What Is an AML Risk Assessment?
An AML risk assessment is a documented evaluation of your business's exposure to money laundering and terrorism financing. It answers three questions:
1. What risks does your business face? (e.g., cash transactions, high-value deals, international clients)
2. How likely are these risks? (low, medium, or high probability)
3. What controls do you have in place? (how you mitigate the risks)
Why Risk Assessments Matter
Under the AML/CTF Act, you're required to conduct a risk assessment before you start providing designated services. This isn't optional — it's a core requirement of your AML/CTF program.
But here's the good news: for most small businesses, the risk assessment is straightforward. You're not a bank handling billions of dollars. You're a local professional services firm. Your risks are manageable and predictable.
Don't Overcomplicate It
AUSTRAC provides free risk assessment templates in their Program Starter Kits. For most Tranche 2 businesses, you can use the template as-is, customize a few sections, and you're done. You don't need a 50-page consultant report.
The Two Types of Risk Assessments
Organizational Risk Assessment
Covers your business as a whole. What services do you offer? What types of clients do you serve? What geographic areas do you operate in?
Frequency: Updated annually or when your business changes significantly.
Customer Risk Assessment
Evaluates each individual client. Are they a PEP? Are they from a high-risk country? Is the transaction unusually large or complex?
Frequency: Conducted for every new client before engagement.
Step 1: Identify Your Risks (Organizational)
Start by identifying the risk factors that apply to your business. This guide groups them into nine categories. The first four (customer, service, delivery channel and geography) are the core risk factors AUSTRAC's guidance uses; the remaining five break out specific factors that are worth assessing separately:
Customer Risk
Who are your clients? Are they individuals, companies, trusts, or foreign entities? Do you serve PEPs (politically exposed persons)?
Example (Real Estate): "Our typical client is an Australian resident purchasing or selling residential property in [suburb]. We occasionally serve foreign investors (5% of transactions) and trusts (10% of transactions)."
Product/Service Risk
What services do you offer? Are any inherently high-risk (e.g., trust administration, large cash transactions)?
Example (Accounting): "We provide tax preparation, bookkeeping, and basic financial advice. We do not administer trusts, handle client funds, or facilitate international transfers. Low risk."
Delivery Channel Risk
How do you interact with clients? Face-to-face, online, or via intermediaries? Non-face-to-face channels are higher risk.
Example (Legal): "We meet all clients in person at our office before engagement. We do not offer fully online services. Low risk."
Geographic Risk
Where are your clients located? Where do you operate? FATF identifies high-risk countries with weak AML controls.
Example (Conveyancing): "We operate exclusively in Victoria, Australia. 98% of our clients are Australian residents. We occasionally serve clients from NZ/UK (low-risk countries). Low risk."
Transaction Value Risk
What's the typical transaction size? Higher-value transactions carry higher risk.
Example (Jeweller): "Typical sale: $500-$5,000. Occasional high-value sales ($20,000+) for engagement rings and luxury watches. Medium risk for high-value transactions."
Cash Handling Risk
Do you accept cash payments? Cash is the highest-risk payment method for money laundering.
Example (Real Estate): "We do not accept cash payments for deposits or settlements. All payments are via bank transfer or cheque. Low risk."
Beneficial Ownership Risk
Do you serve companies, trusts, or other entities with complex ownership structures? Harder to verify beneficial owners = higher risk.
Example (Accounting): "30% of our clients are family trusts or small companies. We verify beneficial ownership for all entities. Medium risk."
PEP Risk
Do you serve politically exposed persons (government officials, diplomats, etc.)? PEPs are higher risk due to corruption exposure.
Example (Legal): "We have not served any PEPs in the past 12 months. If we do, we will apply enhanced CDD. Low risk (current), medium risk (potential)."
Third-Party Risk
Do you rely on third parties (e.g., referral partners, outsourced CDD providers)? Less control = higher risk.
Example (Conveyancing): "We use FreeAML (AUSTRAC-compliant provider) for identity verification. All other CDD activities are conducted in-house. Low risk."
Step 2: Rate Your Risks (Low/Medium/High)
For each risk category, assign a rating: Low, Medium, or High. Be realistic — don't over-inflate risks, but don't downplay them either.
Risk Rating Guide
Low: Australian residents, low-value transactions, face-to-face services, no cash, transparent ownership. Most small businesses fall here.
Medium: Foreign clients from low-risk countries, high-value transactions, complex entities (trusts/companies), occasional cash payments, online services.
High: Foreign clients from high-risk countries (FATF list), PEPs, large cash transactions, opaque ownership structures, non-face-to-face onboarding.
Step 3: Document Your Controls
For each identified risk, explain how you mitigate it. This is where you describe your AML/CTF program's controls.
Example: Real Estate Agency
Risk: Beneficial ownership (Medium)
Description: 10% of our clients are trusts or companies. Verifying beneficial owners can be complex.
Controls: We verify beneficial ownership for all entities using ASIC company extracts, trust deeds, and beneficial ownership declarations. If ownership structure is unclear, we request additional documentation. Enhanced CDD applied when beneficial ownership cannot be clearly established.
Risk: High-value transactions (Medium)
Description: 20% of our transactions exceed $2 million. Higher value = higher money laundering risk.
Controls: For transactions over $2M, we conduct enhanced CDD: verify source of funds, obtain senior management approval, conduct additional AML screening, and monitor transaction progress closely.
Step 4: Customer Risk Assessment (Per Client)
For every new client, conduct a quick risk assessment using a checklist. This determines whether you apply standard or enhanced CDD.
Customer Risk Assessment Checklist
Check all that apply. More checkmarks = higher risk.
Risk scoring:
- 0-1 checkmarks: Low risk (standard CDD)
- 2-4 checkmarks: Medium risk (standard CDD + enhanced monitoring)
- 5+ checkmarks: High risk (enhanced CDD required)
Red Flags: What to Watch For
These are common money laundering indicators. If you see any of these, conduct enhanced CDD and consider filing a Suspicious Matter Report (SMR) with AUSTRAC. Once you form a suspicion, the SMR is due within 3 business days (24 hours if it relates to terrorism financing), and you must not tell the client that a report has been or will be made: tipping off is an offence under the AML/CTF Act.
Cash Red Flags
- Client insists on paying in cash despite having other payment options
- Multiple cash payments just under $10,000 (structuring to avoid a threshold transaction report, which is required for cash of $10,000 or more)
- Cash doesn't match client's stated income or profession
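Two of the rules on this page are mechanical enough to automate: the checkmark tiering in Step 4 and the "multiple cash payments just under $10,000" red flag above. The Python below is an added example, not code from the original page or from FreeAML. The TTR threshold of $10,000 is AUSTRAC's; the definition of "just under" (at least $9,000), the 7-day window and the minimum of two payments are assumptions chosen for illustration, and the ledger is constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

TTR_THRESHOLD = 10_000        # cash of AUD 10,000 or more requires a threshold transaction report
NEAR_THRESHOLD_FLOOR = 9_000  # assumption: "just under" means 9,000 <= amount < 10,000
WINDOW_DAYS = 7               # assumption: payments within a rolling 7-day window are clustered
MIN_PAYMENTS = 2              # assumption: two or more near-threshold cash payments in a window


def risk_tier(checkmarks: int) -> str:
    """Map the Step 4 checklist count to the tier the page uses.

    0-1 -> low (standard CDD), 2-4 -> medium (standard CDD + enhanced
    monitoring), 5+ -> high (enhanced CDD required).
    """
    if checkmarks < 0:
        raise ValueError("checkmark count cannot be negative")
    if checkmarks <= 1:
        return "low"
    if checkmarks <= 4:
        return "medium"
    return "high"


def find_structuring(payments):
    """Flag clients with repeated near-threshold cash payments.

    payments: iterable of (client_id, date, amount_aud, method).
    Returns {client_id: [amounts, in date order]} for every client whose
    near-threshold cash payments cluster inside the window. Payments of
    TTR_THRESHOLD or more are not structuring; they are simply reportable.
    """
    near_threshold = defaultdict(list)
    for client, when, amount, method in payments:
        if method == "cash" and NEAR_THRESHOLD_FLOOR <= amount < TTR_THRESHOLD:
            near_threshold[client].append((when, amount))

    flagged = {}
    window = timedelta(days=WINDOW_DAYS)
    for client, items in near_threshold.items():
        items.sort()
        hits = set()  # indices that fall inside at least one qualifying window
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most WINDOW_DAYS.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= MIN_PAYMENTS:
                hits.update(range(start, end + 1))
        if hits:
            flagged[client] = [items[i][1] for i in sorted(hits)]
    return flagged


# Constructed sample ledger: (client_id, date, amount_aud, method)
SAMPLE_LEDGER = [
    ("C001", date(2024, 3, 1), 9_800, "cash"),      # three sub-threshold cash payments in 5 days
    ("C001", date(2024, 3, 3), 9_500, "cash"),
    ("C001", date(2024, 3, 5), 9_900, "cash"),
    ("C002", date(2024, 3, 1), 9_700, "cash"),      # two payments, but 45 days apart
    ("C002", date(2024, 4, 15), 9_600, "cash"),
    ("C003", date(2024, 3, 2), 9_900, "transfer"),  # not cash, so not a structuring indicator
    ("C004", date(2024, 3, 2), 12_000, "cash"),     # over the threshold: TTR, not structuring
    ("C005", date(2024, 3, 4), 9_950, "cash"),      # a single payment is not a pattern
]

if __name__ == "__main__":
    for client, amounts in find_structuring(SAMPLE_LEDGER).items():
        print(f"{client}: possible structuring, cash payments {amounts}")
    print("checklist with 3 ticks ->", risk_tier(3))
```

Run on the sample ledger this flags only C001. Tune the floor and window to your own transaction profile and record the values in your program; a rule like this supports the red flag, it does not replace the judgement call on whether to file an SMR.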
Identity Red Flags
- Client uses multiple names or variations of their name without explanation
- ID documents look altered, forged, or inconsistent
- Client is evasive about their address, employment, or source of funds
- Beneficial owner information is deliberately obscured or contradictory
Transaction Red Flags
- Transaction makes no business sense given client's profile
- Client is in a rush to complete transaction with no logical reason
- Funds come from unexpected sources (e.g., third parties, offshore accounts)
- Client cancels or backs out of transaction after you request additional information
Behavioral Red Flags
- Client is unusually secretive or defensive about routine questions
- Client offers to pay extra fees to expedite or avoid verification
- Client provides contradictory information across multiple interactions
- Client has no apparent concern about unfavorable terms (e.g., price, timeline)
Real Estate-Specific Red Flags
- Client buys property well above market value with no negotiation
- Client has no interest in viewing property before purchase
- Property is purchased and immediately resold at a loss
- Funds for settlement come from unrelated third parties
Accounting/Legal-Specific Red Flags
- Client requests you set up complex structures with no legitimate business purpose
- Client asks you to hold funds in trust and transfer to unrelated parties
- Client's financial records are incomplete, inconsistent, or appear falsified
- Client changes service providers frequently without explanation
What to Do If You Identify High Risk
If your customer risk assessment indicates high risk, you must apply enhanced customer due diligence (enhanced CDD). This typically includes:
- Verify source of funds: Ask for bank statements, pay slips, sale contracts, or other proof of where the money came from
- Verify source of wealth: Understand the client's overall financial situation (e.g., employment history, business interests, inheritance)
- Senior management approval: Have a director or senior staff member review and approve the engagement
- Enhanced ongoing monitoring: Review the relationship more frequently (e.g., every 6 months instead of annually)
- Additional AML screening: Check adverse media, sanctions lists, and PEP databases more thoroughly
Important: High risk doesn't mean you can't serve the client. It just means you need extra scrutiny. Document everything.
Free Templates & Resources
Don't reinvent the wheel. AUSTRAC provides free risk assessment templates:
- Real Estate Program Starter Kit — includes risk assessment template
- Accounting Program Starter Kit — includes risk assessment template
- Legal Program Starter Kit — includes risk assessment template
Download them at austrac.gov.au (search "Program Starter Kits").
Need Help?
FreeAML: For free AML verification tools (no signup required), visit freeaml.com.au. We help businesses verify clients in 60 seconds — fully AUSTRAC compliant, with automatic risk scoring included in every check.
Automate Your Customer Risk Assessments
FreeAML automatically scores every client's risk level during verification. No manual checklists required.