Quick Summary of Risk assessment
- Meaning: A documented assessment of the money laundering, terrorism financing and proliferation financing risks your business may reasonably face, both for services you provide and services you plan to provide.
- Why it matters for Tranche 2: Your risk assessment drives what controls you put in place, including customer due diligence, enhanced due diligence, monitoring, and reporting.
- Start date: Your AML and CTF program must be in place from 1 July 2026 for tranche 2 sectors.
Risk Assessment Defined – It Means for Your Business
AUSTRAC reform guidance states you must conduct a risk assessment to identify and assess your business’s money laundering, terrorism financing and proliferation financing risks. It must cover risks when you provide designated services and when you plan to provide designated services.
What your Risk Assessment Must Cover
- Your kinds of designated services, including new or emerging technologies
- Your kinds of customers
- Your delivery channels, including new or emerging technologies
- The countries you deal with
AUSTRAC also expects you to consider information communicated by AUSTRAC that identifies or assesses ML and TF risks related to your designated services.
Practical Examples for Tranche 2 Sectors
- A real estate business that accepts deposits from overseas related parties and uses buyer agents as a delivery channel.
- A law firm that handles trust money for property settlements and corporate structuring.
- An accounting practice that offers company formation support and manages client bank signatories.
Best Practices for Effective Risk Assessment
- Keep the methodology proportionate. AUSTRAC notes smaller, less complex businesses may have a simpler risk assessment, while larger, complex businesses are expected to go deeper.
- Write it so people can use it. AUSTRAC expects it to be easy to understand and usable by the governing body, senior managers, the AML and CTF compliance officer, and relevant staff.
- Treat planned services as in scope. If you intend to add new services, channels, or countries, assess the incremental risk before launch.
Risk Assessment Challenges
- Writing a generic document that does not connect to how the firm actually operates.
- Missing delivery channel risk, especially introducers, referrers, and online onboarding.
- Not refreshing the assessment when services, client types, or countries change.
Conclusion – From Analysis to Action
A practical risk assessment is your compliance blueprint. If it is clear, tailored, and actually used, the rest of your program becomes easier to implement and far easier to defend.
“Bookmakers sit at a natural convergence point for cash, speed and anonymity. AUSTRAC’s focus reflects the reality that wagering platforms can be misused as value transfer mechanisms if risk controls are not actively applied.”
