Australian law firms are spending serious time and money preparing for AML Tranche 2.
And they should be. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 brings legal practitioners, conveyancers, accountants, and real estate agents into the AML/CTF regime for the first time. Commencement is 1 July 2026. AUSTRAC enrolment opens 31 March. The clock is running.
ALPMA surveys suggest many firms are still in the "awareness only" stage — but they're moving fast. Partners are attending briefings. Compliance committees are being formed. Budget is being allocated. Consultants are being engaged.
The energy, board attention, and budget allocation are appropriate. AML non-compliance carries multi-million-dollar penalties, reputational damage, and potential criminal liability.
But here's the question I keep coming back to: why isn't cybersecurity getting the same treatment?
Because when you lay the two sets of obligations side by side, the structure is almost identical. One is mandated by legislation. The other is effectively voluntary — until something goes wrong. And when something does go wrong in cybersecurity, the consequences look remarkably similar: regulatory penalties, client losses, reputational damage, and operational disruption that can take a firm offline for weeks.
The Obligations Are Remarkably Similar
If you're a managing partner or COO working through your AML Tranche 2 obligations right now, the following table will feel uncomfortably familiar.
| Obligation | AML Tranche 2 | Cybersecurity |
|---|---|---|
| Risk assessment | Required — tailored to the firm's services, clients, and delivery channels | Should be — tailored to the firm's data, systems, and threat profile |
| Compliance program | Written, risk-based AML/CTF program | Should have a formal, documented information security program |
| Designated officer | AML/CTF Compliance Officer (mandatory) | CISO or equivalent — most firms: nobody |
| Ongoing monitoring | Client activity, transactions, source of funds | Network activity, email, endpoints, access logs |
| Training | Mandatory, ongoing, role-appropriate | Should be mandatory — often ad hoc or annual tick-box |
| Independent review | At least every 3 years | Penetration testing (annual best practice), security assessments |
| Regulatory consequences | AUSTRAC enforcement, multi-million-dollar fines | OAIC enforcement (Privacy Act, up to $50M), ASIC (AFS licensees, $2.5M precedent) |
| Record keeping | 7 years minimum | Varies — but log retention is critical for incident response and regulatory notification |
Read that table from top to bottom. The governance architecture is almost identical: assess your risk, document your controls, appoint someone accountable, train your people, monitor for problems, get independently reviewed, and keep records that prove you did all of it.
The difference is that AML Tranche 2 comes with a specific date, a specific regulator, and a specific enrolment process. Cybersecurity doesn't — yet. But the regulatory direction is unmistakable, and the consequences of a breach don't wait for a commencement date.
The Technology Crossover
Here's what's interesting from a practical standpoint: the technology infrastructure required for AML compliance overlaps significantly with cybersecurity.
AML Tranche 2 will require firms to implement identity verification (KYC/CDD), screening against sanctions and PEP lists, ongoing transaction monitoring, and structured record-keeping — often across multiple practice areas and client types. That means new platforms, new data flows, and new integrations with practice management and accounting systems.
Cybersecurity, meanwhile, requires identity and access management, multi-factor authentication, endpoint detection, network monitoring, and centralised logging.
The parallels are not abstract:
Client onboarding is where both programs begin. CDD processes that verify a client's identity and assess risk could integrate directly with cybersecurity access provisioning — ensuring that how a client engages with the firm's systems is controlled from day one, not bolted on later.
Risk-based approaches are central to both. AML requires firms to assess the money laundering and terrorism financing risks of their services. Cybersecurity requires firms to assess which data, systems, and processes are most exposed. The methodology is the same — the threat is different.
Audit trails serve both masters. The record-keeping obligations under AML Tranche 2 require firms to demonstrate what they did, when, and why. Cybersecurity log retention serves an identical purpose: if you're ever investigated by the OAIC following a breach, or if you need to notify under the mandatory ransomware reporting regime, your logs are your evidence.
Firms building an AML technology stack right now should be asking: does this infrastructure also serve our cybersecurity program? At minimum, are the two programs sharing data and processes where they overlap? If you're investing in identity verification, monitoring, and record-keeping for AML — and running a completely separate, under-resourced program for cybersecurity — you're paying twice for a problem that should be solved once.
The Regulatory Direction of Travel
If you think cybersecurity is a "nice to have" rather than a compliance obligation, the regulatory signals are saying otherwise.
ASIC has made its position clear. In February 2026, the Federal Court imposed a $2.5 million civil penalty on FIIG Securities for cybersecurity failures — the first time penalties have been applied under AFS licence obligations for inadequate cyber controls. ASIC's Corporate Plan for 2025–2029 explicitly identifies cyber resilience and operational resilience as enforcement priorities. They are not waiting for firms to self-correct.
The OAIC reported 1,113 data breach notifications in the 2023–24 financial year. The Privacy Act penalties for serious or repeated interference with privacy now reach up to $50 million. The first civil penalty under the Privacy Act landed in October 2025 when Australian Clinical Labs was ordered to pay $5.8 million. Professional services — including legal — remains among the most frequently breached sectors.
The Cyber Security Act 2024 introduced mandatory ransomware payment reporting, which commenced 30 May 2025. Phase 1 operated under an "education first" approach. Phase 2 — full compliance and enforcement — commenced 1 January 2026. Any firm with $3 million or more in annual turnover that pays a ransom must report to the ASD within 72 hours.
The direction is clear. Two years ago, cybersecurity for law firms was a matter of good practice. Today, it sits at the intersection of Privacy Act obligations, AFS licence conditions (for firms holding trust funds), mandatory reporting legislation, and increasing insurer scrutiny. Within a few years, it's reasonable to expect the obligations on law firms around cybersecurity will be as prescriptive as AML.
The firms that build strong programs now will be ahead. The firms that wait for a specific enrolment date and a specific regulator will be playing catch-up — just like many are with AML right now.
What Firms Should Do
If you're in the middle of standing up your AML Tranche 2 program, you have a window to get cybersecurity right at the same time. Here's where to start:
1. Give cybersecurity the same governance attention as AML.
That means partner-level oversight, regular reporting to the board or management committee, and a dedicated budget line — not a line item buried inside "IT expenses." If your AML program has a steering committee, your cybersecurity program should too.
2. Appoint someone responsible for cybersecurity.
Under AML Tranche 2, you'll need a designated AML/CTF Compliance Officer. Who is the equivalent for cybersecurity? In most firms, the answer is nobody — or "the IT manager," who may be excellent at infrastructure but isn't trained in risk management, incident response, or regulatory compliance. Even a fractional CISO arrangement gives you an accountable point of contact and strategic direction.
3. Conduct an independent security assessment.
You wouldn't submit your AML risk assessment without external input. Apply the same rigour to cybersecurity. A proper assessment covers your technical controls, governance framework, third-party risk, incident response capability, and alignment to frameworks like the ASD Essential Eight or ISO 27001. This is not a vulnerability scan — it's a structured evaluation of your security posture.
4. Align your AML and cyber programs where they overlap.
Client data management, identity verification, access controls, monitoring infrastructure, and record-keeping all sit in both domains. If you're building new systems and processes for AML, design them with cybersecurity requirements in mind from the start. Retrofitting is always more expensive.
5. Document everything.
This is the lesson from FIIG Securities. They had policies. They had a security framework. What they didn't have was evidence that any of it was being followed. The firms that can demonstrate their approach — with documented controls, training records, assessment reports, and incident response plans — will fare better with insurers, clients, and regulators.
The Parallel Is Not a Coincidence
AML and cybersecurity are both fundamentally about the same thing: protecting the integrity of the systems and relationships your firm depends on.
One protects against financial crime flowing through your trust accounts. The other protects against criminals accessing your client data, disrupting your operations, or leveraging your firm's trusted position for fraud.
Both require a risk-based approach. Both require governance, accountability, and investment. Both carry consequences when they fail.
The only difference is timing. AML Tranche 2 has a date. Cybersecurity doesn't — but the breaches, the penalties, and the regulatory pressure aren't waiting for one.
If you're building an AML program right now and want to assess where your firm's cybersecurity posture stands in comparison, I'm happy to have that conversation → Cyber Chat
The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.