Lauren Watson

VP of Growth

This article is for informational purposes and does not constitute legal advice. Law firms should seek independent legal counsel regarding their specific AML/CTF compliance obligations.

Sovereign Washing: What Is It?

There is a conversation happening across Australian law firms right now that is costing firms time they do not have. It goes something like this: "We want an AML compliance solution, but we need our client data to stay fully within Australia."

It is an understandable instinct. But there is a significant problem: no commercially available AML or identity verification platform can deliver it. Not one. And some providers are actively misleading law firms by implying they can.

This practice has a name in cloud computing circles: sovereign washing. It’s the art of marketing data residency as though it were true data sovereignty, when the underlying reality is far more complex. The defining question of true data sovereignty is not "Where are the servers?" but "Who has ultimate control over my data at every stage of processing?" And when you ask that question of every AML platform in the Australian market, including those that loudly advertise local data hosting, the answer reveals a pattern of sub-processing that crosses borders as a matter of technical and commercial necessity.

All AML compliance providers in the market delivering services to law firms in Australia rely on third-party sub-processors to deliver their services. This is not a scandal. It is an industry-wide structural reality. The scandal is that some providers are not being as transparent as they should be with Australian law firms about the nature and use of third-party sub-processors.

What the Sub-Processor Evidence Actually Shows

Let us be specific, because specificity matters here. Not all AML compliance or IDV vendors publish lists of their sub-processors. Many are nonetheless explicit, in their terms or privacy policies, that personal and biometric information may be transferred to service providers in regions such as the United Kingdom and Europe, and those policies often acknowledge that sub-processors and their contracts are situated outside Australia and New Zealand. The very nature of the services being delivered, for example verifying documents issued to overseas entities or individuals, involves touching systems that sit outside Australia.

The pattern is consistent and unavoidable: every IDV and AML platform serving the Australian market uses sub-processors located outside Australia. Some are more transparent about this than others. The firms that have been told otherwise have often been misled.

To be very clear, Legl does leverage sub-processors to deliver a best-in-class client lifecycle management platform that enables firms to accelerate client onboarding, maintain robust AML compliance standards, take compliant payments from clients and more. We are transparent and explicit about this, and will share more on this below.

Why True Data Sovereignty Is Not a Commercially Available Product

The reason for this is structural, not incidental. Modern identity verification depends on cross-border infrastructure by definition.

To verify that a passport is genuine, a platform must query document verification services connected to issuing-country databases, many of which are hosted outside Australia. To screen a client against PEP and sanctions registers, a platform must access global watchlists maintained by OFAC, the UN Security Council, and regulators in other FATF member states, none of which sit in Australia. To verify an international address, the platform must query overseas data sources. To check an international bank account for source of funds purposes, it must interface with non-Australian financial infrastructure.

Even AWS's Sydney and Melbourne regions, the default answer behind every "Australian data" marketing claim, are part of a global infrastructure with support teams, failover systems, and management tooling located across multiple jurisdictions. Residency describes where data sits at rest; it says nothing about which jurisdictions' staff administer the platform or which courts can compel production. True data sovereignty, in the absolute sense that no data ever crosses a border or touches a system outside Australian legal control, is not something any commercially viable AML compliance provider can offer today.

Law firms that wait for this hypothetical solution will arrive at 1 July 2026 with no compliant system at all.

Why Doing Nothing Is Not an Option

Before addressing what law firms should look for in a provider, it is worth confronting a temptation that some firms still harbour: the idea that manual processes can substitute for technology, at least temporarily.

They cannot. And not primarily for reasons of efficiency, but because there are things manual processes structurally cannot do.

Passport and document authentication. A manual process can record that a passport was sighted. It cannot verify that the passport is genuine. Only automated document verification technology, querying real-time databases and applying forensic document analysis, can identify sophisticated forgeries, expired or revoked documents, or fraudulently altered identity documents. The AML/CTF framework requires reliable verification, not just sighting.

PEPs and sanctions screening. There are over 1,100 real-time PEP and sanctions lists globally, updated continuously by governments, international bodies, and regulators. No manual process can keep pace with this data. A firm that screens a client against a static spreadsheet downloaded six months ago is not meeting its ongoing customer due diligence obligations. It is creating a documented record of inadequate screening that would be devastating in any subsequent AUSTRAC enforcement action.

International proof of address. For clients with addresses outside Australia, manual address verification is not just slow, it is often impossible to execute reliably. Electronic verification services query overseas address databases in real time, delivering results that a manual process simply cannot replicate.

Source of funds for international accounts. Tranche 2 obligations require law firms to understand the source of funds for client transactions above certain thresholds. For clients with international bank accounts, manual source of funds verification requires the client to produce documentation that is difficult to authenticate, creates friction in the onboarding experience, and provides no assurance against fabricated bank statements. Technology-driven source of funds verification, using open banking connections and financial data analysis, delivers verified, real-time financial information that is genuinely defensible.

Ongoing monitoring. AML/CTF compliance is not a one-time onboarding event. It requires continuous monitoring including flagging when a previously clean client subsequently appears on a sanctions list, when their risk profile changes, or when unusual transaction patterns emerge. No manual system can do this at scale across a firm's full client base.

The regulatory floor has moved, and manual processes do not meet it.

Point Solutions vs. a Client Lifecycle Management Platform

There is a second important distinction that Australian law firms need to understand as they evaluate the market: the difference between an identity verification point solution and a genuine client lifecycle management platform.

Many of the providers competing for Australian law firm business in the lead-up to July 2026 are, at their core, IDV tools: solutions built to verify a person's identity at the point of onboarding. They may do this well. But identity verification is one component of AML/CTF compliance, not the whole of it.

The AML/CTF Amendment Act 2024 requires law firms to do considerably more:

  • Conduct and document client and matter risk assessments that evaluate the specific risk profile of each engagement
  • Screen against PEP and sanctions registers, not just at onboarding, but on an ongoing basis
  • Undertake enhanced due diligence for high-risk clients, including politically exposed persons, clients from high-risk jurisdictions, and complex ownership structures
  • Verify and document source of funds and source of wealth for relevant transactions
  • Maintain audit-ready records for seven years, accessible to AUSTRAC on demand
  • File suspicious matter reports when required
  • Conduct ongoing customer due diligence, updating risk assessments when client circumstances change

A point solution that handles identity verification addresses one item on that list. It leaves the rest to manual processes, spreadsheets, and the kind of informal risk management that the Tranche 2 reforms were specifically designed to replace.

Legl is built as a client lifecycle management platform, not an identity verification tool. The distinction matters. Legl's platform for Australian law firms incorporates:

  • Identity and biometric verification — electronic verification against Australian and international document databases, including biometric liveness checks
  • Client and matter risk assessments — customisable risk frameworks that allow firms to build their own risk logic, scoring, and escalation workflows, fully aligned to their AML/CTF program
  • PEP and sanctions screening — continuous monitoring across global watchlists, with instant notifications when risk profiles change
  • Source of funds verification — clients share bank transaction data including via open banking, giving firms verified, real-time financial information and AI-powered tools for fast analysis and grouping of high risk transactions
  • Enhanced due diligence workflows — structured processes for high-risk clients that document the additional steps taken
  • Compliant payments — integrated payment infrastructure that connects compliance and billing, reducing friction while maintaining regulatory oversight
  • Ongoing monitoring — continuous review of the client base against updated risk data, not just a one-time check at onboarding
  • Audit-ready record-keeping — complete, timestamped audit trails for every check, assessment, and decision

This is not an incremental improvement on a point solution. It is a categorically different approach to compliance, one that treats AML/CTF obligations as an ongoing client relationship management function rather than a one-time identity check at the front door. This approach has been adopted by over 500 law firms in the UK, which have years of experience running the kind of robust AML compliance processes now required of Australian law firms.

What Australian Law Actually Requires

The AML/CTF Act and its associated Rules, as amended in December 2024 and operative from July 2026, do not require that client data be held exclusively on Australian soil. They require that reporting entities take a risk-based approach to client due diligence, implement appropriate systems and controls, and remain accountable for the functions they outsource.

AUSTRAC's guidance on outsourcing is unambiguous: "If you outsource AML/CTF functions, you remain responsible for complying with your obligations under the AML/CTF Act and AML/CTF Rules. Your business will remain legally liable for any breach of its AML/CTF obligations, even under outsourcing arrangements."

The regulator requires firms to conduct due diligence on service providers, maintain senior management oversight of outsourcing arrangements, and monitor ongoing performance. Nowhere in the Act, the Rules, or AUSTRAC's guidance is there a requirement for data localisation.

The relevant privacy instrument is Australian Privacy Principle 8 (APP 8) under the Privacy Act 1988, as amended by the Privacy and Other Legislation Amendment Act 2024. APP 8 requires that before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs, and under section 16C of the Act the disclosing entity generally remains accountable for how that recipient handles the information. This is a due diligence and accountability obligation, not a prohibition on overseas data transfer.

The critical phrase is "reasonable steps." A law firm that engages a digital onboarding platform with robust sub-processor governance, published sub-processor lists, contractual data processing agreements, and independently certified security controls is, on any reasonable reading, taking reasonable steps. A law firm that has been told its data never leaves Australia may find itself in a more difficult position when the true structure of its vendor's data processing becomes apparent.

The Certification Framework: Where Scrutiny Should Actually Focus

Given that sub-processing across borders is unavoidable, the right question for Australian law firms to ask is not "Does this data stay in Australia?" but "How well is this data protected, and by what independently verified standard?"

ISO 27001 is the international standard for information security management systems. It requires organisations to implement a comprehensive, risk-based framework for protecting the confidentiality, integrity, and availability of information regardless of where that information is processed. Certification is granted by accredited third-party auditors and requires ongoing surveillance audits.

SOC 2 Type II provides independent attestation, issued by a licensed CPA firm, that a service organisation's security controls have operated effectively over a defined period. Where ISO 27001 certifies that a security management system exists and is maintained, SOC 2 Type II attests to the operating effectiveness of specific controls over time. Both are only as meaningful as their scope: a certificate whose scope excludes the systems that actually process client data says little about that data.

For example, Legl is an ISO 27001 certified entity. In addition, Legl's identity verification sub-processor, FrankieOne Pty Ltd, holds both a SOC 2 Type II attestation and ISO 27001 certification. Legl publishes its complete sub-processor list at legl.com/sub-processors and maintains formal data processing agreements with each sub-processor, imposing APP-equivalent obligations throughout the processing chain.

This is the framework that matters. Not where the servers sit, but whether the data protection controls around those servers have been independently verified to a recognised standard, and whether the contractual chain of accountability runs all the way from the law firm's data processing agreement with Legl, through to every sub-processor that touches client data.

What Firms Should Actually Ask Their Vendor

For law firms evaluating platforms before the July 2026 deadline, due diligence should focus on the following:

Does the platform go beyond IDV? Can it handle client and matter risk assessments, PEP and sanctions screening, source of funds verification, enhanced due diligence, and ongoing monitoring — or does it only verify identity at the point of onboarding?

Sub-processor transparency: Does the vendor publish its full sub-processor list? Is it updated when sub-processors change? If a vendor claims data never leaves Australia, ask them to show you the sub-processor list and the data processing agreements. The evidence will tell a different story.

Security certifications: Does the vendor hold ISO 27001 certification? Are sub-processors also independently certified? Ask for the certificate and its scope statement, and for the SOC 2 Type II report itself (under NDA if necessary), rather than relying on a badge on a website, and confirm that the certified scope covers the systems that process client data.

Breach notification: What is the contractual notification timeline if a breach occurs? Does the vendor have a documented incident response plan? Are its sub-processors contractually required to notify the vendor of incidents on a timeline that lets the vendor meet its commitment to you?

AUSTRAC alignment: Has the platform been designed to support the specific requirements of the AML/CTF Act, including beneficial ownership verification, ongoing monitoring, and audit-ready record-keeping, or is it primarily a KYC tool adapted for an Australian audience?

Ongoing compliance support: Does the vendor provide ongoing guidance as AUSTRAC updates its rules and guidance?

A vendor that can answer all of these questions clearly, in writing, and with current certifications to back them up, is a vendor with whom a law firm can build a defensible, AUSTRAC-compliant program. The country in which its servers sit is a secondary question. The strength of the governance around those servers, and the depth of the compliance functionality beyond identity verification, is the primary one.

The Clock Is Ticking

Australia's Tranche 2 reforms are a watershed moment for the legal profession. The AML/CTF Amendment Act 2024 closes loopholes that have allowed lawyers to remain outside the AML regulatory perimeter for years, gaps that FATF has repeatedly flagged as a systemic vulnerability in Australia's financial crime defences.

Law firms have until 1 July 2026 to be compliant. Developing a written AML/CTF program, appointing a compliance officer, implementing customer due diligence procedures, training staff, and establishing suspicious matter reporting workflows takes time. A client lifecycle management platform with deep AML/CTF expertise compresses that timeline significantly, delivering the verified identity data, automated risk assessments, PEP and sanctions screening, source of funds capabilities, and audit-ready record-keeping that compliance demands.

The firms that get this right will be those that focus their energy on what the law actually demands: robust outcomes, well-documented processes, and genuine senior engagement with their compliance obligations. Not chasing a promise of data sovereignty that no commercially available provider can deliver.

Start asking the right questions and get your firm's compliance strategy.
