ML/TF risk assessment — how to actually do one
How to assess your agency's money-laundering, terrorism-financing and proliferation-financing risk in a way that holds up to AUSTRAC review.
In short
Section 26C of the Act requires a written ML/TF risk assessment — which under the 2025 Rules must also cover proliferation financing — across four categories: kinds of customers, kinds of designated services, delivery channels, and foreign jurisdictions. Score each risk on likelihood and impact, document the reasoning, and match controls in your programme to what the assessment found. Re-do it whenever something material changes.
The risk assessment is the foundation of the programme. Every other control — your CDD procedures, your monitoring, your reporting thresholds — should be calibrated to what the assessment finds.
Three risk legs, not two. Under the 2024 reforms the assessment is still colloquially the "ML/TF risk assessment", but Section 26C now requires you to identify and assess money-laundering, terrorism-financing and proliferation-financing (PF) risks. Proliferation financing covers funds connected to the manufacture, acquisition or use of nuclear, chemical or biological weapons in contravention of Australian or international law. For most real estate agencies the PF risk is low and is adequately addressed by the same controls that handle ML/TF risk — AUSTRAC's position is that you don't have to write a separate counter-PF policy in that case, but you do have to consider PF when scoring the assessment.
Section 26C requires the assessment to cover four mandatory categories:
- Kinds of customers — categorise the customers you actually deal with (Australian residents, foreign buyers, companies, trusts, PEPs, high-net-worth individuals, first-home buyers) and assess the inherent risk of each.
- Kinds of designated services — assess each Table 5, Item 1 service you provide as a buyer's or seller's agent, and how it is delivered (signed in office, signed remotely, agent-introduced, online portal).
- Delivery channels — face-to-face engagement is generally lower risk than non-face-to-face. Online auctions, remote signings and agent-introduced buyers each carry their own profile.
- Foreign jurisdictions — buyers, sellers or funds connected to countries on the FATF "Call for Action" list (currently Iran, DPRK and Myanmar), the FATF Increased Monitoring list, or DFAT-sanctioned jurisdictions materially shift the risk score.
The standard methodology is likelihood × impact. For each identified risk, score the likelihood of occurrence (rare, unlikely, possible, likely, almost certain) and the impact if it does (insignificant through to catastrophic). Combine the two through a matrix to produce an overall rating: low, medium, high or extreme. Write down the reasoning.
AUSTRAC inspectors look for three things:
- Specificity. Does the assessment reflect your actual business — geography, customer mix, average transaction value — or has it been copied?
- Linkage. Do the policies in your programme actually address the risks the assessment identified, or does the programme just describe generic procedures regardless of what was found?
- Currency. When was the assessment last reviewed? AUSTRAC expects it kept up to date and revisited whenever something material changes — a new office, a new service line, a regulatory shift, a significant incident.
The assessment is not a one-off project. It is the document that drives the rest of the programme, and it has to keep pace with the business.
When the customer base, the services or the risk environment changes, the assessment is revisited and re-approved. Controls that flow from it are then re-tuned in line with the new rating.
What to do next. Draft your four-category assessment using your last 12 months of transactions as the evidence base. Have the governing body approve it before 1 July 2026 and put a calendar entry for the next review.
Frequently asked questions
- What are the four mandatory categories?
- Kinds of customers, kinds of designated services, delivery channels, and foreign jurisdictions. Section 26C of the AML/CTF Act 2006 sets them out.
- How often does the risk assessment need to be reviewed?
- There is no fixed interval in the Act. AUSTRAC expects it to be reviewed whenever something material changes — a new office, a new service line, a regulatory shift, a significant incident — and at sensible intervals otherwise.
- Can I copy another agency's risk assessment?
- No. Specificity is the first thing an inspector tests. A copied assessment that does not reflect your actual customer mix, geography and transaction profile is treated as no assessment at all.