Introduction
A regular independent review of Part A of an anti-money laundering and counter-terrorism financing (AML/CTF) program is a core obligation for Australian reporting entities under Rule 8.6 / Rule 9.6 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth) (AML/CTF Rules 2007). However, the effectiveness of these risk management frameworks, which include crucial systems and controls, hinges directly on the quality of customer due diligence information gathered under Part B.
This creates a significant challenge for reporting entities: how to gain real assurance without allowing the review’s scope and cost to become unmanageable. This guide provides a practical framework for compliance officers and senior management on when and how to integrate targeted Part B testing. The goal is to ensure that the independent review effectively validates the ability of your policies and procedures to mitigate and manage money laundering or terrorism financing (ML/TF) risk.
Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.
Why Part B Testing Is Unavoidable in Your Independent Review
Part A Controls Depend on Part B Data Quality
The effectiveness of Part A of your AML/CTF program is fundamentally reliant on the quality of customer data collected under Part B.
Consequently, key Part A functions cannot operate effectively without accurate and complete information gathered during the initial customer onboarding process, including:
- Ongoing customer due diligence (OCDD).
- Transaction monitoring systems.
- Enhanced customer due diligence (ECDD).
Furthermore, if customer identification procedures are not conducted correctly, it can severely impact your ability to mitigate and manage ML/TF risks.
This dependency means that errors made during the initial Know Your Customer (KYC) process can undermine your entire compliance framework.
For instance, consider a scenario where a bank fails to identify all directors of a new company account, which could lead to the following consequences:
- Transaction monitoring systems in Part A may fail to link suspicious activity in the company account to a high-risk director’s personal account.
- The failure to connect these accounts prevents the bank from forming a complete picture of the potential risk.
- This ultimately results in a failure to provide valuable financial intelligence to the Australian Transaction Reports and Analysis Centre (AUSTRAC) and law enforcement agencies.
While the AML/CTF Rules 2007 (Cth) do not strictly mandate a review of Part B, there is a growing regulatory expectation and industry best practice that a review must validate the practical implementation of controls, not just their design.
Regulatory Shift to Outcomes-Focused Framework
The Australian regulatory landscape is shifting from a prescriptive, rule-based regime to an outcomes-focused framework. This change requires reporting entities to demonstrate that their AML/CTF systems and controls are not just well-designed on paper, but are genuinely effective in practice.
As a result, a simple review of policies and procedures alone is no longer sufficient to meet this standard. This move away from a “checklist approach” means reporting entities must use their judgment to tailor customer due diligence efforts to the specific risks each customer presents.
Under this outcomes-based model, you must be able to prove that your compliance program works in the real world.
Therefore, testing the implementation of your Part B KYC procedures provides concrete evidence that your Part A controls are functioning as intended and achieving the required compliance outcomes.
The 2026 AML/CTF reforms further solidify this focus on effectiveness.
When Should Part B Testing be Included in an Independent Review
Trigger 1: Material Reliance on Onboarding Data in Part A Controls
Your Part A controls, such as OCDD and transaction monitoring programs, are fundamentally dependent on the quality of the customer data collected under Part B. Consequently, if your systems and controls for identifying suspicious activity rely on automated risk scoring or transaction rules, the accuracy of the initial KYC information is essential for these controls to function effectively.
An independent review should include Part B testing when there is a material reliance on this onboarding data. For instance, if incorrect customer information is captured during the applicable customer identification procedures (ACIP), it can undermine the entire compliance framework.
Specifically, this failure can prevent your transaction monitoring system from functioning correctly by:
- Failing to identify high-risk patterns correctly.
- Losing the capability of linking related accounts.
- Thereby failing to mitigate and manage ML/TF risks.
Trigger 2: Recent Changes to Customer Due Diligence or KYC Frameworks
A significant change within your business is a clear trigger for incorporating Part B testing into your next independent review. Ultimately, such changes can introduce new vulnerabilities or operational gaps in your AML/CTF program.
Key changes that should prompt Part B testing include:
- Implementing new technology: Adopting new systems for customer onboarding or verification requires testing to ensure they are integrated correctly and function as intended.
- Offering new services: Introducing new products or designated services may alter your ML/TF risk assessment and require updated customer due diligence procedures that need validation.
- Entering new jurisdictions: Expanding services to customers in different geographical locations introduces new risks that your existing KYC framework may not be equipped to handle.
- Updating policies and procedures: Any significant update to your Part B policies requires a practical test to confirm that staff understand and are implementing the new procedures correctly.
Trigger 3: Prior Deficiencies or Regulator Scrutiny
Previous compliance issues or heightened attention from AUSTRAC serve as strong indicators that Part B testing is necessary, as the consequences for failing to comply with AML/CTF laws can be severe. Therefore, if a prior independent review identified weaknesses in your KYC processes, a follow-up test is crucial to verify that you have effectively implemented the recommended corrective actions.
Furthermore, if AUSTRAC issues guidance specific to your industry or takes enforcement action against competitors for KYC-related failings, it signals an area of regulatory focus.
Proactively testing your Part B controls in response provides key benefits, such as:
- Allowing you to identify and address similar potential deficiencies in your systems and controls before they attract regulatory scrutiny.
- Demonstrating to senior management and the board that the business is actively managing its legal obligations.
Best Practices to Test Part B Without Expanding Scope
Test for Effectiveness & Not Completeness
When including Part B in an independent review, the primary goal is to assess the effectiveness of your KYC processes, rather than re-performing them exhaustively. The focus is on determining whether the outcomes of your customer due diligence support the overall integrity of Part A of your AML/CTF program.
This approach tests how effectively your Part A obligations have been implemented in practice by moving beyond a simple check for missing documents. Instead, it evaluates whether your systems and controls are genuinely effective at:
- Identifying your ML/TF risks.
- Appropriately mitigating and managing those identified risks.
Use Risk-Based Sampling & Not Volume-Based Sampling
A strategic sampling method is essential to keep the review focused and efficient. Therefore, instead of reviewing a large, random volume of customer files, a risk-based approach targets areas where compliance failures are more likely to occur and would have a greater impact.
This involves selecting a sample that concentrates on specific high-risk categories, such as:
- Customers that your business has assessed as posing a high ML/TF risk.
- Clients with complex ownership structures or those connected to high-risk jurisdictions.
- Accounts where ECDD has been applied.
Focus on Decision Points & Not Just Data Points
An effective review should test the quality of risk-based judgments made during the customer lifecycle, rather than just verifying the presence of data points or documents. This aligns with the shift towards an outcomes-based framework, where reporting entities must demonstrate the rationale behind their compliance decisions.
To achieve this, the reviewer should assess key decision points to determine if they were appropriate and well-documented. For example, the review could examine specific scenarios, including:
- Whether the initial risk rating assigned to a customer was justified by the information collected.
- If ECDD was triggered correctly in response to high-risk indicators.
Align Testing to Part A Dependencies
To ensure Part B testing remains relevant and anchored to the primary scope of the review, each test should be directly mapped to a Part A dependency. Because failures in customer identification can significantly undermine downstream controls, testing must focus on the quality of KYC data that informs these critical functions.
For instance, testing can verify and assess several key dependencies, such as:
- If the information collected during onboarding is sufficient and accurate enough to support your transaction monitoring program.
- Whether the identification of beneficial owners is robust enough to inform suspicious matter reporting and ECDD effectively.
Include Personnel Interviews in Addition to File Testing
Relying solely on a review of customer files can provide an incomplete picture of your compliance practices. To counter this, incorporating walkthroughs and interviews with key personnel offers deeper insight into how your AML/CTF program is implemented on a day-to-day basis.
By speaking with your AML/CTF compliance officer, senior management, and other relevant staff, a reviewer can understand the practical application of your customer onboarding and ongoing monitoring procedures. Ultimately, this method reduces over-reliance on document review alone by verifying that the processes described in your written program are the same as those being followed in practice across:
- The execution of your customer onboarding workflows.
- The consistency of your ongoing monitoring procedures.
Explicitly Identify Scope of the Review
To prevent the scope from expanding and to manage expectations, it is crucial to explicitly define the boundaries of Part B testing before the independent review begins. This involves creating a clear and documented methodology that outlines the objectives and limits of the testing.
The defined scope should be included in the review plan and final report, detailing essential elements such as:
- The specific objectives of the Part B testing.
- The methodology used to select the sample.
- The size of the sample and the types of customers included.
Common Findings When Part B Is Tested Alongside Part A
The “All Customers Are Low or Medium Risk” Problem
A frequent finding during an independent review is the application of a blanket “low” or “medium” ML/TF risk rating to all customers. This often occurs when reporting entities decide their business is generally low-risk, failing to conduct a genuine risk assessment for each individual client.
This approach is contrary to the AML/CTF laws, which require you to assess the specific risk posed by each customer. As a result, this creates issues such as:
- Failing to identify customers who should be subject to enhanced customer due diligence.
- Creating a significant gap in your compliance framework.
Incomplete Identification of Control Persons
Testing of Part B procedures often reveals a failure to correctly identify all beneficial owners or other control persons for non-individual customers. This is a critical gap in KYC processes that can undermine your entire anti-money laundering and counter-terrorism financing program.
For instance, an error during the ACIP, such as missing one of three company directors when opening an account, can have significant consequences. This failure can impact your business by:
- Preventing your transaction monitoring systems from linking suspicious activity to high-risk individuals.
- Weakening your ability to mitigate and manage money laundering and terrorism financing risks.
Over-reliance on Third-Party KYC Tools Without Oversight
While reporting entities are permitted to outsource KYC functions to third-party vendors, a common issue is an over-reliance on these tools without adequate internal oversight. Your business remains ultimately responsible for AML/CTF compliance, even when using external service providers.
An independent review may find that there are no proper management oversight procedures to ensure the outsourced services are being delivered correctly and in accordance with your AML/CTF Program. Without this oversight, you face consequences such as:
- Not being satisfied that your legal obligations are being met.
- Exposing your business to significant compliance risk.
Weak Documentation of AML/CTF Risk Rationale
A recurring issue is the weak documentation of the rationale behind risk-based decisions made during the customer due diligence process. Even if appropriate risk assessments are conducted, they are often not recorded in sufficient detail.
This lack of documentation makes it impossible to demonstrate your compliance reasoning to an independent reviewer or to AUSTRAC. Detailed records must be kept for various elements, including:
- The specific identification steps taken.
- The risk assessments conducted for each customer.
- The justification for applying simplified or enhanced due diligence.
Why This Approach Matters More Under the 2026 Reforms
Broader Customer Due Diligence Obligations Increase Failure Points
The 2026 AML/CTF reforms have expanded customer due diligence obligations for all Australian reporting entities. The framework has shifted from a prescriptive, checklist-style approach to a more flexible, outcomes-focused model that demands greater judgment from:
- Your designated compliance officer.
- Your senior management team.
This new regime has introduced more complexity, requiring reporting entities to maintain a deeper understanding of the nature and purpose of customer relationships alongside continuous risk assessment.
Furthermore, the reforms have done away with the Part A and Part B separation, meaning the AML/CTF program now operates as a single framework rather than divided components.
As a result, the number of potential failure points within your policies and procedures has increased, making it more critical than ever to test that your systems and controls are effectively implemented.
Technology-Driven Onboarding Increases Hidden Risks
While technology and third-party tools are essential for efficient customer onboarding, they can also introduce hidden risks if not properly managed. Many reporting entities outsource their KYC checks to external providers, but your business remains ultimately responsible for meeting its legal obligations under the AML/CTF laws.
An independent review can identify an over-reliance on automated systems without adequate internal oversight. Under the reformed regime, this matters across the AML/CTF program as a whole, rather than just a separated Part A framework.
Without a robust process to validate these tools, your business is exposed to significant compliance risk that may go undetected until a failure occurs, particularly if the tools are not:
- Functioning correctly on a technical level.
- Operating in accordance with your specific AML/CTF program.
Regulators Shift Focus to Outcomes
The 2026 AML/CTF reforms have solidified the regulatory shift towards demonstrable effectiveness, meaning AUSTRAC is now more focused on whether your systems and controls work in practice. A well-designed program on paper is no longer sufficient, as reporting entities must be able to prove that their compliance framework is achieving its intended outcomes in:
- Mitigating money laundering risks.
- Managing terrorism financing vulnerabilities.
That is also why independent evaluation now carries broader significance: your policies must provide for an independent evaluation of your entire AML/CTF program, rather than a narrower review tied to the old Part A and Part B structure.
Conclusion
Strategically testing your Part B customer due diligence procedures is essential for a meaningful independent review, providing true assurance that your Part A controls are effective in practice. This targeted approach not only validates your ability to mitigate and manage money laundering and terrorism financing risks but also prepares your business for the outcomes-focused 2026 reforms.
To ensure your AML/CTF program meets its legal obligations and is prepared for future changes, contact Click Legal’s experienced AML/CTF lawyers for a comprehensive AML/CTF independent review. Our team provides specialised guidance on structuring your next review to ensure your compliance framework remains robust and fully aligned with regulatory expectations.





























