Preventing financial crime using a risk-based approach

Many requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and AML/CTF Rules are risk-based.

Adopting a risk-based approach is fundamental to meeting your obligations under the AML/CTF Act, and also protecting your business and the financial system from criminal abuse.

Under a risk-based approach, you identify and assess the money laundering and terrorism financing (ML/TF) risks your business faces and determine which ones are the greater and lesser threats to your business.

You can then apply your resources where they will have the biggest impact, to mitigate and manage the highest assessed ML/TF risks.

A risk-based approach recognises that ML/TF risks are not the same for every business, customer or transaction. It recognises that you are best placed to understand your particular ML/TF risks, taking into account your:

  • customer types (e.g. natural persons, companies etc.)
  • products or services offered
  • geographical areas in which the business operates
  • delivery channels (e.g. over-the-counter, online).

For example, you would rely on your assessment of the risks when determining how to complete customer identification for a particular customer. Different procedures can be applied depending on the level of risk. When dealing with medium risk customers, services and situations, the level of customer due diligence and other risk mitigation would be lower than if you were dealing with high risk customers, services and situations.

Senior management oversight

Senior management must be made aware of, and understand, the ML/TF risks to your business, and decide whether the business is capable of mitigating and managing the identified risks effectively.

Documenting and maintaining your risk assessment is important to ensure that senior management and relevant employees understand the ML/TF risks.

Your senior management or board must approve and oversee the implementation of the risk-based systems and controls that are documented in your AML/CTF program. Decisions about entering or maintaining particular higher-risk business relationships, for example, must be escalated to senior management for consideration.

Why adopt a risk-based approach?

A risk-based approach is at the foundation of global best practice approaches to combating money laundering and terrorism financing.

A risk-based approach to mitigating and managing ML/TF risk means you can focus on the outcomes that the regulation is intended to achieve, that is, preventing money laundering, terrorism financing and other serious financial crimes, rather than complying with a checklist of requirements.

The benefits of this approach include:

  • more efficient and effective use of resources
  • minimising compliance costs and burdens on customers
  • greater flexibility to respond to new and emerging risks as money laundering and terrorism financing methods change.

Applying a risk-based approach to your AML/CTF obligations

Where you identify ML/TF risks, you must develop and implement procedures to mitigate and manage them. A risk-based approach allows you to apply measures proportionate to the level of risk. This ensures that you can use your resources effectively.

Continually review and update your risk assessment

For a risk-based approach to work, you need to continually review and update your risk assessment. You must ensure you understand the risks your business faces, including identifying and addressing new and emerging risks. This assessment must also take into account guidance and other information provided or published by AUSTRAC and law enforcement agencies.

Systems and controls

Your approved systems and controls to mitigate and manage your identified ML/TF risks should also be adequately resourced.

Staff training and communication

It’s also important to communicate these risks to all relevant employees through appropriate documentation and AML/CTF risk awareness training. Document your risk assessment and procedures for mitigating and managing your identified ML/TF risks, including supporting evidence, and how you will monitor effectiveness.

Examples: Applying a risk-based approach effectively

Example 1

FinanceCo has assessed that there is significantly higher risk when its customers use cash versus online transactions.

To mitigate and manage this risk, staff have been trained to ask a series of additional questions when processing cash transactions. FinanceCo has also implemented enhanced monitoring alerts to detect unusual activity associated with cash transactions.

Example 2

TransferIt Pty Ltd has updated its risk assessment and determined that transactions sent to a particular south-east Asian country are no longer a high risk.

They make changes to their systems and controls, proportional to the new level of risk, and document the reason for the change and the internal approval process. These changes involve TransferIt removing and adjusting existing monitoring alerts for customers that transact to the country. 

Understanding ML/TF risks

ML/TF risks can be broadly understood on two levels:

  • at the whole-of-reporting entity level
  • in relation to particular customers and business relationships.

The AML/CTF Act and Rules set out a range of measures required for reporting entities to identify, mitigate and manage their ML/TF risk across their businesses. See AUSTRAC’s guidance and insights on risk assessments.

In line with your business’s risk assessment, you must apply a range of risk-based systems and controls when dealing with particular customers, including:

  • procedures to verify your customers’ identity and for ongoing due diligence
  • understanding the nature and purpose of the business relationship with different customer types
  • understanding the control structure of non-individual customers (i.e. underlying beneficial ownership information)
  • understanding risks arising from changes in the nature of the business relationship, control structure, or beneficial ownership of your customers
  • ongoing monitoring of transactions and business relationships with the assessed level of ML/TF risks.

See AUSTRAC’s guidance on customer identification and verification.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 31 Mar 2023
Page ID: 628
