Your Guide to AU AML Risk Ratings: Build, Run, and Stay Compliant

Set up your firm’s internal Risk Rating profile and carry out compliant assessments for each new client in line with AU’s AML rules.

Written by Jordan
Updated this week

From 1 July 2026, Australian law firms that provide designated services will become reporting entities under the AML/CTF Act, as amended by the 2024 legislative reforms. This includes activities such as:

  • Conveyancing and real property transactions

  • Setting up trusts or companies

  • Managing client funds or assets

  • Acting as a nominee shareholder, trustee, or director

These firms must assess the money laundering, terrorism financing, and proliferation financing (ML/TF/PF) risk of all new customers before providing a designated service, as part of their Customer Due Diligence (CDD) obligations. This is consistent with Section 28(3)(a) of the AML/CTF Act and AUSTRAC’s risk-based approach outlined in Part 5 of the Second Exposure Draft AML/CTF Rules (ED2).

Realaml’s Risk Rating tool is built to help law firms meet these obligations quickly, affordably, and auditably.


Part 1: Set Up Your Firm’s Risk Profile

Your Risk Profile defines how your firm assesses customer risk and what actions staff should take based on that risk level.

🔒 AUSTRAC requires your CDD procedures, including risk assessments, to be tailored to your firm’s designated services, delivery channels, and risk exposure.

Access via: Compliance → Risk Profile

1.1 Profile & Red Flags

Risk assessments must address AUSTRAC’s three core ML/TF/PF indicators:

  • Customer Type

  • Jurisdictional Risk

  • Purpose of the Business Relationship

Realaml’s seven pre-set sections include:

  • Customer Type

  • Customer Engagement & Interaction

  • Identity Verification & Jurisdiction Risk

  • Products & Services

  • Transaction Rationale & Customer Involvement

  • Financial Movement & Red Flags

  • Matter Value

All sections can be renamed but not removed. Each section supports:

  • Custom and default questions

  • Multiple choice answers, default values, internal notes

  • High-risk flags that auto-assign a score of 5

AUSTRAC Risk Mapping

These sections are structured to reflect AUSTRAC’s requirements under Part 5 of the Rules — ensuring ML/TF/PF risk is assessed before a business relationship is formed.

Default Risk Rating Disclaimer

Until you confirm your custom Risk Profile, your reports will include:

“The current risk rating is based on the default profile provided by Realaml.”

To remove:

  • Go to Risk Profile → Confirm Profile → Type “Confirm” → Save

1.2 Recommended Actions

Map internal instructions for each score:

  • High Risk (5) → Enhanced CDD (ECDD), source of funds, senior review

  • Medium-High (4) → ECDD or management sign-off

  • Medium (3) → CDD with documented rationale

  • Low (1–2) → Standard CDD sufficient

1.3 Compliance Documents

Upload internal AML documentation to support staff and demonstrate preparedness:

  • AML/CTF Program

  • Risk Assessments

  • SOPs and onboarding workflows

  • Staff training material


Part 2: Running a Risk Rating

2.1 Complete IDV / PEP Screening

Before you can launch a Risk Rating, Realaml requires that one of the following be completed:

  • Face IDV / Quick IDV / FaceMatch

  • PEP or Sanctions Check

These results are used to assess jurisdictional risk, identity integrity, and red flags as outlined in Part 5 of the AML/CTF Rules.

2.2 Launch & Complete Risk Rating

From the customer dashboard:

  • Navigate to the Risk Rating tab → Click “Start New Risk Rating”

  • Complete all sections (auto-save enabled)

Staff can:

  • Select predefined or default answers

  • Add internal notes to support decisions

  • Trigger an automatic High Risk score through flagged responses

Risk scoring helps identify whether Enhanced Due Diligence (EDD) under Section 32 may be required — for example, due to suspicion, complex arrangements, or high-risk jurisdictions.

2.3 Final Review & Override

Realaml averages scores and rounds up:

  • 1–2 = Low Risk

  • 3 = Medium Risk

  • 4 = Medium-High Risk

  • 5 = High Risk

Staff may override scores with written justification (stored in audit trail).

2.4 Submit & Export

Once submitted:

  • Rating appears in dashboard and is linked to the IDV

  • Export options:

    • Risk Rating PDF

    • Combined AML Compliance Report

Linked Individuals & Reuse

If multiple individuals relate to the same matter (e.g., co-trustees):

  • Responses are copied between parties but can be edited


💡 FAQs: Legal Sector Compliance

Is a Risk Rating required for every new customer?
✅ Yes. Section 28(3)(a) of the AML/CTF Act requires risk-based CDD for all new customers before a designated service is provided.

Does this apply to firms only doing property or trust work?
✅ Yes. Conveyancing, trust establishment, company formation, and similar activities are all designated services under Tranche 2.

Can we delay the Risk Rating?
🚫 Generally no. Risk assessments must be conducted pre-engagement. Limited exceptions for delayed verification (e.g., urgent low-risk transactions) exist under Rule 5.6 but require controls and justification.

How does Realaml help us stay compliant?
Realaml:

  • Embeds AUSTRAC-aligned risk questions

  • Ensures risk is assessed before engagement

  • Provides audit-ready documentation

  • Supports escalation, ECDD, and file review


✅ Summary: What Law Firms Must Do by 1 July 2026

  • Enrol with AUSTRAC as a reporting entity

  • Establish and confirm an AML/CTF Program

  • Perform IDV + Risk Rating on every new customer

  • Maintain up-to-date records and documentation

  • Train staff and enforce ECDD processes for High Risk clients

With Realaml, your firm is risk-rated, audit-ready, and compliant — in just a few clicks.