinction is becoming increasingly irrelevant: the expanded AML regime views professional service providers as gatekeepers. So, if you are facilitating the establishment of companies, trusts, transactions or the movement of money, you are part of the controls ecosystem.
Another common refrain is that long-standing clients are low-risk by default. Longevity can certainly provide insight, but it can also create blind spots. We have seen, a number of times, that respectable individuals and businesses can be used as fronts, sometimes knowingly, sometimes not. Criminal activity rarely announces itself and it often hides behind legitimate-looking structures.
Under the new framework, you are required to establish certain matters on reasonable grounds. That includes the identity of your client, anyone acting on their behalf, and where the client is not an individual, the beneficial owners. Beneficial owners are the natural persons who ultimately own or control 25 per cent or more, directly or indirectly, or who otherwise exercise effective control.
In practice, that can mean tracing ownership through layers of corporate entities, identifying appointors of discretionary trusts, and asking questions about who really has the power to direct decisions. It also requires screening for politically exposed persons and sanctions exposure, including associates and immediate family members. Importantly, self-certification is not enough, and independent and reliable sources must underpin your conclusion.
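To make the 25 per cent test concrete, here is an added example (not from the article, and not any regulator's tooling) that traces hypothetical holdings through layered entities and separately flags a trust appointor as an effective controller. The entity names, percentages and the multiply-along-each-chain method for indirect ownership are assumptions for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed ownership graph (illustrative, not from the article). Each entity
# maps to its direct owners and their fractional holding; natural persons are
# leaves with no entry. All names and percentages are hypothetical.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "ClientCo Pty Ltd": {"HoldCo A": 0.60, "Trust B": 0.30, "P. Minor": 0.10},
    "HoldCo A": {"A. Natural": 0.50, "Nominee Pty": 0.50},
    "Nominee Pty": {"A. Natural": 1.00},
    "Trust B": {"C. Natural": 1.00},  # beneficial interest in Trust B held by C
}
# Persons who exercise effective control regardless of ownership, such as the
# appointor of a discretionary trust. Constructed for the example.
CONTROLLERS: Dict[str, List[str]] = {"Trust B": ["D. Appointor"]}
THRESHOLD = 0.25  # 25 per cent, directly or indirectly

def trace_ownership(entity: str, graph: Dict[str, Dict[str, float]], share: float = 1.0,
                    totals: Dict[str, float] = None, path: Tuple[str, ...] = ()) -> Dict[str, float]:
    """Multiply holdings along every chain down to natural persons and sum them.
    Assumption: indirect ownership = product of the fractions along the chain."""
    if totals is None:
        totals = {}
    if entity in path:  # cross-holding loop: stop rather than recurse forever
        return totals
    owners = graph.get(entity)
    if not owners:  # leaf: a natural person
        totals[entity] = totals.get(entity, 0.0) + share
        return totals
    for owner, frac in owners.items():
        trace_ownership(owner, graph, share * frac, totals, path + (entity,))
    return totals

def controllers_in_structure(entity: str, graph, controllers, seen: Set[str] = None) -> Set[str]:
    """Collect effective controllers of the entity and of every entity above it."""
    seen = set() if seen is None else seen
    if entity in seen:
        return set()
    seen.add(entity)
    found = set(controllers.get(entity, []))
    for owner in graph.get(entity, {}):
        found |= controllers_in_structure(owner, graph, controllers, seen)
    return found

def beneficial_owners(entity: str, graph=OWNERSHIP, controllers=CONTROLLERS, threshold=THRESHOLD) -> dict:
    """Natural persons at or above the threshold, plus effective controllers not already listed."""
    by_ownership = {p: round(v, 4) for p, v in trace_ownership(entity, graph).items() if v >= threshold}
    by_control = controllers_in_structure(entity, graph, controllers)
    return {"ownership": by_ownership, "control": sorted(by_control - set(by_ownership))}

if __name__ == "__main__":
    print(beneficial_owners("ClientCo Pty Ltd"))
```

Note that A. Natural reaches 60 per cent only once the direct and nominee holdings are added together, and P. Minor at 10 per cent falls out of the ownership test entirely.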
What has changed most significantly is the expectation that you document your reasoning. If AUSTRAC were to review your file, could you explain why you assessed the client as low-, medium- or high-risk? Could you demonstrate what information you relied upon, and why it was proportionate?
Simplified and enhanced due-diligence are no longer mechanical categories. Simplified due-diligence still requires you to establish all required matters; it simply reflects a lower level of risk and therefore proportionate verification. Enhanced due-diligence applies where the risk is elevated, whether due to complex structures, high-risk jurisdictions, politically exposed person (PEP) involvement or other red flags. There is no one-size-fits-all checklist for enhanced due-diligence. It depends on the risk you have identified.
Overlaying this is the ‘suspicious matter’ reporting regime, which extends beyond money laundering and terrorism financing to serious offences more broadly, including tax evasion and fraud. The obligation to report can arise even if the person never formally becomes your client, and tipping-off remains strictly prohibited.
For firms that are considering outsourcing aspects of their AML framework, it is critical to remember that responsibility cannot be outsourced. You may engage a service provider to assist with processes, but accountability sits with you; governance, oversight and understanding remain essential.
It would be easy to characterise all of this as regulatory burden, and yes, there is work involved, but I would encourage a different lens.
As advisers and professional services providers, you are already trusted custodians of your clients’ financial lives. The community expectation is that you exercise that position responsibly. Robust AML controls are not about turning you into investigators; they are about ensuring your firm and services cannot be inadvertently used as a vehicle for harm.
When done properly, due-diligence strengthens your practice. It forces clarity around whom you act for and why. It embeds risk awareness into culture and protects your brand, and in an industry where trust is everything, that matters.
The greatest risk in this new environment is not the obviously complex offshore structure that triggers all your internal alarms. It is complacency and the quiet assumption that just because someone has been a client for 20 years, the questions no longer need to be asked.