
Compliance · Law firms

Compliance pressure on law firms, and how we handle it.

Trust accounts, privilege, client confidentiality and now AML reporting. Compliance for a law firm is not a single project. It is a standing set of obligations that the IT stack either quietly supports every day, or quietly undermines. We build it so it supports.

Live right now · law firms

What's hitting law firms right now.

Active regulatory pressures we're already working through with clients in your sector. Each card links to the detailed guide.

AUSTRAC Tranche 2 AML/CTF

Effective 1 July 2026

Captures law firms providing designated services (trust account operations, real estate conveyancing). Enrolment with AUSTRAC due 29 July 2026, AML/CTF program in force from 1 July 2026.


What's being asked of you · law firms

The compliance landscape for law firms in 2026.

The compliance landscape for an Australian law firm in 2026 is denser than it has been at any point in living memory. Trust accounting rules have always carried weight; AUSTRAC Tranche 2 enrolment for firms providing designated services from 1 July 2026 adds a continuing obligation that touches matter intake, KYC procedures, record-keeping, suspicious-matter reporting, and the audit trails behind all of it. The Privacy Act Tranche 2 changes, widely expected to remove the small-business exemption, land in the same window, and conveyancing-specific obligations around PEXA MFA and email-borne settlement fraud are not going anywhere.

Underneath each of these regulations is the same documentation expectation. An auditor, an insurer, or a regulator who asks 'show me your AML/CTF program, your privacy program, your incident-response runbook, your access-review schedule' expects a tangible answer with evidence, not a verbal assurance. Most mid-size law firms cannot produce that evidence on demand today. The work to be able to do so is largely IT and process work, sitting underneath the legal substance.

Client-driven pressure is the third front. Larger corporate clients and listed companies now send their law firms supplier security questionnaires before renewing engagement letters. The questionnaires are not legal-domain documents; they ask about MFA coverage, offboarding, patch cycles, backup testing, vendor management. A firm that cannot answer them in writing within five business days starts losing the work.

What we do · compliance practice

What CCP does for law firms on compliance.

What we do on compliance for a law firm starts before the obligations arrive. We map the regulations the firm is captured by (legal profession rules for your state, Privacy Act, AUSTRAC from 2026 for firms providing designated services, cyber-insurance requirements that now read like audit checklists) against the stack you actually run. We name the gaps, cost the remediation, and stage the work so the firm can show an auditor a program rather than a panic.

Operationally, the weight sits in three places. Identity and access, so the people with matter access match the people who should have it, and offboarding the same day someone leaves stops being a reminder note. Logging and retention, so when AUSTRAC, a regulator or an insurer asks what happened to a file, there is an answer that stands up. And evidence generation: every control the firm claims to have runs through something we can produce a report from. The firms that treat compliance as a reporting problem pass audits. The firms that treat it as a culture statement fail them.

Across the engagement, we run the framework cycle continuously rather than as an annual scramble. Gap analysis at the start, monitoring throughout, remediation when the monitoring surfaces a drift, evidence pipelines that produce the artefact on demand. A standing program rather than a project with a finish line.

We write none of your legal documents. We set up the document-management, identity, monitoring, and retention infrastructure the legal and compliance work actually runs on. That boundary is explicit on every engagement: you own the interpretation, we own the machinery.

The tools and the role · what we bring

The five capabilities most law firms need at the same time, and almost never have running together internally.

Compliance frameworks have converged on roughly the same set of operational expectations. These are the five we run as a service so the framework cycle is a continuing operation rather than an annual scramble.

  • SIEM and continuous monitoring

    Log aggregation across your devices, identity, network and cloud services with the alerting that surfaces something unusual while it is still recoverable. The answer to 'are we under attack right now' rather than 'were we under attack last quarter'.

  • Application control

    Allowlisting that prevents unauthorised executables from running on managed devices. One of the highest-impact Essential Eight controls and one of the hardest for in-house IT to operate without breaking the business. We run it as a service, including the day-to-day exception handling.

  • Vulnerability scanning AND remediation

    Most providers run a scanner and email you a list. We run the scanner and do the labour-intensive remediation work that actually closes the vulnerabilities inside the thirty-day window most frameworks expect. Scanning without remediation is a list of known problems with no closure.

  • Cybersecurity awareness training

    Annual training your staff actually complete, phishing simulations that escalate rather than scold, and the completion reporting your compliance officer can show to an auditor or insurer. The training is a compliance artefact and a real behaviour-change tool, not a tick-box.

  • vCIO function

    Strategic IT advice, framework gap analysis, board-level reporting, risk register maintenance, vendor management oversight. The compliance-aligned strategic role most firms of your size cannot resource internally. See /services/vcio/ for the standalone offering.


The risk that matters · for law firms

The compliance risk that actually breaks things.

The risk most law firms imagine compliance saving them from is the easy one: 'we said no to something we should have said yes to, and now we are non-compliant'. The harder risk, and the one that's bitten the firms we have worked with hardest, runs the other way. 'We answered yes to a control question on an insurer renewal or a corporate client's supplier questionnaire because we thought we had the control in place, and then a breach happened and someone asked for the evidence.' If the evidence is not there, the insurer may decline the claim and the corporate client may end the engagement. That is the failure mode worth designing against.

Where it fits · managed IT engagement

Where this sits inside a managed-IT engagement.

Most of the compliance-supporting controls sit inside the Client Security Baseline, which every CCP client is contractually on: MFA on everything that matters, application control, vulnerability management, backups that have been tested, and offboarding discipline. That baseline is the floor, not the ceiling.

Where a specific regulation needs more (document retention labels for AML records, privileged-access logging for trust-account work, audit-grade evidence pipelines for insurer questionnaires, sensitivity labels for matter files under privilege), we add it per engagement. Compliance is an overlay against the same baseline, not a separate product.

What stays outside our scope: the legal interpretation, the partner-level risk decisions, the AML/CTF program document itself, the law-society reporting. We do not replace your compliance officer, your in-house counsel, or your AML adviser. We provide the IT-and-process expertise externally that most firms cannot resource internally, and we work alongside the people who own the policy and the legal substance.

Common questions · law firms

The framework questions law firms ask us first.

  • Can a managed IT provider help us meet AUSTRAC Tranche 2 obligations from July 2026?

    We help with the IT and process work that sits underneath an AML/CTF program: document-management retention rules and labels for KYC records, identity controls so only authorised staff can access the program, logging and reporting infrastructure so suspicious-matter reports and audit trails actually exist when AUSTRAC asks, and onboarding workflows that capture the KYC artefacts at the moment of matter intake. We do not write the AML/CTF program itself; that is a legal-and-compliance call that stays with the firm and its risk lawyer.

  • Do we need ISO 27001 to win larger corporate clients?

    Not always, but the questions corporate clients now ask are increasingly mapped to ISO 27001 controls whether or not the certificate itself is required. Going through the ISO 27001 cycle (we have) gives the firm a defensible answer to most of those questions even before the cert is on the wall. We help firms work through gap analysis, control implementation, evidence generation, and the surveillance-audit cycle that follows certification.

  • What is the difference between an Essential Eight assessment and a full compliance program?

    An Essential Eight assessment measures one specific framework (the ASD's mitigation strategies, at one of four maturity levels) at a point in time. A full compliance program is the continuing operation of multiple frameworks at once, with the evidence pipeline that lets you prove ongoing adherence rather than a once-a-year score. We do both: the assessment is a starting point on most engagements, and the program is the continuing work that follows.

  • How does this differ from hiring a compliance officer?

    A compliance officer (internal or fractional) owns the policy decisions, the legal interpretation, the regulator relationship, and the partner-level conversations about risk appetite. We own the IT and process machinery the compliance officer's work relies on to actually be true: the controls, the logs, the evidence, the technical implementation that the policy assumes is in place. The two roles work together; neither replaces the other.

  • Can you help us answer client-driven security questionnaires?

    Yes. We have helped firms answer questionnaires from listed corporates, Big 4 audit firms, and major financial institutions. We fill them in with you, not for you, because some answers (incident-response decisions, retention policy, partner-level governance) are yours to give and some (technical control detail, log formats, encryption posture) are ours. We would rather give an honest 'partial' than a confident 'yes' that does not survive a follow-up on audit.

  • What evidence will I actually be able to produce after the work?

    At the end of a compliance engagement you should be able to produce, on demand: an access-control register that matches your current staff list, a sample of recent backup-restore tests, a patch-status report with no critical items older than thirty days, an offboarding log showing same-day account closure, a phishing-test campaign result, and a written incident-response runbook with at least one recent tabletop exercise. If you cannot produce those six things today, that is the starting work.

  • What about PEXA MFA and conveyancing-specific obligations?

    PEXA MFA on every practitioner account has been mandatory for some time and we enforce it as part of the security baseline. The bigger conveyancing-specific risk is invoice-redirection fraud (a client's email gets compromised, settlement details get changed, money goes to a fraudster's account). We help firms put email-authentication, attachment scanning, and partner-level verification policies in place so the chance of that happening drops materially. Law Mutual's 2025/26 Master Policy is pricing this aggressively, and one prevented incident usually pays for several years of the work.
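As an added example (not CCP's own tooling, and not code from this page), here is what the check behind three of the six evidence artefacts listed above can look like when it is run from exports rather than asserted from memory: reconciling the access register against the current staff list, testing same-day account closure for leavers, and ageing critical patch items against the thirty-day window. The export formats, field names and sample records are constructed for illustration.

```python
from datetime import date

# Constructed sample data in hypothetical export formats (not a real product's schema).
TODAY = date(2026, 4, 1)
STAFF = {"a.chen", "b.singh"}                       # current HR staff list
ACCOUNTS = [                                        # identity-provider account register
    {"user": "a.chen",  "enabled": True,  "left": None,             "disabled_on": None},
    {"user": "b.singh", "enabled": True,  "left": None,             "disabled_on": None},
    {"user": "d.old",   "enabled": True,  "left": date(2026, 3, 2), "disabled_on": None},
    {"user": "e.gone",  "enabled": False, "left": date(2026, 3, 9), "disabled_on": date(2026, 3, 11)},
]
PATCHES = [                                         # vulnerability-scanner status export
    {"host": "ws-01", "severity": "critical", "first_seen": date(2026, 2, 1)},
    {"host": "ws-02", "severity": "critical", "first_seen": date(2026, 3, 20)},
    {"host": "ws-03", "severity": "high",     "first_seen": date(2026, 1, 5)},
]


def stale_enabled_accounts(staff, accounts):
    """Enabled accounts with no matching person on the staff list (register/staff mismatch)."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] not in staff)


def late_offboardings(accounts):
    """Leavers whose account was not closed on their last day (still enabled, or disabled later)."""
    late = []
    for a in accounts:
        if a["left"] is None:
            continue
        if a["disabled_on"] is None or a["disabled_on"] > a["left"]:
            late.append(a["user"])
    return sorted(late)


def overdue_criticals(patches, today, window_days=30):
    """Critical items open longer than the thirty-day window most frameworks expect."""
    return sorted(p["host"] for p in patches
                  if p["severity"] == "critical" and (today - p["first_seen"]).days > window_days)


def evidence_report(staff, accounts, patches, today):
    """Findings an auditor-facing report is generated from; every list empty means the control holds."""
    findings = {
        "stale_enabled_accounts": stale_enabled_accounts(staff, accounts),
        "late_offboardings": late_offboardings(accounts),
        "overdue_criticals": overdue_criticals(patches, today),
    }
    findings["pass"] = not any(findings.values())
    return findings


if __name__ == "__main__":
    print(evidence_report(STAFF, ACCOUNTS, PATCHES, TODAY))
```

On the constructed data the report fails on all three counts: one leaver still enabled, two leavers not closed the same day, and one critical item open for 59 days.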

Next step · start with the evidence

Find out where you actually sit.

The Essential Eight self-assessment takes about ten minutes and gives you a branded PDF report you can hand to your compliance officer, your insurer, or your board the same day. If you want to confirm we're the right shop for the work, the fit check comes next.
