Money laundering/terrorism financing risk assessment
New AML/CTF reforms guidance has now been released. Until the laws change on 31 March 2026, we’ll maintain our guidance on existing obligations on these pages.
To understand your obligations from 31 March onwards, please refer to our reforms guidance.
Identifying and assessing the level of money laundering and terrorism financing (ML/TF) risk to your business or organisation is an important part of your AML/CTF program. It is the first thing you must do because it determines what measures you need to include in your program.
Assessing the ML/TF risk your business or organisation faces enables you to develop an AML/CTF program with appropriate measures to protect your business or organisation from being exploited by criminals.
Once you have identified the risks, you need to put in place controls to mitigate and manage these risks. See the risk management process section for more information on mitigating and managing risks.
Insights: Assessing ML/TF risk
Insights: Assessing ML/TF risk provides detailed information about AUSTRAC’s expectations for businesses when assessing and managing risks.
Download Insights: Assessing ML/TF risk (PDF, 439KB).
How to assess your ML/TF risk
Because you understand your business or organisation better than anyone else, you are best placed to identify and assess the level of ML/TF risks it faces.
You must undertake a ML/TF risk assessment so you can develop an appropriate written AML/CTF program, review it regularly and update it when there are changes to your business or organisation.
There are four main elements you need to think about in working out money laundering or terrorism financing risk. They are:
- the types of customers you have, especially if some are politically exposed persons (PEPs)
- the type of designated services you provide
- how you provide those services (for example face-to-face or online)
- the foreign countries or regions – known as foreign jurisdictions – you operate in or do business in.
You must measure the level of risk for every designated service you provide. You should rank each service as low, medium or high risk. Your AML/CTF program should set out how you minimise and manage each level of risk.
When developing your customer identification and verification procedures, you must also consider the risk posed by:
- the beneficial owner/s of your customers
- whether your customers or their beneficial owners are PEPs
- your customers’ source of funds and wealth
- the nature and purpose of your business relationship with your customers
- the control structure of customers who aren’t individuals, such as companies and trusts.
AUSTRAC guidance and feedback on ML/TF risks
You must take AUSTRAC guidance and feedback that is relevant to your ML/TF risks into account when you develop or update your ML/TF risk assessment.
Taking AUSTRAC guidance and feedback on ML/TF risks into account is important because:
- it may alert you to ML/TF risks that you were not aware of
- levels of ML/TF risk are constantly changing, as are the crimes that generate illicit funds for ML/TF activity
- AUSTRAC can provide national and sector-wide views of ML/TF risk based on information not available to individual businesses or organisations
- national or sector-wide ML/TF risks may impact on the particular ML/TF risks faced by your business or organisation.
AUSTRAC publishes a range of guidance products on ML/TF risks:
- National risk assessments provide a strategic overview of the threats and vulnerabilities associated with money laundering, proliferation financing, and terrorism financing in Australia.
- Sector-based risk assessments provide a general summary of the ML/TF risks faced by particular sectors.
- Financial crime guides and threat alerts provide information about particular crime types or activities, and common indicators of suspicious activity.
- Sector-specific guidance pages for your industry include ML/TF risk information, such as common indicators of suspicious activity.
- Typology and case studies reports explain the various methods criminals use to conceal, launder or move illicit funds.
AUSTRAC may also outline relevant ML/TF risks through feedback to your business or sector, either by providing this feedback to you directly or releasing feedback more generally through communications products.
You may also wish to consider resources from relevant authorities in other jurisdictions and from the Financial Action Taskforce (FATF), which provide useful information on international ML/TF risks.
To determine whether guidance or feedback is relevant to your business, you should consider whether it:
- is directed at your business or sector
- deals with criminal offences your business or sector is likely to face
- relates to your designated services, delivery methods, customer types or the jurisdictions you deal with.
Reviewing your ML/TF risk assessment
The risk assessment methodology you use must be flexible enough to adapt to changes that affect your risk level. To make sure your risk assessment is current, you must always assess the ML/TF risk of any new service or process before offering it to customers. This includes:
- new designated services
- new ways of delivering existing designated services
- using new technologies to provide designated services
- engaging with a new jurisdiction.
You must also review your level of risk when there are certain changes to your customers’ circumstances. These are:
- a change in the nature of your business relationship with a customer
- the customer’s beneficial owner changes
- changes to a customer’s corporate structure or other control structures.
You should also monitor external changes to ML/TF risks that may impact on the particular ML/TF risks faced by your business or organisation.
To stay up to date with new guidance and feedback on emerging ML/TF risks, you should:
- subscribe to InBrief for quarterly notifications from AUSTRAC
- check AUSTRAC’s latest guidance updates page regularly
- check international guidance on ML/TF risks regularly, including guidance published by the Financial Action Task Force and other jurisdictions.
You must also ensure that your contact details are up to date so you can receive email updates from AUSTRAC on new guidance.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.