Risk assessments sound complicated, but here’s what AUSTRAC expects (in simple terms)

If you’ve been attending webinars, reading guidance or following Tranche 2 updates, you’re probably across the basics of AML/CTF compliance by now. You know it’s coming, and you know it applies to your business. You probably even understand what’s required, at least at a high level. And yet, when it comes to actually starting, we’re hearing from many businesses that they’re stuck in the same place.

The blocker? The risk assessment.

Your risk assessment forms the entire basis of the rest of your AML compliance. So for something that feels so technical and high-stakes, it’s no surprise that it’s often the step that stops people from moving forward.

What a risk assessment actually is (in plain English)

At its core, your AML/CTF risk assessment is simply a structured way of identifying the types of money laundering or terrorism financing risks that your business might face, and then deciding how you will manage them.

It’s about understanding your business. Specifically:

• who your clients are
• what services you provide
• how those services are delivered
• and where your exposure to risk in the context of ML/TF may sit

From there, you assess whether you’re comfortable with those risks, and if so, what controls you’ll apply.

What AUSTRAC actually expects

One of the biggest misconceptions is that your risk assessment needs to be complex and written in technical language to be compliant. It doesn’t. AUSTRAC’s position is clear: your AML/CTF program, including your risk assessment, must simply be risk-based and appropriate to your business.

That means it should reflect the size of your business, and the nature of your services.

A small conveyancing firm is not expected to produce the same level of documentation as a major financial institution servicing millions of customers.

AUSTRAC is looking to see that you’ve thought about your risks and documented your reasoning, and that any resulting approach or action is proportionate to that specific risk.

What a reasonable risk assessment looks like

A good risk assessment is structured, but practical. It typically walks through areas such as:

• your client base (e.g. local vs overseas clients)
• the services you provide (e.g. property transactions, company formation)
• how those services are delivered (e.g. face-to-face vs remote vs hybrid)
• any jurisdictions you deal with and their risk-rating

From there, you can assess what risks exist within your business and whether you’re willing to accept them. For each risk, whether you’re willing to accept them or not, you need to document how you will manage it.

For example, you might identify that you occasionally deal with overseas clients. Your risk assessment may determine:

• That you’re comfortable with that, but consider it higher risk, so will apply enhanced due diligence in those cases; or
• That you’re comfortable provided they are in a medium-risk or lower country and will apply enhanced due diligence in those cases; or
• That you’re not comfortable with any overseas clients under the Tranche 2 regulations, and so will decline to represent any party located overseas.

Each of these is a compliant, practical outcome.

What overcomplicating your risk assessment looks like

Where businesses get stuck is trying to make their risk assessment “perfect”. This often leads to:

• overuse of technical language
• copying generic templates that don’t reflect the business
• documenting risks that don’t actually apply
• creating processes that are unrealistic to follow

In some cases, businesses spend weeks trying to refine wording, instead of simply starting. Ironically, this can create more risk, not less as a risk assessment that is overly complex is often harder to implement and harder for your staff to understand, resulting in it being less likely to be followed in practice.

Remember, your risk assessment is the working foundation for your AML program. If it’s not usable, it’s not effective.

How often does your risk assessment need to be reviewed?

Another common concern is how frequently risk assessments need to be updated. AUSTRAC expects your risk assessment to be regularly reviewed, and updated when circumstances change.

In practice, that means reviewing it periodically (often every three years is appropriate for many SMEs or depending on the outcome of your quarterly effectiveness reviews, possibly more frequently), when your business changes (e.g. new services, new client types) or when risk exposure shifts. The latter is particularly important to consider in the context of ongoing monitoring. 

For example, if your business starts working with international clients for the first time, your risk assessment should reflect that.

But if nothing significant has changed, a full rewrite isn’t required.

Common mistakes regulators see when it comes to risk assessments

While AUSTRAC is not expecting perfection, there are some common issues that do raise concerns. 

One is generic risk assessments. If your document could apply to any business, it likely doesn’t meet the requirement to be tailored.

Another is lack of connection between risk and controls. It’s not enough to identify a risk, you also need to show how you’re planning to manage it.

For example, if you identify overseas clients as higher risk, you should outline what additional checks you will apply.

A third common issue is failure to implement what’s written. Your risk assessment must reflect reality. If your documented processes don’t match what your team actually does, that gap becomes a compliance risk.

Finally, some businesses simply don’t start at all, instead waiting until they feel “ready”. This is the most common mistake of all that we’re seeing in the lead-up to the implementation of Tranche 2 regulations.

Taking the first step (without overthinking it)

If you’re feeling stuck, it’s worth remembering that you don’t need to solve everything upfront. You just need to start.

If you qualify for AUSTRAC’s starter packs, the process is already broken down for you. It’s a matter of sitting down and working through the questions step by step, considering your business, your clients and your appetite for risk.

And if the starter packs feel overwhelming, or you’re not sure where to begin, there are even simpler ways to get started, such as easyAML’s tailored risk assessment questionnaire.

Making risk assessments manageable

The biggest shift comes when you stop treating the risk assessment as a standalone task, and start treating it as part of your overall business setup. When structured properly, your risk assessment will become a clear reference point, and the foundation for a strong AML program.

That’s exactly what easyAML is designed to support.

Rather than expecting you to build your risk assessment from scratch, easyAML walks you through a comprehensive, guided questionnaire tailored to your business type. It helps you identify risks, assess your appetite and document how you will manage them (in a way that is practical and aligned with your obligations).

You can get started for free, with no lock-in contracts, no credit card required and no commitments.

Get started now: https://easyaml.com/get-started/