C HT US CI GH

RAC INSIGH S • AU TRAC NSIG TS

INS TS • STR I N S H TS
AC IG A A IG
I N S H T S • U S T R C I N S H TS
C IN IGHTS AUST AC IN IGHT
SIG •A RA SIG S
I N S H T S • U S T R C I N S H TS
IGH A A I
NSI T S • U S T R C I N S G H TS
GH AU AC IGH
S I G T S • A S T R A I N S I G TS
HT US CI HT
IGH S • AU TRAC NSIGH S
TS • STR INS TS
HTS AUST AC IN IGHT
•A RA SI S
T S • U S T R C I N S G H TS
AU AC IGH
S• S INS T
AU TRAC IGH S
• AU S T RA I N S T S
S C IN IGHT
SIG S
AU TRAC
STR I N S H TS
US AC IG
T R A I N S I H TS
S T R C I N S G H TS
AC IG
T R A I N S I H TS
C G H
R A I N S I G TS
C IN HT
AC SI S
I N S G H TS
C IN IGHT
SI S
I N S G H TS
I
I N S G H TS
IGH
S I G TS
HT
IGH S
T
GH S
TS
HT
S
TS
S

INSIGHTS
AUSTRAC

ASS E SS I N G M L / T F R I S K
 A
A
AU
S
AU
ST
AU
STR
AU
STR
AU A
STR
AU AC
STR
AU A
STR C I
AU A
STR C IN
AU A
STR C INS
AU A I
STR C INS
AU A IG
STR C INS
AU A I G
STR C INS H
AU AC IGH
STR INS T
AU AC IGH
STR INS T
AU AC IGH S
STR I NSI T S•
AU A G
STR C INS HTS •
AU A IG
STR C INS HTS •
AU A IG A
STR C INS HTS •
AU AC I GH AU
I T
 STR INS TS •
AU A IG A
ST R C I N S H TS • U ST
AU A I G A
ST R C I N S I H TS • U ST R
AU AC GH
T A US
STR INS
AU AC I G H S • AU T R A
STR INS T S
AU AC I G H S • AU T R AC
STR I NSI T S• S TRA
AU A G A
ST R C I N S H TS • U ST R C I
AU A IG A A
ST R C I N S H TS • U ST R C I N
AU A I G A A
ST R C I N S H TS • U ST R C I N S
AU A IG A A
ST R C I N S H TS • U ST R C I N S I
AU AC IGH A A
STR INS T US C IN
SIG
AU AC I G H S • AU T R AC
STR INS TS • ST R INS
AU A IG A A IG
I
ST R C I N S H TS • U ST R C I N S I H
AU A G A A G
ST R C I N S H TS • U ST R C I N S I H T
AU AC IGH A A G
STR INS TS • U ST R C I N S H TS
AU A I G A A I G
ST R C I N S H TS • U ST R C I N S I H TS •
AU A IG A A G
I
ST R C I N S H TS • U ST R C I N S I H TS •
AU A G A A G A
I
ST R C I N S H TS • U ST R C I N S I H TS •
AU A G A A G A
ST R C I N S H TS • U ST R C I N S I H TS • U
AU AC IGH A A G H A U
STR INS T US C IN
SIG TS • A S
AU AC I G H S • AU T R AC H U
STR INS T S INS T S
AU AC I G H S • AU T R AC I G H S • AU T
STR I NSI T S• S TRA I NSI T S• S TR
AU A G A G A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R
AU A IG A A G A A
I
ST R C I N S H TS • U ST R C I N S I H TS • U ST R
AU A G A A G A A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I
AU A IG A A G A A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I
AU A IG A A G A A
I
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S
AU A G A A G A A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I
A G
H OW TO AU AC IGH A C A UST AC IN
STR INS TS • U ST R INS HTS
•
AU A I G A A I G A RA SIG
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I
USE THIS AU A IG A A G A A G

business might be at risk.

I
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H
AU A G A A G A A G
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H T
A IG A A G A A G

(ML/TF) risks to your business.

AU
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS
AU A IG A A G A A G
I
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS •
DOCUMENT AU A G A A G A A G
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS •
AC IGH A A C G A

This document is designed to help you

AU

critical for your business’ reputation and

INS INS HTS UST AC IN GHTS A

Resilience against criminal exploitation is

STR TS • U ST R
A I G A A I G • A RA SIG •A

expectations regarding the assessment of

identifies and manages any vulnerabilities.

AU

money laundering and terrorism financing

integrity. It’s important to know where your

understand your obligations and AUSTRAC’s

ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS • U
A G

regulatory activity, will help ensure you have

A IG A A G A A

a comprehensive ML/TF risk assessment that

AU

These insights, developed in the course of our

I
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS • U S
AU A G A A G A A G A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS • U ST
AU A IG A A G A A G A
ST R C I N S H TS • U ST R C I N S I H TS • U ST R C I N S I H TS • U ST R
AU AC IGH A A G H A U A C G H A U
STR INS T US C IN
S I G TS • A ST R A I N S I G TS • A ST R A

01
AU
STR
AC
INS
I G H S • AU T R AC
T S INS H T U S C INS H T U S
AU AC I G H S • AU T R AC I G H S • AU T R A C I G H S • AU T R AC
STR I NSI T S• S I NSI T S• S I NSI T S• S TRA
AU A G A
TRA G A
TRA G A CI
ST R C I N S H TS • U ST R C I N S H TS • U ST R C I N S I H TS • U ST R
 P ROT ECT
YO U R
B U S I N E SS
FROM FINANCIAL
CRIME
Criminals are adept at exploiting financial
products, services or delivery methods to
facilitate their illegal activities.

When it comes to protecting the financial

sector from criminal exploitation, businesses
such as yours are the first line of defence.
A key part of that defence is ensuring you
have a compliant anti-money laundering
and counter-terrorism financing (AML/CTF)
program in place.

Your AML/CTF program is a central part of the

risk-based scheme established by the Anti-
Money Laundering and Counter-Terrorism
Financing Act 2006 (AML/CTF Act) and its
purpose is to identify, mitigate and manage
ST R C I N S H TS

your ML/TF risk.

• A ST R AC I N S I G TS
R AC I N S I G TS
IGH
G

TS
H

U ST AC I N I G H TS

Your program must meet certain criteria and

H

ST R C I N S H TS
TRA INSIG TS
R AC I N S I G TS

demonstrate that it is able to identity, mitigate

IGH
SIG

TS
INS

INS HTS
A
AC

and manage the risks.

S
C IN IGHT
INS HTS
IG

NSI HTS
SIG TS
INS

SIG
AU

IGH S
RA
U ST
ST R

AC

GH
IG

HT
AU

TS
C

HTS
AU

TS
AC
S•

S
 03
05
03
 ASS E SS YO U R
ML/TF RISK
Before you can develop and implement
your AML/CTF program, you must do a
comprehensive ML/TF risk assessment.
It is essential to conduct these assessments
S

appropriately, as they are the foundation

ST R C I N S H TS
ST R C I N S H TS
R AC I N S I G TS

for your AML/CTF program.

G

INS HTS
IGH
IG
NSI

INS HTS
S
C IN GHT
INS HTS
IG

INS HTS
SIG TS
SIG
I

IGH S
TRA

IGH
IG

HT
TS
A
AC

TS
HTS
AC

GH

TS
S
AN A P P ROP R I AT E M L/T F
R IS K A S S ES S M E N T W I L L
COM P REHE N S I V E LY:

■ identify and evaluate the ML/TF risk

posed to your business, having regard
to its nature, size and complexity

■ take into account your customer types,

the designated services you offer, the
methods you use to deliver those services
and the foreign jurisdictions you deal with.

■ assess the inherent risk, also known as initial

risk, before any AML/CTF systems have been
applied to reduce the risk.
Inherent risk is the level
TO DE T ERM I N E T H E I N H E R E N T
of ML/TF risk before
ML/T F RIS K, YO U M U S T:
you apply systems and
■ develop an appropriate risk assessment controls to reduce the risk
methodology or model, including a way
to measure the likelihood and impact
of ML/TF risks Residual risk is the level
■ populate the model with all relevant
of ML/TF risk after you
risks and associated risk attributes, and have applied systems and
controls to reduce the risk
■ perform the risk assessment and ensuring
that its outputs align with the scoring
or ranking mechanisms of the
methodology/model.

Once you have determined your inherent

risks, you must apply systems and controls to
reduce, or mitigate, those risks. You can then
determine the residual risk. Once you have
determined the residual risk you must apply
systems and controls to manage those risks.
For detailed guidance on how to develop a risk
assessment methodology and conduct a risk
assessment, see austrac.gov.au/managing-risk

05
DOCUMENT
YO U R R I S K
ASS E SS M E N T,
SYST E M S A N D
C O N T RO LS
Once you have completed your risk assessment, Your risk assessment needs to function
you need to document it. If you do not as a ‘living document’. You will not have
properly document your risk assessment, you appropriate risk-based systems and controls
cannot develop appropriate risk-based systems in place unless these systems and controls are
and controls in your AML/CTF program. regularly reviewed and adapted over time,
having regard to emerging, developing and
WE EX P EC T YO U TO D O C U M E N T:
changing risks.
■ the method used to conduct the risk
Your risk assessment must be based on
assessment
all available data and should not be limited to
■ an assessment of the likelihood and impact the risks posed by how the product or channel
of the inherent ML/TF risk functions. You will also need to consider
information about trends in usage of the
■ a scale for assessing the level of importance
product or channel, transaction monitoring,
of ML/TF risk (for example, low, medium
suspicious matter reporting, internal financial
and high)
crime reporting, and information from
■ how you have considered the following AUSTRAC and law enforcement to fully
risk factors, as specified by the Anti-Money understand your risks.
Laundering and Counter-Terrorism Financing
Rules (AML/CTF Rules):

- the risks associated with your customer

types, including politically exposed persons

- the products and services your business

offers and the channels used to distribute
them

- the risks associated with any foreign

jurisdictions you operate in.

■ how you have considered the nature, size and

complexity of your business, and any additional
risks posed by the industry you operate in.

07
A P P LY
R I S K- BAS E D
C O N T RO LS
Appropriate risk-based systems and controls ■ how often the system or control is applied
must have regard to the type of ML/TF risk you
■ the resources and expertise required for
identified and be in proportion to the level of
carrying out or managing the system or
risk. For example, in areas assessed as medium
control, and
or high risk, you would apply more robust and/
or strengthened systems and controls. ■ the degree of internal reporting and
oversight by senior staff for ensuring the
When determining the nature and robustness
effectiveness of the system or control.
of a system or control, you should consider at
least the following factors: As with your risk assessment process, an
appropriate risk-based system or control must
■ the scope or coverage of the relevant system
be sufficiently documented in order to be
or control in your business e.g. customers,
consistently implemented.
transactions and/ or employees
What is the difference
between preventative
and detective controls?
Preventative controls are those that limit
the ability to use your product or channel
in a way that would increase the ML/TF risks.
This includes things like setting transactions
limits or having a management approval
process for high-risk customers, products or
countries, applying different identification
processes for customers you don’t deal
with in person, or not accepting customers
who you deem as too high risk.

Detective controls only seek to monitor

activity through your product or channel.
This includes things like gathering
information about how your products
or channels are used, and information
from internal records, such as transaction
monitoring and suspicious matter reporting.

NOT E: If your controls are detective

only and not preventative, they may not
correspond with your ML/TF risks and may
not reduce your inherent risks.

09
05
09
03
C O N T I N U O U S LY
R E V I E W YO U R
ML/TF RISK
ASS E SS M E N T
An assessment of ML/TF risks must be carried implemented, you must fully document this,
out before you introduce new products, including your methodology and rationale.
new channels or adopt new or developing
In addition to periodic reviews of your systems
technologies to deliver services.
and controls, there are a range of circumstances
You must regularly review the systems and that can trigger an immediate need to review a
controls that mitigate and manage your risks product or channel’s ML/TF risk assessment and
to ensure they remain aligned with current its controls and how they impact your broader
risks and are working as intended. AML/CTF program.

If you conclude that you have reduced a risk

as a result of a system or control you have
 A

IGH
S

STR C INS HTS •

INS HT
I
ST
STR
A
STR C

STR C INS HTS

STR C IN
STR C I

STR C INS
AU
A

I
STR
A

INS
AU

IG
STR
A

INS HTS
STR C INS
AU

IG
A

INS
AU

G
A
AC
AU

IG
I
AU

A
AC
AU

STR

AC
AU
AU

STR
A
AU

STR
A
AC
AU
AU
AU
AU

ST
AU
AU
ES C A L ATE YO UR TRI GGERS
TO S ENI O R MA NAGEM ENT

You must have processes in place to ensure

WHAT IS A T R I G G E R?
A trigger is an instance or occurrence that
indicates to you that you need to review your
risk assessment and its controls and how they
impact your broader AML/CTF program.
EXA M P L E S O F T R I G G E R S
IN C LUDE W H E N:
■ there is a big change in your customer
uptake or use of a product or channel
■ there is a big change in the volume or value
of relevant transactions
■ you make a change to the product or
channel, for example, the channel is
expanded or more flexible features are
added to the product
■ your transaction monitoring identifies
unusual patterns of activity
■ your ongoing customer due diligence
identifies unusual patterns of activity
■ your financial crime compliance function
identifies threats or emerging trends of
criminal exploitation of the product or
channel
■ a change in the external environment leads
to a change in your exposure to risk, or
■ AUSTRAC or law enforcement communicate
information about the ML/TF risks of the
product or channel.
you identify and escalate triggers to senior
management responsible for ongoing risk
assessments. Your process for escalating triggers
may vary depending on the size and complexity
of your business. As a minimum, processes
should be put in place to:
■ ensure risk updates are built into your business
strategy reviews of products or channels
■ identify and escalate trends from your
transaction monitoring
■ review, escalate and refer trends from your
suspicious matter reports, international fund
transfer instructions and trends of large or
unusual cash activity, including from your
threshold transaction reports
■ escalate and refer significant issues or
trends identified by your financial crime
compliance function relating to criminal activity
■ ensure teams dealing with warrants or notices
from law enforcement escalate significant
issues or trends of unusual or criminal activity
■ escalate changes in your external environment
that you have identified and analysed, such
as changes to legislation or the economic
environment, and
■ otherwise carry out periodic reviews at
appropriate intervals, taking into account the
ML/TF risks.
11
P ROV I D E
AC C E SS TO
YOUR ML/ TF RISK
I N FO R M AT I O N
To enable your risks to be appropriately Effective governance and oversight is
reviewed, updated, mitigated and managed, dependent on the completeness and
you must have processes in place to ensure accuracy of information provided to your
those with risk management responsibilities senior management, committees and boards.
have access to full and timely information Information flows about your ML/TF risks
about your risks. and AML/CTF controls must be coordinated
and structured and not driven by events
This information needs to be fully documented,
or incidents.
as do risk assessments.

SET CLEAR
ACCOUNTABILIT Y
FO R M L / T F
R I S KS
After you have identified a risk, you must have accountabilities within senior management to
processes in place to ensure your systems take action on updated risk assessments and
and controls correspond with that risk. This to introduce systems and controls to mitigate
starts with briefing senior management on and manage your risks.
updated risk assessments. There must be clear
 F U RTHER

FOR MORE INFORMATION, PLEASE SEE AUSTRAC.GOV.AU/MANAGING-RISK

I N FO R MAT ION
HTS
•
T S • AU S T R
A
T S • AU S T R C I N S
AU AC IGH
• A ST R AC I N S I G TS • A
U H U
• A ST R AC I N S I G TS • A ST R AC
H U I

FOR MORE INFORMATION ON AML/CTF PROGRAMS, PLEASE SEE AUSTRAC.GOV.AU/AMLCTF-PROGRAMS

U ST

13
R AC I N S I G TS • A ST R AC N S I G H
AU
ST R INS H TS U I T
A C I G H
• A S T R A C N S I G H S • AU
U
U ST I T S
R AC I N S I G T S • A S T R A C N S I G H S • AU T R AC
ST R INS H TS U STR I T S• S
I • NSI TRA INSIG
 AUS AC I GH AU AC AC G
T N TS ST IN GHTS AUST I N S H T S • U S T R C I N S H TS
AUS RAC I SIGHT • AUS RAC IN SIGHT • AUS RAC IN IGHTS AUST AC IN IGHT
T N S T S T S • R S S
AUS RAC I SIGHT • AUS RAC IN SIGHT • AUS RAC IN IGHTS AUST AC IN IGHT
TRA NSI S• T R S S T R S • R S S
AUS C IN GHTS AUST AC IN IGHT • AUS AC IN IGHTS AUST AC IN IGHTS
T S T S • R S
AUS RAC I SIGHT • AUS RAC IN SIGHT • AUS RAC IN IGHTS AUST AC IN IGHT
TRA NSI S•
AU T R AC S S T R AC S IGH • AU R AC S
AUS C GH IGH • AU IGH S
T R A I N S I G T S • A S T R A I N S I G TS • A S T R A I N S I G T S • A S T R A I N S I G TS
AUS C IN HTS US C IN HT C IN HTS US C IN HT
T T S UST
S • TR S S
AUS RAC I SIGHT • AUS RAC IN SIGHT • AUS RAC IN IGHTS AUST AC IN IGHT
TRA NSI S• T R S S T R S I • R S S

DISCLAIMER
AUS C IN GHTS AUST AC IN IGHT • AUS AC IN GHTS AUST AC IN IGHTS
T S T S • R S
AUS RAC I SIGHT • AUS RAC IN SIGHT • AUS RAC IN IGHTS AUST AC IN IGHT
TRA NSI S•
AU T R AC S S T R AC S I GH • AU R AC S I
AUS C GH IGH • AU GH S
T R A I N S I G T S • A S T R A I N S I G TS • A S T R A I N S I G T S • A S T R A I N S I G TS
UST C HT US CI H U CI HT US CI HT
RAC INSIGH S • AU TRAC NSIG TS • A STRAC NSIGH S • AU TRAC NSIGH S
STR INS T S I HT US INS T S I T
AC IGH S • AU TRAC NSIGH S • AU TRAC IGH S • AU TRAC NSIGH S
I N T S S T I N T S S I N S T S • S T R I N S T S
TRA S • R S TR
C IN IGHTS AUST AC IN IGHT • AUS AC IN IGHTS AUST AC IN IGHTS
AC S I G • A R A S IG S • T R A S I G • A R A S I G

© Copyright Commonwealth of Australia

INS HTS • USTR C INS HTS AUSTR C INSI HTS • USTR C INS HTS
C IN IGHTS AUST AC IN IGHT • AUS AC GH AU AC IGH
SIG •A RA SIG S• T R A I N S I G T S • A S T R A I N S I G TS
INS HTS • USTR C INS HTS AUSTR C INSI HTS • USTR C INS HTS
IG A A IG • A G A A IG
INS HTS • USTR C INS HTS AUSTR C INSI HTS • USTR C INS HTS
IGH AU AC IGH • AU AC G HT A US A C I GH
SIG TS • A STRA INSIG TS • A STRAC INSIGH S • AU TRAC INSIG TS
HTS US C IN H U T S H
SIG TS • A STRA INSIGH S • AU TRAC INSIG TS
IGH
TS •
• AU TRAC
STR INS H TS U STR C INS TS • STR INS H TS
HTS AUST AC IN IGHT • AUS AC IN IGHTS AUST AC IN IGHT
•A RA SI S• T RA SIG •A RA SIG S

AUSTRAC recommends that independent professional advice be sought.

TS • USTR C INS GHTS AUSTR C INS HTS • USTR C INS HTS
AU AC IGH • AU AC IGH AU AC IGH
S• S INS T S INS T S I T
AU TRAC IGH S • AU TRAC IGH S • AU TRAC NSIGH S
T S
S T RA I N S T S S T I N S S • T R I N S T S
• AU
S C IN IGHT • AUS RAC IN IGHTS AUST AC IN IGHT
S • R S S
AU TRAC SIG S• TRA I G A A I G
STR INS HTS AUSTR C INS HTS • USTR C INS HTS
US AC IG •A AC IGH AU AC IG
T R A I N S I H TS • U S T R A I N S I G T S • A S T R A I N S I H TS
G C IN H U C G H
STR C INS HTS AUST S I G T S • A S T R A I N S I G TS
STR
AC
INS
IGH
T
• AU RAC
S INS H T U S C I H T
AC IGH S • AU TRAC IGH S • AU TRAC NSIGH S
RA I N S T S S T I N S TS • STR I N S T S
C IN IGHT • AUS RAC IN IGHTS AUST AC IN IGHT
S• TRA SIG •A RA SIG S

opinions. The Commonwealth accepts no liability for any loss suffered as a result of reliance on this publication.
AC SIG

matters. It is not intended to be comprehensive. It does not constitute nor should it be treated as legal advice or
INS HTS AUSTR C INS HTS • USTR C INS HTS

The information contained in this document is intended to provide only a summary and general overview on these
C IN IGHT • AUS AC IN IGHTS AUST AC IN IGHT
S S T S • R S S
C IN IGHT • AUS RAC IN IGHTS AUST AC IN IGHT
SIG S• TRA S IG • A R A S IG S
INS HTS AUSTR C INS HTS • USTR C INS HTS
IGH • AU AC IGH AU AC IGH
T S
SIG TS • A STRA INSIGH S • AU TRAC INSIG TS
HT U C I T S
SIG S STR NSI S• TR I N S H TS
HT • AUST AC IN GHTS AUST AC IN IGHTS
IGH S • AU RAC SIG •A RA SIG
TS STR I N S H T S • U S T R C I N S H TS
I
HT • AUST AC IN GHTS AUST AC IN IGHTS
S•
A R AC SIG •A RA SIG
TS UST I N S H T S • U S T R C I N S H TS
•A R AC IGH AU AC IGH
S • U S T R A I N S I G T S • A S T R A I N S I G TS
AUS C IN HTS US
TR A
C IN H
• AU TRAC SIG •A S I G TS
STR I N S H T S • U S T R C I N S H TS
• AU A IG A A IG
S T R C I N S I H T S • U S T R C I N S I H TS
A C G H A U A C G H
UST T S I
RAC INSIGH S • AU TRAC NSIG TS
STR INS TS • STR INS H TS
A IG A A IG
S T R C I N S I H T S • U S T R C I N S I H TS
AC GH AU AC G