Conduct an AML/CTF Risk Assessment

Mitchell, January 29, 2019


What is an AML/CTF Risk Assessment?

An AML/CTF risk assessment is the process of identifying the ML/TF risk your service faces and developing policies and procedures to minimise and manage that risk.

It is important to consider the likelihood and severity of facilitating ML/TF through your service when evaluating the risks.

Likelihood x Severity = Risk Score

Part A of your AML/CTF program requires the development of a framework to identify, prioritise, treat, control and monitor risk exposures. Keep in mind, elements of Part A also inform the risk-based approach that is applied in Part B.

After enrolling with your FIU (for Australia this is AUSTRAC), conducting an AML/CTF risk assessment is the first step towards achieving compliance. The AML/CTF program constitutes Part A of your AML/CTF obligations.

An AML/CTF Program establishes the operational framework for a reporting entity to meet its compliance obligations under the AML/CTF Act. It builds a toolkit for identifying and treating the ML/TF risk a business faces. The program documents the policies, procedures and controls which aim to mitigate and manage these risks.

There are two components to an AML/CTF program:

  • Part A (general) of an AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity.
  • Part B (customer identification) covers a reporting entity's customer due diligence (CDD) procedures.

Conducting an ML/TF risk assessment is necessary for Part A of your AML/CTF program.

[Image: bronID risk assessment]

What must be included?

Assess the ML/TF risk posed by all:

  • Designated services, before the entity introduces them to the market.
  • Methods of delivering a designated service, before the entity adopts them.
  • New or developing technologies used to provide designated services, before adopting them.
  • Changes in the nature of the business relationship, control structure or beneficial ownership of its customers.

Things to consider:

Well documented

Your AML/CTF program policies and procedures must be well documented and stored as a reference for independent audit; this is in addition to your reporting obligations to AUSTRAC.

Board and Senior Management Oversight

Your AML/CTF program must have ongoing oversight from the board and senior management; your nominated AML compliance officer facilitates this information sharing.

Regular Updates and Reviews

The AML/CTF program must be subject to independent reviews and updated regularly in accordance with the risk-based approach. We cover this procedure in more detail in Review your AML/CTF Program.

Identifying your AML/CTF Risk Factors

Inherent Risk - AML/CTF Controls = Residual Risk

[Image: bronID risk chart]

Assess the risk that your business will facilitate ML/TF. bronID helps you do this by measuring the following risk factors.

  1. Customer Risk
  2. Product Risk
  3. Delivery Risk
  4. Jurisdiction Risk
  5. Operations Risk
  6. Environment Risk

Customer Risk

How you categorise your customers into low/medium/high risk buckets, and what you do with the sensitive PII a customer shares during the KYC verification process, are important processes to outline when conducting an AML risk assessment, identifying your ML/TF risk and building your AML/CTF program. For example, a customer who is a PEP (politically exposed person) should be considered high risk and therefore receive additional monitoring and checks to counter and minimise the ML/TF risk posed by serving this person.

bronID can dynamically update risk scores. Create and Update the ML/TF Risk Profiles of Your Customers to meet the recommendations from recognised international organisations when assessing customer risk. Allowing an individual to use the same digital identity, bronID, to verify on a variety of financial services will also contribute to a better, more complete risk profile for your customer.

In addition to this, it is important to run PEP and sanctions checks for each customer; the results should also influence which risk bucket you place each customer in. How customer identification influences risk is explored further in Know Your Customer.

Product Risk

Consider the type of product or service provided (for example, an exchange versus banking) and the justified risk of each product both independently and as a suite. Once you release a product which requires reporting to AUSTRAC, you are inviting regulatory risk for non-compliance in addition to the business risk.

A complete list of the various product/service offerings should be compiled and assessed for their vulnerability to money laundering and terrorist financing.

Because bronID is a solution specifically tailored for AML/CTF compliance, we interact with a variety of products and services, from banks to cryptocurrency exchanges, and have gained expertise in how each product/service is assessed for ML/TF risk. This knowledge can help inform your assessment.

Delivery Risk

Consider the method by which your service is delivered, whether face to face, over the counter (OTC), through an online marketplace, a web application or a mobile app. While face-to-face delivery offers less opportunity to facilitate money laundering than digital delivery, most financial services today are delivered online.

The bronID digital identity system is designed to work with an array of financial technology services, building towards an open standard of AML compliance for all online delivery methods and reducing the overall risk of these services by standardising AML/CTF best practice.

Jurisdiction Risk

An AML/CTF program should identify, categorise and attribute an ML/TF risk score to providing services within a particular jurisdiction: low (requires monitoring), medium (concern) or high (primary concern). To determine these factors you will need to assess the political, economic, legal, cultural and government structures and standards in each country.

There are a variety of international organisations which assess the jurisdiction risk of ML/TF. Some focus on a country's overall risk; others provide information for assessing the risk posed by PEPs and sanctions within these jurisdictions. There are a few factors you should consider when assessing your jurisdiction risk if you provide services internationally.

[Image: jurisdiction risk chart]

Operations Risk

These are the ML/TF risks your internal business activities create. For example, assessing the risk posed by the employees who perform KYC verifications is one aspect of operations risk. Operations risk is also influenced by which internal policies and procedures are in place to perform AML/CTF controls.

Environment Risk

The risk environment your designated service is exposed to. For example, digital currency exchanges are more vulnerable to risks related to cybercrime and hacking.

Regulatory Risk

Regulatory risk is associated with breaches of the provisions of the AML/CTF Act and its rules and regulations. The regulator's measures to detect, deter and remedy non-compliance will be commensurate with an entity's perceived risk rating.

Factors which place an entity at higher risk of non-compliance are:

  • Customer verification not done properly;
  • Failure to train staff adequately;
  • Not having an AML/CTF program;
  • Failure to report suspicious matters;
  • Not submitting an AML/CTF compliance report; and
  • Not having an AML/CTF compliance officer.

Minimising these risks is directly related to the policies and procedures outlined in your AML/CTF program and whether these are implemented, reviewed and reinforced correctly.

Customer Identification is covered predominantly by Part B of the AML/CTF Program and will be covered in more detail in Know Your Customer.

Reporting and Record Keeping are facilitated by AUSTRAC online.

Implementing the AML/CTF program is covered in Design your AML/CTF Program.

The effectiveness of your AML/CTF program is to be assessed by an independent reviewer, covered in Review your AML/CTF Program.

Risk Assessment

When it comes to quantifying your ML/TF risk the most common method is to attribute a risk score by assessing the likelihood of a non-compliance event occurring against its severity or impact.

Likelihood x Severity = Risk Score

When it comes to money laundering and terrorist financing, the consequences of a designated service being non-compliant can be drastic. This emphasises the importance of taking a risk-based approach to regulation: while businesses should not be expected to have a zero-risk tolerance, minimising the risks with the highest risk level/score is a good start towards industry best practice compliance.

Risk Treatment

Risk treatment comprises the processes in place which aim to minimise and manage the risks, and the strategies, policies and procedures applied to do so. Create a risk management worksheet which records the treatment/actions taken to minimise both business and regulatory risk.

Risk Appetite

Risk appetite is expressed as an acceptable or unacceptable level of risk.

Some questions you may ask yourself:

  • What risks will the business accept?
  • What risks will the business NOT accept?
  • What risks will the business treat on a case-by-case basis?
  • What risks will the business send to a higher level for a decision?
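As an added worked example (not bronID's code or any product's scoring rules), the following Python scores a small constructed risk register using the two formulas from this article, Likelihood x Severity = Risk Score and Inherent Risk - AML/CTF Controls = Residual Risk, and maps each residual score onto the four risk-appetite answers above. The 1-5 scales, the control reduction points, the sample register values and the appetite thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed 1-5 scales (1 = rare / negligible, 5 = almost certain / severe),
# so inherent scores land on a 1-25 matrix.
@dataclass
class RiskFactor:
    name: str            # one of the six factors: customer, product, delivery, ...
    likelihood: int
    severity: int
    control_points: int  # assumed: points removed by the documented AML/CTF controls

    def inherent(self) -> int:
        return self.likelihood * self.severity          # Likelihood x Severity = Risk Score

    def residual(self) -> int:
        return max(0, self.inherent() - self.control_points)  # Inherent - Controls = Residual

# Assumed appetite thresholds; a real program sets its own in its risk worksheet.
def appetite(residual: int) -> str:
    if residual <= 4:
        return "accept"
    if residual <= 9:
        return "treat case-by-case"
    if residual <= 15:
        return "treat (documented controls required)"
    return "escalate for senior-management decision"

def customer_likelihood(is_pep: bool, sanctions_match: bool, base: int = 2) -> int:
    # A PEP or sanctions hit pushes the customer into the high bucket, as the article describes.
    if sanctions_match:
        return 5
    if is_pep:
        return max(base, 4)
    return base

def rank_register(factors):
    # Highest residual risk first, so treatment effort goes where the score is highest.
    return sorted(factors, key=lambda f: f.residual(), reverse=True)

# Constructed register for an imaginary online exchange (sample values, not guidance).
REGISTER = [
    RiskFactor("customer (PEP onboarding)", customer_likelihood(True, False), 4, 6),
    RiskFactor("product (crypto exchange)", 4, 5, 8),
    RiskFactor("delivery (online app, not face-to-face)", 4, 3, 5),
    RiskFactor("jurisdiction (domestic only)", 1, 3, 0),
    RiskFactor("operations (KYC staff training)", 2, 3, 4),
    RiskFactor("environment (cybercrime exposure)", 3, 4, 4),
]

for f in rank_register(REGISTER):
    print(f"{f.residual():>2}  {appetite(f.residual()):<42} {f.name}")
```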

Upon completing an AML/CTF Risk Assessment, you are ready to move forward with your AML/CTF program.

Do you need a sector-specific ML/TF Risk Assessment?
