KYC vs AML Risk Assessments Under Tranche 2: What Professional Firms Commonly Confuse

20 February 2026 | 3 min read

Two related but distinct obligations — and the most common ways professional services firms conflate them in their AML/CTF programs.

Introduction

As Tranche 2 AML/CTF reforms approach, many professional services firms are asking the same question: “If we’re doing KYC, does that mean we’ve already done our AML risk assessment?” The short answer is no — but the distinction is often misunderstood. This guide explains the difference between KYC and AML risk assessments under Tranche 2, how they interact, and why confusing the two can create compliance gaps even where firms believe they are well prepared.

Why This Confusion Happens

In practice, KYC and risk assessments often happen close together — sometimes during client onboarding, sometimes informally over time. As a result, firms may:

- Treat them as interchangeable
- Complete one but assume it covers the other
- Apply both inconsistently without clear documentation

Tranche 2 does not require more bureaucracy — but it does require clarity of purpose.

What KYC Is (And What It Is Not)

Know Your Customer (KYC) focuses on the client relationship. Its purpose is to help a firm understand:

- Who the client is
- Who owns or controls them (where relevant)
- Whether the client presents elevated risk

KYC is:

- Client-specific
- Applied at onboarding (and reviewed over time)
- A key input into broader AML controls

KYC is not:

- A substitute for a firm-wide AML framework
- A one-time identity check with no follow-up
- A risk assessment of the firm itself

(For a full explanation, see the KYC & ID Verification guide.)

What an AML Risk Assessment Is

An AML risk assessment looks inward, not outward. It evaluates the inherent money laundering and terrorism financing risks faced by the firm, based on factors such as:

- Types of services offered
- Client profiles
- Delivery channels
- Geographic exposure

Under Tranche 2, firms are expected to:

- Document this assessment
- Use it to justify proportionate controls
- Review it periodically

The risk assessment sets the context within which KYC decisions are made.

How KYC and Risk Assessments Work Together

The relationship is directional:

- The AML risk assessment defines the firm’s overall risk posture
- KYC applies that posture to individual clients

For example:

- A firm assessed as low-risk overall may apply simplified KYC in many cases
- A higher-risk service line may trigger enhanced checks for certain clients

Treating KYC without a risk assessment removes that context — and weakens defensibility.

Common Tranche 2 Pitfalls

Professional firms most often run into issues where they:

- Perform KYC without a documented risk assessment
- Have a risk assessment but do not link it to onboarding practices
- Apply the same level of KYC to all clients regardless of risk
- Cannot explain why certain checks were considered sufficient

From a regulator’s perspective, reasonable judgement must be visible, not assumed.

What AUSTRAC Is Ultimately Looking For

AUSTRAC does not expect professional firms to operate like banks. What it does expect is that firms can demonstrate:

- An understanding of their own risk profile
- Proportionate controls aligned to that risk
- Consistency between policy, practice, and documentation

Clear separation between KYC and risk assessment — and evidence that they inform each other — is central to this.

Tranche 2 Readiness Assessment

If you are unsure whether your firm is in scope, a short readiness assessment can help. Request a 15-Minute Readiness Assessment.

1 July 2026 is a fixed deadline.
Compliance is achievable — with the right partner.

Start today and be audit-ready well before the deadline.