The AML/CTF Act is built on a risk-based approach: your obligations scale with the risk profile of your business, your customers and your services. This is more flexible than a prescriptive regime — and harder to evidence. AUSTRAC will ask 'show me your risk assessment' before it asks anything else.
The four artefacts
- A documented business risk assessment covering products, customers, channels and jurisdictions.
- Risk-tiered customer categorisation (low / medium / high) with criteria.
- Risk-tiered controls — what changes between a low-risk and a high-risk onboarding.
- An annual review cycle with version-controlled updates.
What 'evidence' actually looks like
A 6–10 page risk assessment document, signed by the AML/CTF Compliance Officer (AMLCO) and a director, with appendices covering product mix, customer typology distribution, jurisdiction exposure and channel risk. It is updated annually, with a tracked-changes log so each version can be tied to the review that produced it. Most providers ship a template you can fill in within a working day.