13 December 2025 | Documentation

    AML/CTF risk assessment: Documentation examples and structure

The risk assessment component of an AML/CTF program typically involves documenting how your business identifies, assesses and manages money laundering, terrorism financing and proliferation financing (ML/TF/PF) risks. This article provides examples of how businesses commonly structure their risk assessment documentation.

    What businesses typically record

    A risk assessment generally documents several categories of information. The specific content depends on your business, designated services and risk profile. Common elements include:

    Business context

    Description of your business, services offered and which services are designated services

    Risk categories

    Categories of risk relevant to your business (customer, service, geographic, channel)

    Risk identification

    Specific risks identified within each category

    Risk rating methodology

    How risks are rated (e.g., low, medium, high) and the criteria used

    Controls

    Measures in place to manage identified risks

    Residual risk assessment

    Risk level remaining after controls are applied

    Examples of controls commonly documented

    Controls are the measures businesses put in place to manage identified risks. The following are examples of controls that businesses commonly document. The appropriate controls for your business depend on your specific risk assessment.

    Customer-related controls

    • Customer identification and verification procedures
    • Beneficial ownership identification processes
    • Politically exposed person (PEP) screening
    • Sanctions list screening
    • Ongoing customer due diligence triggers
    • Enhanced due diligence procedures for higher-risk customers

    Transaction-related controls

    • Transaction monitoring procedures
    • Threshold transaction reporting processes
    • Unusual transaction identification criteria
    • Cash handling protocols (if applicable)
    • Third-party payment procedures

    Operational controls

    • Staff training and awareness programs
    • Suspicious matter escalation procedures
    • Record keeping and retention policies
    • Compliance officer appointment and responsibilities
    • Independent review schedule

    Risk rating methodology examples

    Businesses typically use a rating system to categorise risks. Common approaches include:

    Three-tier rating (Low, Medium, High)

    Low risk

    Examples: Long-standing customers, straightforward transactions, low-value services, customers from low-risk jurisdictions

    Medium risk

    Examples: New customers, higher-value transactions, some complexity in ownership structure, customers from moderate-risk jurisdictions

    High risk

    Examples: Complex corporate structures, customers from high-risk jurisdictions, politically exposed persons, large cash transactions, unusual transaction patterns

    Inherent vs residual risk

    Many businesses document both:

    • Inherent risk: The risk level before controls are applied
    • Residual risk: The risk level after controls are applied

    This approach helps demonstrate how controls reduce risk to an acceptable level.

    Documentation structure examples

    There is no single required format for risk assessment documentation. Common structures include:

    Narrative format

    A written document describing the business, its risks and how they are managed. Suitable for smaller or less complex businesses.

    Risk register format

    A spreadsheet or table listing each risk, its rating, controls and residual risk. Useful for tracking and reviewing multiple risks systematically.

    Hybrid format

    A narrative overview supported by risk register tables for specific categories. Common for medium-sized businesses.

    Risk considerations by sector

    Different sectors may face different risk profiles. Examples of risks by sector that businesses commonly document include:

    Legal Professionals

    Trust account handling, conveyancing transactions, complex client structures

    Accounting Professionals

    Business sale facilitation, client fund management, tax planning structures

    Real Estate Professionals

    High-value property transactions, international purchasers, cash deposits

    TCSPs

    Company formation services, nominee arrangements, beneficial ownership complexity

    Precious Metals Dealers

    Cash transactions, high-value items, anonymous purchaser risk

    Regular review

    Risk assessments typically require regular review to remain current. Many businesses review their risk assessment annually, or when significant changes occur (new services, new customer types, regulatory changes).

    Questions to discuss with your adviser

    • What risk categories are most relevant to your designated services?
    • How should you document controls already in place?
    • What rating methodology is appropriate for your business size and complexity?
    • How often should your risk assessment be reviewed?
    • Who should be involved in the risk assessment process?
    • How does your risk assessment connect to your compliance procedures?

    Start your documentation efficiently

    HeadStart Docs™ provides free sector-specific compliance documents including risk assessment frameworks. All documents require legal review and tailoring.

    Disclaimer: This article is general information only. It is not legal, financial or compliance advice. HeadStart Docs™ provides free compliance documents, not legal services.

    We do not guarantee the accuracy of information provided. Obligations may apply depending on your designated services. Always confirm your specific requirements with a qualified adviser.

    Need a lawyer to review your AML/CTF program? HeadStart Counsel offers fixed-fee tailoring from $1,800+GST. Separate entity and engagement.