The AML/CTF risk-based approach: how AUSTRAC expects you to identify and mitigate risk

The AML/CTF Act 2006 requires reporting entities to take a risk-based approach to compliance. Here's how AUSTRAC expects you to identify, mitigate and manage money-laundering and terrorism-financing risk.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

What the risk-based approach is

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) mandates that reporting entities adopt a risk-based approach to compliance. This approach is a core requirement for every entity that falls within the AML Tranche 2 scope (the AML Tranche 2 scope checker can help you determine whether yours does).

The risk-based approach requires reporting entities to identify, mitigate, and manage the money-laundering and terrorism-financing risk reasonably faced by the entity. This involves a continuous process of assessment and adaptation to ensure controls remain effective.

AUSTRAC provides guidance outlining its expectations for how reporting entities should implement this obligation. This guidance assists entities in operationalising the risk-based approach and fulfilling their legal responsibilities.

Four risk factors

AUSTRAC’s guidance on the risk-based approach identifies four categories of risk factors that businesses must consider. These are customer risk, product, service or designated-service risk, delivery channel risk, and jurisdictional or country risk. These factors are not assessed in isolation; they interact and influence one another.

Assessment of these risk factors requires a dual perspective. Businesses must evaluate risk at the enterprise level, considering the overall business profile, and at the customer level, examining each individual customer relationship. This comprehensive assessment informs the design of appropriate controls.

The documented risk assessment process is a key driver for the design of controls. These controls may include the intensity of customer due diligence measures, the rules used for transaction monitoring, the content of staff training, and the practices used for reporting suspicious matters.

Customer risk rating and enhanced due diligence

Customer risk ratings are determined by weighing the same four risk factors described above for each customer. These ratings inform the level of due diligence required for that customer.

Customers assessed as higher risk necessitate Enhanced Customer Due Diligence (ECDD). This involves more rigorous processes than standard customer due diligence, including obtaining additional identification, gathering information about the customer’s source of funds and source of wealth, and applying increased scrutiny to ongoing monitoring. Senior management approval is also required for establishing or continuing a business relationship with a customer identified as higher risk. A beneficial owner identifier can assist in this process.

ECDD is specifically mandated for certain customer categories. These include politically exposed persons, customers originating from higher-risk jurisdictions, and customers exhibiting other indicators that elevate their risk profile.

Practical implications for Tranche 2 entities

The expanded AML/CTF regulatory framework, effective from 1 July 2026, brings lawyers and conveyancers, accountants and tax advisers, real estate agents, trust and company service providers, and precious metals and stones dealers within the remit of anti-money laundering and counter-terrorism financing obligations. These entities, collectively referred to as Tranche 2 entities, must now implement robust AML/CTF programs.

A critical first step for each Tranche 2 entity is to undertake a comprehensive enterprise-level risk assessment. This assessment forms the foundation for developing Part A of the AML/CTF program. AUSTRAC emphasises that a standardised approach is not appropriate; each entity’s program must be tailored to its individual circumstances.

AUSTRAC provides sector starter program templates to assist Tranche 2 entities. However, these templates are intended as a starting point only. The risk assessment, and subsequently the program, must accurately reflect the specific characteristics of each firm, including its customer base, the services it provides, and the channels through which those services are delivered.

Frequently asked

What are the four risk factors under AUSTRAC's guidance?

Customer risk; product, service or designated-service risk; delivery channel risk; and jurisdictional or country risk. Each is assessed at the enterprise level (overall business profile) and at the customer level (each customer relationship).

Who requires Enhanced Customer Due Diligence?

Higher-risk customers — including politically exposed persons, customers from higher-risk jurisdictions, and customers presenting other higher-risk indicators. ECDD adds further identification, source-of-funds/wealth checks, intensified monitoring, and senior approval to establish or continue the relationship.