How Often Should You Conduct an AML/CTF Independent Review in Australia

Introduction

Reporting entities are required to subject Part A of their anti-money laundering and counter-terrorism financing (AML/CTF) program, a core component of AML/CTF compliance, to a regular independent review. This obligation is established under Parts 8.6 and 9.6, where applicable, of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules). These rules do not prescribe a fixed schedule, creating a compliance challenge for businesses that must determine the timing of their reviews.

This article explains the legal standard for the frequency of independent review under the AML/CTF framework. It clarifies how to conduct an independent review at an appropriate interval based on a risk assessment, business changes, and other triggers, enabling compliance professionals to meet their statutory obligations.

Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.

Interactive Tool: Check Your AML/CTF Review Frequency & Compliance

Frequency of AML Independent Review under the AML/CTF Act

Rules 8.6.1 and 9.6.1 of the AML/CTF Rules (Cth) mandate that Part A of an AML/CTF program must be subject to a regular independent review.

This obligation is framed as an ongoing and periodic requirement, meaning it is not satisfied by a single, one-off review. Therefore, reporting entities must establish a recurring process to ensure compliance with this rule.

Meaning of “Regular” and Its Risk Assessment Implications

The term “regular” is not defined within the AML/CTF Rules (Cth). Instead of prescribing a fixed schedule, it requires a risk-based approach to determine the appropriate frequency of an independent review.

Under Rules 8.6.2 and 9.6.2 of the AML/CTF Rules (Cth), the frequency of the review must consider several key factors specific to the reporting entity, as follows:

• The nature, size, and complexity of the business operations; and
• The type and level of money laundering and terrorism financing (ML/TF) risk the business might face.

These factors make a risk assessment an essential part of determining what constitutes a “regular” interval for an AML independent review. Ultimately, this structure ensures that the compliance effort is proportionate to the specific risks of the entity.

Independent Review: What the Law Actually Requires

Annual Reviews are not Mandatory

A common misunderstanding is that reporting entities must conduct an AML independent review on a fixed annual schedule. However, no statutory provision within Parts 8.6 and 9.6 of the AML/CTF Rules (Cth) mandates yearly reviews.

Instead of prescribing a specific cycle for the frequency of independent reviews, the law clarifies the following:

• No set timeframes: There is no legal requirement for a review to occur every 12, 24, or 36 months.
• Risk-based approach: The obligation is framed around a risk-based assessment rather than a rigid timetable.

Relying on a Single Review or Pure Convenience

The statutory obligation under Rules 8.6.1 and 9.6.1 of the AML/CTF Rules (Cth) require that Part A of an AML/CTF program be subject to “regular independent review.” This establishes an ongoing duty, meaning a single review conducted once will not satisfy the legal requirement over the long term.

Furthermore, deciding on the frequency of an independent review based purely on convenience or budgetary constraints introduces compliance risk. While the Rules do not expressly prohibit considering these factors, the core purpose of the review must ultimately be met.

Under the AML/CTF Rules (Cth), a key purpose is to assess the effectiveness of the program in relation to the entity’s specific ML/TF risk. As a result, a schedule determined by convenience alone may fail to assess this effectiveness adequately, particularly if the business or its risk profile changes.

When a Fixed Review Cycle Creates Legal Risk

Vulnerability of Static Review Cycles

Relying on a static or fixed timetable to conduct an AML independent review, such as scheduling one every two years without exception, introduces significant compliance risk. The primary danger is that an AML/CTF program may become non-compliant during the interval between reviews.

Furthermore, a fixed cycle does not adapt to shifts in a business’s risk environment. This approach can fail to satisfy the legal standard that the frequency of an independent review must account for the specific nature, size, complexity, and ML/TF risk of the entity. Consequently, a program that was effective at the last review may no longer be adequate, leaving the business exposed to the consequences of non-compliance.

Rapid Business Change and Untested Known Deficiencies

A fixed review schedule is particularly hazardous for businesses undergoing rapid change. Sticking to a pre-determined date for the next independent review can be inadequate when the business experiences events such as:

• Entering new regulated activities, for instance, offering cryptocurrency exchange or remittance services;
• Onboarding new high-risk customer segments; or
• Introducing new products or designated services.

These changes can fundamentally alter a business’ AML/CTF risk assessment and render existing controls ineffective.

In addition, another significant risk arises when known deficiencies are left untested. If a prior independent review identified compliance gaps or made recommendations for improvement, waiting for the next scheduled review leaves those weaknesses unverified. Without a follow-up review to assess the effectiveness of any corrective actions, the business cannot demonstrate that it has adequately addressed identified issues.

Trigger-Based AML Independent Reviews

Business Changes Prompting an Out-of-Cycle AML Independent Review

Certain business events may require an immediate, out-of-cycle independent review to maintain compliance, even if these triggers are not explicitly listed in the AML/CTF Rules. Furthermore, a failure to conduct an independent review following significant operational shifts can undermine the effectiveness of an AML/CTF program.

Common triggers that can prompt the need for a new risk assessment and review include:

• Significant changes to the AML/CTF program itself;
• The introduction of new products or designated services;
• Structural business changes like mergers or acquisitions;
• Starting to outsource AML/CTF obligations to another entity;
• Expansion into new jurisdictions; and
• Major updates or changes to core systems, such as transaction monitoring platforms.

Regulatory Actions and Statutory Failure Triggers

Regulatory actions and the discovery of specific compliance failures are clear indicators that an immediate independent review is necessary. As a result, an inquiry or compliance action from the Australian Transaction Reports and Analysis Centre (AUSTRAC) should prompt a business to assess its program’s effectiveness through a new review.

The identification of certain statutory failures also serves as a critical trigger. These include breaches of key obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), such as:

• Failures in suspicious matter reporting, as required by Section 41;
• Gaps in reporting threshold transactions under Section 43; and
• Deficiencies in record-keeping obligations outlined in Section 107.

Frequency of Independent Review in the Context of Joint Programs

Group-Wide Reviews Versus Entity-Specific Risk

For designated business groups, Part 9.6 of the AML/CTF Rules (Cth) governs the requirements for joint AML/CTF programs. Under Rule 9.6.1, Part A of a joint program must be subject to a regular independent review at the group level.

This creates a key challenge for compliance. The obligation to conduct an independent review applies to the program as a whole, but the ML/TF risk can vary significantly between individual entities within the group. As a result, this requires balancing a group-wide assessment against the specific risk profiles of each member.

Risks of Applying a Single Review Cycle Across a Designated Business Group

The AML/CTF Rules (Cth) do not specify whether a single review cycle is sufficient for all entities operating under a joint program. However, applying one fixed frequency of independent review across an entire designated business group can introduce compliance risk. A uniform cycle may fail to capture important differences in risk at the individual entity level.

Furthermore, this approach could breach the requirement under Rule 9.6.2 of the AML/CTF Rules (Cth). This rule mandates that the review frequency must consider several factors for each reporting entity within the group, as follows:

• the nature of the entity;
• the size and complexity of the entity; and
• the specific ML/TF risk of the entity.

Ultimately, a single cycle might be inadequate for a high-risk entity, even if it is appropriate for others.

Real Legal Standard for Timing of an AML Independent Review

For compliant independent review timing, a reporting entity must meet a practical legal test. The central question is whether the business can demonstrate that its AML/CTF program was subject to a regular independent review sufficient to assess its effectiveness and compliance at all relevant times.

This standard is derived from the obligations under Parts 8.6 and 9.6 of the AML/CTF Rules (Cth). It requires more than just conducting a review; it demands that the frequency of independent review is adequate to ensure the program remains effective as the business and its risks evolve.

When assessing this adequacy, a reporting entity must be able to provide evidence and reasoning based on its unique circumstances. Key considerations include:

• The entity’s risk profile: A business with a higher ML/TF risk will be expected to conduct an independent review more frequently than a lower-risk entity.
• The rate of business change: Businesses that frequently introduce new products, expand into new jurisdictions, or undergo significant operational changes need a shorter review cycle to ensure their AML/CTF program keeps pace.
• Findings from past reviews: If a previous independent review identified significant deficiencies or made critical recommendations, a follow-up review may be required sooner to verify that corrective actions have been effective.
• Regulatory exposure: If the entity’s industry is under increased scrutiny, or if the business has had prior compliance issues, more frequent reviews can demonstrate a commitment to addressing regulatory concerns.

Conclusion

The frequency of an AML/CTF independent review in Australia is not determined by a fixed schedule but by a risk-based approach specific to each reporting entity. Businesses must be able to justify the timing of their reviews based on their unique risk profile, the rate of operational change, and any compliance triggers, rather than adhering to a static cycle.

To ensure your approach to the frequency of an independent review meets these complex legal standards, contact the AML independent review lawyers at Click Legal for specialised guidance. Our Legal Team offers expert independent legal reviews for AUSTRAC-regulated businesses, helping you maintain compliance with confidence.

Frequently Asked Questions