AUSTRAC is shifting AML/CTF from box‑ticking to outcomes. From 31 March 2026, reporting entities must keep a documented, up‑to‑date ML/TF risk assessment that reflects the nature, size and complexity of the business, covers customers, services, delivery channels and jurisdictions, and considers proliferation financing. For many firms—especially those newly captured by Tranche 2—what to assess, how to score risk and how often to review it aren’t yet clear, while penalties for getting it wrong are.
The good news: a practical, risk‑based method can make compliance achievable and useful. By setting governance, using AUSTRAC guidance alongside your own data, assessing inherent risks, testing controls, and embedding results into daily workflows (not a shelf document), you can evidence proportionate mitigation and stay audit‑ready.
This guide walks you through a 15‑step AML/CTF risk assessment process aligned to AUSTRAC’s expectations—covering obligations, governance, methodology, data sources, inherent and residual risk, control effectiveness, documentation, review triggers, group‑wide management and operationalisation in your CRM. It’s written for Australian practitioners who want clarity, consistency and a framework they can maintain.
Step 1. Confirm your AML/CTF obligations and designated services
Before starting your AML/CTF risk assessment, confirm you are a reporting entity and list the designated services you provide under the AML/CTF Act. Include any Tranche 2 services (e.g., certain legal/accounting or real estate). Map each service to delivery channels and jurisdictions, note agents/outsourcing, and confirm obligations at entity or reporting‑group level.
Step 2. Understand AUSTRAC’s risk assessment requirements (from 31 March 2026)
From 31 March 2026, the AML/CTF Amendment Act requires a documented, up‑to‑date ML/TF risk assessment that covers money laundering, terrorism financing and proliferation financing, is tailored to your nature, size and complexity, and directly informs proportionate AML/CTF policies, procedures, systems and controls. You must take AUSTRAC guidance and feedback into account and keep the assessment current.
- Scope minimums: customers, designated services, delivery methods and jurisdictions.
- Use AUSTRAC guidance: incorporate relevant national/sector insights and feedback.
- Review triggers: new services, channels, technology, jurisdictions or material business changes.
- Decisions and rationale: record methodology, data, ratings and why.
- Before go‑live: assess ML/TF risk of any new service/process prior to offering it.
Step 3. Set governance: board oversight, AML/CTF compliance officer and roles
Set governance early and make it auditable. Your board or governing body must oversee the AML/CTF program and take reasonable steps to ensure ML/TF risks are identified and mitigated, but it is not required to approve each risk assessment change or to manage day‑to‑day measures. Appoint an AML/CTF compliance officer at management level to coordinate implementation and to ensure program changes are approved by senior management and notified to the governing body. For small firms, one person may hold multiple roles; just document accountabilities, approvals and escalation paths.
Step 4. Define scope and methodology (risk taxonomy, scoring and appetite)
Define scope enterprise‑wide: list all designated services, delivery channels, customer segments (including PEPs), geographies and counterparties/agents to be rated. Use a simple, defensible approach: score inherent risk as likelihood × impact on a 3×3 or 4×4 matrix, assess control effectiveness, derive residual risk, and set rating scales, thresholds and a written risk appetite.
- Risk taxonomy: Customers, Products/Services, Channels, Geography, Counterparties/outsourcing.
- Scoring: Use Low/Medium/High or 1–3; define banding and rationale; apply a 3×3 or 4×4 matrix.
- Residual rule: Document how you derive residual risk: Residual = Inherent adjusted by control effectiveness.
- Appetite: Map ratings to actions: EDD, limits, enhanced monitoring, restrict/exit or decline.
Step 5. Gather sources: AUSTRAC guidance, typologies and your internal data
Before scoring, assemble an evidence pack. AUSTRAC expects you to consider its guidance and feedback, including national/sector risk assessments and typologies, and Australia’s 2022 proliferation financing risk assessment. Add your internal data: customer/product/channel volumes, suspicious matters, monitoring alerts, QA or audit findings, breaches and planned changes (new services, tech, jurisdictions).
Step 6. Assess inherent risk by customer types (including PEPs and high‑risk segments)
Segment your customer base and rate inherent ML/TF risk before controls. Use AUSTRAC guidance and your data to decide which segments present higher exposure, then document the rationale and rating for each segment, not just the overall population.
- PEP exposure: Domestic/foreign PEPs and close associates typically increase risk.
- Type and complexity: Individuals vs companies/trusts; simple vs complex structures and opacity.
- Jurisdiction links: Domestic vs foreign customers; connections to higher‑risk countries.
- Industry/segment risk: Sectors flagged as higher‑risk in AUSTRAC guidance and typologies.
- Behavioural indicators: Historic SMRs, alert rates or unusual patterns by segment (evidence likelihood/impact).
Step 7. Assess inherent risk by products, services and delivery channels
Assess each designated service and how you deliver it before controls. AUSTRAC expects your AML/CTF risk assessment to cover the nature of services, methods of delivery and any new technology before go‑live, with clear rationale for likelihood and impact. Map services against channels to see where exposure concentrates and where extra mitigation is needed.
- Service risk drivers: Value/velocity, cross‑border movement, cash intensity, complexity, third‑party reliance.
- Delivery channel risk: Purely online/non‑face‑to‑face delivery tends to be higher risk than in‑person.
- New/changed tech: Pre‑assess remote onboarding or new platforms prior to launch.
- Data evidence: Volumes, SMRs and alert rates by service/channel.
- Ratings and actions: Assign H/M/L per Service×Channel and note EDD, limits or restriction/exit.
Step 8. Assess inherent risk by geography and counterparties
Geographic exposure and counterparties can amplify ML/TF risk. Rate inherent risk by where customers, beneficial owners and payments originate/land, and your operating jurisdictions. Use AUSTRAC guidance and your own corridor data to flag higher‑risk countries and routes. Assess counterparties (agents, introducers, outsourced providers) that touch onboarding, funds or records. Document volumes and rationale per country/corridor before controls.
- Country drivers: residency, UBO location, transaction corridors.
- High‑risk cues: weak AML/CTF regimes, AUSTRAC guidance/feedback.
- Counterparties: agents/referrers/outsourcers—profile them and record inherent risk.
Step 9. Include proliferation financing and sanctions exposure
Proliferation financing (PF) must be included in your AML/CTF risk assessment. The amended AML/CTF Act requires you to consider PF and targeted financial sanctions exposure, drawing on AUSTRAC’s 2022 PF risk assessment. Exposure varies; if PF risk is immaterial or already mitigated, document the rationale.
- Map PF/sanctions touchpoints: customers, beneficial owners, services, jurisdictions and counterparties linked to UN Security Council sanctions.
- Define responses: sanctions screening coverage, escalation for potential matches, and proportionate controls where residual PF risk remains.
Step 10. Evaluate control effectiveness across CDD, EDD, monitoring and reporting
With inherent risks rated, test whether your controls reduce likelihood and impact in practice. The Amendment Act expects proportionate, enterprise‑wide measures and clear internal controls, overseen by the governing body and coordinated by the AML/CTF compliance officer. Assess both design (fit‑for‑purpose) and operating effectiveness (working as intended), using evidence not intent.
- CDD coverage: KYC completeness, verification success rates, refresh cycles, record‑keeping.
- PEP/sanctions/PF screening: onboarding and ongoing screening scope, hit handling, escalation quality.
- EDD application: triggers, depth/quality of source‑of‑funds/wealth, approvals, documentation.
- Monitoring performance: alert volumes, tuning/precision, backlog, investigation turnaround.
- SMR reporting: decision rationale, timeliness, quality of submissions and feedback uptake.
- Governance and training: role clarity, training completion, QA results, breach remediation.
- Third parties: reliance controls for agents/outsourcers, testing of data quality and turnaround.
Step 11. Determine residual risk and prioritise mitigations
Translate inherent ratings and control effectiveness into residual risk, using your documented method (e.g. Residual = Inherent adjusted by control effectiveness). Where residual risk exceeds appetite, AUSTRAC expects proportionate, enterprise‑wide mitigation. Record the rating, rationale, and a clear action plan with owners, dates and evidence you’ll use to prove risk reduction.
- Triage by appetite: Accept within appetite; treat if at/above threshold; restrict or exit if well above.
- Targeted controls: Apply EDD, tighten onboarding, reduce limits/velocity, enhance monitoring, or restrict high‑risk channels/jurisdictions.
- Remediation plan: Fix gaps in CDD, screening, monitoring, QA or training; uplift third‑party oversight.
- Escalation: Table above‑appetite residual risks and proposed actions to senior management/governing body for oversight.
Step 12. Document, approve and socialise the ML/TF risk assessment
Document your AML/CTF risk assessment as an auditable pack: methodology, data sources, inherent and residual ratings with rationale, control‑testing evidence, and a prioritised action plan with owners and dates. Obtain senior‑management approval, notify the governing body, table material changes for oversight, and maintain version control. Brief first/second line and align policies and CRM workflows.
Step 13. Set review triggers, ongoing monitoring and assurance
Keep your ML/TF risk assessment live. Set a periodic review cadence, event‑based triggers, monitoring indicators and an assurance plan (QA/internal audit) so it stays up to date and reflects AUSTRAC guidance and feedback.
- New/changed services, channels or technology (before go‑live)
- New jurisdictions, corridors or counterparties/outsourcing
- Regulatory guidance/feedback or sanctions/PF updates
- Material shifts in customer mix, volumes, typologies or incidents
Version‑control and socialise updates.
Step 14. Operationalise: embed outcomes in your AML/CTF program and CRM workflows
Turn the risk assessment into action by wiring its outcomes into your AML/CTF program, policies and daily workflows. AUSTRAC expects proportionate measures that operate enterprise‑wide, not shelfware. Map ratings to decisions, automate triggers, and ensure every control leaves an auditable trail in your CRM.
- Policy-to-control mapping: acceptance/decline, EDD triggers, limits, approvals.
- CRM fields: Risk_Rating, EDD_Required, PEP, Country, owner.
- Workflow rules: if Risk_Rating = High, create an EDD task and require manager approval.
- KYC orchestration: run checks in‑CRM, write outcomes, restrict PII (e.g. IdentityCheck).
- Assurance & change: dashboards, QA sampling, versioned procedures, go‑live gates for new services/tech/jurisdictions.
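The scoring method from Step 4, the residual rule from Step 11 and the CRM workflow rules above can be expressed as one small, auditable engine. The block below is an added illustration written for this guide, not code from AUSTRAC or from any CRM product: the 3×3 banding (1–2 Low, 3–4 Medium, 6–9 High), the rule that only "Effective" controls step residual risk down one band, the weakest‑control rule, the appetite‑to‑action mapping, the CRM field names and the sample customer are all assumptions you would replace with your own documented methodology.

```python
"""Illustrative ML/TF scoring engine (added example; all bands, rules and field names
are assumptions, not AUSTRAC's). Likelihood x impact -> inherent band; residual =
inherent adjusted by control effectiveness; residual -> appetite actions -> CRM
fields, tasks and an audit-trail entry recording the rationale."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SCALE = {"Low": 1, "Medium": 2, "High": 3}   # assumed 1-3 scale for likelihood and impact
BANDS = ["Low", "Medium", "High"]
EFFECTIVENESS_ORDER = ["Ineffective", "Partial", "Effective"]  # weakest first


def band_score(product: int) -> str:
    """Assumed banding of the 3x3 product: 1-2 Low, 3-4 Medium, 6-9 High."""
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def inherent_rating(dimensions: dict) -> tuple:
    """dimensions maps a taxonomy item (customer, service, channel, geography) to
    (likelihood, impact). Overall inherent band is the highest dimension (conservative
    assumption); per-dimension bands are returned for the written rationale."""
    per_dim = {name: band_score(SCALE[lik] * SCALE[imp]) for name, (lik, imp) in dimensions.items()}
    overall = max(per_dim.values(), key=BANDS.index)
    return overall, per_dim


def residual_rating(inherent: str, controls: dict) -> tuple:
    """Assumed residual rule: overall effectiveness is the weakest control; only
    'Effective' steps the band down one notch (floor Low). Partial/Ineffective leave
    the inherent band unchanged, so residual never falls below what evidence supports."""
    weakest = min(controls.values(), key=EFFECTIVENESS_ORDER.index)
    idx = BANDS.index(inherent)
    if weakest == "Effective":
        idx = max(0, idx - 1)
    return BANDS[idx], weakest


def appetite_actions(residual: str, weakest: str) -> list:
    """Assumed appetite: Low accepted on standard CDD; Medium treated; High needs EDD
    plus manager approval; High with an ineffective control is well above appetite,
    so the service is restricted and the case escalated for governing-body oversight."""
    if residual == "Low":
        return ["STANDARD_CDD"]
    if residual == "Medium":
        return ["ENHANCED_MONITORING", "TRANSACTION_LIMITS"]
    actions = ["EDD_REQUIRED", "MANAGER_APPROVAL"]
    if weakest == "Ineffective":
        actions += ["RESTRICT_SERVICE", "ESCALATE_TO_GOVERNING_BODY"]
    return actions


@dataclass
class CrmRecord:
    """Assumed CRM fields mirroring the Step 14 list."""
    customer_id: str
    PEP: bool
    Country: str
    owner: str
    Risk_Rating: str = "Unrated"
    EDD_Required: bool = False
    tasks: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)


def apply_assessment(rec: CrmRecord, dimensions: dict, controls: dict, method_version: str) -> CrmRecord:
    """Runs the method end to end and writes fields, tasks and an audit entry that
    captures inherent/per-dimension ratings, control evidence, residual and actions."""
    inherent, per_dim = inherent_rating(dimensions)
    residual, weakest = residual_rating(inherent, controls)
    actions = appetite_actions(residual, weakest)
    rec.Risk_Rating = residual
    rec.EDD_Required = "EDD_REQUIRED" in actions
    rec.tasks = [a for a in actions if a != "STANDARD_CDD"]
    rec.audit_trail.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "method_version": method_version,
        "inherent": inherent, "per_dimension": per_dim,
        "controls": dict(controls), "weakest_control": weakest,
        "residual": residual, "actions": actions,
    })
    return rec


def demo_high_risk() -> CrmRecord:
    """Constructed sample customer (not real data): foreign PEP-linked trust onboarded
    online, using an international transfer service via a higher-risk corridor."""
    rec = CrmRecord(customer_id="C-0001", PEP=True, Country="XX", owner="compliance@example.invalid")
    dimensions = {
        "Customer: foreign PEP trust": ("High", "High"),                 # 9 -> High
        "Service: international transfer": ("Medium", "High"),           # 6 -> High
        "Channel: non-face-to-face onboarding": ("High", "Medium"),      # 6 -> High
        "Geography: higher-risk corridor": ("Medium", "High"),           # 6 -> High
    }
    controls = {"CDD": "Effective", "PEP/sanctions screening": "Effective", "Monitoring": "Partial"}
    return apply_assessment(rec, dimensions, controls, method_version="RA-2026.1")


if __name__ == "__main__":
    r = demo_high_risk()
    print(r.Risk_Rating, r.EDD_Required, r.tasks)   # High True ['EDD_REQUIRED', 'MANAGER_APPROVAL']
```

Two design points matter for audit: the weakest control, not the average, sets residual risk, so a single untested control cannot be masked by strong ones elsewhere; and every run appends an audit entry with the method version and per‑dimension rationale, which is the evidence pack Step 12 asks for.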
Step 15. Reporting groups, outsourcing and foreign branches: group‑wide risk management
From 31 March 2026, the simplified reporting group replaces designated business groups. Operate one system: consistent method, shared data and clear accountability. The lead entity assesses group risk, runs the program for Australian members, and ensures compliance, while enabling proportionate information sharing and controls across the group.
- Automatic/elected groups: Corporate groups automatic; franchises/partnerships may elect.
- Related entities and sharing: Add related non‑reporting entities; share CDD/risk data securely.
- Outsourcing/reliance: Members may perform obligations; liability remains with the reporting entity.
- Foreign branches/subsidiaries: Apply the high‑level principles group‑wide; notify AUSTRAC if host‑country law prevents compliance.
- Operating model: Unify taxonomy, scoring and MI; add change gates pre‑go‑live.
Next steps
You now have a practical, auditable path to meet AUSTRAC’s outcome‑focused requirements by 31 March 2026. Move quickly from plan to execution: lock your methodology, complete inherent/control/residual ratings, document rationale, and wire outcomes into policies and your CRM. If you want KYC checks to run natively in your stack with strong privacy, consider StackGo to operationalise onboarding and ongoing due diligence.
- Set a 90‑day plan: milestones for drafting, testing and approval.
- Nominate owners: compliance, operations, technology.
- Build your template: taxonomy, scoring matrix, appetite and evidence pack.
- Run a pilot: one high‑risk service/channel and iterate.
- Embed in CRM: fields, workflows, approvals and audit trail.
- Schedule reviews: periodic cadence plus clear event triggers.