By Flagship AML
As Australia prepares for the expansion of its AML/CTF regime under Tranche 2 reforms, one obligation sits at the centre of the framework: the requirement to conduct a money laundering and terrorism financing (ML/TF) risk assessment. At the same time, many professional firms are only beginning to understand what this requirement involves.
By 1 July, reporting entities must have a documented ML/TF risk assessment in place. This is not a procedural step or a document completed for its own sake. It is the foundation on which the firm’s entire AML/CTF program is built.
An ML/TF risk assessment requires a business to analyse how it may be exposed to money laundering or terrorism financing risk through the services it provides. This includes considering the types of clients it acts for, the nature of its services, the jurisdictions it deals with and how those services are delivered. The purpose is not simply to identify risk, but to understand it in context and establish a framework to guide how risk is assessed and managed in practice.
The legislation does not prescribe a single method for conducting this assessment. Instead, it requires firms to adopt a risk-based approach. This is where methodology becomes critical. Methodology is the structured framework a firm uses to identify relevant risk factors, assess their significance and determine how those factors interact to produce a consistent and justifiable outcome. Without a clear methodology, risk assessments can become inconsistent, subjective and difficult to justify.
A well-designed ML/TF risk assessment distinguishes between two separate questions. The first is impact, the level of exposure created by the nature of the business. This involves identifying the types of services, clients and structures that give rise to higher risk. The second is likelihood, which considers how those risks arise in practice, how frequently they occur and whether existing controls influence their probability. Separating these elements improves clarity and supports more consistent and defensible outcomes.
AUSTRAC has provided guidance and tools to assist smaller or less complex businesses. These resources are useful, but they are not universally suitable. Many firms will find that their services, client base, or operating model introduce complexities not fully captured by generic templates. The obligation remains with the reporting entity to ensure that its risk assessment is appropriate to its size, nature and complexity.
A common mistake is to treat the ML/TF risk assessment as a one-off document that can be completed and set aside.
An ML/TF risk assessment is an ongoing obligation. Reporting entities must review and update their assessment where there are material changes to their business or risk profile. This includes changes to the designated services offered, the types of clients or structures engaged, the jurisdictions involved, or how services are delivered. It also extends to situations where new risks emerge or where the existing assessment no longer reflects the firm’s actual exposure.
In practice, this means the ML/TF risk assessment should be revisited whenever the business evolves. It should not remain static while the firm’s activities change. A risk assessment that is no longer aligned with the firm’s operations may undermine the effectiveness of the broader AML/CTF program and limit the firm’s ability to demonstrate that it has appropriately identified and assessed its risks.
In addition to regulatory expectations, there is an increasing commercial dimension to ML/TF risk assessments. Professional indemnity insurers are likely to take a closer interest in how firms identify and manage financial crime risk, particularly as Tranche 2 obligations come into effect. A clearly documented and consistently applied ML/TF risk assessment may become an important factor in demonstrating sound risk management practices, both at the underwriting stage and in the event of a claim.
In practice, the ML/TF risk assessment should operate as a living framework that informs how risk is assessed across the business. If it does not influence day-to-day decisions, it is unlikely to meet its purpose.
A robust ML/TF risk assessment requires more than a completed document. It requires a clear methodology that can be applied consistently across the firm’s operations.
Importantly, the methodology underpinning the ML/TF risk assessment informs how risk is assessed at the client level. The risk factors identified, and the way those factors are treated, are carried through into the KYC process, where client-specific information is evaluated against a consistent framework. This produces an inherent risk outcome and determines whether enhanced due diligence is required.
Where higher risk is identified, enhanced due diligence provides a governance layer, requiring senior oversight, documented reasoning, and the setting of ongoing monitoring parameters. In this way, the ML/TF risk assessment does not operate in isolation, but establishes the structure through which risk is identified, assessed and managed throughout the client lifecycle.
Flagship AML has been designed to support this approach. The platform provides a structured ML/TF risk assessment framework that separates impact and likelihood and embeds a consistent methodology into the client onboarding and risk assessment process. This allows firms to move beyond generic templates and towards a more defensible and operational compliance framework.
As Tranche 2 brings more professional services into scope, firms have a limited window to ensure they are prepared. Having an ML/TF risk assessment in place by 1 July is not simply about meeting a deadline. It is about establishing the foundation for every compliance decision that follows.
Firms that approach this requirement as a formality risk building their compliance framework on weak foundations. Those who approach it properly will be better positioned to understand their exposure, apply consistent judgment and demonstrate compliance.
Prepared by Dan Ward and Amira Ward, lawyers and founders of Flagship AML
© 2026 Flagship AML. All rights reserved. This article is for general informational purposes only and does not constitute legal advice.