From 1 July 2026, Australian law firms have AML/CTF obligations for the first time. Law App builds AML/CTF compliance into your normal file and contact workflow — flagging the matters that are caught, verifying client identity, assessing each client’s risk, and keeping the records the law requires. This guide walks through how the whole process fits together.
Flag and track
On the file you mark the matter as a designated service, record the source of funds, and watch the AML status column. The file is where AML starts and where you keep an eye on it.
Verify each client
The verification itself happens on the contact, under Contacts: the KYC questionnaire, identity verification (VOI), the risk rating, and the periodic reviews.
Setting up AML/CTF compliance on a matter
AML/CTF obligations only apply to matters that involve a designated service under the new legislation, so Law App doesn’t apply the requirements to every file — only the ones you flag. You set this on a new file, or at any time on an existing file’s Details tab.
Flagging a matter as a designated service
- Set Designated Service (AML/CTF) to Yes.
- Choose the relevant Designated Service Type.
- Record the Source of Funds. This is multi-select — record more than one if it applies (for example, Savings and Gift), and choose Other to free-type anything not listed.

Verifying identity and KYC — the Identity & AML tab
Identity verification happens on the contact, not on the file. Open the client in the Contacts area and go to their Identity & AML tab — this is where you complete and track everything the legislation requires for that person or organisation: the Know Your Customer questionnaire, the calculated risk rating, identity verification (VOI), and the review schedule.

Completing the KYC questionnaire
The questionnaire adjusts depending on whether the contact is an individual or an organisation. It captures PEP (politically exposed person) status, source of wealth and funds, and occupation — and, for organisations, entity type, country of registration and industry. Once it’s answered, Law App calculates the risk rating for you; you don’t score it manually.
How the risk rating is worked out
The rating is calculated from the KYC answers and shown as Low, Medium or High. Until the questionnaire is completed, the contact shows as Not assessed.
For an individual:
- High — a domestic, foreign or international-organisation PEP, or 3 or more risk questions answered “Yes”.
- Medium — a family member or close associate of a PEP, or 1–2 “Yes” answers.
- Low — not a PEP, with no risk flags.
For an organisation (the PEP question doesn’t apply):
- High — 3 or more “Yes” answers.
- Medium — 1–2 “Yes” answers.
- Low — no “Yes” answers.
If your professional judgement differs from the calculated rating, you can override it. A reason is mandatory and is recorded against the contact for your audit trail.

Periodic review dates
Law App schedules the next review date automatically, based on the risk rating:
- Low risk — review every 3 years.
- Medium risk — review every 2 years.
- High risk — review every year.

Identity verification (VOI)
The Identity & AML tab is also where you manage identity verification — both documents captured in person and electronic VOI checks run through InfoTrack. For AML you use InfoTrack for identity verification and for ASIC or other company and person searches; you don’t need to go beyond that for AML purposes.
Requesting an InfoTrack VOI
- On the contact, click Request InfoTrack VOI, then select the matter to link the verification to. InfoTrack opens pre-filled with the client’s name, email, phone and address.
- The client completes the VOI.
- Once you’ve reviewed and finalised it, the finished report flows back into Law App and attaches to the contact automatically.
- If it can’t be matched automatically, the report appears on the matter’s InfoTrack list — use Assign to contact to attach it.

Running your AML searches from Law App
Run your identity, ASIC and other searches from inside Law App rather than going direct to InfoTrack. Law App handles the day-to-day AML tracking for you, which is what keeps your records — and your firm’s AML policies — in order.
Understanding AML status — Required, Review and OK
Every contact and matter shows a live AML status. Here’s exactly what each one means:
- OK — all three conditions are met: a current (non-expired) VOI or ID document is on file, the KYC questionnaire is completed, and the next review date is set and still in the future.
- Review — the contact is compliant, but a review is due within 30 days, or a VOI document is expiring within 30 days. The alert tells you which of these is the reason.
- Required — one or more of those three conditions is missing: no valid VOI, KYC not completed, or the review date is overdue or not set.
- Not assessed — the KYC questionnaire hasn’t been answered yet.
A new or partly set-up contact shows Required until all three steps are done — that’s expected, not a problem. A matter’s status rolls up from its clients: if any client on the matter is Required, the matter is Required. It only turns OK once every client is compliant.
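The status rules and the roll-up described above can be expressed as a small piece of logic. This is an added illustration, not Law App's own code: the Contact record, the function names, the handling of dates that fall exactly on today, and the roll-up of a Review client to the matter are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

WINDOW = timedelta(days=30)  # the guide's "within 30 days"

@dataclass
class Contact:  # hypothetical record, not Law App's data model
    kyc_completed: bool
    id_expiry: Optional[date]    # expiry of the VOI/ID on file; None = none on file
    next_review: Optional[date]  # None = review date not set

def contact_status(c: Contact, today: date) -> Tuple[str, List[str]]:
    """Return (status, reasons) using the three conditions in the guide."""
    missing = []
    # Assumption: a document is still valid on its expiry date.
    if c.id_expiry is None or c.id_expiry < today:
        missing.append("no valid VOI")
    if not c.kyc_completed:
        missing.append("KYC not completed")
    # "Still in the future" is read strictly: a review dated today is overdue.
    if c.next_review is None or c.next_review <= today:
        missing.append("review overdue or not set")
    if missing:
        return "Required", missing
    due = []
    if c.id_expiry - today <= WINDOW:
        due.append("VOI expiring within 30 days")
    if c.next_review - today <= WINDOW:
        due.append("review due within 30 days")
    return ("Review", due) if due else ("OK", [])

def matter_status(clients: List[Contact], today: date) -> str:
    """Roll up client statuses: any Required client makes the matter Required."""
    statuses = [contact_status(c, today)[0] for c in clients]
    if "Required" in statuses:
        return "Required"
    # Assumption: a Review client surfaces as Review on the matter.
    return "Review" if "Review" in statuses else "OK"

if __name__ == "__main__":
    today = date(2026, 7, 1)  # constructed sample data
    ok = Contact(True, date(2027, 7, 1), date(2028, 7, 1))
    new = Contact(False, None, None)
    print(contact_status(ok, today), contact_status(new, today))
    print(matter_status([ok, new], today))
```

Returning the reasons alongside the status mirrors the alert that tells you which condition triggered it.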
Admin override
Sometimes a client can’t complete the standard ID or KYC process. Where that happens, and depending on your firm’s policies, an admin can mark them as AML-satisfied directly from the matter’s AML alert.
- A reason is mandatory and must be recorded at the time of the override.
- The matter shows an Overridden status, so anyone on the file can see what’s happened at a glance.
- The override record shows who made it, when and why — visible on the matter for anyone who needs to review it.
Where AML status appears in Law App
You’ll see AML status in four places, so it stays in front of the people who need to act on it:
- File list — an AML status column shows at a glance which matters need attention. Non-AML matters show a quiet dash.
- Clients grid on a matter — per-client AML status, with non-compliant rows flagged.
- Contact list — a risk-rating column across all your contacts.
- Identity & AML tab — the full detail view: the status pill, an alert banner when action is needed, and a complete history of changes.

