ML/TF risk assessment — how to actually do one

How to assess your agency's money-laundering and terrorism-financing risk in a way that satisfies AUSTRAC.

The risk assessment is the foundation of your programme. Every other control — your CDD procedures, your monitoring, your reporting thresholds — should be calibrated to the risks the assessment identifies.

The AML/CTF Rules 2025 require the assessment to cover four mandatory dimensions:

  1. Customer types — categorise your customers (individual residents, foreign buyers, companies, trusts, PEPs, high-net-worth, first-home buyers) and assess the inherent risk of each.
  2. Designated services and delivery methods — assess the risk of each Item 53–55 service you provide and how it is delivered (signed in office, signed remotely, agent-introduced, online portal).
  3. Delivery channels — face-to-face engagement is generally lower risk than non-face-to-face. Online auctions, remote signings, and agent-introduced buyers each carry their own risk profile.
  4. Foreign jurisdictions — buyers, sellers, or funds from countries on the FATF grey or black list, sanctions-listed jurisdictions, or known high-risk countries materially shift the risk score.

The standard methodology is likelihood × impact. For each identified risk, score the likelihood that it occurs in your business (rare, unlikely, possible, likely, almost certain) and the impact if it does (insignificant through to catastrophic). Multiply the two scores, or plot them on a risk matrix, to produce an overall rating: low, medium, high, or extreme. Document the reasoning.

AUSTRAC inspectors look for three things:

  • Specificity. Does the assessment reflect your actual business — your geography, your customer mix, your average transaction value — or has it been copied from another agency?
  • Linkage. Do the controls in your programme actually address the risks the assessment identified, or does the programme just describe generic procedures regardless of risk?
  • Currency. When was the assessment last reviewed? AUSTRAC expects review at least every two years, and immediately after any material change (new office, new service line, regulatory change, significant incident).

The assessment is not a one-off project. It is a living document that drives the rest of the programme.

Each material change to your customer base, services, or risk environment will require the assessment to be revisited and re-approved across every transaction your agency has on the books.

What to do next: Draft your four-dimension risk assessment using your last 12 months of transactions as the evidence base, and have your governing body review and approve it before 1 July 2026.

Sources

  1. AML/CTF Act 2006 (Cth) s 84
  2. AML/CTF Rules 2025 Part 5

This is general guidance for Australian real estate professionals. It does not constitute legal advice. Consult a qualified AML/CTF practitioner before relying on it for your agency.