
Major Australian Banks at High ML/TF Risk

How should boards and senior management respond?

On 6 September 2021, AUSTRAC put the major Australian banks on notice through its money laundering (ML) and terrorism financing (TF) Risk Assessment¹ that the sector is high risk for ML and TF. This will be AUSTRAC’s official position going forward, and a major Australian bank will be hard pressed to argue otherwise unless substantiated by reliable data and a well-evidenced rationale. AUSTRAC also noted that it is particularly concerned about the low level of governance and assurance around AML/CTF compliance and inconsistency in the application of risk mitigation strategies among the major banks.²

So what should Board members consider in light of AUSTRAC’s findings?

In this short article, we explore some of the questions Board members and senior management of major banks may wish to consider following AUSTRAC’s ML/TF Risk assessments and its underlying concerns. Resolving such questions may assist Boards and senior management in ensuring that ML/TF risks specific to their organisations are properly identified and understood, including how and where in the business the ML/TF risk arises, and what measures are in place to manage the particular ML/TF risk.

AUSTRAC’s ML/TF Risk Assessment addresses inherent risk only – it does not consider the number and quality of the risk mitigation and compliance measures that Australia’s major banks have in place to combat the inherent risks that AUSTRAC has identified.  For example, even if a major bank’s inherent risk may be high (as AUSTRAC has identified), its residual risk may be medium or low, in theory, once its mitigation measures have been considered. 

However, the reality is that the residual risk rating for major banks is more often than not misleading, given the challenges that major banks face in designing and documenting appropriate and sustainable mitigation strategies that clearly link back to inherent risks. This, coupled with difficulties in accurately measuring the extent to which such measures reduce the inherent risks, often leads to results being distorted and an inaccurate depiction of residual risk. A staged, diligent, and well-informed approach is needed, where inherent risks are considered first and foremost, followed by the specific mitigation strategies, with residual risks being the final consideration.

Inherently high ML/TF risk is rarely mitigated to a low risk profile. If you are a major Australian bank with a self-assessed low ML/TF risk profile overall, question whether you are being accurate and realistic in your assessment of residual ML/TF risk and make adjustments where necessary. 

Banks are now expected to take a diligent and informed approach to assessing customer risk and not apply blanket assessments to a particular group of customers. There is a need to be accurate and realistic and base your assessments on data-led risk intelligence (i.e. your SMR data, data analytics modelling, law enforcement notices and industry feedback) as opposed to human judgment. AUSTRAC is also keen to avoid organisations overly “de-risking” the business by applying blanket rules, a large degree of human judgment and/or offboarding of broad categories of customers.

It is important that ML/TF risks are described objectively using reliable data, highlighted in the right way and not conflated or deflated in Board reports. Ask yourself whether the information you are receiving is presented in a way that enables you to easily grasp the key ML/TF risks relevant to your organisation and assess whether your risk mitigation measures are sufficient to address them. Likewise, ask yourself whether your organisation is well placed to clearly articulate to your internal teams and the regulator how you are managing your ML/TF risks.

Understanding and assessing ML/TF risks is only half of the task. You are also required to implement appropriate risk mitigation measures that address your ML/TF risks. Doing that in a cost-effective and efficient way is a commercial imperative. AUSTRAC flagged inefficiencies in the application of controls across business units and a tendency to defensively over-report. Such inefficiencies and duplication can be overcome if you take a bird’s eye view of your ML/TF risks, simplify your AML/CTF operations and create AML/CTF uniformity and consistency in AML/CTF communication across your organisation. Specificity is critical – a small number of targeted, well-designed, resourced, and assured controls are far better than a large suite of general controls.


AUSTRAC analysts reviewed and categorised each report in the SMR sample it took as part of the ML/TF Risk Assessment against 414 possible labels grouped by criminal threat, suspicious transactional activity, products and services, customer type, entity attribute and jurisdiction. This data could then be “sliced and diced” and visualised to gain unique insights into the major banks’ aggregate risk profile. 

Like AUSTRAC, consider how you could potentially leverage your SMR data (as well as your Unusual Activity Reports and Transaction Monitoring alert data) and apply robust data analytics to gain useful insights into your key ML/TF risks and enhance your risk-based approach.  This is provided that you are correctly identifying suspicious activity in the first instance and the data captured within SMRs is accurate and can be relied upon to form strategic judgments about trends in ML/TF risk. 

AUSTRAC raises the risks presented by agent banking relationships, third-party electronic billers and the introduction of the New Payments Platform.³

The speed and ease with which customers can transact using these arrangements, alongside developments in online banking and mobile apps, further limits the opportunity for banks to identify and prevent suspicious transactions and enables money launderers to quickly layer funds between various accounts. Agency relationships not only present a degree of regulatory compliance risk to your organisation but may also hinder your ability to identify ML/TF risks in accordance with your risk profile and appetite. 

AUSTRAC’s ML/TF risk assessment contains useful guidance about specific ML/TF risks. Major banks should review their AML/CTF Program to respond to AUSTRAC’s guidance and feedback on ML/TF risk in accordance with the AML/CTF Rules⁴ and ensure that the Program and its associated compliance measures are updated to manage identified risks.

AUSTRAC’s ML/TF Risk Assessment, whilst a useful snapshot at a particular point in time, is unlikely to encapsulate the ML/TF risks that you may be encountering now or ahead.   It is critical to monitor all available internal and external risk intelligence and take a data-led approach to identifying risks that you may not otherwise recognise. 

About us

The pressure to tackle financial crime has never been greater. Deloitte’s global financial crime practice is at the forefront of the fight against financial crime and has assisted many of the world’s leading financial institutions in developing, implementing and remediating all aspects of financial crime risk management programs, as well as investigating financial crimes.

Our Australian team works extensively with organisations in understanding, documenting and acting on ML/TF risk. We have advised boards and senior management on AML/CTF over a number of years, and in response to significant regulatory events and enquiries.

1 AUSTRAC, 6 September 2021, “Money Laundering and Terrorism Financing Risk Assessment: Major Banks”:

2 Ibid, page 7.

3 Ibid, pages 62-63.

4 See Part 8.7 and Part 9.7 of the AML/CTF Rules
