Under the Australian regime, a reporting entity must identify, assess, manage, and mitigate the money-laundering and terrorism-financing risk it faces, and the ML/TF risk assessment is the document that does the identifying and assessing. It is the foundation of the Part A program. AUSTRAC expects it to weigh four factors: the entity's customer types, the designated services it provides, the methods or channels by which it delivers them, and the foreign jurisdictions it deals with. The 2024 reforms make a business-wide risk assessment an explicit obligation, with the new AML/CTF Rules required to be implemented by 31 March 2026.
The Australian AML/CTF regime is risk-led by design. The Part A program is the general part of a reporting entity's AML/CTF Program, and its job is to identify, assess, manage, and mitigate ML/TF risk. The risk assessment is where that begins. Without it, the controls in the program have nothing to be calibrated against. This guide covers what the assessment must weigh, the four factors AUSTRAC expects, how the 2024 reforms sharpen the obligation, and where these assessments fall short.
Where the obligation comes from
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the AML/CTF Rules require a reporting entity to have an AML/CTF Program, and the Part A program must identify and assess the ML/TF risk the entity reasonably faces, then manage and mitigate it. AUSTRAC, the regulator, publishes guidance on how to assess that risk. The risk assessment is the named first element of a complete Part A: governance, ongoing customer due diligence, transaction monitoring, employee due diligence and training, and independent review all sit on top of it.
The four risk factors
AUSTRAC frames ML/TF risk assessment around four factors. A complete assessment rates each and combines them into an overall view of the risk the business carries.
| Factor | What it captures |
|---|---|
| Customer types | The nature of the customer base, including any higher-risk customers such as politically exposed persons or customers with opaque ownership. |
| Designated services | The specific designated services the entity provides, since each carries its own ML/TF exposure. |
| Delivery channels | The methods by which services are delivered, including non-face-to-face and intermediated channels. |
| Foreign jurisdictions | The countries the entity deals with, weighting higher-risk jurisdictions. |
What the 2024 reforms change
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 reforms the regime, and one effect is to make a business-wide ML/TF risk assessment a more explicit, standalone obligation rather than an assumed input to the program. Existing reporting entities were required to implement the new AML/CTF Rules by 31 March 2026, and the newly covered Tranche 2 sectors come into the regime on the same reform timeline. The practical point is that the risk assessment is moving from good practice to a clearly named requirement, so an entity should be able to point to a current, documented business-wide assessment. Confirm the exact obligations and dates against current AUSTRAC guidance.
How to conduct it
Step 1: Map customers, services, channels, and jurisdictions
Catalog the four factors for the business: who the customers are, which designated services are provided, how they are delivered, and which foreign jurisdictions are involved.
Step 2: Rate the inherent risk of each factor
Assess the level of ML/TF risk each factor carries before controls, weighting higher-risk customers, services, channels, and jurisdictions.
Step 3: Combine into an overall ML/TF risk rating
Bring the factors together into a business-wide view of the entity's ML/TF risk.
Step 4: Calibrate the Part A controls to the rating
Use the assessment to size the program: due diligence, monitoring, and the rest of Part A are set against the risk it identifies.
Step 5: Review and keep it current
Refresh the assessment on a regular cycle and when the business changes, and have it covered by the independent review of Part A.
Where it goes wrong
- Treated as assumed, not documented. The program is risk-led in spirit but there is no current, written business-wide assessment to point to.
- One or more factors missing. The assessment rates customers and services but never reaches delivery channels or foreign jurisdictions.
- Disconnected from Part A. The assessment exists but the program's controls are not visibly calibrated to it.
One distinction worth keeping clear: the ML/TF risk assessment is business-wide, a view of the risk the whole entity carries, while the customer risk rating is the per-customer score applied during due diligence. The business-wide assessment sets the framework; the customer rating applies it case by case.
The ML/TF risk assessment is the foundation of the Part A program and, after the 2024 reforms, an obligation an entity should be able to evidence directly.
For the wider regime, see the Australia AML/CTF compliance guide and the Australia AML/CTF glossary; for the underlying method, see the BSA/AML risk assessment guide.
Primary sources
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the AML/CTF Rules: The Part A program must identify, assess, manage, and mitigate the ML/TF risk a reporting entity faces.
- AUSTRAC guidance on ML/TF risk assessment: The supervisor's guidance on assessing money-laundering and terrorism-financing risk across customer types, the designated services provided, delivery channels, and jurisdictions.
- Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth): The reforms that make a business-wide ML/TF risk assessment an explicit obligation; existing reporting entities were required to implement the new AML/CTF Rules by 31 March 2026.