A quick-start guide to AML/CTF risk assessments and red flags

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Australia’s AML/CTF regime is on the brink of major reform, with Tranche 2 legislation set to capture law firms, real estate professionals and accountants.

For many, this means new obligations and new opportunities to strengthen defences against money laundering and terrorism financing (ML/TF). At the core of it all is the risk-based approach.

The global risk environment

Financial crime is growing more complex and cross-border. Geopolitical tensions, evolving sanctions and rising levels of organised crime have all contributed to a global risk environment in flux.

This means AML/CTF compliance can’t be static or one-size-fits-all. Professionals in every sector must understand the risks specific to their industry, clients and services.

What is a risk-based approach?

A risk-based approach is about tailoring your AML/CTF framework to your business. That includes assessing who your clients are via CDD, what services you provide, how those services are delivered and where your exposure lies geographically. It’s not about doing everything for every client - it’s about doing the right things based on risk.

As Alice Molan, Partner at Herbert Smith Freehills, puts it:

“The risk-based approach is all about designing a compliance framework that’s responsive to the risks in your business.”

The foundation: ML/TF risk assessments

Your risk assessment is the cornerstone of your AML/CTF program. It identifies the areas where your business is most exposed and ensures your controls are aligned with those risks.

Under the proposed changes to the AML/CTF Act, reporting entities must assess ML/TF risks in relation to:

• Services offered
• Customer types
• Delivery methods (in-person, online, through third parties)
• Jurisdictions involved
• Regulator (AUSTRAC) guidance

Risk assessments must be current, reviewed at least every three years, and approved by senior management. Each outdated risk assessment could count as a separate compliance breach.

Structuring your risk assessment

No matter your industry, your risk assessment should consider:

1. Sectoral risk. Legal, real estate and accounting sectors are inherently high-risk. Consider exposure to high-value transactions, client money, or structures that may obscure ownership.
2. Firm-wide risk. What’s your service mix? What channels do you use? Do you work with offshore clients or receive international funds?
3. Customer risk. High-risk clients may include PEPs, offshore entities, or clients whose business activities don’t align with their source of funds or requested services.
4. Geographic risk. Some countries pose higher ML/TF risk due to poor AML controls, corruption or sanctions.
5. Product/service risk. Trust accounts, cross-border transactions and company formation services often carry elevated risk.
6. Delivery channel risk. Fully online engagements or those mediated through third parties (like family offices) may lack face-to-face verification and increase risk.
7. Transaction/matter risk. Each transaction should be reviewed individually. Look for complexity, unusual payment terms, last-minute changes or crypto involvement.

A strong risk assessment doesn’t just list risks - it evaluates their likelihood and impact and documents how they’re managed.

Start with what you already do

If you’re new to AML/CTF, don’t panic. You’re likely already assessing risk in your day-to-day operations. The key is formalising those instincts.

Legal professionals already screen clients through conflict checks, matter acceptance and fee viability. Start documenting complexity, urgency, or unusual structuring.

Real estate agents vet buyers and sellers, look for unusual sales patterns and conduct basic anti-fraud checks. Build on that by logging sources of funds and whether the client viewed the property.

Accountants assess financial credibility and business models. Start recording client backgrounds, red flags in financials and any economic mismatches.

You don’t need to start from scratch. Use these existing processes to build your formal AML/CTF framework.

Templates are a starting point, not the end

Templates can help structure your approach, especially for smaller firms. But they’re not enough on their own.

Avoid the checkbox mentality. Tailor templates to your firm, offer training to staff, and encourage professional judgement. Set clear escalation processes for concerns.

Practical tips for all sectors

• Start with the big picture
  Define your firm-wide risks: services, client base, jurisdictions and delivery channels.
• Assess clients and matters individually
  Every new engagement is a fresh opportunity to reassess.
• Let your risk assessment guide your AML program
  It should inform how you apply due diligence, manage client money and escalate concerns.
• Monitor ongoing relationships
  Risk changes over time. A low-risk client today could become high-risk tomorrow.
• Keep records
  Document decisions, controls and reviews. Regulators expect a clear audit trail.

Strengthening AML defences

As financial crime becomes more sophisticated, criminals look to exploit professionals as entry points to the financial system. That includes law firms used to move dirty money via trusts, accountants helping structure offshore entities and real estate agents enabling anonymous property purchases.

Regulatory reform is about making these sectors more resilient and accountable. A strong, practical risk assessment helps you stay compliant, spot red flags and make confident decisions.

Whether you're helping settle a property, prepare a tax return or draft a trust deed, your AML obligations are coming. Start small, stay practical and apply your judgement. If something doesn’t feel right, it probably isn’t.