The requirement to assign and record a customer-specific risk rating has been in force since 1 June 2025. Yet for many reporting entities, this change has not been fully embedded into day-to-day AML/CFT processes.
Our recent webinar with DIA’s Rocky Yuen sparked a lot of “wait… are we meant to be doing that already?” moments. It’s clear that although the rule has been in place for several months, many programmes, templates, and training materials still need updating.
This is especially important because several reforms under the Statutes Amendment Act 2024 are already in effect. These include the removal of address verification for standard CDD and updated reporting timeframes. Together, these shifts mean most entities need to review how their AML/CFT procedures align with both the new risk rating rule and the wider legislative changes.
What the DIA is seeing across the sector
During the webinar, Rocky was very open about the common issues DIA continues to find when reviewing reporting entities. These included:
- New customers being onboarded without a documented risk rating.
- Reliance on system-generated ratings without understanding how they were produced.
- Risk ratings that do not match the level of CDD applied.
- Risk ratings that never change even when customer behaviour changes.
Heading into 2026, DIA expects reporting entities to be able to explain how their risk-rating method works, how it links back to their Section 58 risk assessment, and how it influences real AML/CFT decisions.
A couple of practical pointers
If your risk-rating process still needs refining, focus on these two steps first.
1. Make sure your risk factors reflect your business.
The DIA expects your methodology to match your products, delivery channels, customer types, and jurisdictions. If you cannot clearly explain why a customer is low, medium, or high risk, your criteria probably need tightening.
2. Update risk ratings through ongoing monitoring.
Risk ratings are not a one-off onboarding task. If a customer’s behaviour changes, their rating should change too. This is one of the most common gaps DIA is observing.
Both steps make your programme more defensible and help demonstrate a genuine risk-based approach.
What else has changed
Because parts of the Statutes Amendment Act 2024 are already in force, reporting entities should also have updated procedures that reflect:
- No requirement to verify addresses for standard CDD.
- Extended timeframes for prescribed transaction reporting.
- Updated SAR requirements for law firms.
More reforms are progressing into 2026, including changes to PEP checks, ECDD for trusts, and the use of simplified CDD where risks are low.
Want the full guidance and examples?
We are converting the full webinar into a RADAR CPD module, which will be released in early 2026.
This new module will include:
• Clear explanations from the DIA on what they expect to see in practice.
• Real examples of where reporting entities are going wrong.
• Guidance on how to build a defensible, business-appropriate risk-rating method.
• The updates you should already have made to reflect the legislation now in force.
• What to focus on as we move through 2026 and further reforms take effect.
If you want confidence that your AML/CFT approach would stand up to DIA review, this is a module worth completing.