From 1 July, every firm providing a designated service has to risk-assess its clients for money laundering and counter-terrorism financing. Almost everyone I spoke to assumed that meant one more thing to send: a form running to something like sixty-five questions for clients to fill out, chase, and get wrong. At The Firm's AI in Practice Summit on 2 June 2026, Vinyl's Trent McLaren and I put a faster option on the table. Capture the same information in a recorded onboarding call, then let AI generate the risk assessment from the transcript in roughly ninety seconds. If you prefer to watch the session in full, the recording is here.

The purpose of the risk assessment was never the form. It's the outcome. You're establishing what risk a client poses: what the business does, where its funds come from, who the beneficial owners are, and what its suppliers look like.

Capture it in the conversation, not on a form

As tranche two approached, I watched the industry converge on a single answer: build a questionnaire and send it. With more than two thousand firms using Annature for ID verification, I already knew how that would land. Getting clients through the ID process alone had been a big enough shift, and another form to send and chase would be one hoop too many. So instead of asking what a risk assessment is, I called Trent and we asked what it's for, then worked back from there.

Most of what you need surfaces naturally in a discovery or onboarding conversation. When you sit down with a new client, face to face or over Zoom, you're already getting to know the business and how it runs. The gap between a good discovery call and a completed risk assessment is smaller than it looks, because the questions you'd put on a form are largely the ones you'd ask anyway. If someone wanted to learn about my business, I'd far rather get on a call and talk it through than sit answering forty questions in a Word document.

So capture them in the meeting. Record the conversation, ask the bulk of the AUSTRAC questions live, and let the transcript hold the answers. Whatever the meeting misses becomes the short list you chase afterwards.

Do the ID check first

The sequencing matters: the ID check comes before the discovery call.

An ID check now extends beyond citing a document. It screens against sanctions lists and checks whether the person is politically exposed or has been convicted of financial crime. Run it after a clean thirty-minute discovery call and you risk finding the problem too late. Run it first and the result either steers the questions you ask or, in some cases, tells you not to take the client at all.

How AI turns the transcript into an assessment

Once the meeting is done, the transcript becomes the raw material. I dropped a prompt into Vinyl's AI chat, which works across your recorded transcripts, and it generated the risk assessment straight from the conversation. The report opens with a recommended risk rating, explains why, cites the evidence covered in the meeting, and flags anything not discussed as still to be completed. A follow-up email requesting the missing information drafts moments later. The same prompt runs just as well in Claude, ChatGPT or Copilot.

Start to finish, I recorded a meeting, gave it a prompt, and had a risk assessment inside ninety seconds, with an email twenty seconds later setting out what I still needed.

From there the workflow follows familiar compliance lines. Low-risk clients go into ongoing monitoring with a review of around every three years; high-risk clients trigger enhanced due diligence and senior manager approval. The assessment, the program, the review schedule and the staff training records then need somewhere to live, and that's the part we're building out at Annature, synced to Xero Practice Manager so each client's status shows at a glance.

The bigger idea: AI working across layers of context

The most useful idea in the session went past any single feature: how to think about AI's role.

The value isn't a clever risk-assessment generator. It's letting AI work across several layers of context at once: the meeting, the documents, the questions you needed to ask, and the structured output you need at the end. Messy, unstructured input becomes structured information faster. It's the same logic behind the AI that has already been through my inbox by the time I wake up, and the reach only grows as it pulls in emails and files from Dropbox and SharePoint.

I'll be candid about one thing. The AUSTRAC starter kit runs to around forty-six pages and carries a great deal that has little to do with accounting firms. An entire section covers cash payments over ten thousand dollars, and I've never spoken to an accountant who has received one. A useful program is contextualised to the services a firm actually provides, not padded with registers nobody will open.

What firms should take away

The risk assessment arrives on 1 July. The form is optional. For firms that already run discovery and onboarding calls, the lower-friction path is to capture the assessment in conversation and let AI structure it afterwards. And given the time it takes to do properly, I'd charge for it, or build it into your pricing.

We're running a dedicated AML webinar the following week. And I'll be honest about the limits: if AI-generated assessments don't work in practice, we'll build a questionnaire instead.

You can watch this session, along with every other session from the summit and the key takeaways, at thefirm.media/summit.

More like this