What Is an AML/CTF Risk Assessment?
- Michael McCarthy
- Jan 21
A Plain-English Guide for Tranche 2 Firms
From 1 July 2026, many Australian real estate, legal and accounting firms will fall under new anti-money-laundering laws known as the AML/CTF Tranche 2 reforms. One of the most important things these businesses must do is a risk assessment. But what does that really mean in everyday terms? Let’s break it down.
Why Risk Assessments Matter for Tranche 2 Businesses
Before Tranche 2, many professional services weren’t regulated under Australia’s AML/CTF rules. Under the reforms, firms that provide certain designated services, like handling client funds for property settlement, trust account work in law firms, or structuring financial transactions, must now think more like banks when it comes to managing financial crime risk.
A risk assessment becomes essential because it:
- Helps identify where your business could be vulnerable to money laundering or terrorism financing
- Guides you to design the right policies and controls
- Is a core part of the AML/CTF program AUSTRAC expects you to have documented and in place well before July 2026.
What Is a Risk Assessment?
A risk assessment means asking and answering two basic questions:
- What kinds of illegal activity might affect your business? This can be money laundering, terrorism financing or other related harms that criminals might try to exploit your services for.
- How likely are those risks to happen and how bad would the impact be?
This isn’t about guessing. You need to review your business operations, clients, services, markets and how transactions actually work.
A risk assessment is not just a tick-the-box document. It’s a working tool to help you understand your vulnerabilities and guide real actions to reduce them. It’s also something AUSTRAC expects you to write down, update over time and use to make decisions about your compliance program.
What Your Risk Assessment Should Cover
A good risk assessment looks at these things:
1. Your Services
Consider all the ‘designated services’ your firm provides, which might include:
- Property transactions or conveyancing in real estate
- Trust account handling or company formations in law
- Complex financial planning in accounting
These services each carry different levels of risk.
2. Your Customers
Different customers may present different risks. A first-time local buyer is not the same as a complex international trust structure. You should think about:
- Who your clients are
- How they transact with you
- Whether they present unusual patterns that could hide illicit funds.
3. How You Deliver Services
Are your services provided online, in person, or both? Do you work with intermediaries? Every channel can change the risk picture.
4. Where You Do Business
If you deal with clients in certain countries, or operate in areas known for financial crime risk, your risk profile changes.
In technical terms, these are called inherent risks: the risks that exist before you put any controls in place. Once you know them, a good risk assessment helps you decide what controls are needed and how to prioritise them based on likelihood and impact.
What Comes After the Risk Assessment?
Once you’ve identified and assessed the risks, you then use that information to build or update your AML/CTF Program. We’ll cover that in detail in our next blog.