The Customer Risk Assessment Process: From Customer Onboarding to Compliance
21 January 2026


How customer risk assessment actually works—a guide for Tranche 2 entities

In our first risk assessment blog, we explained what risk assessment is and why it's mandatory from 1 July 2026. Now let's get practical: how does customer risk assessment actually work?

Risk assessment isn't a single event—it's an integrated process that runs throughout your customer relationship.

The Big Picture: Two Phases of CDD

AUSTRAC structures Customer Due Diligence (CDD) into two distinct phases, each with its own risk assessment requirements:

1. Initial CDD: Before You Provide Services

Purpose: Understand who your customer is and what ML/TF risk they present before you begin providing designated services.

Key Requirements:

  • Verify customer identity using approved methods
  • Establish the nature and purpose of the relationship
  • Determine the customer's ML/TF risk profile
  • Decide what level of due diligence is appropriate
  • Complete this before providing any designated service

Risk Assessment Role: Initial risk assessment determines whether you can proceed with standard CDD, or whether enhanced CDD is required.

2. Ongoing CDD: Throughout the Relationship

Purpose: Monitor the customer relationship for changes that could increase risk or trigger red flags.

Key Activities:

  • Monitor for unusual transactions or behaviour
  • Review and update customer information at appropriate frequencies
  • Reassess risk if circumstances change significantly
  • Identify triggers for enhanced due diligence
  • Submit suspicious matter reports when necessary

Risk Assessment Role: Periodic reassessments ensure your understanding of the customer's risk remains current.

Common Questions

a) "How long does the whole CDD process take?"

For low-risk customers (70-80% of cases):

  • Identity verification: 5-15 minutes (Customer time)
  • Automated processing: Seconds to minutes
  • Risk assessment: Automatic upon verification
  • Mitigation review: Minutes (usually none required)
  • Total elapsed time: Same day, often within an hour

For medium-risk customers:

  • Identity verification: Same as above
  • Risk assessment: Automatic
  • Mitigation completion: Hours to days (depends on how quickly the required information can be gathered)
  • Total elapsed time: 1-3 business days

For high-risk or complex customers:

  • Identity verification: Same as above
  • Enhanced due diligence: Days to weeks
  • Senior management approval: Additional time
  • Total elapsed time: 1-2 weeks or more

b) "Do I need to reassess existing customers?"

Pre-commencement customers (customers onboarded before 1 July 2026):

Good news: You don't need to conduct initial CDD again unless:

  • You need to file a suspicious matter report about them
  • There's a significant change resulting in medium/high ML/TF risk
  • They request new designated services that are materially different from the existing relationship

However, you must:

  • Monitor for unusual transactions and behaviours
  • Review and update KYC information at appropriate frequency
  • Maintain ongoing CDD throughout relationship

Practical approach:

  • Risk-based prioritization of existing customer remediation
  • A phased approach over the 18-month window
  • Focus first on high-risk or high-value customers

c) "What if I get the risk assessment wrong?"

The good news:

  • Customer risk assessment is based on objective criteria defined in your rules
  • The system applies those rules consistently to every customer
  • Your documentation records the reasoning behind each decision

If challenged:

  • AUSTRAC expects reasonable grounds, not perfection
  • Your documented process demonstrates good faith
  • You can revise and improve your rules over time
  • Regular reviews show ongoing commitment

Protection through documentation:

  • Detailed mitigation comments
  • Clear rationale for decisions
  • Evidence of rule application
  • Proof of ongoing monitoring

Key Takeaways

  1. Risk assessment is integrated into customer onboarding—not a separate, disconnected process
  2. Most of the process is automated when using modern compliance platforms like VerifiMe
  3. Initial CDD happens before you provide designated services—it's a prerequisite, not an afterthought
  4. Ongoing CDD continues throughout the relationship—this isn't "set and forget"
  5. Mitigations are your compliance toolkit—they demonstrate how you manage identified risks
  6. Documentation happens automatically when using proper systems—your audit trail builds itself
  7. Most customers are low risk and experience minimal friction
  8. The process gets easier as you gain experience and refine your rules
