An ML/TF risk assessment is the process of identifying and assessing a business’s exposure to money laundering and terrorism financing risk. It sits at the centre of Australia’s AML/CTF framework.
Without a proper risk assessment, firms cannot properly determine what controls are needed, when enhanced due diligence applies, how monitoring should occur or where higher risk exposures exist.
For many Tranche 2 businesses, the ML/TF risk assessment will become one of the most important compliance documents they maintain.
What Does ML/TF Mean?
ML stands for money laundering. TF stands for terrorism financing. Although related, they are not identical.
Money laundering generally involves disguising the origins of criminal proceeds. Terrorism financing may involve the movement of funds to support terrorism activities, even where the funds themselves originated lawfully.
AML/CTF laws are designed to help firms identify and manage exposure to both risks.
Why Risk Assessments Matter
Australia’s AML framework is risk-based. This means businesses are not expected to treat every client or transaction identically. Instead, firms and real estate agencies are expected to identify areas of higher risk, apply stronger controls where appropriate and document their reasoning.
The risk assessment forms the foundation for those decisions.
What Risks Are Assessed?
An ML/TF risk assessment usually considers factors such as customer risk, geographic risk, service risk, delivery channel risk and transaction risk.
For example:
- complex company structures may increase customer risk;
- sanctioned jurisdictions may increase geographic risk;
- remote onboarding may increase delivery channel risk; and
- cash-intensive transactions may increase transaction risk.
Risk Assessments Are Not Just Templates
Many firms initially approach risk assessments as paperwork exercises. That can become dangerous. A meaningful risk assessment should reflect the actual services provided by the business, the real client profile, operational workflows, escalation pathways and governance arrangements.
A generic template copied from another firm or business may not properly reflect the firm’s real exposure.
Individual Client Risk vs Business Wide Risk
There are generally two different levels of AML risk assessment:
- business wide risk assessments; and
- individual client or engagement risk assessments.
The business wide assessment examines the overall exposure of the practice. The client level assessment examines the risk presented by a specific onboarding matter or transaction. Both are important.
Why Smaller Firms Struggle
Many smaller firms are not compliance specialists. They are lawyers, accountants, real estate agents, conveyancers, dealers in precious metals and stones, and advisers trying to operationalise new obligations while still running a business.
Common challenges include understanding risk categories, documenting rationale, maintaining consistency, linking assessments to workflows and keeping assessments updated over time.
This is why practical operationalisation has become such a major focus within the Tranche 2 transition.
A Good Risk Assessment Should Be Defensible
AML compliance does not require perfect prediction. Regulators generally expect firms to identify obvious risks, apply reasonable controls, document their reasoning and revisit assessments periodically.
A defensible risk assessment is usually practical, proportionate, understandable, evidence-based and aligned with the actual business.
The goal is not to eliminate all risk. The goal is to understand it and manage it appropriately.
By Amira Ward and Daniel Ward
Flagship AML
Published May 2026