Disclaimer: This content is for informational purposes only and does not constitute legal advice. For advice specific to your circumstances, consult a qualified legal professional or contact AUSTRAC directly.

AML/CTF Risk Assessment for Remittance Businesses: Methodology and Template

Compliance Desk

Your AML/CTF risk assessment is the foundation of your entire compliance program — and under the 2026 reforms, AUSTRAC expects it to be documented, evidence-based, and reviewed at least annually. A compliant risk assessment identifies the money laundering and terrorism financing (ML/TF) risks your remittance business faces across four mandatory risk factors: your customers, the services you provide, the methods you deliver them through, and the countries you operate in.

If you treat the risk assessment as a box-ticking exercise, your whole program rests on sand. Get it right, and every other control — customer due diligence thresholds, transaction monitoring rules, sanctions screening intensity — flows logically from a defensible analysis. This guide walks you through the methodology AUSTRAC expects, how to score and document each risk factor, and gives you a practical template you can adapt to your own corridors and customer base.

Key Takeaways

  • Your AML/CTF risk assessment is a legal requirement under Part 7 of the AML/CTF Act 2006 and underpins your entire compliance program.
  • AUSTRAC requires you to assess four risk factors: customer types, designated services, delivery channels, and foreign jurisdictions.
  • Under the 2026 AML/CTF reforms (in force from 31 March 2026), the risk assessment must be documented in writing, kept current, and reviewed before launching new products or entering new corridors.
  • Each risk factor should be scored (for example low / medium / high) with written reasoning, then combined into an overall residual risk rating after applying your controls.
  • Review your assessment at least annually, and immediately after any material change — a new corridor, a new payout method, a regulatory update, or an AUSTRAC enforcement signal.

What an AML/CTF Risk Assessment Actually Is

An AML/CTF risk assessment is a structured analysis of how criminals could misuse your remittance business to launder money or finance terrorism. It is the document that justifies why your controls look the way they do.

Under the AML/CTF Act 2006, every reporting entity must identify, assess, and understand the ML/TF risks it reasonably faces. For remittance dealers, this is not optional and it is not generic — AUSTRAC expects an assessment tailored to your corridors, your customer base, and your delivery methods.

The assessment drives two things. First, it shapes your risk-based controls: the higher the risk in a given area, the stronger your mitigation must be. Second, it gives AUSTRAC and your reviewers a clear line of sight from "here is the risk we identified" to "here is what we do about it."

Think of it as the engine room of your AML/CTF program. A weak risk assessment produces weak controls, missed suspicious activity, and — when AUSTRAC reviews your file — questions you cannot answer.

What Changed Under the 2026 AML/CTF Reforms

The 2026 AML/CTF reforms, which commenced on 31 March 2026, sharpened the expectations around risk assessments. The reforms moved Australia closer to the FATF risk-based standard and made the written, current risk assessment an explicit pillar of the new "AML/CTF policies" framework that replaced the old Part A / Part B program structure.

Under the new rules, your risk assessment must:

  • Be documented in writing and approved by your governing body or senior management.
  • Reflect the nature, size, and complexity of your business — a single-corridor sole trader and a multi-corridor network are held to proportionate standards.
  • Be reviewed and updated before you adopt a new designated service, enter a new corridor, or change your delivery channel.
  • Take into account AUSTRAC guidance, national risk assessments, and typologies relevant to the remittance sector.

AUSTRAC also publishes sector-specific risk assessments. Its remittance sector ML/TF risk assessment rated the sector's overall risk as high, citing the cash-intensive nature of the business, exposure to high-risk jurisdictions, and the use of agents. You are expected to read this and reflect it in your own document.

The Four Risk Factors AUSTRAC Expects You to Assess

AUSTRAC frames ML/TF risk around four factors. Your assessment must address each one explicitly and score it. Below is how to approach each, with the questions you should answer in writing.

1. Customer Risk

Customer risk asks: who are the people and entities using my service, and how vulnerable are they to misuse?

For remittance businesses, high-risk customer indicators include politically exposed persons (PEPs), customers using cash, customers whose remittance patterns don't match their stated profile, third parties sending on behalf of others, and customers from or sending to high-risk jurisdictions.

Questions to document:

  • What customer types do you serve — individuals, businesses, agents, walk-in cash customers, online registered customers?
  • What proportion are PEPs or connected to PEPs?
  • Do you onboard customers face-to-face, online, or through agents?
  • Are there customer segments where you cannot reliably verify identity or source of funds?

Score each customer segment and explain why. A regular salaried migrant worker sending AUD 500 a fortnight to the Philippines is low risk. An unverified walk-in sending AUD 9,000 in cash to a high-risk jurisdiction is high risk.

2. Product and Service Risk

This factor covers the designated services you provide and how attractive they are to launderers. Different remittance services carry different inherent risk.

Cash-in, cash-out services carry higher risk than bank-to-bank transfers because cash breaks the audit trail. Services that allow third-party payouts, instant settlement, or large value transfers without proportionate verification raise the risk profile.

Questions to document:

  • Which designated services under the AML/CTF Act do you provide (for example, remittance arrangements, IVTS)?
  • Do you handle cash, and at what thresholds?
  • Do you offer instant payout, mobile money, or crypto rails?
  • Can value be moved anonymously or to unverified beneficiaries?

3. Delivery Channel Risk

Delivery channel (or distribution) risk examines how you deliver your services. Non-face-to-face onboarding, reliance on agents, and third-party payment introducers all increase risk because they create distance between you and the customer.

If you operate under a remittance network provider (RNP) structure with affiliates or agents, this factor demands close attention. Agents are a known vulnerability in the remittance sector — AUSTRAC has taken enforcement action where network providers failed to oversee affiliate conduct.

Questions to document:

  • Do you onboard customers online, in person, or through agents?
  • How many agents or affiliates do you have, and how do you oversee them?
  • What funding channels do customers use — cash, card, bank transfer, PayID?
  • Do you use third-party introducers or aggregators?

4. Foreign Jurisdiction Risk

Jurisdiction risk assesses the countries you send to and receive from. This is often the highest-weighted factor for remittance businesses because corridor choice directly exposes you to sanctions, terrorism financing, and weak overseas controls.

Use credible sources to rate jurisdictions: the FATF grey and black lists, the Department of Foreign Affairs and Trade (DFAT) sanctions lists, Transparency International's Corruption Perceptions Index, and Basel AML Index ratings.

Questions to document:

  • Which countries make up your corridors, by volume and value?
  • Are any on FATF grey/black lists or subject to Australian autonomous sanctions?
  • Do your corridors include conflict zones or jurisdictions with weak AML regimes?
  • What is the terrorism financing exposure of each corridor?

A corridor to New Zealand sits at the low end. A corridor to a jurisdiction under FATF "increased monitoring" or near a sanctioned region sits at the high end and demands enhanced controls.

A Step-by-Step Risk Assessment Methodology

Follow this five-step process to produce a defensible assessment.

Step 1 — Identify inherent risk. For each of the four factors, list the risks that exist before you apply any controls. Be honest. Inherent risk for a cash-heavy, multi-corridor MTO is high by design.

Step 2 — Rate inherent risk. Score each factor on a consistent scale — for example low (1), medium (2), high (3). Document the reasoning behind each score with reference to data and AUSTRAC guidance.

Step 3 — Map your controls. For each risk, list the controls that mitigate it: customer due diligence, transaction monitoring, sanctions screening, agent oversight, enhanced due diligence for high-risk corridors.

Step 4 — Assess residual risk. Residual risk is what remains after controls. If a high inherent risk corridor is mitigated by enhanced due diligence and real-time screening, residual risk may fall to medium. Document the logic.

Step 5 — Identify gaps and act. Where residual risk stays unacceptably high, you have a control gap. Record the remediation action, owner, and deadline.

Risk Scoring Matrix Example

A simple way to combine factors is a weighted matrix. The example below shows how a single-corridor MTO might present its assessment.

Risk factor | Inherent risk | Key controls applied | Residual risk
Customer | High (cash walk-ins, some PEPs) | KYC, source-of-funds checks, PEP screening | Medium
Product/service | High (cash-in, instant payout) | Cash threshold limits, TTR reporting | Medium
Delivery channel | Medium (mix of in-person and online) | Agent oversight, online ID verification | Low–Medium
Jurisdiction | High (corridor to high-risk country) | Enhanced due diligence, sanctions screening | Medium
Overall | High | Risk-based program | Medium

The overall residual rating then justifies the intensity of your program. A "medium" residual rating tells AUSTRAC you understand your exposure and have proportionate controls in place.

How to Document Your Findings

Documentation is where most MTOs fall short. AUSTRAC does not accept a risk assessment that lives in someone's head. Your written assessment should include:

  1. Business overview — who you are, your services, your corridors, your volumes.
  2. Methodology — the scale you use, the sources you rely on, who conducted the assessment.
  3. Factor-by-factor analysis — the four risk factors, each scored with written reasoning.
  4. Control mapping — how each risk is mitigated, linked to your AML/CTF policies.
  5. Residual risk conclusion — overall rating and any gaps with remediation plans.
  6. Approval and version control — who approved it, the date, and the next review date.

Keep dated versions. When AUSTRAC reviews you, showing how your assessment evolved demonstrates an active, living compliance culture rather than a one-off document.

How Often to Update Your Risk Assessment

Review your risk assessment at least once a year as a baseline. The reforms make ongoing review a clear expectation, not a courtesy.

Beyond the annual cycle, trigger an immediate review when any material change occurs:

  • You enter a new corridor or expand into a higher-risk jurisdiction.
  • You launch a new designated service — for example, adding crypto rails or mobile money payout.
  • You change your delivery channel — moving from in-person to online onboarding, or appointing new agents.
  • A regulatory or typology update lands — new FATF listings, DFAT sanctions changes, or AUSTRAC guidance.
  • An enforcement event in the sector signals a risk you had under-weighted.

Document each review, even when the conclusion is "no change required." The record itself is evidence of active monitoring.

Common Mistakes to Avoid

Copying a generic template without tailoring it. AUSTRAC can spot boilerplate immediately. Your assessment must reflect your actual corridors and customers.

Skipping the residual risk step. Listing inherent risks without showing how controls reduce them leaves your assessment incomplete and your control design unjustified.

Ignoring AUSTRAC's sector risk assessment. The regulator publishes a remittance-specific assessment rating the sector high risk. Failing to reference it suggests you have not done your homework.

Letting the document go stale. An assessment dated two years ago, with no review record, signals to a regulator that your compliance program is dormant.

Putting It All Together

A strong AML/CTF risk assessment is the difference between a compliance program that defends itself and one that collapses under AUSTRAC scrutiny. Work through the four risk factors honestly, score them with evidence, map your controls, and conclude with a residual rating you can stand behind.

Then keep it alive. Review it annually, update it whenever your business changes, and link every control in your program back to a risk you identified. That traceability is exactly what AUSTRAC looks for under the 2026 framework.

Use our AML/CTF program builder to connect your risk assessment to a compliant policy set, and review our corridor guides to ground your jurisdiction risk ratings in real corridor data.

This information is general in nature and does not constitute legal advice. Consult AUSTRAC or a qualified legal professional for advice specific to your situation.

Frequently Asked Questions

How often must I update my AML/CTF risk assessment?

Review your risk assessment at least annually as a baseline, and immediately after any material change — entering a new corridor, launching a new designated service, changing your delivery channel, or a relevant regulatory or sanctions update. Document each review, even when no changes are required, to evidence active monitoring under the 2026 AML/CTF reforms.

What are the four risk factors AUSTRAC expects me to assess?

AUSTRAC requires you to assess customer risk, product and service risk, delivery channel risk, and foreign jurisdiction risk. Each factor must be scored with written reasoning, with controls mapped to reduce inherent risk to an acceptable residual level.

Is an AML/CTF risk assessment a legal requirement?

Yes. Under the AML/CTF Act 2006 and the 2026 reforms, every reporting entity must identify, assess, and document the ML/TF risks it reasonably faces. The written, current risk assessment is a pillar of your AML/CTF policies and must be approved by your governing body or senior management.

What sources should I use to rate jurisdiction risk?

Use the FATF grey and black lists, the DFAT consolidated sanctions list, Transparency International's Corruption Perceptions Index, the Basel AML Index, and AUSTRAC's own remittance sector risk assessment. Cross-referencing multiple credible sources produces a defensible jurisdiction rating.

What is the difference between inherent risk and residual risk?

Inherent risk is the level of ML/TF risk before you apply any controls. Residual risk is what remains after your controls — such as customer due diligence, transaction monitoring, and sanctions screening — are applied. AUSTRAC expects you to show both and explain how your controls reduce the inherent risk.
