The Business-Wide Risk Assessment: AML/CTF Foundation for Australian Accounting Firms 2026
If your accounting practice is captured by the Tranche 2 reforms, there's a natural temptation to jump straight to client identity checks. Resist it. Under the AML/CTF regime, everything starts with your risk assessment — and if you build it badly, every control that follows rests on a weak footing.
This is the document often called the business-wide risk assessment (BWRA). Here's what it is, what AUSTRAC expects to see in it, and how an accounting firm actually completes one.
What the risk assessment is — and why it comes first
Every reporting entity must conduct a money laundering, terrorism financing and proliferation financing (ML/TF) risk assessment before it provides designated services. It answers a single question: where is my practice most exposed to being used to move or hide the proceeds of crime?
Your risk assessment then drives your AML/CTF policies — the procedures and controls that manage the risks you've identified. Together, the risk assessment and the policies make up your AML/CTF program. The reforms moved away from the old prescriptive program split toward this risk-led, two-document structure, and AUSTRAC has been clear that it expects a program tailored to your business, not a template adopted without thought.
The risk factors AUSTRAC expects you to assess
AUSTRAC frames ML/TF risk around a core set of factors. Your risk assessment should work through each, applied to your actual client base:
- Customer risk — who your clients are and how easily you can identify the real people behind them. For accountants this is central: discretionary trusts, SMSFs, unit trusts and companies with layered ownership all make beneficial ownership harder to see. Politically exposed persons (PEPs) and clients reluctant to explain their structures raise the rating.
- Service (product) risk — which of your designated services carry more risk. Forming companies and trusts, acting as a nominee, and holding or moving client money generally carry more ML/TF risk than lower-touch services.
- Delivery channel risk — how you onboard and deal with clients. Remote, non-face-to-face engagement and reliance on third-party introducers carry more risk than long-standing, in-person relationships.
- Geographic risk — the locations of your clients, their funds and the structures involved. Offshore clients, funds flowing from or through higher-risk jurisdictions, and cross-border structures all elevate risk.
You must also have regard to the risk information AUSTRAC publishes — particularly its National Risk Assessments — and you must consider proliferation financing, even where your exposure is low. Recording that you considered it and explaining why your exposure is limited is itself part of compliance.
Accountant-specific risk examples
To make it concrete, the kinds of red-flag factors an accounting firm would weigh include:
- A client establishing a trust or company with no clear commercial rationale, or unusual urgency to do so.
- Offshore beneficial owners or instructions routed through intermediaries who obscure who's really in control.
- Client funds moving through the practice's accounts in patterns that don't match the client's known business.
- Wealth or transaction sizes inconsistent with what you'd expect from the client's profile or lodged returns.
- Referrals connected to cash-intensive businesses or to higher-risk sectors.
For each factor you assess likelihood and impact, arrive at a risk rating, and — crucially — link each risk to a control in your policies. That link, from identified risk to the specific procedure that manages it, is what turns a risk assessment from a description into a working document.
Keeping it current
A risk assessment isn't a "set and forget" document. You must keep it up to date and review it — at least periodically and whenever something significant changes in your practice or the risk environment (a new service line, a shift in your client base, new AUSTRAC guidance). Each review should be dated, so you can show an inspector how your understanding of risk has evolved.
How Veriqua helps
Veriqua's BWRA module is designed to structure your risk assessment across customer, service, delivery-channel and geographic risk (plus proliferation financing), help you rate likelihood and impact, score residual risk after controls, and timestamp every review so your assessment history is inspection-ready. It guides the process; the risk judgements and sign-off remain yours — which is exactly how AUSTRAC expects a reporting entity to own its risk assessment.
Frequently Asked Questions
What is a business-wide risk assessment for accounting firms?↓
Do all accounting firms need an AML/CTF program?↓
Can a small accounting practice use a generic AML/CTF template?↓
How does the risk assessment drive the rest of the AML/CTF program?↓
Related articles
Am I Even Captured? Scope for Accountants
How to determine if your accounting practice is a reporting entity under the AML/CTF Act.
CDD for Accountants — Trusts, SMSFs and Companies
How to identify and verify the complex structures accountants work with daily.
AUSTRAC Audit-Ready for Accounting Firms
What an AUSTRAC inspection looks for and how to build a compliance record.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at January 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Rules 2025 and AUSTRAC guidance as at that date, all of which may change. The risk factors described are a practical guide, not an exhaustive or prescribed list, and your risk assessment must reflect your own practice. This is not legal, financial or compliance advice. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.