Welcome to the How to Comply with the AML/CTF Act Series!

If you haven’t been introduced to the series, check out this post:

“How to comply with the AML/CTF Act Series - an introduction”

What is an AML/CTF Risk Assessment?

An AML/CTF risk assessment is the process of identifying risk and developing policies and procedures to minimise and manage that risk, whilst assessing the likelihood and severity of facilitating ML/TF through your service.

It is important to consider the likelihood and severity of facilitating ML/TF through your service when evaluating the risks.

Likelihood x Severity = Risk Score

Part A of your AML program requires the development of a framework to identify, prioritise, treat, control and monitor risk exposures. Keep in mind, elements of Part A also inform the risk-based approach that is applied in Part B.

After enrolling with your FIU (for Australia this is AUSTRAC), conducting an AML/CTF risk assessment is the first step towards achieving compliance. The AML program constitutes Part A of your AML/CTF obligations.

An AML Program establishes the operational framework for a reporting entity to meet its compliance obligations under the AML/CTF Act. It builds a toolkit for identifying and treating the ML/TF risk a business faces. The program documents the policies, procedures and controls which aim to mitigate and manage these risks.

There are two components to an AML/CTF program:

  • Part A (general) of an AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity.
  • Part B (customer identification) covers a reporting entity’s customer due diligence (CDD) procedures. See the bronID Verification Portal for the self-serve solution to KYC.

Conducting a risk assessment is predominantly under Part A of your AML program.

What must be included?

Assess the ML/TF risk posed by all:

  • Designated services, before the entity introduces them to the market
  • Methods of delivering a designated service, before the entity adopts them
  • New or developing technologies used to provide designated services, before adopting them
  • Changes in the nature of the business relationship, control structure or beneficial ownership of its customers.

Things to consider:

In writing

Your AML program policies and procedures must be in writing. This is in addition to your reporting obligations to AUSTRAC.


Your AML program must have oversight from the board and senior management on an ongoing basis, your nominated AML compliance officer is a facilitator of this information sharing.

Regular Updates and Reviews

The AML program must be subject to independent reviews and updated regularly in accordance with the risk-based approach. We cover this procedure in more detail in ‘Review your AML program’.

Identifying your AML/CTF Risk Factors

Business Risk + Regulatory Risk = ML/TF Risk

bronID Risk Framework

Business Risk

Assess all of the risks your business poses to AML/CTF Act compliance. Identifying the factors is key; while this is not an exhaustive list, most ML/TF business risk factors come under these four categories.

  1. Customer Risk
  2. Product Risk
  3. Delivery Risk
  4. Jurisdiction Risk

Customer Risk

How you categorise your customers into low/medium/high risk buckets, and what you do with the sensitive personally identifiable information (PII) a customer shares during the KYC verification process, are important processes to outline when conducting an AML risk assessment, identifying your ML/TF risk and building your AML program.

For example, a customer who is a PEP (politically exposed person) should be considered high risk and therefore receive additional monitoring and checks to counter and minimise the ML/TF risk posed by serving this person.

bronID can dynamically update risk scores. Create and Update the ML/TF risk profiles of your customers to meet the recommendations from recognised international organisations when assessing customer risk. Allowing an individual to use the same digital identity, bronID, to verify on a variety of financial services will also contribute to a better, more complete risk profile for your customer.

In addition to this, it is important to do PEP and Sanctions checks for each customer. This should also influence which risk bucket you place each customer in. Customer identification influencing the risk is explored further in ‘Know Your Customer’.

Product Risk

Consider the type of product or service provided, for example an exchange versus banking, and the justified risk of each of these products both independently and as a suite. Once you release a product which requires reporting to AUSTRAC, you are inviting regulatory risk for non-compliance in addition to the business risk.

A complete list of the various product/service offerings should be compiled and assessed for their vulnerability to money laundering and terrorist financing.

Because bronID is a solution specifically tailored for AML/CTF compliance, we interact with a variety of products and services, from banks to cryptocurrency exchanges, and have gained expertise in how each product/service is assessed for ML/TF risk. This knowledge can help inform your assessment.

Delivery Risk

Consider the method of delivery of your service, whether that be face to face, over the counter (OTC), through an online marketplace, a web application or an app. While face-to-face delivery offers less opportunity to facilitate money laundering than digital delivery, most financial services today are online services.

The bronID digital identity system is tailored to synergise with an array of financial technology services. It therefore builds towards an open standard of AML compliance for all online delivery methods, reducing the overall risk of these services by standardising AML/CTF best practice.

Jurisdiction Risk

An AML program should identify, categorise and attribute an ML/TF risk score to providing services within a particular jurisdiction. The categories are low (requires monitoring), medium (concern) and high (primary concern). To determine these ratings you will need to assess the political, economic, legal, cultural and government structures and standards in each country.

There are a variety of international organisations which assess the jurisdiction risk of ML/TF. Some focus on a country's overall risk; others provide information for assessing the risk posed by PEPs and sanctions within these jurisdictions.

There are a few factors you should consider when assessing your jurisdiction risk when providing service internationally.

Figure: Jurisdiction risk map, showing the factors which impact a jurisdiction’s risk score.

Regulatory Risk

Regulatory risk is associated with breaches to the provisions of the AML Act and rules and regulations.

The regulator’s measures to detect, deter and remedy non-compliance will be commensurate with an entity’s perceived risk rating.

Factors which place an entity at higher risk of non-compliance are:

  • Customer verification not done properly
  • Failure to train staff adequately
  • Not having an AML/CTF program
  • Failure to report suspicious matters
  • Not submitting an AML/CTF compliance report
  • Not having an AML/CTF compliance officer.

Minimising these risks is directly related to the policies and procedures outlined in your AML program and whether these are implemented, reviewed and reinforced correctly.

Customer Identification is covered predominantly by Part B of the AML Program and will be covered in more detail in Know Your Customer.

Reporting and Record Keeping are facilitated by AUSTRAC online. These obligations will be covered in more detail in Reporting and Record Keeping.

Implementing the AML/CTF program is covered in Design your AML Program

The effectiveness of your AML program is to be assessed by an independent reviewer, this will be covered in Review your AML Program.

Risk Assessment

When it comes to quantifying your ML/TF risk the most common method is to attribute a risk score by assessing the likelihood of a non-compliance event occurring against its severity or impact. 

Likelihood x Severity = Risk Score

When it comes to money laundering and terrorist financing, the consequences of a designated service being non-compliant can be drastic. This emphasises the importance of taking a risk-based approach to regulation. While businesses should not be expected to have a zero risk tolerance, minimising the risks with the highest risk level/score is a good start towards achieving industry best-practice compliance.

Risk Treatment

Risk treatment comprises the processes in place to minimise and manage the identified risks by applying strategies, policies and procedures.

Create a risk management worksheet which dictates the treatment/actions taken to minimise both business and regulatory risk.

Here is an example of quantifying Customer Risk:

Figure: Risk management worksheet (example of quantifying customer risk).

Risk Appetite

Your risk appetite is expressed as an acceptable or unacceptable level of risk.

Some questions you may ask yourself:

  • What risks will the business accept?
  • What risks will the business NOT accept?
  • What risks will the business treat on a case-by-case basis?
  • What risks will the business send to a higher level for a decision?
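As an added worked example (not bronID's code or worksheet), here is a small Python risk-management worksheet that applies the Likelihood x Severity scoring above across the four business-risk categories, buckets each customer into low/medium/high, and encodes the risk-appetite questions as accept/treat/escalate rules. All severity weights, likelihood mappings, thresholds and appetite rules are assumptions chosen for illustration, not regulatory values.

```python
from dataclasses import dataclass

# Severity (impact) of an ML/TF event in each of the four business-risk categories,
# rated 1 (minor) to 5 (drastic). Illustrative assumptions, not regulatory values.
SEVERITY = {"customer": 5, "product": 4, "delivery": 2, "jurisdiction": 4}

@dataclass
class Customer:
    is_pep: bool           # politically exposed person (from PEP screening)
    sanctions_hit: bool    # matched a sanctions list (from sanctions screening)
    product: str           # e.g. "banking" or "exchange"
    channel: str           # "face_to_face" or "online"
    country_tier: str      # "low", "medium" or "high" from your jurisdiction map

def likelihood(c: Customer) -> dict:
    """Likelihood (1-5) of facilitating ML/TF, per category; the mapping is an assumption."""
    return {
        "customer": 5 if c.sanctions_hit else 4 if c.is_pep else 1,
        "product": {"banking": 2, "exchange": 3}.get(c.product, 2),
        "delivery": 3 if c.channel == "online" else 1,
        "jurisdiction": {"low": 1, "medium": 3, "high": 5}[c.country_tier],
    }

def risk_scores(c: Customer) -> dict:
    """Risk Score = Likelihood x Severity, per category (maximum 25)."""
    return {k: lk * SEVERITY[k] for k, lk in likelihood(c).items()}

def bucket(score: int) -> str:
    """Place a score into a low/medium/high risk bucket (thresholds are assumptions)."""
    return "high" if score >= 15 else "medium" if score >= 9 else "low"

def assess(c: Customer) -> dict:
    """One worksheet row: per-category scores, overall bucket and risk-appetite action."""
    scores = risk_scores(c)
    overall = max(scores.values())        # the worst category drives the customer rating
    rating = bucket(overall)
    # Assumed risk-appetite rules: sanctions matches are not accepted; high risk is
    # escalated; medium is treated case by case; low is accepted with standard monitoring.
    if c.sanctions_hit:
        action = "do not accept"
    elif rating == "high":
        action = "escalate to AML compliance officer"
    elif rating == "medium":
        action = "treat case-by-case with enhanced due diligence"
    else:
        action = "accept with standard monitoring"
    return {"scores": scores, "overall": overall, "rating": rating, "action": action}

if __name__ == "__main__":
    # Constructed sample: a PEP using an online exchange from a medium-risk jurisdiction.
    print(assess(Customer(True, False, "exchange", "online", "medium")))
```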

Upon completing an AML/CTF Risk Assessment, you are ready to move forward with your AML program.

Use the information from your risk assessment to:

Design your AML program

Move onto Part B obligations with:

Know Your Customer

For applying a Part B, KYC & KYB compliance check, see the bronID portal