For the AML/CTF environment a reporting entity's risk management framework may deal with ML/TF risks in the context of:

1. regulatory risk
2. business risk.

Regulatory risks are associated with breaches of the AML/CTF Act and AML/CTF Rules. A robust compliance plan will encompass relevant legislative obligations and define the control and review mechanisms needed to ensure compliance. Such obligations include reporting suspicious matters, customer identification requirements and record keeping obligations, including details of the reporting entity's AML/CTF program to demonstrate compliance with the AML/CTF Act and AML/CTF Rules.

Business risk is the risk that designated services may be used to facilitate money laundering or terrorism financing. AUSTRAC's Risk management and AML/CTF programs guidance note catagorises business risk as:

1. inherent risk (see paragraphs 3.5 and 3.6)
2. residual risk (see paragraphs 3.7 and 3.8).