Over the past 10 years, AUSTRAC has successfully litigated against major banks and gaming and wagering companies with penalties totalling billions of dollars, and has required enforceable undertakings – which usually mandate costly multiyear remediation programs – from others. From the regulator's perspective, a common theme has been that these organisations have failed to adequately identify and assess the risk of their services being used by criminals to launder money from the proceeds of crime.
A key change to anti-money laundering and counter-terrorism financing (AML/CTF) laws in Australia, which will come into effect in March 2026, is the requirement for organisations to conduct a documented risk assessment and decide what 'triggers', such as a new product offering or expansion into a new jurisdiction, will require it to be updated. The cost of maintaining compliance with AML/CTF regulations can be high in Australia, and the regulator expects organisations to invest directly, through technology adoption, workforce planning and operational processes, in response to the specific risks they face and the methodologies that criminals use to launder money.
This article outlines the key features of an effective AML/CTF risk assessment, reflecting on the diverse experiences of organisations in other jurisdictions (including the UK and US), and recent local and global regulatory guidance.
Regulatory changes in Australia
Recent updates to the Australian AML/CTF regulations place a stronger emphasis on risk-based approaches to managing money laundering (ML) and terrorist financing (TF) risk. Organisations providing 'designated services' are now required to undertake more detailed and frequent risk assessments to ensure compliance. These changes are commonly referred to as the Tranche 2 changes; they aim to adapt to evolving threats and to enhance the overall effectiveness of AML/CTF measures.
The regulatory changes also introduce new services such as those relating to real estate and some 'gatekeeper' services involving legal advice and accounting services, and these will now require a thorough assessment of ML/TF risk as part of AML/CTF program requirements. For the first time, the regulations also now explicitly cover the concept of "proliferation financing", referring to the financing of the development, sale or use of weapons of mass destruction.
Risk assessments are now explicitly the foundation of an AML/CTF program. They are not a 'one and done' or 'set and forget' exercise.
AUSTRAC advice and guidance on AML/CTF risk assessments
AUSTRAC, Australia's financial intelligence agency, provides extensive guidance on conducting AML/CTF risk assessments. AUSTRAC's position is that institutions must consider a wide range of risk factors, including customer types, geographic locations, products and services offered, and delivery channels. The risk assessment process should be tailored, dynamic and continuous, allowing institutions to respond proactively to emerging risks and to stay up to date with published money-laundering and terrorism-financing typologies and trends.
Recognising that many Australian entities are likely to be caught by the new services definitions in the Tranche 2 amendments, AUSTRAC is expected to provide more explicit guidance on a suggested methodology for conducting risk assessments, such as assessing risk on an impact/likelihood matrix and then 'scoring' that risk to produce a high, medium or low risk assessment outcome. This '3 x 3' or '4 x 4' approach is commonly applied to a wide variety of risk types. This simple method of assessing risk, which is consistent with risk management standards, should be relatively easy to implement in most organisations, including those that are new to AML/CTF.
Elements of an effective risk assessment
A well-structured AML/CTF risk assessment typically encompasses the following key elements:
1. Inherent risk identification and assessment
Risk identification involves recognising potential threats related to money laundering and terrorist financing. This step lays the foundation for a thorough risk assessment. AUSTRAC and other regulators have provided guidance to impacted organisations to consider factors such as:
- regulator guidance on specific, industry-wide AML/CTF risks that affect the particular services (or products) delivered;
- the AUSTRAC National and Sectoral risk assessments, both of which should be reviewed and incorporated into the inherent risk assessment ratings;
- specific correspondence or advice provided to the organisation by AUSTRAC, other regulators, or potentially other third parties such as auditors or external experts;
- money laundering and terrorist financing typologies or methods that have affected similar organisations in Australia or globally. In many cases, these typologies or scenarios are freely available on regulator websites;
- customer types, such as whether they are domestic or foreign, simple or complex, or are 'Politically Exposed Persons (PEPs)';
- the 'channels' or means of delivering services. For example, purely online channels represent a higher level of risk than face-to-face channels; and
- jurisdictions or countries connected to the transactions.
To the extent possible, most regulators consider that quantitative factors should also be examined. In many organisations, this can mean an assessment of transactional data and patterns, such as previous suspicious matters, alert volumes and so on, to provide more insight into AML/CTF risk.
2. Risk mitigation
Risk mitigation strategies are designed to reduce the likelihood and impact of identified risks. This includes rules- or procedure-based organisational measures such as governance, staff training and employee due diligence, in addition to customer-focused controls such as "know your customer" processes, detection and monitoring and, in higher risk cases, enhanced due diligence processes. Where appropriate, more advanced transaction monitoring systems may also need to be adopted. The intent behind this aspect of the reform is to give organisations the flexibility to manage the ML/TF risks that are directly relevant to them. From an operational standpoint, this means investing in specific system and control uplifts that reduce the identified risk levels within a meaningful timeframe and in a way that evolves as the risks do.
Effective risk mitigation ensures that institutions can manage the ML/TF risks inherent in the services they deliver, and allows them to detect and respond to suspicious activities promptly.
3. Assessment of residual risk
In simple terms, residual ML/TF risk is the risk level that remains once the inherent risk is mitigated by controls. AML/CTF controls will be outlined in the AML policy and procedures.
In most organisations, residual risk levels will typically be assessed as low or medium once mitigating controls are taken into account. However, where controls are assessed as poor, the residual risk will remain at the same level as the inherent risk. High and medium levels of inherent risk, with poor controls, will typically require immediate remediation, usually by strengthening those controls.
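The scoring method described above (a 3 x 3 likelihood/impact matrix for inherent risk, and residual risk that stays at the inherent level when controls are poor) can be written down so that every rating and remediation flag is reproducible and auditable. The following is an added illustration, not AUSTRAC's published methodology or the article's own tooling; the score-to-rating boundaries, the number of levels each control grade reduces a rating by, and the sample risk factors are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed 3 x 3 matrix: likelihood and impact each scored 1-3 and multiplied.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ORDER = ["low", "medium", "high"]

# Assumed control effectiveness: how many rating levels a control grade
# reduces inherent risk by. 'poor' reduces nothing, so residual == inherent,
# matching the rule stated in the article.
CONTROL_REDUCTION = {"poor": 0, "adequate": 1, "strong": 2}


@dataclass
class RiskEntry:
    factor: str       # customer type, channel, jurisdiction, product, ...
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high
    controls: str     # poor / adequate / strong


def inherent_rating(likelihood: str, impact: str) -> str:
    """Map a likelihood x impact score (1..9) onto high/medium/low (assumed bands)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def residual_rating(inherent: str, controls: str) -> str:
    """Lower the inherent rating by the control grade, never below 'low'."""
    idx = ORDER.index(inherent) - CONTROL_REDUCTION[controls]
    return ORDER[max(idx, 0)]


def assess(entries: list[RiskEntry]) -> list[dict]:
    """Rate each factor and flag medium/high inherent risk with poor controls for remediation."""
    results = []
    for e in entries:
        inh = inherent_rating(e.likelihood, e.impact)
        res = residual_rating(inh, e.controls)
        remediate = e.controls == "poor" and inh in ("medium", "high")
        results.append({"factor": e.factor, "inherent": inh,
                        "residual": res, "remediate": remediate})
    return results


# Constructed sample register for illustration only.
SAMPLE = [
    RiskEntry("online-only onboarding channel", "high", "medium", "adequate"),
    RiskEntry("PEP customers", "high", "high", "poor"),
    RiskEntry("domestic face-to-face, low value", "low", "low", "strong"),
]
```

Each entry in the returned register records the inherent rating, the residual rating and whether the article's "immediate remediation" rule applies, which is the content a governing body would expect to see when the assessment is presented to it.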
Most importantly, the outcomes of the risk assessment must be shared and acknowledged by the 'governing body' of the organisation. In most cases this is the executive and/or board of the organisation.
4. Regular review and update
Given the dynamic nature of money laundering and terrorist financing threats, a regular review and update of risk assessments is essential. Institutions that are reporting entities should establish a routine schedule for reassessing risks and updating their AML/CTF programs accordingly. This is especially important where there are substantive changes to the business, such as the launch of a new product or service, a change to the customer base and geographical touchpoints, or the adoption of a new method of delivery (such as moving to online services). This ensures that risk management practices remain relevant and effective.
Under the Tranche 2 amendments, a number of new services will be covered by AML/CTF regulations, and in many cases organisations providing those services will be dealing with AML/CTF compliance for the first time. Those organisations are unlikely to have all the information to hand to properly assess residual risk, as many AML/CTF controls will have only just been established and are unlikely to have been tested. In these cases, the risk assessment should focus on inherent risk, detail the controls targeting those risks, explain why those controls reduce the risk, and review the effectiveness of the controls as soon as possible.
5. Documentation and reporting
Proper documentation and reporting of risk assessments are both vital for regulatory compliance and internal governance. Institutions must maintain comprehensive records of their risk assessment processes, scoring methodology, findings with rationale, mitigation measures and socialisation with senior management. Transparent reporting to regulatory authorities, such as AUSTRAC, helps demonstrate adherence to AML/CTF obligations.
What's next? Developing and implementing AML policies
The AML program now includes the risk assessment (RA) and the AML policy (which includes any AML-specific procedures or controls, such as customer onboarding and enhanced due diligence procedures).
The new regulations are clear that the AML policy and procedures must:
- reflect the AML risk outcomes that come from the AML/CTF risk assessment;
- be targeted and proportionate to the level of ML/TF risk;
- be adaptable to any changes to ML/TF risk; and
- be regularly assessed for effectiveness.