AML/CTF Risk Assessment for Accounting Firms
With 65 days to the Tranche 2 deadline, accounting firms need a written AML/CTF risk assessment. Here's how to build one step by step.
An AML/CTF risk assessment is a written document that identifies and rates the money laundering and terrorism financing (ML/TF) risks your accounting firm faces — and completing one is now a legal obligation under the AML/CTF Act 2006 for Tranche 2 reporting entities. With just 65 days until the 1 July 2026 deadline, accounting firms that haven't started this foundational document need to act immediately.
What Is an AML/CTF Risk Assessment?
A risk assessment is the cornerstone of your AML/CTF programme. Under the amended AML/CTF Act 2006, every reporting entity must document the ML/TF risks it faces before it can design proportionate controls. Think of it as a structured audit of your firm's exposure: who are your clients, what services do you provide, how do funds flow, and where could a bad actor exploit your firm?
Without a completed risk assessment, you cannot build a compliant AML/CTF programme — and you cannot demonstrate to AUSTRAC that your approach is genuinely risk-based rather than box-ticking.
Which Accounting Services Are In Scope Under Tranche 2?
Not every service an accounting firm provides triggers reporting entity obligations. Under Tranche 2, the designated services for accountants include:
- Trust and company formation — establishing trusts, companies, or other legal arrangements on behalf of clients
- Nominee services — acting as a nominee director, shareholder, or trustee for a client
- Business and real estate transactions — providing services related to the purchase or sale of a business or real estate on a client's behalf
- Client account management — managing money, securities, or other assets on behalf of a client
If your firm provides any of these services, you are a reporting entity and must complete a risk assessment. Pure tax advice, audit work, and standard compliance engagements that do not touch these designated services sit outside scope — but many accounting firms offer a mix, so a careful scoping exercise is essential before you assume you're exempt.
Why Is a Risk Assessment Legally Required?
The AML/CTF Act 2006 — as amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 — requires Tranche 2 entities to take a risk-based approach to compliance. A risk-based approach cannot exist without a documented assessment of what those risks actually are.
AUSTRAC has consistently emphasised in its guidance that a compliant risk assessment must be:
1. Written and documented — verbal or informal assessments do not satisfy the requirement
2. Specific to your firm — a generic template downloaded from the internet is not sufficient on its own
3. Regularly reviewed — the assessment must be kept current as your business and client base evolves
4. Used to inform controls — the assessment must actively drive your CDD procedures, transaction monitoring, and staff training
Firms that cannot produce a risk assessment during an AUSTRAC audit face significant enforcement risk, including civil penalties that can reach tens of millions of dollars for serious or systemic breaches.
How Do You Build an AML/CTF Risk Assessment? A Step-by-Step Guide
Building a risk assessment does not need to be overwhelming. Here is a practical framework designed for accounting firms:

Step 1: Define your scope. Identify which of your services are designated services under Tranche 2. Document each service line, the volume of clients it touches, and typical transaction sizes.

Step 2: Identify your inherent risks. For each in-scope service, identify the ML/TF risks present before any controls are applied. Consider four categories: client risk (who are your clients and where are they from?), geographic risk (do clients have connections to FATF-listed high-risk jurisdictions?), product and service risk (does the service involve high-value transactions or complex structures?), and delivery channel risk (do you onboard clients remotely without face-to-face verification?).

Step 3: Rate each risk. Assign a risk rating — typically Low, Medium, High, or Critical — to each identified risk. Document the rationale for each rating. Be honest: a firm with a large SMSF practice serving high-net-worth clients faces different risks than a sole practitioner doing small business bookkeeping.

Step 4: Assess your existing controls. Document the controls you already have in place — identity verification procedures, source-of-wealth file notes, referral checks. Evaluate honestly whether those controls are adequate for each risk level.

Step 5: Determine your residual risk. After applying controls, what risk remains? This is your residual risk. Where residual risk is still rated High or Critical, you need additional controls before 1 July 2026.

Step 6: Document, sign off, and schedule review. The assessment must be a formal written document, approved by a senior responsible officer — typically the managing partner or principal — and scheduled for review at least annually.
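The six steps above describe a risk register: for each in-scope service, a rating per risk category, the control that applies, the residual rating, and a scheduled review date. The following Python example is added here to show one way of keeping that register in a form that can be checked and summarised; it is not from the article or from any AMLify product. The Low to Critical scale comes from Step 3, but the numeric mapping (1 to 4), the NONE/PARTIAL/STRONG control-strength scale, and the rule that each band of control strength lowers the inherent rating by one band are assumptions made for the example, and every firm name, client detail and date in it is constructed.

```python
"""Risk register for the six-step AML/CTF risk assessment (added example).

Assumptions not taken from the article: ratings are stored as integers 1-4,
control strength is NONE/PARTIAL/STRONG, and each band of control strength
lowers the inherent rating by one band (floor Low). Sample entries are
constructed for illustration and are not real client data.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Rating(IntEnum):
    """Rating scale from Step 3 of the guide."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class ControlStrength(IntEnum):
    """Assumed scale for Step 4: how much an existing control reduces the rating."""
    NONE = 0
    PARTIAL = 1
    STRONG = 2


# The four inherent-risk categories from Step 2.
CATEGORIES = ("client", "geographic", "product_service", "delivery_channel")

# Constructed sign-off date for the hypothetical firm (Step 6).
SIGNOFF_DATE = date(2026, 6, 15)


@dataclass(frozen=True)
class RiskEntry:
    service: str                      # designated service identified in Step 1
    category: str                     # one of CATEGORIES (Step 2)
    inherent: Rating                  # Step 3 rating before any controls
    rationale: str                    # Step 3 requires a documented reason
    control: str                      # Step 4: the existing control, as free text
    control_strength: ControlStrength # Step 4: assumed effectiveness scale

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")

    def residual(self) -> Rating:
        """Step 5 under the assumed rule: one band off per band of control strength."""
        return Rating(max(Rating.LOW, self.inherent - self.control_strength))

    def needs_additional_controls(self) -> bool:
        """Step 5: residual High or Critical means more controls are needed before 1 July 2026."""
        return self.residual() >= Rating.HIGH


def build_register() -> list[RiskEntry]:
    """Constructed sample entries for a hypothetical firm."""
    return [
        RiskEntry("trust and company formation", "client", Rating.HIGH,
                  "new clients with unclear beneficial ownership",
                  "beneficial owner verification at onboarding", ControlStrength.PARTIAL),
        RiskEntry("trust and company formation", "geographic", Rating.CRITICAL,
                  "several clients connected to FATF grey-list jurisdictions",
                  "no jurisdiction screening in place", ControlStrength.NONE),
        RiskEntry("client account management", "product_service", Rating.HIGH,
                  "large fund movements through managed client accounts",
                  "dual sign-off on transfers plus source-of-wealth file notes", ControlStrength.STRONG),
        RiskEntry("nominee services", "delivery_channel", Rating.MEDIUM,
                  "remote onboarding without face-to-face verification",
                  "electronic identity verification", ControlStrength.PARTIAL),
    ]


def open_actions(register: list[RiskEntry]) -> list[RiskEntry]:
    """Entries whose residual risk still needs additional controls, worst first."""
    flagged = [e for e in register if e.needs_additional_controls()]
    return sorted(flagged, key=lambda e: e.residual(), reverse=True)


def service_summary(register: list[RiskEntry]) -> dict[str, Rating]:
    """Highest residual rating per designated service, for the sign-off summary."""
    summary: dict[str, Rating] = {}
    for e in register:
        summary[e.service] = max(summary.get(e.service, Rating.LOW), e.residual())
    return summary


def next_review_date(signoff: date) -> date:
    """Step 6: review at least annually; a 29 February sign-off rolls to 28 February."""
    try:
        return signoff.replace(year=signoff.year + 1)
    except ValueError:
        return signoff.replace(year=signoff.year + 1, day=28)


if __name__ == "__main__":
    reg = build_register()
    for e in reg:
        print(f"{e.service:28} {e.category:17} inherent={e.inherent.name:9} residual={e.residual().name}")
    for e in open_actions(reg):
        print(f"ACTION NEEDED: {e.service} / {e.category} remains {e.residual().name}")
    print("next review due:", next_review_date(SIGNOFF_DATE))
```

Run as a script, the register prints each entry's inherent and residual rating, lists the one entry (geographic risk on trust formation, with no control in place) that still needs work before the deadline, and prints the next annual review date. The point of keeping the rationale and control as fields is that the register then carries exactly what Steps 3 and 4 ask you to document, so the written assessment can be generated from the same record that drives the summary.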
What Are the Highest-Risk Scenarios for Accounting Firms?
AUSTRAC guidance and international typologies highlight several scenarios where accounting firms face elevated ML/TF risk:
- Shell company and trust formation for clients with unclear business purpose or beneficial ownership
- Clients from high-risk jurisdictions as designated by FATF, including those currently on the FATF grey or black lists
- Politically exposed persons (PEPs) — current or former government officials and their close associates — who require enhanced due diligence
- Unusually complex ownership structures with multiple layers of entities and no clear commercial rationale
- Cash-intensive client businesses where large or frequent cash movements are the norm
- Structuring or round-tripping of funds through client accounts your firm manages
Understanding these typologies helps you calibrate risk ratings accurately — and demonstrates to AUSTRAC that your assessment is grounded in real-world intelligence rather than theoretical frameworks.
How Does Your Risk Assessment Connect to the Rest of Your AML/CTF Programme?
Your risk assessment is not a standalone document — it actively drives every other element of your programme:
Customer due diligence (CDD): The risk level assigned to a client determines whether standard or enhanced CDD applies. A high-risk client requires deeper verification, source-of-wealth enquiries, and more frequent review. Our guide on Understanding Customer Due Diligence Under Tranche 2 walks through exactly what each tier requires.
Ongoing monitoring: High-risk clients require more frequent transaction monitoring and periodic file reviews. Your risk assessment sets the thresholds.

Staff training: Your training programme should be calibrated to the specific risks your firm has identified — not a generic AML/CTF course that ignores your actual exposure.

Suspicious matter reporting: Staff can only recognise red flags if they understand the risk profile of your firm's client base.
Platforms like AMLify allow you to build a risk assessment that automatically flows through to your CDD workflows, client risk ratings, and monitoring obligations — significantly reducing the manual burden on your team in the critical weeks ahead of 1 July.
How Often Should You Review Your Risk Assessment?
Under the AML/CTF Act 2006, your risk assessment must be kept current. AUSTRAC expects firms to review their assessment:
1. At least annually — as a routine governance exercise
2. When you introduce a new designated service — each new service brings new inherent risk
3. When your client base materially changes — for example, expanding into a new sector or geographic market
4. After a suspicious matter or compliance incident — to check whether your risk model adequately captured the scenario
5. When AUSTRAC issues updated guidance or typologies — which happens periodically and may affect your existing risk ratings
Building a calendar reminder for your next review date at the time you complete the assessment is a simple but effective governance practice. It also demonstrates to AUSTRAC that your programme is a living system, not a document filed and forgotten.
Key Takeaways
- A written AML/CTF risk assessment is a legal requirement for all Tranche 2 reporting entities, including in-scope accounting firms, and must be in place by 1 July 2026.
- Only designated services trigger obligations — trust formation, nominee services, client asset management, and facilitating business or property transactions are the key categories for accountants.
- Generic templates are not enough — your risk assessment must reflect your firm's actual client base, service mix, and operating environment to satisfy AUSTRAC's risk-based approach requirement.
- Your risk assessment drives everything else — CDD intensity, monitoring frequency, and staff training all flow directly from the risk ratings you document.
- With 65 days to the deadline, firms that have not yet started should prioritise the risk assessment above all other compliance tasks — it is the document that unlocks every other step in your programme.
Frequently Asked Questions
Q: Does every accounting firm in Australia need to complete an AML/CTF risk assessment?
Only accounting firms that provide designated services under the amended AML/CTF Act 2006 are required to complete a risk assessment and register with AUSTRAC. If your firm provides none of the designated services — trust formation, nominee services, client asset management, or facilitating property or business transactions — you are not a reporting entity. However, a formal scoping exercise is strongly recommended before 1 July 2026 to confirm your position in writing, particularly if your service offering is broad.
Q: Can we use a template for our AML/CTF risk assessment?
Templates are a useful starting point for structure and coverage, but they cannot substitute for a firm-specific assessment. AUSTRAC expects your risk assessment to reflect the actual risks arising from your specific client base, service mix, geography, and delivery channels. A template completed without genuine customisation is unlikely to satisfy the risk-based approach requirement. Use a template to ensure you cover all required categories, then populate it with data and analysis specific to your firm.
Q: What happens if we don't have a risk assessment in place by 1 July 2026?
Operating as a reporting entity without a compliant AML/CTF programme — which must include a written risk assessment — is a breach of the AML/CTF Act 2006. AUSTRAC has broad enforcement powers including remedial directions, enforceable undertakings, and civil penalties. Civil penalties can reach tens of millions of dollars for serious or systemic non-compliance. Beyond financial penalties, reputational damage and the operational disruption of an AUSTRAC investigation represent significant risks that are difficult to quantify but very real.
Q: How long does it take to complete a risk assessment for an accounting firm?
For a small to mid-sized accounting firm completing the process for the first time, a thorough risk assessment typically takes between five and fifteen business days from start to sign-off — accounting for data gathering, risk-rating discussions with partners, drafting, and final approval. Firms with more complex service offerings or larger client bases should allow additional time. Starting now with 65 days to the deadline is workable, but that window narrows quickly once you factor in partner availability, client data gaps, and the follow-on work the assessment will trigger.
Q: Does our risk assessment need to be approved by a specific person?
The AML/CTF Act 2006 requires that a reporting entity's AML/CTF programme — including the risk assessment — be approved by the entity's board or equivalent governing body, or by a senior officer with delegated authority. For most accounting partnerships or incorporated practices, this means sign-off from the managing partner, principal, or board of directors. Documenting who approved the assessment, on what date, and with what authority is an important governance step that demonstrates clear accountability to AUSTRAC.
This is general information only and not a substitute for legal advice.