Compliance Risk Assessment: A Practical Guide
Learn how to identify, evaluate, and mitigate regulatory risks. A step-by-step compliance risk management framework aligned with AUSTRAC expectations...

A compliance risk assessment is the structured process by which a firm identifies the regulatory obligations relevant to its activities, evaluates the likelihood and impact of failing to meet them, and implements controls to reduce residual exposure to an acceptable level. In Australia, the AML/CTF Act 2006 and the AML/CTF Rules make a documented, risk-based approach a legal obligation, not an optional best practice. Firms that treat it as a one-off exercise or a box-ticking formality face enforcement action, civil penalties, and personal liability for senior managers who approved inadequate frameworks.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Firms should seek independent legal counsel to assess their specific obligations.
What is a compliance risk assessment?
A compliance risk assessment is a formal evaluation that maps an organisation's regulatory exposure, scores each identified risk, and produces a documented plan for reducing that exposure through targeted controls. It is distinct from a general enterprise risk assessment: it focuses specifically on the risk of violating laws, regulations, rules, codes of conduct, or internal policies, and the consequential harm that flows from those violations, including regulatory sanctions, reputational damage, and financial loss.
In regulated Australian sectors, two separate but interlinked assessments are required as of March 2026:
- ML/TF Risk Assessment: A firm-level view of all material money laundering and terrorism financing risks, covering the designated services provided, the customer base, geographies, delivery channels, and the firm's vulnerability to ML/TF. AUSTRAC expects this to be a living document, reviewed formally at least annually and updated whenever material changes occur.
- Customer Risk Assessment: A transaction- or relationship-level assessment applied to individual customers or prospects, rating them against factors such as PEP status, source of funds, country risk, and business type.
Organisations that conduct both quantitative and qualitative assessments, using weighted risk factors rather than binary pass/fail scores, consistently demonstrate lower residual risk and stronger regulator relationships. AUSTRAC's compliance assessments have identified a clear divergence between reporting entities with mature compliance risk management and those operating inadequate frameworks. Good practice includes documented senior management sign-off, weighted risk scoring, and integration across business lines. Poor practice includes static assessments that have not been updated in years, a narrow focus on a single risk type, and no evidence of board or senior manager engagement.
For a broader view of how risk assessment fits within a firm's overall governance structure, see our guide to governance, risk management and compliance (GRC).
Five steps to build a robust compliance risk management framework
A robust compliance risk management framework follows five sequential steps: scope definition, risk identification, risk evaluation, control design and implementation, and monitoring with periodic review. Skipping any step, particularly the monitoring and review phase, is among the most common failures identified by AUSTRAC.
Step 1: Define scope and regulatory universe
Before assessing any risk, the firm must establish which regulations apply to it. In Australia, the regulatory universe for a financial services firm typically includes the AML/CTF Act 2006, the Proceeds of Crime Act 2002 (Cth), ASIC regulatory requirements for AFS licensees, APRA prudential standards (including CPS 220 Risk Management, which requires APRA-regulated entities to maintain appropriate risk management frameworks), and the FATF 40 Recommendations, which inform Australia's national risk assessment.
Scope definition must also identify the business units, products, geographies, customer segments, and third parties in scope. Firms with correspondent banking relationships, high-volume cash transactions, or cross-border payment flows will have a materially larger scope than a domestic retail lender.
Step 2: Identify compliance risks
Risk identification draws on multiple sources: regulatory publications and AUSTRAC guidance, horizon scanning for forthcoming legislation (including the AML/CTF reform program), internal incident logs, findings from previous audits, staff interviews, and benchmarking against industry typologies published by AUSTRAC and the AFP. AUSTRAC's Strategic Analysis reports provide sector-specific typologies and risk indicators that reporting entities are expected to apply.
Each identified risk should be recorded in a risk register with a unique identifier, a plain-English description, the regulatory obligation it relates to, and the business area it affects. Risks left undescribed are risks that go unmanaged.
Step 3: Evaluate likelihood and impact
Risk evaluation assigns two scores to each identified risk, the likelihood of the risk materialising and the impact if it does, producing an inherent risk rating before any controls are applied. Controls are then assessed for their effectiveness, yielding a residual risk rating.
The table below illustrates a standard three-tier scoring framework aligned with AUSTRAC expectations:
| Risk component | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Inherent likelihood | Rare; no prior incidents; low-risk sector | Possible; some indicators; moderate exposure | Frequent or near-certain; active typologies present |
| Inherent impact | Minor operational disruption; immaterial penalty | Significant fine; reputational damage; customer harm | Regulatory censure; licence at risk; criminal referral |
| Inherent risk score | 1-2 | 3-4 | 6-9 |
| Control effectiveness | Robust; tested; automated; fully documented | Partial; manual; inconsistently applied | Weak; untested; absent |
| Residual risk | Low; acceptable with standard monitoring | Medium; requires enhanced monitoring and owner accountability | High; requires immediate remediation and senior management escalation |
Firms using purely qualitative labels ("low / medium / high") without weighted scores give senior management and regulators no basis for comparing risks across business lines. Weighted, numerical scoring, even on a simple 1-3 scale, produces defensible, comparable results.
Step 4: Design and implement controls
Controls should be proportionate to the residual risk score. High residual risks require preventive controls (blocking or deterring the breach before it occurs), detective controls (identifying a breach quickly after it occurs), and corrective controls (restoring compliance and remediating harm). Medium risks may be managed with detective and corrective controls alone, with documented rationale for that decision.
For document-intensive compliance workflows, such as customer identification, right-to-work checks, or supplier onboarding, automated document verification reduces the reliance on manual review, which is one of the most common sources of control failure. Automation does not replace compliance judgement; it ensures that the raw data on which that judgement depends is accurate, current, and consistently captured.
Step 5: Monitor, test, and review
The compliance risk management cycle closes with ongoing monitoring and formal periodic review. AUSTRAC expects the ML/TF risk assessment to be reviewed at least annually, with the review documented and approved by senior management. Reviews should also be triggered by material events: a new product launch, entry into a new market, a significant regulatory development, or an internal incident.
Monitoring mechanisms include management information reports, key risk indicators (KRIs), transaction monitoring alerts, file reviews, and thematic internal audits. The results should feed back into the risk register, updating likelihood and control effectiveness scores.
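As an added illustration of Steps 2 to 5 (example code written for this page, not part of the original article or of CheckFile's platform), the register below scores each risk with the article's 1-3 table and flags overdue reviews. The residual-score formula, the register entries, owners and dates are constructed assumptions, not AUSTRAC's methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta

def band(score: float) -> str:
    # Table bands: 1-2 Low, 3-4 Medium, 6-9 High. Products of two 1-3 scores are only 1, 2, 3, 4, 6, 9.
    return "Low" if score < 3 else "Medium" if score < 6 else "High"

@dataclass
class Risk:
    risk_id: str                # unique identifier (Step 2)
    description: str            # plain-English description
    obligation: str             # regulatory obligation the risk relates to
    owner: str                  # named owner, so escalations have somewhere to go
    likelihood: int             # 1 rare, 2 possible, 3 frequent or near-certain
    impact: int                 # 1 minor, 2 significant, 3 licence at risk
    control_effectiveness: int  # 1 robust, 2 partial, 3 weak (the table's column order)
    last_reviewed: date

    def inherent_score(self) -> int:
        return self.likelihood * self.impact  # rating before any controls (Step 3)

    def residual_score(self) -> float:
        # Assumption, not from the article: controls scale the inherent score by effectiveness/3.
        return self.inherent_score() * self.control_effectiveness / 3

    def required_controls(self) -> tuple:
        # Step 4: High residual risk needs all three control types; Medium may rely on two.
        tier = band(self.residual_score())
        if tier == "High":
            return ("preventive", "detective", "corrective")
        return ("detective", "corrective") if tier == "Medium" else ("standard monitoring",)

    def review_overdue(self, today: date) -> bool:
        return today - self.last_reviewed > timedelta(days=365)  # Step 5: at least annually

# Constructed sample register; identifiers, owners and dates are illustrative only.
REGISTER = [
    Risk("R-001", "Correspondent banking respondents not subjected to enhanced due diligence",
         "AML/CTF Act 2006", "Head of Financial Crime", 3, 3, 2, date(2025, 11, 1)),
    Risk("R-002", "Threshold transaction reports lodged late",
         "AML/CTF Act 2006", "AML Operations Manager", 2, 2, 1, date(2026, 1, 15)),
    Risk("R-003", "ML/TF risk assessment not updated after a new product launch",
         "AML/CTF Rules Chapter 8.3", "Compliance Officer", 2, 3, 3, date(2024, 6, 30)),
]
TODAY = date(2026, 3, 1)  # constructed review date for the example

def register_summary(risks, today: date):
    # One row per risk, ranked by residual score so items needing escalation come first.
    rows = [(r.risk_id, r.inherent_score(), band(r.inherent_score()), round(r.residual_score(), 2),
             band(r.residual_score()), r.required_controls(), r.review_overdue(today)) for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)
```

Run as `register_summary(REGISTER, TODAY)`: R-001 and R-003 come out High with a full control set required, R-002 drops to Low under robust controls, and only R-003 is flagged as overdue for review.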
Australian regulatory requirements: AUSTRAC, ASIC, and the AML/CTF Act 2006
Australian firms operating in regulated sectors face a layered set of compliance obligations, each with its own documentation and governance requirements. As of March 2026, the principal legal and regulatory sources are:
AML/CTF Act 2006: The AML/CTF Rules, Chapter 8.3, require reporting entities to identify, mitigate and manage the ML/TF risks to which they are exposed. The ML/TF risk assessment must be kept up to date and forms the foundation of the AML/CTF program.
ASIC regulatory requirements: For AFS licensees, ASIC requires adequate compliance arrangements under section 912A of the Corporations Act 2001. Regulatory Guide 104 sets out ASIC's expectations for meeting general AFS licence obligations, including risk management.
APRA CPS 220: Under CPS 220 Risk Management, APRA-regulated entities must maintain a risk management framework that includes compliance risk. The board is ultimately responsible for the risk management framework.
AUSTRAC guidance: AUSTRAC's sector-specific guidance provides detailed methodologies for risk-based compliance across banking, remittance, gambling, and digital currency exchange sectors. While not legally binding in the same way as the Act, AUSTRAC expects reporting entities to follow its guidance unless they can demonstrate a well-reasoned alternative approach.
Proceeds of Crime Act 2002 (Cth) and the AFP: The Proceeds of Crime Act creates criminal offences for money laundering. The AFP, which leads serious financial crime investigations, publishes guidance and intelligence that should inform every firm's compliance risk identification process.
The FATF Mutual Evaluation of Australia, most recently conducted in 2015 with ongoing follow-up assessments, identified areas for improvement including beneficial ownership transparency and the scope of reporting entities, both of which directly inform the risk factors Australian firms must address in their ML/TF risk assessment.
Common failures in compliance risk management
The most frequent compliance risk management failures are static assessments, absent senior management approval, departmental silos, and narrow risk focus. These are not theoretical concerns: AUSTRAC's compliance assessments have documented all four as widespread.
Static, outdated assessments are the single most cited failure. An ML/TF risk assessment prepared three years ago and filed without amendment does not reflect the firm's current risk profile. Regulatory expectations have changed, new products have launched, the customer base has evolved, and new typologies have emerged. Regulators do not accept historical documentation as evidence of current compliance.
No documented senior management approval is a governance failure. The AML/CTF Act requires the AML/CTF program (which incorporates the risk assessment) to be approved by a board member or senior manager. A risk assessment that sits in a compliance team folder without board or ExCo visibility is not a governed document; it is a liability.
Departmental silos produce fragmented risk pictures. When the AML team does not share intelligence with the fraud team, and the credit risk team does not communicate with the sanctions team, material risk concentrations go undetected. Effective compliance risk management requires cross-functional risk registers, shared data, and governance forums that bring together representatives from all relevant functions.
Narrow risk focus means that a firm assesses money laundering risk in isolation without considering sanctions, bribery and corruption, data protection, market conduct, or consumer protection obligations. AUSTRAC expects the ML/TF risk assessment to be part of a broader compliance framework, not an isolated exercise.
How technology strengthens your compliance risk assessment
Technology does not replace the judgement required for compliance risk management, but it eliminates the manual bottlenecks that cause assessments to become outdated, inconsistent, and unauditable.
Automated document verification addresses one of the most persistent control weaknesses: the reliance on manual review of customer documents during onboarding and periodic review. Manual review is slow, inconsistently applied across teams, and produces no structured audit trail. Automated verification, applied to identity documents, proof of address, ASIC extracts, and financial statements, produces a consistent, timestamped record of what was checked, when, and what was found.
Risk scoring engines allow firms to implement the weighted, quantitative scoring methodology that AUSTRAC expects, applied consistently across thousands of customers or transactions rather than relying on individual analyst discretion.
Workflow and case management tools ensure that identified risks are assigned to named owners, tracked to resolution, and escalated automatically when deadlines are missed.
For firms assessing the cost of upgrading their compliance technology stack, our pricing page provides a transparent view of what automated verification tools cost, allowing a direct comparison with the cost of manual review and the potential cost of regulatory sanctions.
Our platform processes over 180,000 compliance documents per month with a 94.8% fraud detection rate and an average verification time of 4.2 seconds. CheckFile's approach to document security and compliance infrastructure is to integrate with existing compliance frameworks rather than replace the human judgement at their centre.
For a comprehensive overview, see our document compliance complete guide.
FAQ
What is the difference between a compliance risk assessment and an ML/TF risk assessment?
A compliance risk assessment is the general term for any structured evaluation of an organisation's exposure to regulatory breach and its consequences. An ML/TF risk assessment is the specific type of compliance risk assessment required by AUSTRAC and the AML/CTF Act for reporting entities. The ML/TF risk assessment must cover all material money laundering and terrorism financing risks at the firm level and must be documented, kept current, and available to AUSTRAC on request. It sits above the Customer Risk Assessment, which applies the firm's risk methodology to individual customer relationships.
How often should a compliance risk assessment be reviewed?
AUSTRAC expects the ML/TF risk assessment to be reviewed formally at least once per year, with the review documented and approved by a senior manager. In practice, a review should also be triggered by any of the following: launch of a new product or service, entry into a new geography or customer segment, a significant internal incident, a material change in the regulatory framework, or new typology guidance from AUSTRAC, FATF, or the AFP. Annual review is a minimum, not a target.
What are the consequences of an inadequate compliance risk assessment in Australia?
The consequences operate at three levels. First, regulatory: AUSTRAC can impose civil penalties of up to AUD 28.2 million per contravention. The Westpac and CBA cases demonstrate that aggregate penalties can reach billions. Second, criminal: under the Proceeds of Crime Act 2002, individuals and firms can face prosecution for money laundering offences if inadequate controls allowed the firm to be used to facilitate financial crime. Third, reputational: regulatory censure, enforcement notices, and public statements cause direct harm to customer trust and the firm's ability to operate.
Does a small firm need a formal compliance risk assessment?
Yes. The AML/CTF Act applies to all reporting entities regardless of size. The proportionality principle means that a small firm's ML/TF risk assessment will be less complex than that of a major bank, but it must still be documented, risk-based, and up to date. AUSTRAC has taken enforcement action against small reporting entities as well as large ones. Size reduces the complexity of the required framework, not the obligation to have one.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Australian organisations should consult qualified professionals for guidance specific to their obligations under AUSTRAC, ASIC, APRA and the OAIC.