What is an AML risk assessment and why is it required?

An AML/CTF risk assessment is a documented analysis of your firm's exposure to money laundering and terrorism financing risks. It is required under the AML/CTF Act as the foundation of your AML/CTF Program. The risk assessment determines the intensity of CDD and monitoring applied to different client types and services — lower-risk clients receive standard CDD, while higher-risk clients require enhanced procedures.

What factors should be included in an AML risk assessment for accounting firms?

An AML risk assessment for accounting firms should evaluate: client risk factors (PEP status, nationality, industry, complexity of entity structure), service risk factors (degree of financial control, transaction volumes, asset management), channel risk factors (face-to-face vs remote engagement, use of intermediaries), and geographic risk factors (exposure to high-risk jurisdictions as identified by FATF).

How should client risk ratings be structured?

Client risk ratings are typically structured on a three-tier scale: Low, Medium, and High. The rating is determined by applying a risk matrix to the client's characteristics — entity type, industry, source of funds, geographic exposure, and whether any red flags are present. The risk rating then drives the level of CDD required and the frequency of ongoing monitoring and re-verification.

How often must the AML risk assessment be updated?

AUSTRAC requires that your risk assessment be kept current and reviewed whenever there are material changes to your business, client base, or the regulatory environment. Best practice is to review the firm-wide risk assessment annually. Individual client risk ratings should be reviewed at re-verification and whenever a red flag is identified during ongoing monitoring.

Does the risk assessment need to be submitted to AUSTRAC?

No. Your risk assessment is an internal document but must be available to AUSTRAC on request during an audit or investigation. It must be in writing, dated, version-controlled, and signed off by senior management. An outdated risk assessment that no longer reflects your actual client base is a compliance failure.

AML Risk Assessment for Australian Accounting Firms: Framework and Guide

The AML/CTF risk assessment is the foundation of your compliance program. Every control you put in place — from CDD intensity to monitoring frequency — must be proportionate to the risks identified in your assessment. For Tranche 2 entities, the obligation to have a documented risk assessment commences on 1 July 2026.

This guide explains the risk assessment framework AUSTRAC expects accounting firms to use, the risk factors to evaluate, and how to document your methodology so it can withstand scrutiny.

The Four Risk Dimensions

AUSTRAC's risk-based approach requires you to assess ML/TF risk across four dimensions:

1. Client Risk

Who are your clients and what characteristics elevate their risk? Key client risk factors include:

Entity type: Individuals (lower risk) vs. complex structures like discretionary trusts, foreign companies, or multi-layered corporate vehicles (higher risk)
PEP status: Politically Exposed Persons and their associates require ECDD by default
Industry: Clients in cash-intensive industries (hospitality, construction, retail), gambling, real estate, or crypto present elevated risk
Source of wealth: Clients with unexplained or inconsistent wealth profiles
Transaction patterns: High-value, complex, or unusual transactions relative to the client's declared profile

2. Service Risk

Not all accounting services carry the same ML/TF risk. Higher-risk services include:

Managing client funds or operating a trust account on their behalf
Acting as a signatory on a client's bank account
Forming or administering companies, trusts, or other legal structures
Providing payroll services where the firm controls fund disbursements
Acting as nominee director or company secretary

Services that involve financial control carry significantly higher risk than advisory services where the firm never touches client funds.

3. Channel Risk

How do you engage with clients and deliver services?

Face-to-face: Generally lower risk — identity can be verified in person
Remote/digital: Higher risk — greater potential for identity fraud; requires robust electronic verification
Through intermediaries: Higher risk — you are relying on another party's CDD
Non-face-to-face with high-risk jurisdictions: Highest channel risk

4. Geographic Risk

Clients, transactions, or structures with links to high-risk jurisdictions require elevated scrutiny. AUSTRAC considers FATF's grey list (increased monitoring) and black list (call for action) countries as high-risk. The EU's high-risk third country list is also a useful reference. Maintain a current list of high-risk jurisdictions in your risk assessment and review it annually.

Building a Client Risk Rating Matrix

Your risk assessment must produce a risk rating for each client that determines the level of CDD applied. A practical three-tier matrix works well for most accounting firms:

Risk Tier	Typical Client Profile	CDD Level	Re-verification
Low	Australian resident individual, standard employment income, no adverse media, standard services	Standard CDD	Every 3 years
Medium	Company or trust structure, complex income sources, non-resident, intermediary-introduced	Standard CDD + enhanced monitoring	Every 2 years
High	PEP or PEP associate, high-risk jurisdiction links, cash-intensive business, complex multi-layer structure	ECDD required	Annually or on trigger

Documenting Your Risk Assessment

Your risk assessment must be:

In writing — a verbal or undocumented assessment will not satisfy AUSTRAC
Dated and version-controlled — keep prior versions to show the history of your risk thinking
Approved by senior management — the managing partner or principal must formally sign off
Reviewed at least annually and whenever there is a material change to your business
Specific to your practice — generic or template risk assessments that do not reflect your actual client base are insufficient

Automated Risk Assessments with Clear AML

Clear AML's risk engine scores every client across AUSTRAC's four required dimensions — client type, service risk, delivery channel, and jurisdiction — generating a documented risk matrix PDF that meets the AML/CTF Act's risk-based approach requirement. Start with a free 14-day trial.

See ClearAML's risk assessment engine →