AUSTRAC’s 2026 Regulatory Expectations: What They Mean for AML Independent Evaluations

Introduction

Reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) that took effect on 31 March 2026 now require current reporting entities to manage money laundering and terrorism financing (ML/TF) risks under an outcomes-focused framework. A further change will commence on 1 July 2026, bringing newly regulated entities under these same obligations to implement policies and procedures based on a tailored risk assessment.

As part of this 2026 regime, the Australian Transaction Reports and Analysis Centre (AUSTRAC) expects businesses to conduct an independent evaluation to test whether their anti-money laundering and counter-terrorism financing (AML/CTF) controls are genuinely effective. This article explains AUSTRAC’s updated expectations and staggered deadlines for current and newly regulated entities so you can properly prepare to conduct an independent evaluation.

Interactive Tool: See If You Are Ready for Independent Evaluation

Why AUSTRAC’s 2026 Expectations Matter for Independent Evaluations

AUSTRAC’s Shift to Outcomes-Focused Regulation

As part of the 2026 AML/CTF reforms, AUSTRAC is reinforcing an outcomes-focused regulatory model. This approach moves beyond simple procedural checks to prioritise the real-world effectiveness of a reporting entity’s systems.

AUSTRAC’s main priorities for 2026 and beyond are twofold:

• The effective management of ML/TF and proliferation financing (PF) risks; and
• The submission of high-quality reporting to AUSTRAC.

This focus means that reporting entities must demonstrate that their AML/CTF programs are not just documented, but are actively working to identify and mitigate financial crime risks within their organisation.

Why Independent Evaluations Need to Test Effectiveness

An AML independent evaluation must go further than a simple review of policy documents. Its purpose is to provide an objective assessment of whether an AML/CTF program is working effectively in practice, as a paper-based compliance check is no longer sufficient.

Under the AML/CTF Act (Cth), an independent evaluation must assess several key areas. The independent evaluator is required to:

• Evaluate how the ML/TF risk assessment was conducted and reviewed;
• Assess the design of the AML/CTF policies against legal requirements; and
• Test whether the business has complied with its policies and effectively managed its ML/TF risks.

This means an evaluator must look for evidence of implementation, sound governance, and operational effectiveness. Furthermore, the evaluation should test whether:

• Customer due diligence (CDD) is being performed correctly;
• Transaction monitoring is identifying suspicious activity; and
• The compliance officer and senior managers are overseeing the program properly.

AUSTRAC’s Reform Timeline and Risks for Reporting Entities

Transition Risk for Current Reporting Entities from 31 March 2026

For current reporting entities, the AML/CTF reforms commence on 31 March 2026. These organisations face the challenge of managing their existing obligations while simultaneously moving to the reformed framework. Furthermore, AUSTRAC expects these entities to maintain the effectiveness of their current money laundering controls throughout this period.

To manage this transition, businesses must develop and document a clear implementation plan. This plan should detail how policies, procedures, and systems will be updated to meet the new obligations under the reformed AML/CTF Act (Cth). Ultimately, an independent evaluation for these entities should assess the progress against this plan and ensure that ML/TF risks are managed effectively during the change.

Readiness Risk for Newly Regulated Entities from 1 July 2026

Businesses new to the AML/CTF regime, such as those in the legal, accounting, and real estate sectors, must comply with their obligations from 1 July 2026. These newly regulated entities face a readiness risk, which involves establishing a compliant and effective AML/CTF program from the ground up.

By the 1 July 2026 deadline, AUSTRAC has set clear expectations for these businesses. They must complete their enrolment, and also have key compliance measures in place, including:

• An established AML/CTF program, which can be developed independently or by using an AUSTRAC starter program.
• An appointed AML/CTF compliance officer to oversee the program.
• Completed training for all relevant staff on the program and internal processes.
• The capability to engage with clients and report suspicious matters to AUSTRAC.

Scope of AML Independent Evaluation Differ by Entity Type

The different circumstances of current and newly regulated entities mean that the focus of an independent evaluation should be tailored accordingly. For current reporting entities, the evaluation should centre on their transition. It needs to test whether they have a sufficient implementation plan and are making demonstrable progress against it, while also ensuring existing controls remain effective.

For newly regulated businesses, the initial compliance effort is about building a solid foundation. Although the Anti-Money Laundering and Counter-Terrorism Financing Transitional Rules 2026 (Cth) (AML/CTF Transitional Rules) provide staggered deadlines for their first independent evaluation, their programs must be designed to withstand future scrutiny. As a result, the first independent evaluation for these entities will have a different focus, assessing the initial design and implementation of their:

• AML/CTF program;
• risk assessment; and
• governance frameworks.

Why Independent Evaluations Should Test Existing Control Effectiveness

Assessing Current AML/CTF Controls During Transition

AUSTRAC expects current reporting entities to continue implementing their existing AML/CTF controls while transitioning to the reformed framework. Therefore, an independent evaluation should test whether these established systems and controls remain effective during the implementation of the 2026 changes.

This assessment verifies that core AML/CTF functions are not neglected. Specifically, an evaluator should check that key controls are still operating as intended, including:

• CDD processes;
• Transaction monitoring systems;
• Suspicious matter reporting (SMR) and escalation; and
• Governance and oversight frameworks.

If a business has effective controls, it is expected to continue managing its ML/TF risks while embedding the reform-related updates.

Testing Transition-Related ML/TF/PF Risks

The process of implementing large-scale reforms can introduce specific ML/TF/PF risks. Consequently, an independent evaluation should assess how an organisation has identified and managed these new challenges.

Transition-related risks can arise from various sources, such as:

• Process gaps created between old and new systems;
• Staff uncertainty regarding updated procedures; or
• Delays in implementing necessary system changes.

A risk-based approach requires reporting entities to document these risks and the mitigating controls put in place. Furthermore, the evaluation should confirm that the business has strengthened its understanding of these unique risks.

Identifying Weak or Outdated Controls

AUSTRAC expects reporting entities to use the reform period as an opportunity to review and strengthen their existing frameworks. As a result, an independent evaluation should identify whether known weaknesses or outdated controls have been addressed or left unresolved.

If previous reviews or audits identified ineffective systems, an evaluation should verify that the organisation has taken action to update them. This demonstrates a commitment to managing ML/TF risk effectively. Conversely, failing to address known deficiencies is a significant regulatory concern, both under the current rules and when the new reforms commence.

Key AML Independent Evaluation Testing Areas after 2026 Reforms

Documented Reform Implementation Plan

An independent evaluator should verify that the business has a documented implementation plan for managing the transition to the reformed AML/CTF framework. Furthermore, AUSTRAC expects current reporting entities to develop and formalise these plans to guide the updates to their policies and procedures. The plan should clearly outline how the organisation will adapt its systems to meet its new obligations.

A generic implementation plan is not sufficient, as the plan must be tailored to the specific ML/TF/PF risks the business faces. Therefore, an independent evaluation should assess whether the plan is genuinely risk-based. This involves checking if the organisation has documented its unique risks and the specific controls it will implement to manage and mitigate them.

Demonstrating Sustained Progress

AUSTRAC requires reporting entities to show sustained effort and progress against their implementation plans. As a result, an independent evaluation should look for evidence that the plan is being actively executed, rather than being a document created solely for AML/CTF compliance purposes.

An independent evaluator should assess whether the organisation is making tangible progress in transitioning its policies, procedures, and systems according to the timelines set out in its plan.

Escalating Delays, Gaps & Interim Controls

A critical aspect of governance is ensuring that any issues with the reform implementation are communicated to the appropriate levels of management.

An independent evaluation should check if there are processes for escalating delays, gaps, or the need for interim controls. The final written report from an independent evaluation must be provided to the governing body and any senior manager responsible for the AML/CTF program, making this upward reporting channel a key area of focus.

Reporting & Non-Reporting Decisions

As part of its outcomes-focused approach, AUSTRAC prioritises quality reporting from reporting entities. An independent evaluation should therefore review the decisions made by the business regarding suspicious matters, including:

• examining a sample of reports submitted to AUSTRAC to assess their quality and timeliness; and
• reviewing instances where suspicious indicators were present but the organisation made a decision not to report.

This helps to test the effectiveness of the compliance officer’s judgment and the overall risk assessment framework. Ultimately, such a review provides insight into whether the business is genuinely prepared to identify and report suspicious activity.

Evidence an Independent Evaluator Should Request

To conduct a thorough assessment, an independent evaluator should request access to a range of documents and records. Failing to provide adequate access can compromise the reliability of the evaluation. Examples of evidence an evaluator may request include:

• The documented ML/TF risk assessment and any related development materials.
• The organisation’s AML/CTF policies and procedures.
• Board papers and minutes, including records of discussions with senior managers about the evaluation findings.
• Records of staff training on new policies and systems.
• Implementation trackers or project plans showing progress against reform milestones.
• A reasonable sample of CDD records and transaction monitoring alerts.
• Logs or registers tracking the remediation of any previously identified issues or adverse findings.

Building Independent Evaluation-Ready AML/CTF Programs for Newly Regulated Entities

Customising the AML/CTF Program

Newly regulated entities can use an AUSTRAC’s program starter kits or develop their own AML/CTF program. If using a starter kit, it is important to first consider whether your business aligns with the characteristics described for that kit. The program must be tailored to the specific ML/TF risks your organisation faces.

Customisation ensures the policies and procedures are appropriate for the nature, size, and complexity of your business. This involves adapting the program to account for your specific:

• Designated services and products;
• Client base and their risk profiles;
• Delivery channels, such as face-to-face or online services; and
• Overall risk assessment findings.

Appointing a Compliance Officer & Establishing Reporting Lines

By 1 July 2026, newly regulated entities must appoint an AML/CTF compliance officer. The role and authority of this officer should be clearly documented to establish effective governance. This includes defining their responsibilities for overseeing the AML/CTF program.

It is also important to establish and document clear reporting lines. These pathways ensure that any issues, suspicious matters, or potential compliance gaps can be escalated effectively to senior management or the governing body.

Maintaining Staff Training & Internal Process Records

AUSTRAC expects that by 1 July 2026, all relevant staff will be trained on the organisation’s AML/CTF program and its internal processes. Maintaining detailed records of this training is necessary for future AML/CTF compliance checks.

These records serve as important evidence during an independent evaluation. As a result, an independent evaluator will need to verify that staff understand their obligations and are equipped to implement the company’s policies and procedures correctly.

Documenting CDD & SMR Records

From 1 July 2026, newly regulated entities must be prepared to engage with clients and report suspicious matters to AUSTRAC. This requires having documented processes for key customer-facing activities.

Businesses must keep records that show how they conduct CDD, including how they identify clients and assess their risk. In addition, it is necessary to document the procedures for escalating suspicious activity internally to the compliance officer for review and potential reporting. Ultimately, these records will be a key focus of any future independent evaluation.

Conclusion

To meet AUSTRAC’s 2026 expectations, reporting entities must prepare for an independent evaluation that assesses the practical effectiveness of their AML/CTF controls. This requires both current and newly regulated businesses to adopt a risk-based approach, ensuring their policies and procedures are not only documented but are genuinely working to manage and mitigate financial crime risks.

To navigate these changes and ensure your organisation is prepared, obtaining the right support from qualified legal professionals is essential. Contact our AML lawyers at Click Legal to conduct your independent evaluation and review, identify compliance gaps, and effectively manage any remediation to meet your regulatory obligations.

Frequently Asked Questions