Under the reformed AML/CTF Act, every reporting entity must produce a written money laundering and terrorism financing (ML/TF) risk assessment. It sits at the start of your AML/CTF program — Part A — and every other control you implement flows from it.
AUSTRAC does not publish a single mandatory template. Instead, they require you to assess your risk across four factors and document your reasoning. This guide gives you that template in a copy-ready format, plus a 30-minute process to complete it.
The Four Risk Factors AUSTRAC Requires
Your risk assessment must cover all four of the following. Miss one and your program is incomplete.
| # | Risk Factor | What It Means | Example Signals |
|---|---|---|---|
| 1 | Customer type | Who are your customers? | PEPs, offshore entities, trusts with nominee directors, cash-intensive businesses |
| 2 | Product & service | What designated services do you provide? | Trust account transactions, conveyancing, bullion sales, company formation |
| 3 | Delivery channel | How do customers engage with you? | Face-to-face vs. remote onboarding, intermediaries, online-only |
| 4 | Geographic | Which countries are involved? | FATF high-risk jurisdictions, DFAT-sanctioned countries, tax havens |
For each factor, you rate the inherent risk (before controls), describe the mitigating controls you have in place, then record the residual risk.
The Risk Scoring Matrix (Copy This)
Use a three-level scale. AUSTRAC accepts this as standard.
| Score | Label | Triggers |
|---|---|---|
| 1 | Low | Customers are local individuals, services are routine, onboarding is face-to-face, no international exposure |
| 2 | Medium | Some corporate or trust clients, occasional cross-border transactions, some remote onboarding |
| 3 | High | PEPs, complex structures, cash-heavy transactions, exposure to FATF-listed jurisdictions, anonymous delivery channels |
Apply this score to each of the four factors. Your overall ML/TF risk is the highest of the four (not the average — one high-risk factor drives your whole program to "high").
Worked Example — A Small Accounting Practice
| Factor | Score | Reasoning |
|---|---|---|
| Customer type | Medium | Mix of sole traders and SMEs; two clients have foreign directors |
| Product & service | Medium | Provide company formation and trust account management |
| Delivery channel | Low | All onboarding face-to-face; no intermediaries |
| Geographic | Low | All clients Australia-based; no FATF-listed country exposure |
| Overall | Medium | Driven by customer type and product mix |
This practice's program, CDD, and monitoring must be calibrated to medium risk.
The 30-Minute Process
You do not need a consultant for this. Block 30 minutes and work through these five steps.
Step 1 — List your designated services (5 min). Write down every service you provide that falls within the AML/CTF Act. For accountants, this typically includes company formation, trust account management, and acting as a registered office. For real estate agents, it's buying/selling real estate on behalf of clients. Match them against the AUSTRAC list of designated services.
Step 2 — Segment your customer base (10 min). Group your existing customers by type (individual, company, trust, partnership), jurisdiction, and any PEP status. You do not need to list every customer — summarise the segments. If more than 10% of your book is non-resident or involves trusts with corporate trustees, that is a signal to rate customer type as medium or high.
Step 3 — Score each of the four factors (5 min). Using the matrix above, assign 1/2/3 to each factor with a one-sentence justification. Be honest. Under-rating is a red flag to AUSTRAC if your actual client base tells a different story.
Step 4 — Describe your mitigating controls (5 min). For each factor, write one or two sentences on what you do to manage that risk: identity verification, sanctions and PEP screening, transaction monitoring thresholds, enhanced due diligence triggers. This is what moves you from inherent risk to residual risk.
Step 5 — Record the overall rating and review date (5 min). State the overall ML/TF risk rating, sign and date it, and schedule a review (minimum annually, or whenever your business materially changes — new service line, new jurisdictions, acquisition).
That's a compliant Part A risk assessment.
Three Mistakes That Fail Audits
Rating everything "low" with no evidence. If your customer base includes any trust structures, overseas beneficiaries, or PEPs, rating customer risk as low without explaining why is the fastest way to draw an AUSTRAC review.
Treating it as a one-off document. The risk assessment is a living document. AUSTRAC expects it to be reviewed at least annually and re-done when your business changes. A risk assessment dated two years ago with no update history is treated as no risk assessment at all.
Writing it in isolation from your controls. Part A (risk assessment) must be consistent with Part C (CDD), Part D (transaction monitoring), and Part E (reporting). If your risk assessment says "high geographic risk" but your CDD program has no enhanced measures for non-resident clients, that is a direct contradiction auditors will flag.
Use This Template, Or Let AML Mate Generate Yours
You can take the matrix above into a Word document and complete it yourself in 30 minutes. That works, and for many small practices it is exactly what AUSTRAC expects.
If you want the assessment tied directly to your AML/CTF Program Parts A–F, customer records, and audit log in one place, AML Mate generates your full risk assessment from a 5-minute questionnaire — pre-filled with industry-specific guidance for accountants, lawyers, real estate agents, and jewellers.
Either way, get this document done before 1 July 2026. Every other part of your compliance program depends on it.