Legal development

AML/CTF reforms; ML/TF risk assessment changes

    Background

    The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act (Cth) (the Amendment Act) will commence on 31 March 2026. Schedule 2 of the Amendment Act makes substantial changes to a reporting entity's obligation to perform a money laundering and terrorism financing (ML/TF) risk assessment.

    What are the key changes?

    Currently, a reporting entity's obligations in respect of its ML/TF risk assessment are set out in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (Cth) (AML/CTF Rules). The Amendment Act introduces new obligations that relate to the ML/TF risk assessment and also codifies, in the AML/CTF Act, existing ML/TF risk assessment obligations that are currently implied. The changes in the Amendment Act emphasise the importance of a reporting entity's ML/TF risk assessment in developing and maintaining a robust anti-money laundering and counter-terrorism financing framework.

    The table below summarises the current requirements for ML/TF risk assessments under the AML/CTF Act and AML/CTF Rules, comparing those requirements with the changes set out in the Amendment Act.

    Current requirement: A requirement to carry out an ML/TF risk assessment is not explicitly stated in the AML/CTF Act.

    Changes in the AML/CTF Amendment Act: There is an express obligation to carry out an ML/TF risk assessment contained within the Amendment Act. The steps taken by a reporting entity to undertake an ML/TF risk assessment must be appropriate to the nature, size and complexity of the reporting entity's business.

    Current requirement: An ML/TF risk assessment is required to consider the risks of money laundering and financing of terrorism.

    Changes in the AML/CTF Amendment Act: An ML/TF risk assessment is required to consider the risks of money laundering, financing of terrorism and proliferation financing.

    Current requirement: The AML/CTF Rules do not expressly state what should be considered as part of undertaking an ML/TF risk assessment. Instead, the AML/CTF Rules list factors that should be considered by reporting entities as part of "identifying its ML/TF risk".

    Changes in the AML/CTF Amendment Act: The Amendment Act expressly states the factors required to be considered as part of undertaking an ML/TF risk assessment, specifically:

    • the kinds of designated services provided, or proposed to be provided, by the reporting entity, including any new or emerging technologies relating to those services;
    • the kinds of customers to whom the reporting entity’s designated services are or will be provided;
    • the delivery channels by which the reporting entity’s designated services are or will be provided, including any new or emerging technologies relating to those delivery channels;
    • the countries with which the reporting entity deals, or will deal, in providing its designated services;
    • information communicated either directly or indirectly by the Australian Transaction Reports and Analysis Centre (AUSTRAC) to the reporting entity that identifies or assesses the risks associated with the reporting entity's provision of its designated services; and
    • the matters (if any) specified in the AML/CTF Rules.

    Current requirement: The AML/CTF Rules contain an obligation for the AML/CTF Program to be independently reviewed at a frequency that considers the nature, size and complexity of the reporting entity's business, and the type and level of ML/TF risk that it might face. It is implied that the ML/TF risk assessment will be reviewed as part of a review of the AML/CTF Program, though an express requirement for a review of the ML/TF risk assessment is not contained within the AML/CTF Act or AML/CTF Rules.

    Changes in the AML/CTF Amendment Act: There is an express requirement under the Amendment Act for the ML/TF risk assessment to be continually reviewed and kept up to date.

    Specifically, the Amendment Act states that the ML/TF risk assessment must be reviewed on a cyclical basis (at least every three years) as well as in response to significant changes (i.e. triggers) that relate to the ML/TF risk assessment. ML/TF risk assessment triggers include:

    • where there is a significant change to the factors considered when first undertaking the ML/TF risk assessment (e.g. the kinds of services provided, the kinds of customer types etc.);
    • where AUSTRAC communicates information that identifies or assesses risk associated with the reporting entity's provision of designated services; and
    • where any circumstances specified in the AML/CTF Rules arise.

    Current requirement: A requirement for the ML/TF risk assessment to be up to date prior to providing designated services to a customer is not contained within the AML/CTF Act.

    Changes in the AML/CTF Amendment Act: The Amendment Act contains an express requirement for the ML/TF risk assessment to be up to date prior to providing designated services to a customer.

    Current requirement: There is no express requirement for the governing board and senior management to have oversight of the ML/TF risk assessment within the AML/CTF Act. The AML/CTF Rules require that the governing board and senior management of a reporting entity have oversight of, and approve, Part A of the AML/CTF Program. It is implied that this would require oversight of the ML/TF risk assessment.

    Changes in the AML/CTF Amendment Act: The Amendment Act states that the governing body must have appropriate ongoing oversight of the identification and assessment of risks for the purposes of the ML/TF risk assessment. Further, the Amendment Act includes an express requirement for:

    • any updates to the ML/TF risk assessment to be notified, in writing, to the governing body as soon as practicable after they are made; and
    • the ML/TF risk assessment (including any updates) to be approved by senior management.

    Are you ready for the reforms?

    In preparation for the ML/TF risk assessment-related reforms contained within the Amendment Act, reporting entities should consider the below questions.

    • Are there mechanisms in place to ensure that the ML/TF risk assessment is reviewed and performed at least once every three years and in response to significant changes?
    • Are there mechanisms in place to identify significant changes to the matters that will impact the ML/TF risk assessment? What are the criteria that will be applied to determine whether a change is 'significant' or has a 'significant' impact on ML/TF risks?
    • To what extent has proliferation financing been considered in the design of the ML/TF risk assessment?
    • For reporting entities involved in 'gatekeeper' professions, how do those professions ensure that the ML/TF risk assessment meets the required standard and is implemented effectively, while limiting any unnecessary compliance burden (particularly for small businesses)?
    • Are there mechanisms in place to ensure that prior to providing a designated service to a customer, the ML/TF risk assessment is up to date?
    • Are processes in place to ensure that the governing body and senior management are kept abreast of changes to the ML/TF risk assessment?

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 13 February 2025 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
