KYC vs AML Risk Assessments Under Tranche 2: What Professional Firms Commonly Confuse

Introduction

As Tranche 2 AML/CTF reforms approach, many professional services firms are asking the same question:

“If we’re doing KYC, does that mean we’ve already done our AML risk assessment?”

The short answer is no — but the distinction is often misunderstood.

This guide explains the difference between KYC and AML risk assessments under Tranche 2, how they interact, and why confusing the two can create compliance gaps even where firms believe they are well prepared.


Why This Confusion Happens

In practice, KYC and risk assessments often happen close together — sometimes during client onboarding, sometimes informally over time.

As a result, firms may:

  • Treat them as interchangeable

  • Complete one but assume it covers the other

  • Apply both inconsistently without clear documentation

Tranche 2 does not require more bureaucracy — but it does require clarity of purpose.


What KYC Is (And What It Is Not)

Know Your Customer (KYC) focuses on the client relationship.

Its purpose is to help a firm understand:

  • Who the client is

  • Who owns or controls them (where relevant)

  • Whether the client presents elevated risk

KYC is:

  • Client-specific

  • Applied at onboarding (and reviewed over time)

  • A key input into broader AML controls

KYC is not:

  • A substitute for a firm-wide AML framework

  • A one-time identity check with no follow-up

  • A risk assessment of the firm itself

(For a full explanation, see the KYC & ID Verification guide.)


What an AML Risk Assessment Is

An AML risk assessment looks inward, not outward.

It evaluates the inherent money laundering and terrorism financing risks faced by the firm, based on factors such as:

  • Types of services offered

  • Client profiles

  • Delivery channels

  • Geographic exposure

Under Tranche 2, firms are expected to:

  • Document this assessment

  • Use it to justify proportionate controls

  • Review it periodically

The risk assessment sets the context within which KYC decisions are made.


How KYC and Risk Assessments Work Together

The relationship is directional:

  • The AML risk assessment defines the firm’s overall risk posture

  • KYC applies that posture to individual clients

For example:

  • A firm assessed as low-risk overall may apply simplified KYC in many cases

  • A higher-risk service line may trigger enhanced checks for certain clients

Performing KYC without a risk assessment removes that context — and weakens the defensibility of the firm's decisions.


Common Tranche 2 Pitfalls

Professional firms most often run into issues where they:

  • Perform KYC without a documented risk assessment

  • Have a risk assessment but do not link it to onboarding practices

  • Apply the same level of KYC to all clients regardless of risk

  • Cannot explain why certain checks were considered sufficient

From a regulator’s perspective, reasonable judgement must be visible, not assumed.


What AUSTRAC Is Ultimately Looking For

AUSTRAC does not expect professional firms to operate like banks.

What it does expect is that firms can demonstrate:

  • An understanding of their own risk profile

  • Proportionate controls aligned to that risk

  • Consistency between policy, practice, and documentation

Clear separation between KYC and risk assessment — and evidence that they inform each other — is central to this.


Tranche 2 Readiness Assessment (15 mins)

If you are uncertain whether your firm has clearly separated — and correctly linked — its KYC practices and AML risk assessment, a short readiness assessment can help clarify:

  • Whether both elements are required for your services

  • Where gaps or overlaps may exist

  • What is already sufficient vs what needs refinement

No obligation. No demos. No sales discussion.

