What Is Risk Assessment and Why Your Practice Needs It by July 2026

A foundational guide for accountants and lawyers preparing for Tranche 2 AML/CTF compliance

If you're an accountant or lawyer in Australia, July 1, 2026 marks a watershed moment for your practice. From that date, your profession becomes subject to comprehensive Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations under the reforms known as Tranche 2.

At the heart of these new requirements sits a concept that many professionals find confusing: risk assessment. This isn't just another compliance checkbox—it's a fundamental shift in how you'll onboard and manage client relationships.

This guide explains what risk assessment actually means, why it's required, and what it will mean for your practice.

Which Services Trigger AML/CTF Obligations?

For Accountants:

  • Forming companies, trusts, or partnerships for clients

  • Acting as a nominee director, shareholder, or partner

  • Providing registered office or business address services

  • Acting as a trustee

  • Preparing for or carrying out financial transactions

  • Tax agent services in certain circumstances

For Lawyers:

  • Managing client money, securities, or property in trust accounts

  • Forming companies, trusts, or partnerships for clients

  • Acting as nominee director, shareholder, or partner

  • Real property transactions (buying, selling, or managing)

  • Trust and company administration services

Not every service you provide will trigger obligations—but many core services will.

Understanding Risk Assessment: What It Actually Means

Simple definition: Risk assessment is the process of evaluating the potential money laundering and terrorism financing (ML/TF) risk associated with providing services to a specific client.

Think of it as asking and answering: "What's the likelihood that this client relationship could, even unknowingly, involve or facilitate financial crime?"

Let's clear up common misconceptions:

What Risk Assessment Is NOT

Not a judgment of your client's character or integrity

Not a credit check or financial assessment

Not about whether you trust your client

Not focused on tax compliance or business viability

Not discriminatory profiling

What Risk Assessment IS

A regulatory requirement under the AML/CTF Act

An objective evaluation based on defined risk factors

Focused on ML/TF risk, not other business risks

Applied consistently to all clients

Designed to protect Australia's financial system


The Two Levels of Risk Assessment

AUSTRAC requires risk assessment at two distinct levels:

1. Enterprise-Wide ML/TF Risk Assessment

You must develop and maintain a comprehensive risk assessment of your entire practice, considering:

  • Client types you serve (individuals, companies, trusts, high-net-worth clients, politically exposed persons)

  • Services you provide (which designated services trigger obligations)

  • Delivery channels (in-person, online, through intermediaries)

  • Geographic exposure (clients in high-risk jurisdictions)

  • Transaction patterns (cash-intensive services, unusual complexity)

This assessment informs your AML/CTF Program—your documented compliance framework that must be approved by your governing body and reviewed at least every three years.

According to AUSTRAC guidance, this risk assessment must take into account:

  • AUSTRAC's published guidance and risk insights

  • National risk assessments on money laundering and terrorism financing

  • Sector-specific indicators of suspicious activity

  • Intelligence from law enforcement and regulatory agencies

  • Your firm's actual experience and incident history

2. Individual Client Risk Assessment

For each client, you must conduct Customer Due Diligence (CDD) that includes determining their ML/TF risk profile. This happens in two phases:

Initial CDD (before providing designated services):

  • Verify client identity

  • Understand the nature and purpose of the relationship

  • Assess the client's ML/TF risk based on information reasonably available

  • Determine what level of due diligence is appropriate

Ongoing CDD (throughout the relationship):

  • Monitor for unusual transactions or behaviour

  • Review and update client information at appropriate frequencies

  • Reassess risk if circumstances change significantly

  • Identify triggers for enhanced due diligence

The Five Risk Levels Explained

Each firm defines its own risk categories in its AML/CTF Program. A common approach, and the one used in the examples below, distinguishes five levels (the first of which is a system state rather than a genuine rating):

NO RISK DETECTED

  • Indication: No assessment rules were triggered (typically indicates a system configuration issue)

  • Reality: Every client carries some level of risk—even if minimal

  • Action: Should not occur with properly configured systems

LOW RISK

  • Characteristics: Standard client with straightforward services, verified identity, domestic operations

  • Frequency: The majority of typical clients fall here

  • CDD Level: Standard due diligence

  • Example: Australian individual seeking tax return preparation with verified identity and clear source of income

MEDIUM RISK

  • Characteristics: Some complexity requiring additional scrutiny

  • Frequency: Less common, but not unusual

  • CDD Level: Enhanced documentation or explanation may be needed

  • Examples:

    • Client with international business interests

    • Complex trust structures

    • Cash-intensive businesses

    • Clients using intermediaries

HIGH RISK

  • Characteristics: Significant risk factors requiring enhanced due diligence

  • Frequency: Uncommon for most practices

  • CDD Level: Enhanced CDD mandatory

  • Examples:

    • Politically Exposed Persons (PEPs) or their family members

    • Clients from high-risk jurisdictions

    • Complex offshore structures

    • Unusual transaction patterns

EXTREME RISK

  • Characteristics: Maximum risk requiring intensive controls

  • Frequency: Rare

  • CDD Level: Senior management approval, comprehensive enhanced due diligence

  • Examples:

    • Sanctions screening alerts

    • Known links to criminal activity

    • Transactions connected to conflict zones

Critical point: Risk levels determine the depth of due diligence required. Higher risk doesn't mean you must refuse service—it means you must take additional steps to understand and mitigate the risk.

What Factors Determine Risk Level?

AUSTRAC identifies key factors that influence ML/TF risk:

Client-Related Factors

  • Identity verification status (fully verified vs. gaps in documentation)

  • Client type (individual, company, trust, partnership)

  • Beneficial ownership transparency (clear ownership vs. complex structures)

  • PEP status (prominent public positions create higher risk)

  • Business activities (cash-intensive industries, import/export, real estate)

  • Source of wealth (explained and consistent vs. unclear or inconsistent)

Service-Related Factors

  • Type of designated service (trust account management carries different risk than tax prep)

  • Transaction complexity (simple returns vs. complex restructures)

  • Service frequency (one-off vs. ongoing relationship)

  • Face-to-face interaction (in-person vs. remote/online only)

Geographic Factors

  • Client location (domestic vs. international)

  • High-risk jurisdictions (countries with weak AML/CTF controls)

  • Sanctions countries (designated by Australian government)

  • Transaction destinations (where money is moving to/from)

Behavioural Indicators

  • Reluctance to provide information

  • Inconsistent or contradictory details

  • Unusual hurry or pressure to complete transactions

  • Requests to circumvent normal procedures

  • Transactions lacking economic rationale

The Risk Assessment Process in Practice

Here's what risk assessment looks like operationally:

Step 1: Client Onboarding

When a new client engages your services:

  1. Collect identity verification documents

  2. Understand the service they're requesting

  3. Gather information about their circumstances

  4. Check for PEP status and sanctions screening

Step 2: Automated Risk Evaluation

Modern compliance platforms (like VerifiMe) automatically assess risk by:

  • Verifying identity against Australian government-held records through the Document Verification Service (DVS)

  • Screening against sanctions lists

  • Applying your firm's risk rules to the client's profile

  • Calculating an initial risk rating in seconds

Step 3: Risk Mitigation

Based on the risk level:

  • Low Risk: Proceed with standard onboarding

  • Medium/High Risk: Complete additional due diligence steps (source of wealth verification, additional documentation, explanation of business purpose)

  • Extreme Risk: Senior management review, comprehensive enhanced due diligence, consider whether to provide service

Step 4: Ongoing Monitoring

Throughout the client relationship:

  • Monitor for changes in risk profile

  • Conduct periodic reviews (frequency based on initial risk)

  • Reassess if services or circumstances change materially

  • Document all risk decisions
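Steps 1 to 4 above amount to a small rules engine: gather a client profile, apply the firm's rules, map the resulting level to due diligence actions and a review date. The following is an added example written for this guide; it is not VerifiMe's engine and not logic prescribed by AUSTRAC. The rule set, the three-medium-factors escalation threshold, the placeholder jurisdiction codes and the review intervals are all assumptions standing in for a firm's own risk appetite and the sanctions and jurisdiction lists it would maintain. It also shows why "no risk detected" is treated as a configuration fault rather than a result.

```python
"""Illustrative rule-based ML/TF client risk rating for a Tranche 2 practice.

Added example: not VerifiMe's engine. Rules, thresholds, jurisdiction codes and
review intervals are assumptions standing in for a firm's own risk appetite.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Callable


class RiskLevel(IntEnum):
    """Ordered so that max() over the rules that fired gives the controlling level."""
    NO_RISK_DETECTED = 0  # sentinel only: no rule fired, treated as a configuration fault
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    EXTREME = 4


class ConfigurationError(Exception):
    """Raised when no rule fires; a correct rule set has a baseline matching every client."""


@dataclass
class ClientProfile:
    identity_verified: bool            # e.g. DVS check passed
    client_type: str                   # "individual", "company", "trust", "partnership"
    beneficial_owners_clear: bool
    pep: bool
    sanctions_hit: bool
    countries: set[str]                # jurisdictions involved in the relationship
    cash_intensive: bool
    uses_intermediary: bool
    source_of_wealth_explained: bool
    behavioural_flags: set[str] = field(default_factory=set)


# Placeholder codes, constructed for this example. A real firm would populate these
# from DFAT sanctions data and FATF/AUSTRAC guidance and keep them current.
HIGH_RISK_JURISDICTIONS = {"XH"}
SANCTIONED_JURISDICTIONS = {"XS"}

# (rule name, predicate, level the rule asserts). Assumed firm policy, not regulation.
RULES: list[tuple[str, Callable[[ClientProfile], bool], RiskLevel]] = [
    ("baseline_verified", lambda c: c.identity_verified, RiskLevel.LOW),
    ("identity_gaps", lambda c: not c.identity_verified, RiskLevel.MEDIUM),
    ("international_exposure", lambda c: bool(c.countries - {"AU"}), RiskLevel.MEDIUM),
    ("opaque_ownership",
     lambda c: c.client_type != "individual" and not c.beneficial_owners_clear, RiskLevel.MEDIUM),
    ("cash_intensive", lambda c: c.cash_intensive, RiskLevel.MEDIUM),
    ("intermediary", lambda c: c.uses_intermediary, RiskLevel.MEDIUM),
    ("pep", lambda c: c.pep, RiskLevel.HIGH),
    ("high_risk_jurisdiction", lambda c: bool(c.countries & HIGH_RISK_JURISDICTIONS), RiskLevel.HIGH),
    ("unexplained_wealth", lambda c: not c.source_of_wealth_explained, RiskLevel.HIGH),
    ("behavioural_red_flags", lambda c: len(c.behavioural_flags) >= 2, RiskLevel.HIGH),
    ("sanctions_alert",
     lambda c: c.sanctions_hit or bool(c.countries & SANCTIONED_JURISDICTIONS), RiskLevel.EXTREME),
]

MEDIUM_RULES_TO_ESCALATE = 3  # assumed: several medium factors together warrant enhanced CDD

CDD_ACTIONS = {
    RiskLevel.LOW: ["standard CDD"],
    RiskLevel.MEDIUM: ["standard CDD", "additional documentation", "record business purpose"],
    RiskLevel.HIGH: ["enhanced CDD", "verify source of wealth", "closer ongoing monitoring"],
    RiskLevel.EXTREME: ["enhanced CDD", "verify source of wealth",
                        "senior management approval", "decide whether to provide the service"],
}

# Assumed review intervals; the guide only says frequency depends on the initial rating.
REVIEW_INTERVAL_DAYS = {RiskLevel.LOW: 730, RiskLevel.MEDIUM: 365,
                        RiskLevel.HIGH: 180, RiskLevel.EXTREME: 90}


@dataclass
class Assessment:
    level: RiskLevel
    triggered: list[str]
    cdd_actions: list[str]
    next_review: date


def assess(client: ClientProfile, assessed_on: date | None = None, rules=RULES) -> Assessment:
    """Apply every rule; the highest level asserted by any firing rule controls."""
    assessed_on = assessed_on or date.today()
    fired = [(name, level) for name, pred, level in rules if pred(client)]
    if not fired:
        # "No risk detected" is never a valid outcome: every client carries some risk, so
        # an empty result means the rule set lacks a baseline rule and must be fixed.
        raise ConfigurationError("no rule matched the client; check the rule set")
    level = max(level for _, level in fired)
    mediums = sum(1 for _, lvl in fired if lvl == RiskLevel.MEDIUM)
    if level == RiskLevel.MEDIUM and mediums >= MEDIUM_RULES_TO_ESCALATE:
        level = RiskLevel.HIGH  # several medium factors compound into enhanced CDD
    return Assessment(
        level=level,
        triggered=[name for name, _ in fired],
        cdd_actions=list(CDD_ACTIONS[level]),
        next_review=assessed_on + timedelta(days=REVIEW_INTERVAL_DAYS[level]),
    )


if __name__ == "__main__":
    # Constructed sample: verified Australian individual seeking tax return preparation.
    routine = ClientProfile(True, "individual", True, False, False, {"AU"}, False, False, True)
    print(assess(routine, date(2026, 7, 1)))
```

Two design choices matter here. The controlling level is the maximum asserted by any rule, not a sum of points, so a single sanctions alert can never be diluted by a long list of reassuring low-risk factors; the escalation rule then handles the opposite case, where no single factor is alarming but several medium ones coincide. And the engine refuses to return "no risk detected": a baseline rule must match every client, so an empty result is surfaced as a configuration error instead of being recorded as a rating.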

Why This Matters for Your Practice

Regulatory Compliance

Non-compliance carries serious consequences:

  • Civil penalties of up to $22.2 million for corporate entities (the cap is expressed in penalty units, so the dollar figure is indexed over time)

  • Criminal prosecution for serious breaches

  • Reputational damage

  • Potential loss of practising certificate

Protecting Your Practice

Risk assessment is actually a business protection tool:

  • Reduces your exposure to being unknowingly used for criminal purposes

  • Provides documented evidence of your due diligence

  • Creates defensible decision-making if client relationships are questioned

  • Identifies red flags early before you're deeply involved

Professional Standards

Your professional bodies support these requirements:

  • Aligns with existing "know your client" principles

  • Reinforces existing anti-money laundering guidance

  • Protects the reputation of your profession

  • Demonstrates commitment to ethical practice

Common Concerns Addressed

Q: "Won't this slow down client onboarding?"

Short answer: Potentially, but only initially.

For low-risk clients (the vast majority), automated systems complete risk assessment in seconds. For higher-risk clients requiring enhanced due diligence, yes—onboarding takes longer. But this protects you from problematic relationships.

Early adopters report that after initial setup, the process becomes routine and clients come to expect it.

Q: "How do I assess risk in areas outside my expertise?"

You don't have to be a criminal intelligence expert.

Modern compliance platforms embed risk intelligence from AUSTRAC, law enforcement, and industry sources. You input client information; the system applies sophisticated risk rules based on regulatory guidance.

Your role is to:

  • Collect accurate client information

  • Respond to system alerts

  • Apply professional judgment to unusual situations

  • Escalate concerns appropriately

Q: "What if a good client is flagged as high-risk?"

High risk doesn't mean bad client.

Many legitimate clients have risk factors (international operations, complex structures, PEP status). High risk means enhanced due diligence is required—not that you must refuse service.

You'll need to:

  • Collect additional documentation

  • Understand and document their circumstances more thoroughly

  • Monitor the relationship more closely

  • Potentially get senior management approval

Most high-risk assessments are resolved with proper documentation.

Q: "Can I outsource this?"

Partially, yes.

You can use third-party compliance platforms (like VerifiMe) to:

  • Verify client identities

  • Conduct sanctions screening

  • Apply risk assessment rules

  • Provide audit trails

However, you remain responsible for:

  • Defining your risk assessment approach

  • Making final decisions about client relationships

  • Maintaining your AML/CTF Program

  • Reporting suspicious matters to AUSTRAC

The July 2026 Timeline: Why Start Now?

Starting now means:

  • Spreading client verification over 8 months instead of rushing in weeks

  • Identifying and resolving issues before they're urgent

  • Training staff gradually with real scenarios

  • Building confidence in systems before they're mandatory

  • Avoiding the last-minute compliance rush

What VerifiMe Can Do for Your Practice

VerifiMe is purpose-built for Australian AML/CTF compliance, offering:

Automated Identity Verification

  • DVS integration with Australian government databases

  • Biometric verification for document authenticity

  • Instant verification results

Flexible Risk Assessment Engine

  • Pre-configured "Golden Path" rule sets for professional services

  • Customizable rules matching your risk appetite

  • Automated risk calculation based on verified identity data

Compliance Management

  • Digital audit trails for AUSTRAC readiness

  • Risk mitigation workflow tracking

  • Suspicious matter report preparation support

Client Experience

  • Digital identity wallet for clients

  • "Verify once, use many times" efficiency

  • Clients control who is permitted to access their verified identity

Key Takeaways

  1. Risk assessment is mandatory from July 1, 2026 for accountants and lawyers providing designated services

  2. Risk assessment is about compliance, not judgment of your clients' character

  3. Most clients will be low risk and experience minimal friction in onboarding

  4. Higher risk requires enhanced due diligence, not automatic refusal of service

  5. Technology platforms can automate much of the risk assessment process

  6. Early preparation is crucial—the 8-month window will close quickly

  7. AUSTRAC provides extensive guidance—use their sector-specific risk insights and indicators

  8. Your professional body and compliance specialists can provide additional support

This blog is part of the VerifiMe Tranche 2 Compliance Series.

Want to see how VerifiMe simplifies risk assessment for professional services firms? Book a demonstration

