The AUSTRAC risk management tool: Are you meeting your obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006?



By Dr. Drew Donnelly, Compliance Quarter.

Last month, in ‘Financial crime doesn’t pay – three ways in which wrongdoers may soon be hit in the pocket’, we addressed the government’s increasing crackdown on financial crime and wrongdoing and on those who would (even unwittingly) facilitate it. We mentioned the recent court case involving Tabcorp, in which the organisation agreed to pay $45 million for failing to meet its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act).

Today we take a closer look at the requirements of the Act. Specifically, we look at the risk-management obligations for small-to-medium sized enterprises (SMEs) under that Act and its associated regulatory regime. This should be particularly pressing for SMEs, given that the Australian Transaction Reports & Analysis Centre (AUSTRAC) recently identified risk-management as an area of uneven compliance.

Among other areas, AUSTRAC noted the overuse of templates, generic risk assessments and lack of independent review of programs as situations where businesses need to improve.

The requirement to develop a program under the Act

The Act and its associated regulatory regime set out a range of compliance requirements for ‘designated services’ including enrollment, record-keeping and reporting obligations.

Today we focus on the requirement under that Act that ‘designated services’ must develop and comply with an ‘anti-money laundering and counter-terrorism financing program’, which is designed to identify, mitigate and manage the risk that their services might involve or facilitate money laundering or the financing of terrorism (see Part 7, Division 2 of that Act).

The definition of ‘designated services’ in the Act is broad but includes account/deposit-taking services, payroll services, life insurance services and loan services.

The risk-management tool

AUSTRAC has developed a risk management tool to help SMEs with the development of their program. While there is no regulatory requirement to use this tool, it is intended to provide useful guidance for SMEs in the development of a program. The tool sets out several steps for businesses:

Step 1: The business should identify possible risks as part of its program. Categories of possible risk include:

  • Customer risk, such as dealing with new, unknown customers;
  • Service risk, such as a consistent request to a bank for branch pick-up only;
  • Business channel risk, such as use of a third-party agent or broker;
  • Country risk, such as business with a country subject to trade sanctions; and
  • Regulatory risks, such as the risk to the organisation of not submitting their compliance reports.

Step 2: The business needs to carry out a risk assessment. That is, work out the chance that each identified risk will occur, and the impact if it does. The business can then arrive at a ‘risk score’.

Step 3: The business needs to prepare its risk treatment. This includes developing policies and procedures to manage the identified risks.

Step 4: The business needs to prepare for and carry out risk monitoring and review.

Next steps for SMEs

Review the risk management tool (see and consider AUSTRAC’s recent report on compliance (see

If you think that we could be of assistance in developing or reviewing a risk management program for your business, please get in touch.
