Understanding changes to AML/CTF obligations and the Privacy Act for reporting entities
By: Neil Jeans, Katherine Shamai, Martin Stone, Annelies Homersham
19 Feb 2025 · 7 min read

A Money Laundering / Terrorism Financing / Proliferation Financing (ML/TF/PF) risk assessment is the process of identifying, assessing, and understanding the ML/TF/PF risks an organisation may face. It involves evaluating a range of factors to determine the level of risk and then implementing appropriate measures to mitigate those risks.
ML/TF/PF risk assessment is crucial for AML/CTF compliance because it helps organisations develop targeted strategies to mitigate their risks effectively and efficiently allocate resources to areas with higher risks, ensuring that efforts are focused where they are most needed.
The insights gained from ML/TF/PF risk assessments help design and implement robust AML/CTF programs tailored to the identified risks and enable ongoing monitoring and updating of AML/CTF measures to address emerging threats.
The risk-based approach to AML/CTF involves tailoring measures to the specific risks identified. ML/TF/PF risk assessments support this approach by helping to prioritise risks based on their severity and likelihood, which allows for proportionate responses and supports the customisation of AML/CTF controls and procedures. Those controls and procedures can then be designed to address the specific risks identified rather than applying a one-size-fits-all approach, and can be adjusted dynamically as new risks emerge or existing risks evolve.
FATF sets international standards for ML/TF/PF risk assessments, emphasising the importance of a risk-based approach in implementing AML/CTF measures.
The AML/CTF Rules outline the requirements for risk assessments and the risk-based approach that reporting entities must follow.
New reporting entities must identify the ML/TF/PF risks they face related to their customers, products and services, delivery channels, and geographic locations. Following this they must assess the likelihood and impact of these risks, considering factors such as the nature and complexity of their business operations.
The risk assessment's findings must be documented, including the methodology used and the rationale for the conclusions reached.
New reporting entities must implement AML/CTF controls that are proportionate to the level of risk identified. Higher-risk areas require more stringent controls.
New reporting entities must monitor transactions and customer activities to detect and respond to suspicious behaviour.
Risk assessments must be reviewed and updated regularly to ensure they remain effective and relevant, and any changes incorporated in the AML/CTF program.
The AML/CTF Act 2024 includes requirements for assessing the ML/TF/PF risk of a particular customer before and while providing designated services.
Reporting entities are required to evaluate various risk factors, such as the customer's occupation, source of funds, transaction patterns, and geographic location. Based on the assessed risk factors, they are then required to assign the customer a risk score and categorise them as low, medium, or high-risk.
New reporting entities must screen customers against PEP lists to identify individuals who hold or have held prominent public positions, as well as their family members and close associates before they provide them with a designated service.
Customers must also be screened against national and international sanctions lists to ensure they are not subject to sanctions or sanction risks.
On a risk basis, new reporting entities will need to consider when they will conduct adverse media checks to identify any negative news or reports associated with the customer.
New reporting entities may face several challenges in complying with the new risk assessment requirements including data quality and availability; complexity of risk assessments; resource allocation; and subjectivity in risk evaluation.
Accurate risk assessments depend on high-quality data, which may not always be available. New reporting entities may struggle to obtain reliable data, particularly for PF risks, which are less well-documented than ML/TF risks.
New reporting entities should consider whether there is a need to invest in data management systems to ensure high-quality, accurate, and up-to-date data, including collaborating with industry partners to identify reliable data sources.
The scope and tailored approach add complexity to a risk assessment, and new reporting entities will need to develop methodologies to assess and mitigate a wide range of risks accurately.
New reporting entities should seek to simplify risk assessment processes by breaking them down into manageable steps and leverage technology and analytical tools to streamline risk assessments and improve accuracy where possible.
Implementing the ML/TF risk assessment requirements may require significant investment in training, technology, and personnel.
New reporting entities may find it challenging to allocate the necessary resources to comply with the enhanced requirements.
New reporting entities could seek external support or consulting services to supplement internal resources.
Risk assessments often involve a degree of subjectivity, which can lead to inconsistencies in how risks are evaluated and managed. New reporting entities must establish standardised criteria and processes for risk evaluation to ensure consistency, and should provide training and calibration sessions for staff involved in risk assessments to reduce subjectivity.
To address the ML/TF/PF risk assessment obligations under the AML/CTF Act, new reporting entities should follow these steps:
The AML/CTF Act introduces new civil penalty provisions in relation to the development and maintenance of an ML/TF risk assessment, increasing the regulatory risk as a result of non-compliance. These include civil penalty provisions for commencing to provide a designated service without an ML/TF risk assessment or if its risk assessment is not up to date.
Although the new AML/CTF requirements for new entrants won't be enforced until July 2026, it is important to start planning and preparing for the changes to the AML/CTF requirements now. With a short lead time to compliance and limited AML/CTF experts across Australia, demand will only continue to increase as the compliance date approaches. If you would like to discuss any of the above with one of our AML/CTF specialists, please reach out.