
AUSTRAC's sector-specific starter kits for accountants, lawyers, and conveyancers were released at the end of January 2026, giving firms approximately five months before AML/CTF obligations commence on 1 July 2026. For many small practices, these kits represent a welcome compliance pathway—pre-drafted policies, risk assessment templates, and CDD procedures designed specifically for your profession.
But here's the challenge that many firms are only now discovering: before you can determine whether the starter kit is appropriate for your business, you need to understand your ML/TF risk profile. Yet the starter kit itself contains the risk assessment template designed to help you identify those risks.
This isn't a technical glitch in AUSTRAC's guidance—it's a deliberate feature of risk-based regulation that reveals something important about what compliance actually requires.
Understanding AUSTRAC's two-step risk framework
AUSTRAC has structured the compliance sequence intentionally, and understanding this sequence is critical for proper implementation. The regulator distinguishes between two fundamentally different types of risk assessment that happen at different stages of your compliance journey.
First comes your business-wide ML/TF risk assessment. This is foundational work that must happen before you develop any policies or procedures. You examine the types of customers your firm typically serves, the designated services you provide, your delivery channels (in-person versus remote), and the jurisdictions you operate in. Each factor receives a risk rating based on its potential ML/TF impact if that risk were to materialise. This creates your risk methodology—your framework for what constitutes high, medium, or low risk for your specific practice.
Second comes individual customer risk rating during CDD. Only after establishing your business-wide methodology do you begin assessing individual clients. You apply the framework you've already built to determine whether specific customers present elevated risks based on the factors you've identified as material for your business.
The starter kit templates are designed to help with both assessments, but they assume you're approaching them in this deliberate order. The risk assessment template reflects sector-wide risks that AUSTRAC has identified as common across accounting practices, legal firms, or conveyancing businesses—but you still need to customise it to your specific circumstances.
Why "low complexity" requires honest self-assessment
AUSTRAC describes the starter kits as appropriate for "typical low-complexity small businesses" in newly regulated sectors. The critical question every firm must answer honestly is: does that description genuinely fit your practice?
Several factors suggest you may need more than the starter kit provides. If you serve high-net-worth individuals with complex offshore arrangements or trust structures, you're likely beyond the low-complexity threshold. If you regularly work with politically exposed persons or their family members and associates, enhanced due diligence requirements apply that may exceed the starter kit's scope. If you provide services remotely to clients you never meet face-to-face, or serve non-residents from FATF-identified high-risk jurisdictions, your risk profile probably demands customisation beyond the templates.
Industry bodies have offered different interpretations of who qualifies—ranging from "sole practitioners and micro firms" to businesses with "15 or fewer licensed agents" to "small and medium legal practices." This ambiguity isn't necessarily problematic; it reflects the reality that complexity relates more to your risk profile than your size. A sole practitioner specialising in high-value international property transactions faces different ML/TF risks than a 10-person suburban conveyancing practice handling standard residential settlements.
The Law Society of NSW captures this well, noting that "for many firms, particularly smaller practices, the Starter Kit will provide a compliant AML/CTF program, with minimal adjustment required. To be effective, legal practices will still need to make sure the Starter Kit is appropriate for their practice, and that it is properly implemented."
Documentation versus operational compliance
AUSTRAC's enforcement history provides sobering clarity about what compliance actually means. Over 2.5 billion dollars in civil penalties since 2017 tell a consistent story: policies sitting in drawers don't constitute compliance. The regulator has explicitly condemned what it calls "tick and flick" approaches where documentation exists, but genuine risk management does not.
The Crown Resorts case is particularly instructive. That 450-million-dollar penalty centered on AML/CTF programs that were "not based on appropriate risk assessments" and "not subject to appropriate oversight by their Boards and senior management." The programs existed as documents, but they weren't actively shaping how the business actually operated.
For Tranche 2 entities, this distinction matters profoundly. Every reporting entity must undergo independent evaluation at least once every three years. The evaluator examines two fundamental questions: Are your policies suitable for your business? And are you complying with them in practice? If either answer is no, that evaluation records serious deficiencies that must be reported to senior management, and AUSTRAC may be notified.
This means starter kit adoption requires genuine implementation work. Staff need training on the policies and procedures, so they understand what to ask clients and how to identify suspicious activity. The systems described in your documentation must actually exist and function. Your day-to-day practice must align with the processes you've documented. Forms need to be integrated into existing business workflows, so they're completed naturally as part of client onboarding.
What firms should focus on right now
With approximately five months until 1 July 2026, the window for thoughtful implementation is rapidly closing. Compliance experts estimate AML/CTF program development typically requires three to six months, covering needs assessment, documentation, systems implementation, staff training, and pilot testing.
The most productive use of time right now is conducting that preliminary business-wide risk assessment—even before diving deep into the starter kit materials. Examine the types of customers you serve and the services you provide them. Consider your delivery channels and geographic exposure. Identify which factors genuinely present material ML/TF risks for your specific practice. This groundwork allows you to engage with the starter kit templates strategically, recognising which sections apply directly to your circumstances and which require customisation or expansion.
Governance framework establishment is another immediate priority that happens before the starter kit becomes relevant. You need to identify who will serve as your AML/CTF compliance officer, governing body, and senior manager. For sole practitioners, one person may hold all three roles, but the appointments still need to be formalised. The AMLCO must be appointed within 28 days of providing designated services, with AUSTRAC notification required within 14 days of appointment.
Finally, an honest assessment of capability gaps will determine whether you can manage implementation internally or need external assistance. Firms with complex service offerings outside the starter kit's scope, international client bases, higher-risk services involving trust establishment or significant asset transfers, or a lack of deep regulatory experience in-house should consider engaging AML specialists early. However, remember that while you can outsource compliance functions, you cannot outsource liability. Ultimately, your firm remains responsible to AUSTRAC for the adequacy and implementation of your program.
The path forward
AUSTRAC CEO Brendan Thomas has stated explicitly: "We don't expect perfection on day one. We won't be throwing the book at businesses who are trying to follow the law." This represents a genuinely supportive regulatory posture for firms making good-faith efforts to comply.
However, he also warned: "Be warned—if a business is wilfully ignoring the obligation to enrol, or we suspect a business is complicit with or wilfully blind to money laundering, they will be the focus of our enforcement efforts." The distinction between good-faith implementation challenges and wilful non-compliance will determine regulatory outcomes.
The starter kits are a valuable resource, particularly for genuinely low-complexity small practices. They provide documentation templates that reflect sector-wide risks, avoiding the need to draft programs entirely from scratch. But they cannot substitute for understanding your specific ML/TF risks, actively implementing controls, training staff, and demonstrating genuine compliance culture.
The compliance paradox resolves when you recognise that risk assessment isn't actually circular—it's sequential. You conduct preliminary business-wide assessment to understand your risk methodology, then engage with the starter kit to formalise that thinking into documented policies, then apply those policies to individual customers as they engage your services. Each step builds on the previous one.
For firms approaching this transition thoughtfully, five months provides sufficient time for compliant implementation. For those still waiting for perfect clarity before beginning, July will arrive faster than expected.
Are you prepared for 1 July 2026? VerifiMe specialises in helping professional services firms navigate Tranche 2 AML/CTF obligations with practical, technology-enabled solutions that eliminate data breach risk while ensuring compliance. We understand the regulatory requirements and the operational realities of accounting practices, legal firms, and conveyancing businesses.
If you're still determining how the starter kits apply to your practice, or if you've recognised your risk profile requires more customised solutions, let's discuss how VerifiMe can support your compliance journey. Visit www.verifime.com or reach out directly to explore how we can help your firm meet its obligations efficiently and effectively.
