Real-Time Risk Assessment: What AML Reform Really Means for You
Australia’s upcoming AML/CTF reforms represent the most significant compliance transformation in two decades. For regulated entities, from banks and super funds to fintechs and digital exchanges, the implications are clear: static, periodic reviews are no longer enough.
At FrankieOne’s recent live webinar, Real-Time Risk Assessment: What AML Reform Means for You, industry leaders unpacked the coming changes and what they mean for compliance, fraud, and risk teams across sectors.
Hosted by Patrick Lynch from FrankieOne, the panel featured:
- Jeremy Moller, AML legal specialist and advisor to the Law Council of Australia and AUSTRAC consultation processes.
- Celeste De Highden, AML Compliance Officer at HESTA and former risk leader at NAB, Medibank, and Australia Post.
- Ronald Daliya, financial crime advisor with more than 20 years’ experience across banking, super, fintech, and RegTech innovation.
Together, they explored what’s driving the shift to real-time risk assessment, how businesses can adapt their programs, and what practical steps leaders can take now.
1. From Periodic to Continuous: The Regulatory Reset
Jeremy Moller set the tone by calling the AML reforms “the largest change in 20 years.” The new rules go beyond incremental adjustments, introducing expectations for risk rating, sanctions screening, proliferation financing controls, and ongoing due diligence.
These aren’t just technical updates. They represent a philosophical shift - from retrospective compliance to real-time intelligence gathering.
“You can’t have a static onboarding process that’s one-and-done,” Moller said. “The expectation now is that you continuously update risk profiles whenever there’s a trigger - a sanctions hit, a new service, or a change in beneficial ownership.”
For many entities, that means a fundamental rethink of how compliance, data, and monitoring are structured.
2. Governance and Documentation: Proving the ‘Why’ Behind Every Decision
Both Celeste De Highden and Ronald Daliya emphasised that the new environment demands defensible compliance: being able to show why decisions were made.
“It’s not enough to do the right thing,” De Highden explained. “You need to capture the conversations, document your reasoning, and have governance that links board-level oversight all the way down to analysts’ decisions.”
The regulators’ shift from “should” to “must” in guidance underscores the need for strong governance records. Daliya added:
“The guidance now uses ‘must’ far more often - that’s not accidental. It means regulators expect an explainable, traceable record of every decision, tied back to your risk assessment.”
Maintaining a register of guidance, national risk assessments, and sectoral risks will be critical - a practical step that many smaller and mid-tier institutions currently overlook.
3. Defining ‘Real-Time’: It’s Not About Seconds, It’s About Triggers
“Real-time” doesn’t mean instant processing of every transaction. As the panel clarified, it’s about being event-driven - having systems that respond dynamically when something changes.
“Do as much as you can upfront,” Moller advised. “Then think about how you keep that customer picture current - through trigger-based events, sanctions updates, or ownership changes.”
Daliya added that technology plays a pivotal role:
“If you get it right on the way in, tech can support you on the way through. The aim is an engine that runs quietly in the background, alerting you only when you need to act.”
De Highden reinforced that smaller entities can still adopt proportional responses: “It’s about your size, complexity, and risk profile. But you must respond - because this reform is for the whole community.”
4. The Operational Reality: Resourcing, Data, and the Human Factor
The panel agreed that resourcing pressures will be one of the biggest operational impacts. As Tranche 2 brings tens of thousands of new entities into scope, the industry faces a shortage of experienced compliance talent.
“There’s going to be a people crunch,” Lynch observed - a point De Highden echoed: “Resourcing and capability will be key. It’s not just headcount; it’s data fluency, integration, and the ability to adapt models quickly.”
Technology is an enabler, but not a silver bullet. Daliya captured the balance succinctly:
“You can have the best toolset in the world, but without governance and context, it’s just noise. You need both capability and clarity.”
Jeremy Moller added that institutions should rethink their processes around efficiency and customer experience, ensuring compliance doesn’t come at the cost of usability:
“Avoid duplication. Don’t ask customers the same information multiple times. Use data intelligently to meet both compliance and experience expectations.”
5. Building a Defensible Risk Model
A recurring theme was the need for explainable, auditable risk models.
De Highden cautioned that many organisations still treat risk models as static scoring tools:
“It’s not just a number anymore. You need to know what data feeds your model, why those attributes matter, and how the model evolves.”
Moller added that entities often fail to link recent incidents, such as suspicious matter reports, back into their core risk assessment:
“If your risk assessment doesn’t reflect what you’re actually seeing, you’re missing the point. Use those insights to refine your understanding.”
This ongoing feedback loop, from operational events back into governance frameworks, is what transforms compliance from reactive to proactive.
6. Practical Steps: Where to Begin
For regulated entities just starting their uplift, Ronald Daliya offered pragmatic guidance:
- Start with a plan - even if it’s imperfect. “It doesn’t matter if you have to change it later,” he said. “You need leadership buy-in early.”
- Map your stakeholders. Compliance isn’t siloed. It touches product, customer, legal, and data teams.
- Prioritise data integrity. “Accuracy and completeness of customer data are the foundation,” De Highden noted.
- Embed sustainability. Compliance should be operationalised, not treated as a one-off project.
- Address privacy and consent early. Moller highlighted that terms, conditions, and customer consent for data sharing will be critical enablers and potential blockers if left too late.
“31 March isn’t the end,” Moller concluded. “It’s the end of the beginning. The moment for action is now.”
7. The Broader Perspective: Collaboration, Technology, and Team Australia
As the discussion closed, the panel reflected on the broader purpose behind AML reform: not just compliance, but harm prevention and national security.
“This is about Team Australia,” Lynch said. “The goal isn’t box-ticking — it’s generating intelligence that helps keep bad actors out of the system.”
Moller agreed, pointing to the opportunity for greater collaboration between regulated sectors and smarter data sharing frameworks.
“If we can work together - sharing intelligence, automating friction points, and modernising systems - we can achieve both compliance and resilience.”
Key Takeaways
- Static, periodic reviews are no longer compliant.
- Regulators expect event-driven, real-time monitoring tied to ongoing risk triggers.
- Risk models must be documented, explainable, and defensible.
- Automation and integration are essential for scalability.
- Success depends on balancing compliance, efficiency, and customer experience.
Watch the Full Webinar
Hear the full conversation with Jeremy Moller, Celeste De Highden, and Ronald Daliya and learn how AML reform is reshaping the compliance landscape in Australia.