Before you can assess your clients, you must assess yourself. Your firm-level ML/TF/PF risk assessment is the foundation of your entire AML/CTF program.
Under the AML/CTF Act, every reporting entity must conduct and document a risk assessment of their own business — assessing the money laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks inherent in the designated services they provide. This is separate from, and prior to, assessing individual clients.
Your firm risk assessment must consider:
This isn't a tick-box exercise. AUSTRAC expects your risk assessment to be genuine, documented, and regularly reviewed. A one-page generic document that could apply to any practice will not satisfy an audit. It needs to reflect the actual risks in your specific practice.
The firm risk assessment must be reviewed and updated whenever there is a material change to your business — new services, new client types, new staff, new jurisdictions — and at least annually.
A risk-based approach is central to the entire AML/CTF framework. AUSTRAC does not prescribe exactly what every accounting practice, law firm or real estate agency must do — instead, it requires you to understand your own risks and build controls proportionate to them. You cannot do that without first documenting what those risks are.
The firm risk assessment also underpins every other compliance obligation. Your CDD procedures, your transaction monitoring thresholds, your training content and your suspicious matter reporting triggers should all flow from the risks you identify at the firm level. Without a documented risk assessment, your entire program lacks a logical foundation.
AUSTRAC auditors start here. In a compliance audit, the firm risk assessment is typically the first document requested. If it is missing, out of date, or clearly generic, the audit will escalate. It signals the overall maturity of your compliance program.
Failing to conduct and document a firm-level risk assessment is a direct breach of the AML/CTF Act. More practically, without a risk assessment you cannot demonstrate that any of your other compliance activities are proportionate or appropriate — which puts your entire program in question.
No risk assessment means no defensible AML/CTF program. Even if you have CDD records for every client, AUSTRAC can find your program inadequate if it lacks a documented risk assessment that informed those procedures. This opens the door to significant penalties and enforceable undertakings requiring you to rebuild your entire compliance framework under AUSTRAC supervision.
For sole practitioners, a missing or inadequate firm risk assessment is also a professional liability issue. If your practice is later associated with a money laundering matter, the absence of a genuine risk assessment will be used as evidence that you failed to take your obligations seriously.
SimpleAML guides you through every dimension of your firm-level risk assessment. No account needed — open it now.