AML/CTF ProgramTransactional

How do I build a compliant ML/TF risk assessment for my firm?

Updated 23 May 2026

Quick answer

A compliant ML/TF risk assessment identifies your firm's exposure to money laundering and terrorism financing across four dimensions: client types, products and services, delivery channels, and geographic exposure. Each risk must be rated and documented with the controls you have in place to mitigate it.

AUSTRAC requires every reporting entity to take a risk-based approach to AML/CTF compliance. The foundation of this approach is a documented ML/TF risk assessment that is specific to your firm — generic templates do not satisfy the requirement.

The four risk dimensions

Your risk assessment must analyse your business across four categories:

  • Client risk: Who are your clients? Do they include PEPs, high-net-worth individuals, foreign nationals, or clients from high-risk jurisdictions? Are any clients trusts, companies, or other complex structures?
  • Product and service risk: Which of your services have higher ML/TF exposure? Trust administration, company formation, and handling of client money carry higher risk than general tax returns.
  • Delivery channel risk: Do you onboard clients face-to-face, remotely, or through intermediaries? Remote channels and third-party referrals generally carry higher risk.
  • Jurisdiction risk: Do you have clients based in, or with funds flowing from, jurisdictions on the FATF grey or black list, or those identified by AUSTRAC as high risk?

Rating and documenting risks

For each risk identified, you must assign a rating — typically low, medium, or high — and document the controls you have in place to mitigate it. The rating should reflect both the likelihood that the risk could materialise and the impact if it did.

Controls might include CDD procedures, ongoing monitoring, staff training, and SMR processes. Where your controls are weak, you must rate the residual risk accordingly and take steps to strengthen them.

Review and update requirements

Your risk assessment must be reviewed regularly — at minimum annually — and whenever there is a significant change to your business, your client base, or the regulatory environment. A risk assessment that was prepared at enrolment and never updated will be viewed unfavourably by AUSTRAC.

Common mistakes to avoid

  • Copying a template without tailoring it to your specific client mix and services
  • Assigning low risk to everything without documented justification
  • Failing to identify high-risk client types (PEPs, trusts, SMSFs)
  • Not updating the assessment when you add a new service or client type

How ClearAML helps

ClearAML's risk assessment engine guides you through each dimension with AUSTRAC-aligned prompts, auto-generates a documented risk matrix, and flags when a review is due — ensuring your assessment stays compliant as your firm evolves.

See ClearAML's risk assessment engine →

Related questions

AML/CTF Program

What must be included in an AML/CTF program for an accounting firm?

AML/CTF Program

How do I prepare for an unannounced AUSTRAC inspection?