
DIA’s Message to Law Firms Is Getting Louder: AML/CFT Compliance Must Work in Practice

  • Writer: Elaine Ramsay
  • Apr 30
  • 6 min read

Why recent enforcement action should make every law firm pause and ask: could we evidence what our AML/CFT programme actually does?


There is still a quiet assumption in some professional circles that AML/CFT breaches are something that happen elsewhere.

Money remitters. Casinos. Real estate agents. High-volume cash businesses.

Not law firms.

The public enforcement record tells a different story.

On 24 April 2026, the Department of Internal Affairs announced that Hamilton law firm Foster & Milroy had been fined $60,000 after pleading guilty to criminal breaches of the AML/CFT Act. The breaches included failing to undertake a compliant risk assessment, failing to establish, implement or maintain an AML/CFT programme, failing to maintain proper records, and wilfully obstructing an AML/CFT supervisor in the exercise of its powers. DIA described the offending as serious, prolonged, intentional and systemic.

This matters because it is not just another regulatory notice. It is a legal sector case. It involved a criminal prosecution. It involved a guilty plea. It involved a financial penalty. And it involved the kind of foundational AML/CFT failures that no reporting entity can afford to treat lightly.

But Foster & Milroy does not sit in isolation.

In 2021, DIA issued a formal warning to Kidd Legal for AML/CFT non-compliance. DIA said the firm failed to meet obligations relating to the establishment, implementation and maintenance of its AML/CFT programme, could not demonstrate how staff compliance would be ensured, and failed to adequately understand or assess money laundering and terrorism financing risk within the business. DIA described that warning as the first formal warning issued to the legal sector under the AML/CFT Act.

In 2024, DIA issued a formal warning to lawyer Peter S Brinsley, trading as PSB, after finding failures relating to the establishment, implementation and maintenance of an AML/CFT programme, ongoing customer due diligence, and reporting obligations. DIA also made the point that reporting entities range from large organisations to sole traders, and that the size of a practice does not remove AML/CFT obligations.

Taken together, these cases answer a question that still comes up from time to time.

Can law firms be found in breach of AML/CFT obligations?

Yes. They already have.

The better question is this:

If DIA walked in tomorrow, could your firm show that its AML/CFT framework is not only documented, but understood, followed and evidenced in practice?

This is not just about having documents

One of the strongest messages from DIA’s legal sector enforcement history is that a risk assessment and compliance programme cannot simply exist on paper.

They need to work.

They need to reflect the firm’s actual services, clients, delivery channels, countries, institutions and transaction types. They need to guide staff decisions. They need to be reviewed when risks change. They need to be supported by records. They need to be visible in file practice.

That is where many firms become vulnerable.

The issue is not always that a firm has no AML/CFT documents. Often the issue is that the documents are out of date, too generic, poorly understood, or disconnected from what actually happens on files.

A beautifully formatted programme will not assist much if staff do not know when to escalate a matter.

A risk assessment will not carry much weight if it does not reflect the firm’s real exposure.

A file note will not satisfy scrutiny if it does not explain the reasoning behind a risk rating, source of funds decision, or suspicious activity threshold assessment.

A policy will not protect a firm if there is no evidence that it has been applied.

The legal sector risk is real

Law firms are not banks, and they should not be treated as if they are. But law firms do sit in important positions of trust.

They may act on property transactions, trusts, companies, estate matters, relationship property settlements, lending arrangements, asset transfers and funds passing through trust accounts. They may see information that other gatekeepers do not see. They may notice inconsistencies in a client’s explanation, unusual third party involvement, unexplained wealth, or funds that do not align with the stated transaction.

That does not mean every matter is suspicious.

It does mean the AML/CFT framework must be practical enough to help staff identify when something needs a closer look.

A risk-based approach is not a licence to do less. It is a requirement to think properly, document the reasoning, and apply controls in a way that matches the risk.

The small firm argument does not remove the obligation

The PSB warning is particularly important for smaller practices.

DIA made it clear that the businesses it supervises range from large organisations to sole traders, and that all businesses with obligations under the AML/CFT Act need to comply. DIA also said sole traders are not immune from being manipulated by criminals, nor from monitoring and oversight by the Department.

That is a useful reminder.

A smaller firm may have a simpler structure, a smaller client base and fewer captured services. Those factors may affect the level of risk and the scale of the programme. But they do not remove the need for a current risk assessment, an effective AML/CFT programme, staff understanding, proper CDD records, ongoing CDD where required, and reporting processes that are understood.

In other words, the programme can be proportionate.

It cannot be absent.

It cannot be stale.

And it cannot be invisible in practice.

The real regulatory test is evidence

For law firms, the practical question is not simply:

Do we have an AML/CFT programme?

The better questions are:

Can we show how it works?

Can we show who follows it?

Can we show when decisions were made, why they were made, and what was done next?

That means being able to produce more than the risk assessment and compliance programme. It means being able to show:

  1. current risk assessment methodology
  2. clear client and matter risk rating rationale
  3. CDD and ECDD records
  4. source of funds and source of wealth reasoning where required
  5. ongoing CDD triggers and review notes
  6. suspicious activity reporting considerations
  7. prescribed transaction reporting processes
  8. staff training records
  9. AMLCO approvals and escalations
  10. audit findings and evidence of remediation

The key word is evidence.

Not intention.

Not verbal assurance.

Not “we usually do that”.

Evidence.

What law firms should take from Foster & Milroy

The Foster & Milroy case should not be read as a one-off headline.

It should be read alongside Kidd Legal and PSB as part of a wider message to the legal sector. DIA has taken public action against law firms and lawyers before. The regulator is prepared to scrutinise whether AML/CFT obligations are being met. And where failures are serious, prolonged or systemic, the consequences can move beyond a warning.

For firms, the lesson is practical.

Do not wait for a supervisor, audit report or enforcement notice to discover that the AML/CFT framework is not working.

Look now.

  • Ask whether the risk assessment still reflects the firm.
  • Ask whether the compliance programme matches actual practice.
  • Ask whether staff know what to do when a matter does not feel right.
  • Ask whether risk ratings are supported by proper reasoning.
  • Ask whether ongoing CDD is being triggered when it should be.
  • Ask whether reporting decisions are recorded.
  • Ask whether audit findings have actually been embedded into the programme.
  • And most importantly, ask whether the firm could evidence all of this if DIA requested it.

A health check is not a luxury

This is where a practical AML/CFT health check can be valuable.

Not because every firm is in trouble.

But because most firms are busy. Documents age. Processes drift. Staff change. File habits become inconsistent. New guidance is issued. Audit findings sit unresolved. Risk rating forms are completed, but not always with clear reasoning. Source of funds notes are recorded, but not always in a way that explains the decision.

A focused review can help identify those gaps before they become regulatory findings.

For law firms, the goal should not be a heavier AML/CFT process. The goal should be a clearer one.

A good framework should help the firm answer three simple questions:

What are our risks?

What are we doing about them?

Can we prove it?

Final thought

DIA’s message to law firms is getting louder.

AML/CFT compliance cannot sit in a folder. It must be current, understood, followed and evidenced.

The legal sector is already on the public enforcement record. Foster & Milroy, Kidd Legal and PSB show that AML/CFT breaches in law firms are not hypothetical.

The firms best placed to respond are not necessarily the largest firms or the firms with the most complex documents.

They are the firms that can show their programme works in practice.

© 2026 The AML Space | Christchurch, New Zealand