When Should you Conduct an Out-of-Cycle AML/CTF Independent Review

Introduction

Reporting entities have an ongoing obligation to ensure their anti-money laundering and counter-terrorism financing (AML/CTF) program is subject to a regular independent review. This process is a critical component of compliance, verifying that an organisation’s risk assessment, policies, and procedures effectively mitigate money laundering and terrorism financing (ML/TF) risks.

The frequency of an independent review is not based on a fixed schedule but on a risk-based approach, which may require a review outside the regular cycle. This article explains the key triggers for an out-of-cycle review, helping reporting entities understand when to conduct one to maintain compliance in response to significant operational or risk-profile changes.

Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.

Understanding AML/CTF Independent Reviews

Legal Mandate for Regular AML/CTF Independent Reviews

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), reporting entities are required to adopt and maintain an AML/CTF program. Section 82 of the AML/CTF Act (Cth) specifies that reporting entities must comply with Part A of their program.

Rule 8.6.1 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) mandates that Part A of a standard AML/CTF program must be subject to a regular independent review.

Further, reporting entities that are part of a designated business group may adopt a joint AML/CTF program. Similar to standard programs, there is a legal obligation for this program to be independently reviewed. Furthermore, this requirement is established under Section 85(2)(c) of the AML/CTF Act (Cth) and detailed in Part 9.6 of the AML/CTF Rules (Cth).

Rule 9.6.1 of the AML/CTF Rules (Cth) states that Part A of a joint program must undergo a regular independent review. The objectives of this review mirror those for a standard program but are applied to each member of the designated business group.

Purpose of AML/CTF Independent Reviews

The purpose of this review is to assess several key areas of compliance and effectiveness, as follows:

• Effectiveness: The review assesses whether Part A of the program is effective in identifying, mitigating, and managing the ML/TF risk the reporting entity faces.
• Compliance with Rules: It verifies that the program complies with the requirements set out in the AML/CTF Rules (Cth).
• Implementation: The review checks that the policies and procedures outlined in the program have been effectively implemented across the organisation.
• Adherence: It assesses whether the reporting entity has complied with its own Part A program in practice.

The person conducting the review can be an internal or external party; however, Rule 8.6.3 requires that they were not involved in the design, implementation, or maintenance of the program. Following the review, Rule 8.6.6 requires that the results and any report are provided to the organisation’s senior management and governing board.

What Is an Out-of-Cycle AML/CTF Independent Review

An out-of-cycle or triggered independent review is an unscheduled, objective evaluation of a reporting entity’s Part A program, a critical component of overall AML/CTF compliance. Also known as an event-driven review, it is not part of a regular compliance schedule. Instead, it is initiated in direct response to specific circumstances.

This type of independent review is a practical application of a risk-based approach. It is conducted when there are specific events within the organisation, including:

• significant operational changes;
• newly identified risks; or
• compliance failures.

The purpose is to ensure the AML/CTF program remains effective and compliant in managing ML/TF risk, particularly between regularly scheduled reviews. Furthermore, while reporting entities have an ongoing obligation to have their programs independently reviewed on a regular basis, an out-of-cycle review functions as a specialised assessment to address immediate concerns. It allows a business to verify that its policies and procedures are still appropriate following a material change, rather than waiting for the next scheduled review.

Key Triggers for an Out-of-Cycle Independent Review

Material Change in ML/TF Risk Profile

A significant shift in your organisation’s ML/TF risk profile is a primary trigger for an out-of-cycle independent review. Under Rules 8.6.2 and 9.6.2 of the AML/CTF Rules (Cth), the frequency of a review is tied to your business’s specific risk level. Therefore, any material change to that risk warrants a fresh assessment.

Events that can alter your risk profile include:

• New Customer Types: Onboarding different types of customers may introduce new and unforeseen risks to your organisation.
• High-Risk Jurisdictions: Starting to provide services to customers with connections to high-risk foreign jurisdictions can increase your exposure.
• Emerging Risks: New financial crime methods or typologies may emerge that your current AML program does not adequately address.

New Designated Services, Products, or Delivery Channels

Introducing new designated services, products, or methods of delivery is another key trigger for an independent review. Under Section 81 of the AML/CTF Act (Cth), a reporting entity must have an effective AML/CTF program in place before offering a designated service. An out-of-cycle review helps verify that your existing policies and procedures are sufficient to manage the risks associated with these new offerings.

For example, launching a new digital platform for customer onboarding or offering a new type of financial product changes the nature of your business. A review is necessary to assess whether your risk assessment and controls, such as customer due diligence and transaction monitoring, are still effective for the expanded business model.

Significant Business Growth or Operational Complexity

Major structural or operational changes can significantly impact the complexity of your business and its risk profile, justifying an out-of-cycle independent review. The frequency of reviews is linked to the nature, size, and complexity of your business under Rule 8.6.2 of the AML/CTF Rules (Cth).

Triggers in this category include:

• Mergers and Acquisitions: A merger or acquisition introduces new systems, customer bases, and potentially different risk appetites that must be assessed.
• Rapid Growth: A sudden increase in the volume or number of transactions can strain existing compliance controls and processes.
• Outsourcing Arrangements: If you begin outsourcing certain compliance obligations to a third party, a review is needed to ensure those functions are being performed correctly and in line with your program.

Further, significant changes to your organisation’s governance structure or leadership can also be a trigger for an out-of-cycle review.

Identification of Compliance Failures or Control Breakdowns

Discovering internal compliance failures is a critical trigger for conducting an independent review. Under Section 82 of the AML/CTF Act (Cth), reporting entities have an ongoing obligation to comply with Part A of their program. A breakdown indicates that the program may not be operating effectively in practice.

An out-of-cycle review is warranted if your organisation identifies issues such as gaps in customer due diligence (CDD), failures in transaction monitoring, or missed reporting obligations. The purpose of the review, as outlined in Rule 8.6.5 of the AML/CTF Rules (Cth), is to assess the program’s effectiveness and implementation, making it an essential tool for diagnosing and rectifying such failures.

Adverse Findings from a Previous Review

If a previous independent review identified significant deficiencies in your AML/CTF program, it may be necessary to conduct a follow-up review sooner than scheduled. This allows your organisation to verify that the remedial actions taken have been effective in addressing the identified weaknesses.

Furthermore, the review can confirm whether previously identified issues have been resolved and that the implemented changes are working as intended. This provides assurance to senior management and the board, who must receive the review report under Rule 8.6.6 of the AML/CTF Rules (Cth), that the organisation’s compliance posture has improved.

Increased AUSTRAC Engagement or Industry Enforcement

Heightened scrutiny from AUSTRAC or broader enforcement action within your industry can signal the need for a proactive independent review. Receiving a formal notice or query from the regulator is a direct indicator that your compliance framework may require assessment.

Additionally, if competitors in your sector are subject to public enforcement action, it may highlight systemic risks relevant to your own business. Conducting an independent review allows you to assess your program’s robustness against these emerging regulatory expectations and demonstrate proactive compliance management.

How to Embed Trigger-Based Independent Reviews Into AML Governance Framework

To effectively manage ML/TF risk, reporting entities should integrate trigger-based independent reviews into their formal AML governance framework. Practical steps to embed this process into your governance include:

• Formalise Trigger Events: Your AML/CTF program or associated governance documents should clearly define the specific events that will prompt an assessment for an out-of-cycle review. These triggers could include:
  • launching new designated services;
  • significant compliance failures; or
  • receiving a formal notice from AUSTRAC.
• Assign Monitoring Responsibility: Designate a specific role, typically the AML/CTF Compliance Officer, with the responsibility for monitoring and identifying when a trigger event occurs. As a result, this ensures clear accountability within the organisation.
• Establish Escalation Pathways: Create a formal process for the AML/CTF Compliance Officer to report and escalate material triggers to senior management and the governing board. This allows for timely and informed decision-making about whether to conduct an independent review.
• Document All Decisions: It is important to document the assessment and decision-making process whenever a trigger event is identified. This includes recording the rationale for either proceeding with a review or determining that one is not necessary at that time.
• Report Review Outcomes: In line with Rule 8.6.6 of the AML/CTF Rules (Cth), the results of any independent review, along with any prepared report, must be provided to senior management and the board. Therefore, this final step ensures that the organisation’s leadership is aware of the program’s effectiveness and any required improvements.

Common Mistakes Reporting Entities Make with AML/CTF Independent Reviews

A frequent error many reporting entities make is treating the independent review schedule as a fixed calendar-based task, such as conducting one every two or three years. This approach fails to comply with the risk-based obligation set out in the AML/CTF Rules (Cth). Under Rule 8.6.2, the frequency of an independent review must be determined by several factors, as follows:

• Business characteristics: The nature, size, and complexity of the business; and
• Specific risks: Its specific money laundering and terrorism financing risk.

As a result, adhering to a rigid timeline without considering significant changes to the organisation’s risk profile can lead to compliance gaps.

Furthermore, another common mistake is the failure to properly escalate the findings of an independent review. Rule 8.6.6 of the AML/CTF Rules (Cth) explicitly requires that the results of the review, including any prepared report, must be provided to the reporting entity’s senior management and governing board. Ultimately, this step is a critical part of AML/CTF governance, ensuring that leadership has oversight of the program’s effectiveness and can address any identified deficiencies.

Conclusion

Reporting entities have an ongoing obligation to ensure their anti-money laundering and counter-terrorism financing program is independently reviewed, with the frequency dictated by a risk-based approach under the AML/CTF Rules (Cth). An out-of-cycle independent review is therefore essential when material changes to your organisation’s risk profile or operations occur, ensuring your compliance framework remains effective.

To ensure your organisation effectively meets its obligations and correctly identifies triggers for an out-of-cycle review, contact Click Legal’s independent review lawyers for expert guidance. Our team provides thorough and independent assessments of anti-money laundering programs to verify compliance and effectiveness, giving you confidence in your ongoing risk management framework.

Frequently Asked Questions