    Astris Law
    Insights · 13 May 2026 · 5 min read

    AML/CTF Risk Assessment: Building a Proportionate Program for Mid-Market Firms

    Summary

    An AML/CTF program is only as good as the risk assessment beneath it. This article explains how a mid-market firm assesses its money laundering and terrorism financing risk and builds a program that is genuinely proportionate, meeting the AML/CTF Act without bolting on controls built for a major bank.

    Last reviewed · Reviewed by Jamie Nuich, Legal Practitioner Director

    Key Takeaways

    • A money laundering and terrorism financing risk assessment is the foundation of the program.
    • The regime is risk-based, so controls should match the risk a firm actually faces.
    • Risk is commonly assessed across customers, services, delivery channels and jurisdictions.
    • The program must name a fit and proper AML/CTF compliance officer and provide for staff training.
    • Programs must be kept current and reviewed as the business and the law change.

    An AML/CTF program is only as good as the risk assessment beneath it. This article explains how a mid-market firm assesses its money laundering and terrorism financing risk and builds a program that is genuinely proportionate, meeting the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) without bolting on controls built for a major bank.

    In Brief

    The risk assessment comes first. The program is built on top of it. The regime is risk-based, so fit to risk is the guiding principle. Risk is usually considered across customers, services, channels and geography. The program names who is responsible and provides for training and review.

    Step 1: Define the scope of the assessment

    Start by identifying which of your activities are designated services, because those are what bring you within the regime and what the assessment has to cover. Mid-market firms often run a mix of activities, only some of which are designated services. Map that scope clearly and you keep the assessment focused, avoiding both gaps and wasted effort.

    If the Tranche 2 reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) bring new activities within scope for your sector, include them. Those reforms commence on 1 July 2026 and extend designated services to many professional and real estate activities, so any newly captured service belongs in the assessment, and a firm that has not previously been a reporting entity should have its assessment and program in place before that date rather than after it.

    Step 2: Assess risk across the key factors

    A practical risk assessment weighs several factors together. The common categories are:

    • Customer risk, which turns on the types of customers you serve, their structures and their behaviour.
    • Service and product risk, which turns on the designated services you provide and how they could be misused.
    • Delivery channel risk, which turns on whether you deal face to face, remotely or through intermediaries.
    • Jurisdiction risk, which turns on the locations connected to your customers and transactions.

    For each factor, form a view on the level of risk and why. The goal is a reasoned, documented picture of where your exposure sits, not a number for its own sake.

    Step 3: Design controls that match the risk

    Once the risk picture is clear, design controls that respond to it. A firm with a small number of well-understood, lower-risk customers does not need the apparatus of a major bank. A firm with higher-risk exposure should invest more.

    Controls usually cover how you conduct customer due diligence, how you monitor transactions, how you apply enhanced measures to higher-risk customers, and how you escalate and report suspicious matters. Each control should trace back to a risk in the assessment, and the program should record that link so a reviewer can follow it in both directions. A control that answers no identified risk is wasted effort. A risk with no control behind it is exposure.

    Step 4: Appoint a compliance officer and train your staff

    The program needs an owner. You must appoint an AML/CTF compliance officer, a fit and proper person with the authority and standing to make compliance work. The program should name that person rather than leaving responsibility diffuse.

    Staff also need to understand their part. Training lets the people who onboard customers and handle transactions recognise risk and know what to do when something looks wrong. A control that exists on paper but is unknown to front-line staff does not function.

    Step 5: Review and keep the program current

    Risk is not static. Customers change, services change and the law changes. The program should provide for regular review and be updated when circumstances shift. A fresh perspective from time to time helps catch drift between what the program says and what the firm actually does.

    For an external view of where programs fall short, our starter kit gaps report card sets out recurring weaknesses and our anti-money laundering practice page describes how we help firms close them.

    Signs a program is not proportionate

    • It reads like a bank's program despite a far smaller and simpler business.
    • It applies the same intensive controls to every customer regardless of risk.
    • It identifies risks that the controls never actually address.
    • No one in the firm clearly owns it.
    • It has not been reviewed since it was first written.

    Frequently Asked Questions

    Why does the risk assessment come before the program?

    Because the program exists to manage identified risk. Without an assessment, controls are guesswork. The assessment tells you where your exposure lies so the program can respond to it.

    What does proportionate mean in practice?

    The depth of your controls should match the risk you face. A genuinely lower-risk firm can run a leaner program. Higher-risk exposure warrants more intensive measures. It is about fit, not minimum effort.

    What factors should a risk assessment cover?

    Commonly customers, services and products, delivery channels and jurisdictions, considered together to build a reasoned picture of where the firm's risk is concentrated.

    Who should be responsible for the program?

    A nominated AML/CTF compliance officer within the firm, a fit and proper person with the authority to oversee compliance. Diffuse responsibility tends to mean no responsibility.

    How often should the program be reviewed?

    Regularly, and whenever the business, its customers or the law change materially. A program that is never revisited drifts out of step with the firm it is meant to protect.

    This is general information, not advice on your situation. If you would like help assessing your risk and building a proportionate program, get in touch or call (07) 4270 8880.

    Sources and References

    • Legislation: Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
    • Legislation: Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth)
    • Regulator: AUSTRAC guidance on AML/CTF programs

    This article is for general information purposes only and does not constitute legal advice and should not be relied on as such. While we take reasonable care to ensure the accuracy of the information provided, we make no representations or warranties as to its completeness, currency or reliability. We accept no liability for any loss or damage arising directly or indirectly from the use of, or reliance on, this website's content. You should always seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.
