
Australia AML/CTF Risk Assessment (ML/TF Risk Assessment)

The short version

Under the Australian regime, a reporting entity must identify, assess, manage, and mitigate the money-laundering and terrorism-financing risk it faces, and the ML/TF risk assessment is the document that does the identifying and assessing. It is the foundation of the Part A program. AUSTRAC expects it to weigh four factors: the entity's customer types, the designated services it provides, the methods or channels by which it delivers them, and the foreign jurisdictions it deals with. The 2024 reforms make a business-wide risk assessment an explicit obligation, with the new AML/CTF Rules required to be implemented by 31 March 2026.

The Australian AML/CTF regime is risk-led by design. The Part A program is the general part of a reporting entity's AML/CTF Program, and its job is to identify, assess, manage, and mitigate ML/TF risk. The risk assessment is where that begins. Without it, the controls in the program have nothing to be calibrated against. This guide covers what the assessment must weigh, the four factors AUSTRAC expects, how the 2024 reforms sharpen the obligation, and where these assessments fall short.

Where the obligation comes from

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the AML/CTF Rules require a reporting entity to have an AML/CTF Program, and the Part A program must identify and assess the ML/TF risk the entity reasonably faces, then manage and mitigate it. AUSTRAC, the regulator, publishes guidance on how to assess that risk. The risk assessment is the named first element of a complete Part A: governance, ongoing customer due diligence, transaction monitoring, employee due diligence and training, and independent review all sit on top of it.

The four risk factors

AUSTRAC frames ML/TF risk assessment around four factors. A complete assessment rates each and combines them into an overall view of the risk the business carries.

| Factor | What it captures |
| --- | --- |
| Customer types | The nature of the customer base, including any higher-risk customers such as politically exposed persons or customers with opaque ownership. |
| Designated services | The specific designated services the entity provides, since each carries its own ML/TF exposure. |
| Delivery channels | The methods by which services are delivered, including non-face-to-face and intermediated channels. |
| Foreign jurisdictions | The countries the entity deals with, weighting higher-risk jurisdictions. |

What the 2024 reforms change

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 reforms the regime, and one effect is to make a business-wide ML/TF risk assessment a more explicit, standalone obligation rather than an assumed input to the program. Existing reporting entities were required to implement the new AML/CTF Rules by 31 March 2026, and the newly covered Tranche 2 sectors come into the regime on the same reform timeline. The practical point is that the risk assessment is moving from good practice to a clearly named requirement, so an entity should be able to point to a current, documented business-wide assessment. Confirm the exact obligations and dates against current AUSTRAC guidance.

How to conduct it

Step 1: Map customers, services, channels, and jurisdictions

Catalog the four factors for the business: who the customers are, which designated services are provided, how they are delivered, and which foreign jurisdictions are involved.

Step 2: Rate the inherent risk of each factor

Assess the level of ML/TF risk each factor carries before controls, weighting higher-risk customers, services, channels, and jurisdictions.

Step 3: Combine into an overall ML/TF risk rating

Bring the factors together into a business-wide view of the entity's ML/TF risk.

Step 4: Calibrate the Part A controls to the rating

Use the assessment to size the program: due diligence, monitoring, and the rest of Part A are set against the risk it identifies.

Step 5: Review and keep it current

Refresh the assessment on a regular cycle and when the business changes, and have it covered by the independent review of Part A.

Where it goes wrong

One distinction worth keeping clear: the ML/TF risk assessment is business-wide, a view of the risk the whole entity carries, while the customer risk rating is the per-customer score applied during due diligence. The business-wide assessment sets the framework; the customer rating applies it case by case. The ML/TF risk assessment is the foundation of the Part A program and, after the 2024 reforms, an obligation an entity should be able to evidence directly. For the wider regime, see the Australia AML/CTF compliance guide and the Australia AML/CTF glossary; for the underlying method, see the BSA/AML risk assessment guide.

Primary sources

Common questions

What is an ML/TF risk assessment under the Australian regime?
It is the assessment a reporting entity uses to identify and rate the money-laundering and terrorism-financing risk it faces, across its customer types, the designated services it provides, its delivery channels, and the foreign jurisdictions it deals with. It is the foundation of the Part A program.

What four factors does AUSTRAC expect a risk assessment to weigh?
Customer types, the designated services provided, the delivery channels used, and the foreign jurisdictions the entity deals with. A complete assessment rates each and combines them into an overall view of ML/TF risk.

How do the 2024 reforms affect the risk assessment?
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 makes a business-wide ML/TF risk assessment a more explicit obligation. Existing reporting entities were required to implement the new AML/CTF Rules by 31 March 2026, so an entity should be able to point to a current, documented assessment. Confirm the exact dates against current AUSTRAC guidance.

Who reviews the ML/TF risk assessment?
AUSTRAC supervises the regime and can examine the program, and the independent review of Part A is expected to cover the risk assessment. The accountable AML/CTF compliance officer is responsible for keeping it current.