AML Independent Review for Joint and Standard AML/CTF Programs: A Comparative Guide

Introduction

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), reporting entities are required to adopt and maintain an anti-money laundering and counter-terrorism financing (AML/CTF) program. A critical component of this obligation, outlined in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules), is that Part A of the program must be subject to a regular independent review to manage financial crime risks.

The specific obligations for an AML independent review vary depending on whether an organisation operates as a single reporting entity or as part of a designated business group (DGB) with a joint program. This article explains the key differences in the AML independent review process for both structures. It covers the distinct legal requirements for scope, frequency, and reporting to assist reporting entities and their senior management in ensuring AML/CTF compliance.

Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.

Legal Framework for Standard & Joint AML/CTF Programs

Standard AML/CTF Programs

Under Section 81 of the AML/CTF Act (Cth), a reporting entity must adopt and maintain an AML/CTF program. A standard AML/CTF program is a written document that applies to a single, particular reporting entity. Furthermore, this type of program is tailored specifically to the money laundering and terrorism financing (ML/TF) risk that the individual business may reasonably face.

As outlined in Section 84 of the AML/CTF Act (Cth), a standard program is divided into two main parts, as follows:

• Part A (General): This section’s primary purpose is to identify, mitigate, and manage the organisation’s specific ML/TF risk, and it must contain the policies and procedures for governance, risk assessment, and compliance for that single entity; and
• Part B (Customer Identification): This part sets out the applicable customer identification and verification procedures that the reporting entity uses for its customers.

Ultimately, the entire framework is designed to ensure the program’s controls, risk assessment, and governance are specific to one reporting entity.

Joint AML/CTF Programs for Designated Business Groups

For reporting entities that are part of a DBG, Section 85 of the AML/CTF Act (Cth) allows for the adoption of a joint AML/CTF program. This is a single written program that applies to every reporting entity within the group. As a result, it allows multiple related businesses to operate under a unified compliance framework.

Similar to a standard program, a joint AML/CTF program is divided into Part A and Part B. However, its application is broader. Specifically, the primary purpose of Part A of a joint program is to identify, mitigate, and manage the ML/TF risk that each reporting entity within the DBG may reasonably face.

This group-level structure means the program must address the collective risks of the entire DBG while also being effectively implemented by each member. In addition, according to the AML/CTF Rules (Cth), the independent review of a joint program must assess its effectiveness with regard to the ML/TF risk of each reporting entity in the group.

A Comparison of AML Independent Review Obligations

Core Obligation to Conduct an AML Independent Review

The legal foundation for conducting an AML independent review is consistent for all reporting entities, regardless of their structure. Under the AML/CTF Rules, both standard and joint AML/CTF programs share a core requirement.

Specifically, the rules mandate regular independent reviews for Part A of these programs as follows:

• Standard programs: Rule 8.6.1 specifies that Part A must be subject to regular independent review; and
• Joint programs: Rule 9.6.1 mandates the same requirement for Part A.

Ultimately, this establishes an identical baseline obligation for a single reporting entity and for each member of a DBG.

Frequency of AML Independent Review

The timing of an independent review is determined by risk. The AML/CTF Rules (Cth) require the frequency to be based on specific factors for both program types, including:

• Business characteristics: the nature, size, and complexity of the business; and
• Risk exposure: the type and level of ML/TF risk the business might face.

While the criteria are the same, their application differs for a joint program. Under Rule 9.6.2, the assessment must consider these factors for each reporting entity within the DBG.

As a result, the review frequency for a joint program is based on the collective risk profile of the group, which may be more complex than that of a single organisation. Furthermore, high-risk organisations should arrange for an AML/CTF independent review every two to three years.

Independence Requirement for the Reviewer

A reviewer must be independent from the functions and measures being assessed. This requirement applies whether the reviewer is an internal employee or an external consultant.

According to Rules 8.6.3 and 9.6.3 of the AML/CTF Rules (Cth), an AML independent reviewer must not have been involved in key activities, such as:

• Program management: the design, implementation, or maintenance of the Part A program; or
• Risk and control development: the development of the business’s ML/TF risk assessment or related internal controls.

For a joint program, however, the independence test is broader. The reviewer’s independence is assessed against the entire group-level program and the risk assessments of all reporting entities within the DBG, not just one.

Scope of the AML Independent Review

The prescribed scope of an AML independent review is worded identically for both standard and joint programs in the AML/CTF Rules (Cth). The purpose of the review is to provide an impartial assessment of several key areas.

Under Rules 8.6.5 and 9.6.5, the review must assess the following:

• Program effectiveness: the effectiveness of the Part A program in light of the entity’s ML/TF risk;
• Regulatory compliance: whether the Part A program complies with the AML/CTF Rules (Cth);
• Implementation: if the Part A program has been implemented effectively; and
• Internal adherence: whether the reporting entity has complied with its own Part A program.

By contrast, for a joint program, the practical scope is significantly wider. The review must test the effectiveness and implementation of shared, group-level policies and procedures across each individual reporting entity in the DBG.

Understanding Reporting Obligations

A critical difference between the two program types lies in the final reporting stage of the independent review. Therefore, the obligations for distributing the review findings are distinct for single entities and DBG.

The AML/CTF Rules (Cth) outlines these distribution requirements as follows:

• Standard programs: under Rule 8.6.6, the results of a review must be provided to the senior management and governing board of that single reporting entity; and
• Joint programs: under Rule 9.6.6, the review report must be provided to the senior management and governing board of each reporting entity within the DBG.

Key Differences in Independent Review for Joint & Standard Programs

Scope Complexity in Single v Multi-Entity Systems

An AML independent review of a joint AML/CTF program is inherently more complex than one for a single entity. A standard program operates within one business, meaning the reviewer tests a consistent set of controls in a single operational environment.

In contrast, a joint program for a DBG involves a shared framework applied across multiple reporting entities. Therefore, the independent reviewer must test this framework’s effectiveness in each distinct operational setting.

This requires a broader and more intricate scope to ensure the program is working effectively for every member of the group, as these distinct settings may involve different factors, including:

• Systems: varying technological infrastructures across the group;
• Customer bases: distinct client profiles and associated risks; and
• Service delivery methods: diverse ways of providing products or services.

Risk Assessment for Entity Risk v Group Entity Risk

A standard program’s AML/CTF independent review focuses on how well the business has identified and managed its own specific ML/TF risks. Ultimately, the risk assessment is confined to that single reporting entity’s activities.

However, for a joint program, the review must assess risk on two levels. According to Rule 9.6.2 of the AML/CTF Rules (Cth), the review must consider the risks faced by each reporting entity.

Therefore, the reviewer’s obligations are as follows:

• Evaluate group-level risk: assess the overarching ML/TF risk assessment; and
• Verify local variations: ensure the assessment addresses the unique risk variations within each individual business in the DBG.

Control Design v Control Execution Across the Organisation

In a single-entity structure, the design and execution of AML/CTF controls typically occur within the same organisation. As a result, the independent review can test both the design of the policies and procedures and their practical implementation in a unified setting.

By contrast, a joint program often involves controls designed centrally by a group compliance function but implemented locally by different reporting entities. An AML independent review must therefore go beyond assessing the central design. Furthermore, it needs to test whether these controls are consistently and effectively executed across the entire DBG, accounting for any necessary and appropriate local adaptations.

Governance & Accountability Challenges in a DBG

For a single reporting entity, governance, and accountability for compliance are generally straightforward, with clear lines of responsibility leading to a compliance officer and senior management. Consequently, the AML/CTF independent review can easily trace ownership of risk decisions and compliance functions.

Within a DBG, assigning accountability can be more challenging. A compliance failure in one entity could stem from issues at the local level, weaknesses in the group program, or both.

Therefore, the AML independent review must carefully assess the governance framework to determine if roles and responsibilities are clearly defined and if there is effective oversight for the program across all reporting entities. This is reinforced by Rule 9.6.6 of the AML/CTF Rules (Cth), which requires the final report to be provided to the management of each entity in the group.

Sampling & Testing Methodology for Business Group

When conducting an AML independent review for a single business, the reviewer can draw a representative sample of transactions and customer files from that one entity to test its compliance. The methodology is contained and focused on a single set of operations.

For a joint program, however, this approach is insufficient. A sample taken from just one member of a DBG will not provide a reliable picture of the program’s effectiveness across the entire group.

Instead, the testing methodology must be designed to draw samples from multiple reporting entities. This ensures the findings are representative of the group’s overall risk profile and control environment.

Conclusion

The legal obligation to conduct a regular independent review of an anti-money laundering and counter-terrorism financing program applies to both single reporting entities and those in a DBG. While the rules are formally identical, the structural complexity of a joint program fundamentally changes how the review must be conducted to ensure compliance across every business in the group.

Navigating these requirements is essential for maintaining a compliant AML/CTF framework. For expert guidance on your independent review, contact Click Legal’s AML independent review lawyers today to ensure your program effectively manages your financial crime risks.

Frequently Asked Questions