Step 4: Review and update your AML/CTF program (Reform)

Find out why and when you must review and update your anti-money laundering and counter-terrorism financing (AML/CTF) program.

Reviewing and updating your AML/CTF program helps you identify and assess your money laundering, terrorism financing and proliferation financing risks as they change over time. We refer to these as your ML/TF risks. It also helps you adopt and maintain AML/CTF policies that appropriately manage and mitigate those risks.

This guidance explains:

  • when you must review your AML/CTF program
  • when you must update your AML/CTF program
  • who can review your AML/CTF program.

This is separate to the obligation to have an independent evaluation of your AML/CTF program. 

Review and update your ML/TF risk assessment

This section refers to the Act sections 26D and 26E.

You must review your risk assessment at least once every 3 years and also in the circumstances outlined below. Your review must be appropriate to the nature, size and complexity of your business.

You must also conduct a review if there’s a significant change to any of the following:

  • your designated services
  • how you deliver your designated services
  • your customer types
  • the countries you deal with
  • any new or emerging technologies related to your designated services or how you deliver them.

You must also conduct a review if either: 

  • we communicate information to you, including to your sector more generally, that identifies or assesses risks associated with the provision of your designated services
  • an independent evaluation report has adverse findings about your risk assessment.

Important information:

You may face civil penalties if you don’t review and update your risk assessment as required.

What’s a significant change 

This section refers to the Explanatory Memorandum paragraph 85.

A significant change is a change to any of the factors in your risk assessment that could have a significant impact on your ML/TF risks. 

Significant changes may be within or outside your control. 

Examples of significant changes within your control may include:

  • offering a new designated service to customers
  • providing your services through new channels – such as expanding from in-person service to online services
  • introducing a new technology to deliver your designated service
  • providing a service to new customer types – such as to corporations when you previously only served individuals
  • providing a service that involves dealing with a new country.

Examples of significant changes not within your control may include changes in the ML/TF risk of a country you deal with, such as those affected by targeted financial sanctions.

You don’t need to review or update your risk assessment in response to changes that don’t have a significant impact on your ML/TF risk. For example, an update to your website that doesn’t change the way you deliver your services.

When you must review and update your risk assessment

This section refers to the Act section 26D and the Rules section 5–1.

The table below describes when you must review and, if required, update your risk assessment.

| Reason for review | When you must review and, if required, update your risk assessment |
| --- | --- |
| A significant change that’s within your control. | Before the significant change occurs. |
| Significant change not within your control. | Review: As soon as practicable after the significant change occurs. Update: As soon as practicable after your review is completed. |
| We communicate information identifying or assessing risks in relation to your provision of designated services. We’ll typically make you aware of this information through: | Review: As soon as practicable after we communicate the information. Update: As soon as practicable after your review is completed. |
| Your governing body receives an independent evaluation report with adverse findings about your risk assessment. | Review: As soon as practicable after your governing body receives the independent evaluation report. Update: As soon as practicable after your review is completed. |

Updating your risk assessment

This section refers to the Act sections 26D, 26F and 26P and the Rules sections 5–1 and 5–15.

You must update your risk assessment if you identify any issues in your review. For example, if you identify new or changed ML/TF risks.

A senior manager must approve any updates to your risk assessment. You must notify your governing body in writing as soon as practicable after making any updates to your risk assessment.

If you’re a sole trader, learn more about governance and oversight for sole traders and micro businesses for information on senior manager obligations.

You must also have AML/CTF policies to review and, if required, update your AML/CTF policies in response to a review of your risk assessment.

You must document the updates to your risk assessment in your AML/CTF program within 14 days after making the update. This means you must record these updates in writing, along with the dates these changes were made.

Example: Review due to changes within the business’s control

A business offers in-person service delivery only. The business plans to expand how they provide designated services to include delivering the service online via a website. Because this change is within the business’s control, they must review and update the risk assessment before making the change.

The business reviews and updates their risk assessment to include any new ML/TF risks associated with the new delivery method. They identify additional ML/TF risks in relation to potential identity fraud. For example, customers may use online services to pose as someone else to hide the origin of, or movements of, funds.

The AML/CTF compliance officer notifies a senior manager and seeks approval for changes to the risk assessment.

The business must review and update its AML/CTF policies following this review to make sure they appropriately manage and mitigate these risks. 

The business must also document the updates, including the date they were made, to its AML/CTF program within 14 days after making the update.

Example: Review due to information communicated by AUSTRAC in relation to ML/TF risks

A business provides a range of designated services. They have a risk assessment and AML/CTF policies in place, which they review periodically.

We publish a new financial crime guide that highlights new ML/TF risks facing their sector and we notify affected businesses by email.

The business must review their risk assessment as soon as practicable after receiving the email. The updated information from us is of a general nature rather than highlighting an imminent threat. The AML/CTF compliance officer schedules time to conduct the review in the upcoming week.

The following week, the AML/CTF compliance officer reviews the information and the business’s risk assessment. They update the risk assessment to reflect the information from us, and record that they considered our communication.

The business must also review and, if required, update its AML/CTF policies as soon as practicable following the review of their risk assessment. 

The business must also document the updates, including the date they were made, to its AML/CTF program within 14 days after making the update.

Review and update your AML/CTF policies

This section refers to the Act section 26F and the Rules sections 5–4 and 5–15.

You must review and, if required, update your AML/CTF policies in any of the following circumstances:

Your AML/CTF policies must set out how you’ll review and update your policies when required. These policies must:

  • be appropriate to the nature, size and complexity of your business
  • appropriately manage and mitigate the ML/TF risks your business may reasonably face. 

You must document the updates to your AML/CTF policies in your AML/CTF program within 14 days after making the update. This means you must record these updates in writing, along with the dates that these changes were made.

For example, if you update an automated transaction monitoring system used for detecting high ML/TF risk transactions, you then need to document what changes were made within 14 days. 

Once you complete your review and update, we expect that you communicate and implement any updates to your AML/CTF policies across your business.

Important information:

You may face civil penalties if you don’t adopt and maintain AML/CTF policies that appropriately manage and mitigate your ML/TF risks.

Example of reviewing your AML/CTF policies following an independent evaluation

We expect you to prioritise reviewing any adverse findings identified by an independent evaluation. This makes sure that you’re taking steps to keep your AML/CTF program up to date and appropriately mitigate and manage your ML/TF risks. 

For example, if an independent evaluation identifies that your transaction monitoring system isn’t flagging transactions for review, you’d prioritise these issues during your review and update. 

For a business with manual transaction monitoring processes, this may include any of the following:

  • reviewing and updating your thresholds for flagging a transaction
  • updating your AML/CTF training to staff on your thresholds, and what staff need to do if they identify transactions outside your thresholds
  • implementing AML/CTF policies to regularly check which transactions are flagged for review, to make sure your transaction monitoring is working as intended.

For a business with automated systems in this example, it may include any of the following:

  • reviewing and making changes to thresholds in the transaction monitoring system
  • implementing processes to test transaction monitoring thresholds against sample data to make sure it’s flagging the appropriate transactions
  • implementing processes to test any changes to the system before operationalising them to make sure reporting isn’t affected
  • implementing processes to review the transaction monitoring system regularly to make sure it’s working as expected.

Learn more about independent evaluations.

Scope of your review of your AML/CTF program

The scope of your review will depend on what triggered it. Your review may cover all aspects of your risk assessment and AML/CTF policies or focus on specific areas. At a minimum, you must review your entire risk assessment and all AML/CTF policies at least once every 3 years. 

For example:

  • if you receive adverse findings in an independent evaluation report, we expect you to prioritise addressing those findings in your AML/CTF policies
  • following a review of your ML/TF risk assessment, we expect you to prioritise reviewing AML/CTF policies dealing with any new or changed risks before you review other aspects of your policies.

Who can conduct a review

The person who conducts your review isn’t required to have specific qualifications. Your AML/CTF policies must make sure that the person or team that conducts the review has sufficient knowledge of your AML/CTF obligations and ML/TF risks, such as your AML/CTF compliance officer. 

Otherwise, there’s a high risk that your AML/CTF program won’t effectively manage and mitigate ML/TF risks and comply with your AML/CTF obligations.

Next step

Go to Step 5: Conduct an independent evaluation

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1295
