The enterprise-wide risk assessment is the function the other three are calibrated to. Get it venue-specific, and the rest of the program becomes defensible.
Working reference, not legal advice
This article is written for clubs and venues that are reporting entities for EGM-related designated services. It describes the risk-assessment function of an AML/CTF program under the AML/CTF Act and AUSTRAC guidance, as in force from 31 March 2026. It is general information, not legal advice, and it doesn’t establish a compliance position for any particular venue. For a definitive view on your obligations, talk to an AML lawyer or your external AML consultant.
TL;DR
The risk assessment is where a club identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks it may reasonably face in providing designated services (s 26C). It looks across six limbs: designated services, customer types, delivery channels, countries dealt with, AUSTRAC’s risk information, and any matters the Rules specify.
AUSTRAC expects it to start with inherent risk — the risk before controls. It must be venue-specific, kept current (s 26D), and it’s the document every downstream monitoring threshold should trace back to.
The AML/CTF program is, in law, two things: the reporting entity’s ML/TF risk assessment and its AML/CTF policies (s 26B). This article is about the first of those — the function everything downstream is calibrated to.
The Act requires a club to identify and assess the money-laundering, terrorism-financing and proliferation-financing risks it may reasonably face in providing designated services (s 26C). “Enterprise-wide risk assessment” (the EWRA) is useful shorthand, but the work in the Act is done by that phrase: the risks the reporting entity may reasonably face in providing its designated services. The assessment covers the venue as a whole. It isn’t a judgment made transaction by transaction at the cashier; it’s a documented profile you can hand to a reviewer.
For an Australian permanent establishment, s 26C frames the assessment around six limbs, summarised in the table at the end of this article.
The designated services come first because they define the perimeter. For an EGM venue this usually starts with allowing a person to play a gaming machine and paying out winnings or prizes, and may extend to account-based gambling services, the exchange of money or betting instruments, or other gambling-related services where they fall within s 6. TITO, CRTs, cashless cards and carded-versus-uncarded play are then assessed as delivery channels, technologies and practical risk features of those services, not as designated services in their own right. The list itself is where clubs slip, because it’s easy to under-count what actually counts as a designated service, and a service that isn’t on the list isn’t risk-assessed.
The delivery-channel limb has a club-specific wrinkle. AUSTRAC’s pubs and clubs guidance asks venues to consider whether most customers play carded or uncarded, and to identify and manage the risks posed by uncarded play, cash exposure and cash redemption terminals. Carded-versus-uncarded is a distinction the assessment is now expected to address directly.
The countries limb is short for most local clubs. That’s a documented conclusion, not a reason to skip it. A community club with essentially no foreign nexus still records that it considered the limb and why it rated it low.
AUSTRAC’s guidance is that the risk assessment should identify and assess inherent risk, the risk before your controls are applied, with residual risk being what remains after the policies do their work.
It’s tempting to write “low risk, because we identify everyone over $10,000”. But that describes a control, not the underlying risk. Inherent risk first, then the policies manage it down to residual. Collapsing the two is how a risk assessment ends up looking complete while telling you nothing — and it leaves the reviewer unable to see whether the controls are actually doing anything.
A monitoring framework that isn’t anchored in a risk assessment is one where the thresholds are guesses.
The output is a profile specific to this venue, and that specificity is what makes everything downstream defensible. When the AMLCO sets a monitoring threshold, or decides which behaviours warrant a closer look, the answer to “why that line?” should trace back to the risk assessment.
AUSTRAC’s pubs and clubs guidance is explicit that a larger venue or corporate group should ensure any enterprise-level risk assessment appropriately assesses ML/TF risks at each individual venue. A multi-venue operator runs a parent assessment at the group level and a child assessment per venue, because the customer base, machine mix and cash exposure differ site to site.
For a single club, the same principle reads as a quality test: how venue-specific does your EWRA actually read, versus something a template could have produced for any club? The honest answer is the difference between a document that holds up under review and one that doesn’t.
A risk assessment isn’t a document you write once and file. The Act requires it to be reviewed and updated (s 26D).
Monitoring should pull it back open too. Day-to-day operations surface risks the original assessment didn’t anticipate, and the profile should be updated when they do. A control calibrated to a risk you assessed once and never revisited is calibrated to a venue you used to be.
The Star, Crown and Mounties matters are often read as missing-controls cases. Read more closely, the recurring thread is broader: programs and controls that AUSTRAC alleged, or the parties admitted, were not sufficiently risk-based, tested, governed, or operating in practice.
In the Mounties matter, AUSTRAC alleged the program lacked a methodology for identifying or assessing ML/TF risk, used generalised risk language, and didn’t explain how its ratings were derived or how controls would be deployed. That is what a generic risk assessment looks like at enforcement. Star and Crown reinforce the broader lesson: an AML/CTF program has to be risk-based, governed, tested and operating in practice, beyond being documented. The EWRA isn’t a box-ticking artefact; it’s the document the rest of the program either earns its defensibility from, or doesn’t.
| Limb | What it asks of the club | Club note |
|---|---|---|
| Designated services | Which s 6 services do we actually provide? | EGM play, paying out winnings, account-based services, and any s 6 exchange/payment services actually provided |
| Customer types | Who do we serve, and how do they differ? | Members, visitors, high-turnover patrons, agents for others |
| Delivery channels | How is the service delivered? | Machine, cage, member account; carded vs uncarded; TITO/CRT |
| Countries | What geographic exposure do we have? | Usually brief — but document the conclusion |
| AUSTRAC risk information | What does the regulator tell us to weigh? | National risk assessments, typologies, guidance updates |
| Rule-specified matters | Anything the Rules add? | Check the AML/CTF Rules 2025 for the venue |
Assess inherent risk across the six. Then let the policies manage it down to residual.
The map for the whole program: how risk assessment, policies, operations and assurance depend on each other and loop back to the EWRA.
What the risk assessment and policies have to cover under the reformed framework, in detail.
How the risk profile turns into a documented baseline that monitoring measures unusual activity against.
Venue Axis captures structured floor observations linked to patron context: the documented, retrievable records that let a venue explain why each monitoring threshold sits where it does.