Since 1 July, your firm has been a reporting entity under the AML/CTF regime. If you're like most of the firms I talk to, the last six months have been consumed by the compliance side of that: the risk assessment, the program document, the compliance officer appointment, the AUSTRAC enrolment that closes on 29 July.
All of that work is necessary. None of it is what this post is about.
This post is about the thing sitting underneath the compliance program that almost nobody costed: from last Wednesday, your firm started collecting more identity data than it ever has, and it will keep collecting it for as long as you practise.
Passports. Driver's licences. Beneficial ownership records. Source of funds and source of wealth documentation. Verified, current, and neatly organised — because the legislation requires it to be. Kept for seven years — because the legislation requires that too.
I spent years as the CISO of a global law firm, and I can tell you what that collection looks like from the other side of the fence. To an attacker, a Tranche 2-compliant law firm is no longer just a repository of matter files. It's a repository of ready-made, pre-verified identity kits for every client the firm has onboarded.
You've been handed a compliance obligation. You've also been handed a target profile upgrade. Only one of those came with a deadline.
The Data Problem Inside the Compliance Program
Here's the uncomfortable arithmetic.
Before 1 July, a breach at your firm exposed whatever lived in your matter files and inboxes. Serious, damaging, and reportable — but the identity documents in there were incidental, scattered, and often stale.
After 1 July, a breach exposes something qualitatively different: a structured collection of identity documents that you have verified as genuine and current. That's precisely what identity fraud operations pay for. The verification work your compliance team does to satisfy AUSTRAC is the same verification work a criminal would otherwise have to do themselves.
And the seven-year retention obligation means the collection only grows. Every client you onboard from here adds to it. In three years, a mid-sized firm running a normal conveyancing and commercial practice will be holding thousands of verified identity records — most of them for matters that closed long ago.
The compliance program tells you what to collect and how long to keep it. It says very little about how to protect it. That part is on you.
Where Is It Actually Going to Live?
This is the question I'd put to every managing partner reading this, and I'd want a specific answer, not a general one.
When your team collects a passport scan next week, where does it land?
In most firms I've assessed, the honest answer is: several places at once, none of them chosen deliberately. The client emails it in, so a copy lives in an inbox. Someone saves it to the matter folder, so a copy lives on the document management system or a shared drive. If you're using an electronic verification platform, a copy — or the verification result — lives with a third party. If the file gets forwarded internally for a second opinion, add another inbox.
Every one of those copies is inside the scope of a breach. The mailbox copy is the one that worries me most, because business email compromise remains the most common incident I investigate in the legal sector, and a compromised mailbox with six months of client onboarding traffic in it is now a compromised identity archive.
None of this is hard to fix. It just has to be decided, and most firms haven't decided it yet because the compliance workstream and the IT workstream have been running in separate rooms.
The Third Party You Just Added
One more thing that deserves attention: if you've procured an electronic identity verification platform for your CDD obligations — and most firms have — you've added a new supplier to your supply chain, and that supplier now processes your clients' most sensitive documents.
The questions you'd ask of any critical vendor apply, but with more weight. Where is the data stored, and in which jurisdiction? How long does the platform retain documents after verification? Is retention configurable, or does everything sit there indefinitely by default? What happens to your clients' data if the vendor is breached — and what are their notification obligations to you?
I've reviewed vendor contracts where the answers to these questions were nowhere to be found. That's fine right up until the vendor has an incident, at which point your firm has a notifiable data breach it didn't cause and can't investigate.
Run the Two Projects as One
The good news is that the timing works in your favour, if you act now.
Your AML program is being built right now. The systems are being configured, the processes are being written, the training is being rolled out. Retrofitting security onto a mature process is expensive and political. Building it in while the concrete is still wet costs almost nothing.
Five decisions, made this month, close most of the gap:
1. Choose one home for identity data.
A single, access-controlled location — not inboxes, not general shared drives. Then build the intake process so documents land there and copies get cleaned up. If the process allows a passport to sit in an inbox indefinitely, the process is the vulnerability.
2. Restrict who can reach it.
The number of people who need standing access to identity documents is much smaller than the number of people in your firm. Apply least privilege now, while the collection is small, rather than trying to claw access back later.
3. Set retention — and destruction — deliberately.
Seven years is a minimum, not a filing philosophy. Records that pass their retention date should be destroyed on a schedule, because data you no longer hold is data you can't breach. Your AML program already requires you to document retention; extend the document to cover secure destruction.
4. Turn on the logging that tells you if someone took a copy.
If a mailbox is compromised or a staff account accesses five hundred identity records on a Sunday night, would anything alert you? For most firms the answer is no. Audit logging and a handful of alerting rules are cheap; discovering exfiltration from a ransom note is not.
5. Put the identity data store in your incident response plan by name.
When a breach happens, the first question your insurer, the OAIC, and your clients will ask is whether identity documents were accessed. If your IR plan and your logging can answer that with evidence, you're having a manageable conversation. If they can't, the assumption defaults to worst case — and so do the notifications.
The Deadline That Matters After the Deadline
Enrolment closes on 29 July, and if that's not done, do that first. Nothing here is an argument for slowing the compliance work down.
But enrolment is a form. The data keeps arriving every week after it, for the life of the firm. The firms that will regret this period aren't the ones that filed late. They're the ones that built a beautifully compliant collection process on top of storage nobody thought about — and found out where all the passports lived only after someone else did.
You're going to be asked, eventually, how you protected this data. By an insurer at renewal, by a client's procurement team, or by a regulator after an incident. "The same way we protect everything else" is not a good answer when the legislation that made you collect it also made you a better target.
If you're standing up your AML program right now and want a second set of eyes on where the identity data will live, who can reach it, and whether you'd know if it walked out the door, I'm happy to have that conversation → [Cyber Chat]
The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.
Related Posts
The Legal Cyber Brief — monthly cyber intelligence for law firm leaders.