Step 2: Identify and assess your risks: risk assessment (Reform)

Learn about your obligations, our expectations and practical steps you can follow to conduct your risk assessment. 

On this page

You must conduct a risk assessment to identify and assess your business’ money laundering, terrorism financing and proliferation financing risks. We refer to these as your ML/TF risks.

You must tailor your risk assessment methodology to the nature, size and complexity of your business. This means you can develop or adjust your approach to suit your business and comply with your obligations.

Once you have completed your risk assessment, you must put in place AML/CTF policies to appropriately manage and mitigate the ML/TF risks you have identified. This includes, but is not limited to, using your risk assessment to build the system by which you assign ML/TF risk ratings to your customers. 

Learn more at AML/CTF policies and assigning risk ratings

Overview of ML/TF risks

ML/TF risk refers to the potential that a person could exploit your business’ vulnerabilities to enable:

You don’t have to directly witness a person targeting your business to be at risk of this happening.  

Exploitation happens when criminals successfully target your business to:

  • hide money or property to disguise its illicit origins and avoid being caught by law enforcement
  • use money or property to engage in more crime.

Your risk assessment obligations

This section refers to the Act section 26C.

Your risk assessment must identify and assess the ML/TF risks you may reasonably face. This must cover both, when you:

  • provide designated services
  • plan to provide designated services.

You must consider the ML/TF risks that may arise from:

  • Your kinds of designated services. This includes any new or emerging technologies related to those services.
  • Your kinds of customers.
  • Your delivery channels. This includes new or emerging technologies related to how you deliver those services.
  • The countries you deal with. 

You must also assess any planned designated services, customers, delivery channels, or countries that could increase ML/TF risk.

You must consider information communicated by us that identifies or assesses ML/TF risks related to your designated services. 

Learn more about using our risk products.

Tailor your risk assessment

You must tailor the steps you take to complete your risk assessment to your business. For example, a: 

  • small, less complex business may have a simple risk assessment
  • large, complex business is expected to have an in-depth risk assessment.

We expect you to document your risk assessment in a way that’s easy to understand and use by:

  • your governing body
  • your senior managers
  • your AML/CTF compliance officer
  • all staff whose work is relevant to ML/TF risks raised in the risk assessment. 

Conducting your risk assessment

Follow these steps to conduct your risk assessment:

  • Identify – you must identify your ML/TF risks and when the risks may occur. This is to make sure you understand the type of risks you may reasonably face.
  • Assess – you must assess your ML/TF risks. This is to make sure you understand the scale of each risk. This could include assessing the likelihood and impact of the risk occurring.
  • Evaluate – you may then decide to evaluate your ML/TF risks. This is to provide your business with a framework to prioritise how it addresses them. 

Focus on your ‘inherent’ risks

We expect your risk assessment to identify and assess your ‘inherent’ risks. These are the risks you may reasonably face before you apply any policies, procedures, systems and controls to mitigate and manage them. 

This is generally necessary to make sure that you can meet your obligations to: 

  • identify and assess the ML/TF risks that your business reasonably faces
  • develop AML/CTF policies to appropriately mitigate and manage these risks.

This will help you accurately assess your ML/TF risks and ensure that your policies are working to effectively address them. 

Your business may then choose to assess your residual ML/TF risks. This is the ML/TF risk that remains after you’ve implemented your policies.

Step 2.1 – Identify your inherent risks

To begin, identify your business’ inherent ML/TF risks. To do this, we expect you to document each of the following, along with their ML/TF risks:

  • kinds of designated service
  • kinds of customer
  • delivery channels
  • countries.

We explain each of these categories in more detail in the next section. 

We expect you to consider the following in identifying your inherent risks:

Learn more about using our risk products and other information to consider.

You may want to keep your process to identify risks flexible to include new or emerging risks.

Risk categories you must consider

There are different risk categories you must consider in your risk assessment.

Kinds of designated services

We expect that you start by listing all the designated services you provide.

Use our guidance to find out if you offer any designated services.

The below table sets out common designated services along with the reason that they may pose an ML/TF risk. This isn’t an exhaustive list. 

Designated service  Why do they pose an ML/TF risk?
Brokering the sale, purchase or transfer of real estate on behalf of a customer

Real estate is a widely exploited asset type for money laundering in Australia. Criminals can exploit real estate to combine illegal funds into the economy and store value from crime. Criminals do this by:

  • changing property value to quickly launder money
  • using complex ownership structures to hide ownership of property.
Providing a registered office or principal place of business address of a body corporate or legal arrangement Criminals can use this service to appear legitimate and hide connections to illegal activity. This can make it harder to identify who really owns the assets. The service may involve legal structures linked to other countries. This could help criminals move illegal funds to high-risk countries for ML/TF.
Providing a virtual asset safekeeping service (for example, safekeeping or administration of a digital wallet) Storing value through virtual assets make it attractive to criminals because it’s easy to access and hard to trace. Criminals store virtual assets in cold wallets to hide their wealth from authorities.
Exchanging virtual assets for other virtual assets Virtual asset exchanges give criminals a way to move or store value with traditional money laundering methods. This type of service allows criminals to move funds across borders quickly, cheaply and makes it hard to trace.
Providing remittance services (money transfers)

Remittance services are attractive to money launderers. This is because they can move cash offshore quickly, easily, at low cost to launder the proceeds of crime. 

Exposure to high-risk countries also increases the potential for terrorists to exploit these services to finance terrorism or proliferation.
Buying or selling of bullion Criminals can exploit these services by converting illicit cash into stable high-value assets. Criminals can then move these assets easily, overseas. Criminals can also resell these assets or use them to support more illegal activities or proliferation financing. 

When identifying ML/TF risks, we expect you to consider, as a starting point, whether your services involve:

  • high-value transactions (including with physical currency and virtual assets)
  • legal structures and arrangements that help your customers to stay anonymous or disguise the source of their wealth or funds.

These are common ML/TF risk factors that are relevant to a wide range of designated services. If you don’t consider them, it’s likely you won’t meet your obligation to identify the risks your business may reasonably face in providing these services. 

You must also consider new or emerging technologies which could expose your business to sudden risks. 

Kinds of customers

For each kind of customer, your risk assessment could document a:

  • description of the kind of customer
  • summary of the ML/TF risk associated with each kind of customer.

Below are kinds of customers you may have.

Individuals (other than sole trader) – natural persons who can enter into contracts and conduct transactions.

Sole trader – an individual who owns and operates a business. There’s no legal difference between the owner and the business. Sole traders can enter into contracts and conduct transactions.

Registered company (domestic and foreign) – a legal entity incorporated in Australia or overseas and registered in Australia by ASIC. They have a separate legal identity from their owners or members. They also have rights and obligations by law.

Unregistered foreign company – a legal entity incorporated overseas and not registered with ASIC. These are a separate legal identity from their owners or members. Foreign companies must be registered with ASIC to do business in Australia, so there may be a risk this customer type is engaged in unlawful activity. 

Partnerships – partnerships, such as general partnerships and limited partnerships, are legal entities. 

A general partnership is where 2 or more individuals share ownership. 

Limited partnerships consist of at least one general partner and one or more limited partners. These partnerships aren’t a separate legal entity from its owners. 

Incorporated limited partnerships are a type of limited partnership which have a separate legal identity.

Trusts – a legal relationship where the trustee holds and manages assets for the benefit of the beneficiary. The trustee manages the trust in line with the terms of a trust deed. 

Trusts aren’t separate legal entities, with the trustee recognised by law as having rights and obligations. Different types of trusts include:

  • discretionary
  • unit
  • hybrid
  • bare
  • testamentary
  • charitable.

Incorporated association – a legal entity registered under Australian law. They have a separate legal identity from their owners or members. They also have rights and obligations by law. 

Unincorporated association – a group of individuals who combine for a shared goal without forming a company or similar legal entity. The association itself doesn’t have legal rights or obligations.

Registered co-operative – a legal entity, owned and operated by its members for their mutual benefit. They have a separate legal identity from their owners or members. They also have rights and obligations by law.

Government body – a government, or a part of one, or an agency or authority. These are set up and recognised by a government for specific functions and duties. They also have rights and obligations by law. 

Customers and their risk factors

Some kinds of customers will pose a higher risk of ML/TF than others. Especially when combining customer risk factors with higher-risk products/services and countries. 

Considering the risk factors connected with each kind of customer will help you: 

Below are some common types of customer risk factors your business may come across along with a summary of their ML/TF risk. 

Individuals with criminal histories – an individual (including a director, controller or beneficial owner) can: 

  • be involved in criminal activity
  • use criminal proceeds to fund a transaction.

Politically exposed persons (PEPs) domestic – domestic PEPs are either: 

  • individuals who hold a certain Australian public positions
  • their family members or close associates.

PEPs are attractive targets for corruption and bribery. PEPs can influence government spending, budgets and development approvals.

PEPs international organisations – international organisation PEPs are either: 

  • an individual who holds a prominent public position in a public international organisation
  • their family members or close associates.

PEPs are attractive targets for corruption and bribery. PEPs can influence government spending, budgets and development approvals.

PEPs foreign  foreign PEPs are either:

  • individuals who hold a prominent public position in a country other than Australia
  • their family members or close associates.

Foreign PEPs pose a higher risk for bribery and corruption. It’s common for foreign PEPs to launder money overseas to avoid detection by their domestic law enforcement agencies.

Learn more about politically exposed persons.

High-net-worth individuals – high-net-worth individual’s financial affairs are usually more complex, making it difficult to reliably understand the source of funds and source of wealth.

Non-residents of Australia – a non-resident is a person who normally resides overseas. If the person isn’t an Australian resident, it may be harder to: 

  • monitor and verify their identity
  • understand the source of funds and source of wealth.

This increases the potential for illicit activities.

You should consult your country risk assessment and assess these separately as low, medium and high-risk non-residents depending on the country in which they reside.

Complex legal structures – using trusts, companies and other legal structures can hide ownership and source of funds.

Criminals can use complex structures for illicit purposes. This can include:

  • ML/TF
  • bribery
  • corruption
  • sanctions evasion
  • other illegal activities.

Third party – if a customer uses an agent or representative to act on their behalf it can be more challenging to:

  • know who the customer is
  • verify the source of funds, when necessary.   

Customers with significant unexplained wealth – a customer that has wealth that they can’t explain and is grossly disproportionate in value to their known sources of lawfully obtained wealth. 

Wealth that a customer can’t explain is a reliable indicator of money laundering activity in: 

  • money laundering prosecutions
  • criminal asset confiscation matters.

Example: The type of information a small real estate agency could include in their risk assessment

We’ve identified through business data, that many of our customers are individuals. They generally buy properties to invest in and expand their portfolios. 

Of this customer type, we’ve identified that: 

  • 20% live overseas
  • 80% live in Australia.

Our country risk assessment shows that our overseas customers live in low-risk countries.

Individuals who live overseas, even in low-risk countries, can pose a higher risk because: 

  • they might try to hide the origin of illegal funds by moving assets into Australia
  • it might be hard to verify customer information with documents from overseas
  • they might be foreign PEPs.

Note: Understanding the ML/TF risk of a customer is part of customer due diligence (CDD). 

Learn more about CDD.

Delivery channel risk

As a starting point, we expect you to consider if your business:

  • relies on in-person delivery channels
  • uses ways that allow remote delivery (without face-to-face contact)
  • uses methods that allow for remote customer self-service. This is when a customer obtains services without help from a staff member
  • uses any third-party agents to deliver products or services to your customers.

These are common ML/TF risk factors that are relevant to a wide range of delivery channels. If you don’t consider them, it’s likely you won’t meet your obligation to identify the risks your business may reasonably face.

Delivery channels and their risks

Below are some risks your business may face through its delivery channels.

In person - where you provide services to a customer face-to-face. This channel can be a lower ML/TF risk. This allows you to easily identify any unusual customer behaviour. However, it’s not without risk. 

Criminals can use forged or stolen identification to open accounts and perform cash deposits in person. This allows them to avoid detection and move funds quickly.

Remote service delivery (staff assisted) – where you provide services through, for example: 

  • email
  • telephone
  • video chat
  • other online platforms. 

This still requires staff to take steps to provide the services to a customer.

Risk factors include:

  • use of forged or stolen identification to hide identity or source of funds/wealth
  • challenges to identify suspicious or inconsistent behaviour
  • reliance on third party technologies
  • lack of encryption for document transfer
  • criminals can easily deposit illegal funds processed through remote channels.

Remote service delivery (without staff assistance) – self-service delivery methods allow you to transact without staff help. Some examples include 

  • smart ATMs
  • pre-paid cards
  • online banking
  • online remittance services. 

This carries significant ML/TF risks because of the lack of in person contact before you provide a service. 

The risk factors are similar to the remote service delivery above.

This makes it easier for criminals to pose as a customer for financial gain or to transact in secret. Criminals exploit these features to distance themselves from illicit activity.

Third party – providing a designated service to a customer through a third party or intermediary. This makes it more challenging to:

  • know who the customer is
  • verify the source of funds, when necessary.

There may be other factors which can contribute to delivery channel risk. It’s your responsibility to identify these risks in your risk assessment.

Example: Identifying ML/TF risks in a conveyancing using a third-party platform to provide services

Our conveyancing firm relies on a digital third-party platform to provide services. To identify the ML/TF risks, we’ve considered:

  • negative media reports
  • material from industry bodies about emerging risks.

Third-party platforms might be exploited by criminals because of:

  • limited customer interaction
  • reliance on external controls
  • potential for fraudulent transactions
  • cyber-security weakness
  • cross-border transactions.

This poses an ML/TF risk because:

  • the reduced ability to verify our customer face-to-face could increase the chances of fraud
  • the potential for poor controls by the third party may expose our business to unseen ML/TF risks
  • criminals could use the platform to hide ownership to buy or sell property
  • cyber breaches could expose sensitive customer information, which criminals can use for ML/TF purposes.

Country risk 

We expect you follow the steps below to identify and later assess country risk.

Step 1 – List all countries your business deals in or with when you provide designated services. This includes Australia.

When listing countries, we expect you to include countries:

  • you or your customers deal in or with when you provide designated services
  • your customer is a resident of (for individuals)
  • your customer is registered or incorporated in (for body corporates and legal arrangements).

Step 2 – Assess the country risk for each listed country.

Use a reliable method for assessing ML/TF risk. For example, this may include the Basel AML Index. This index incorporates 16 indicators across 5 key areas to assess ML/TF risk. These key areas are: 

  • the quality of the AML/CTF framework
  • bribery and corruption
  • financial transparency and standards
  • public transparency and accountability
  • legal and political risks. 

The Basel AML Index rates countries on a scale of 0–10. It categorises countries as low (0–5), medium (5.01–6) or high risk (6.01–10.00). 

We expect you to also apply a high-risk rating to countries:

To help you check if you deal with high-risk countries, we expect you to use the following:

Example: Our business deals with customers who are residents, or incorporated in, Australia, Country A and Country B. We don’t deal with any other country. 

Using our country risk rating methodology, the country risk is identified and assessed as: 

Country Basel AML index score Is the country on the FATF grey or black list or sanctioned by Australia? Country risk rating
Australia (example) 4.04 (low) No Low
Country A 5.75 (medium) No Medium
Country B  5.25 (medium) Yes  High

Using our risk products

This section refers to the Act section 26C(3)(e).

You must consider information that we communicate that identifies or assesses ML/TF risks relevant to you. This includes:

  • national risk assessments
  • indicators of suspicious activity
  • direct or indirect communications from us.

We may provide feedback directly to you or your sector on relevant ML/TF risks.

Our national risk assessments assess risks across Australia’s economy and may include information about:

  • designated services you provide
  • circumstances of your industry or sector.

Your industry page includes high-risk examples and indicators specific to your industry.

Visit your industry page for guidance on ML/TF risks.

Keep a register of our risk products and feedback 

We expect that you maintain a register to show that you’ve considered the information we’ve communicated. This could be in a table in your risk assessment, like the example below. 

Example: Below is an example register for our communications.

Relevant information from AUSTRAC Date communicated Why is the information relevant? What changes were implemented and how? Date information was considered or implemented Name and role of individual completing review
Proliferation financing in Australia national risk assessment  DD/MM/YYYY Contains information about proliferation financing risks within our industry

Risk assessment updated

See section regarding our assessment of our proliferation financing risks

 DD/MM/YYYY John Doe – AML/CTF compliance officer

Other information to consider

We expect you to consider other information and data that could help identify and assess your ML/TF risks. This could be from internal and external sources.

For those new to AML/CTF regulation, this may include qualitative and quantitative sources, such as:

  • data on trends on the use of your products or channels
  • customer data
  • internal feedback or workshops with staff and stakeholders. This includes those who interact with customers, work in compliance roles or conduct audits
  • reports from industry bodies
  • reports from relevant Australian regulators, including ASIC and the Australian Sanctions Office
  • reports from international organisations and publications by foreign regulators and industry bodies.

For current reporting entities, it could also include:

  • suspicious matter and transaction reporting data on trends
  • findings from any AML/CTF reviews and independent evaluations.

Proliferation financing risk

This section refers to the Act sections 26(C)(1) and 26F(11).

Your risk assessment must assess the risk of proliferation financing.

You don’t need to develop separate policies to address proliferation financing risk if you’ve reasonably assessed that both your:

  • proliferation financing risk is low
  • policies appropriately manage your risk of proliferation financing.

Your business is less likely to face proliferation financing risks if you satisfy all of the following criteria:

  • You only operate in Australia. For example, you’re a sole trader and local business, who operates solely within Australia.
  • You don’t provide designated services to customers located in, or who have connections to, high-risk jurisdictions. This includes individuals and companies.  
  • Your services don't involve moving money, sensitive or dual-use goods or technologies. This includes sending these items to countries or third parties directly or indirectly involved with proliferation financing.
  • You don’t offer a service relevant to proliferation financing.  

Step 2.2 – Assess your inherent risks

Once you’ve identified the ML/TF risks for each risk category, you must then assess these risks. We expect that your assessment of each risk be informed and it must be clearly documented.

To assess your ML/TF risks, we expect you to consider the scale of vulnerability of each risk factor to exploitation. This is how easily criminals could exploit the risk categories you’ve identified to facilitate ML/TF. 

We expect you to consider how each risk category: 

  • could be exploited to conceal the identity or source of wealth or source of funds of a person
  • is easy to access and use
  • allows value to be raised, moved or stored
  • is known to be exploited by criminals or is a common channel for ML/TF.

A good starting point for you to look at is our risk products to help you determine how to assess your risks. For example, the National Risk Assessments, which assesses national ML/TF risks. 

Method 

Your risk assessment could use the following approach to assess the inherent risk for each risk factor. 

Start by assessing the risks you may reasonably face without any controls or mitigation measures in place. You could consider using either: 

  • for medium complexity businesses – the likelihood and impact
  • for smaller, low complexity businesses – just the impact. 

These approaches may not be appropriate for large, high-complexity businesses that have more dynamic risk profiles. These businesses may want to consider more extensive methods to make sure that their risk assessment both:

  • appropriately reflects the nature of their ML/TF risks
  • can be kept up to date as risks change. 

Impact

Impact is the consequence or damage if criminals exploit your ML/TF risks.

When deciding the impact of an ML/TF risk factor, you could break this down into the following: 

Impact ratings  Impact of an ML/TF risk occurrence
High Significant impact – major damage or effect. Serious terrorism or extensive money laundering. 
Medium Moderate level of money laundering or terrorism financing impact. 
Low Minor or negligible consequences or effects. 

Likelihood

Likelihood assesses the possibility of a risk occurring within a given timeframe. Example of likelihood ratings:

Likelihood ratings Likelihood of an ML/TF risk occurring 
Very likely Almost certain to occur or will occur at a high frequency or probability. This might mean it’s a known or recurring issue.
Likely High probability it will occur, but not certain.
Not likely Unlikely to occur, but not impossible. 

Using a risk matrix (Medium complexity business)

If you’re a medium complexity business assessing the likelihood of each ML/TF risk, a risk matrix can help to get a risk rating. You do this multiplying the likelihood by impact of each risk. 

Likelihood x Impact = Inherent risk

Depending on the complexity of your business, you could include more risk levels. However, it should be clear where the cut-off points for low and high risk are. This is central to understanding the nature and impact of the ML/TF risks you identify. 

Example of a risk matrix to establish inherent risk:

  Low Medium High
Very likely Medium High High
Likely  Low Medium High
Not likely Low Low Medium

Using the above risk matrix, a likelihood of ‘very likely’ x an impact of ‘low’ = risk rating of ‘medium’.

This is one way you can simplify, visualise and prioritise your ML/TF risks. You can use any other approach more suitable to your business’ requirements. 

Using impact only (low complexity business)

Smaller, less complex businesses could assess their impact only. This is a simpler assessment. 

It involves asking yourself if your business will reasonably face an ML/TF risk. 

The inherent ML/TF risk rating is determined by assessing the impact of the risk you’ll reasonably face.

Impact = inherent risk

Risk response table

You can use a risk response table to score each of the ML/TF risks you’ve identified and assessed. 

For this guidance, we’ve used low, medium and high.

Example: a simple risk response table 

Inherent risk rating Risk description
High The risk represents a high inherent ML/TF risk. We need to appropriately mitigate with our policies as a priority. 
Medium The risk represents a medium inherent ML/TF risk. We need to appropriately mitigate and/or manage with our policies. 
Low The risk represents a low inherent ML/TF risk. We need to appropriately manage with our policies. 

We expect you to include an explanation of the likelihood and/or impact, a risk may have. Your explanation should be based on data sources you have consulted, such as our risk products. This will help you understand and justify the ratings you assess.

Example: The below is an example of the kind of information a medium complexity business could include in their risk assessment. This shows the difference between 2 delivery channels, assessed by the same business.  

Delivery channel  Description of ML/TF risk  Likelihood and rationale for assessment  Impact and rationale for assessment Inherent risk rating 
Face-to-face   

Our business has minimal face-to-face interactions with our customers.

We use this delivery channel to onboard and deliver services to 5% of our customers.

 Not likely: As we rarely conduct our business in person, this is unlikely to occur. 

Medium: This channel has a potential to be low risk. It allows us to pay more attention during identification checks and to spot any unusual behaviour. 

The impact is medium; criminals can still exploit this channel using forged or stolen identity documents. This could lead to discreet or untraceable transactions.

 Low
Remote service delivery (staff assisted) 

We provide services to our customers using fully remote engagement channels such as, mobile phone, emails, and video chat.

We use this channel to onboard and deliver services to 95% of our customers

Very likely: It’s very likely to occur as we have a remote business model. 

This allows us to service and onboard a wider range of customers that we never meet in person. 

Medium: We have rated this channel as a medium impact. 

We have no physical visibility of our customers to detect suspicious activity in person.

This means criminals can launder money without in person oversight from staff.

This is because criminals can potentially exploit this channel to hide their identity or obscure their source of funds/wealth. 

 High

Step 2.3 – Evaluate and prioritise your risks

You may evaluate and prioritise which risks require the most attention after you assess your inherent risks. This involves deciding how to respond to each risk based on its risk rating (low, medium or high).

For example, after you evaluate your risks as high, you’ll need to prioritise them. These risks will need additional controls to mitigate or manage them. These may include: 

  • limiting the channels and services that high-risk customers can use
  • increasing the monitoring of your customer’s transactions and behaviours. If you can’t appropriately mitigate or manage the risk, we expect you to consider whether to continue to provide designated services to the customer.

You can manage lower risks with simpler measures. 

When you prioritise your ML/TF risks, this helps you to allocate your resources efficiently. They also help ensure mitigation measures are proportionate and targeted to your risks.

Next step

Your next step is to develop your policies. This includes your systems and controls to manage and mitigate your risks.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1293

Was this page helpful?

Please note that feedback you provide here will be used only for the purpose of improving our website. If you have a specific question about your AML/CTF obligations, please contact us.