Common Mistakes in AML/CTF Independent Evaluations Post 2026 Reforms

Published By:

Hannah Deuk

Founder & Principal Lawyer

Key Takeaways:

  • Test Operational Effectiveness: You must conduct a comprehensive assessment of how your controls function in practice, because a superficial review of written policies fails the legal standard under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  • Appoint a Genuinely Independent Evaluator: You must select an evaluator who is completely free from conflicts of interest, because using someone involved in developing your AML/CTF program undermines the credibility and defensibility of the entire report.
  • Link Findings to Specific Risks: You must use a defensible, risk-based methodology that identifies the root causes of compliance failures, because generic conclusions will leave your governing body unable to prioritise and remediate unmitigated ML/TF risks.
  • Escalate and Remediate Adverse Findings: You must deliver the final report to your governing body and document all corrective actions within the 14-day timeframe, because ignoring known deficiencies is a severe governance failure that significantly increases your risk of civil penalties.
April 7, 2026

Introduction

With the upcoming anti-money laundering and counter-terrorism financing (AML/CTF) reforms reinforcing an outcomes-focused regulatory model, the requirement for a robust independent evaluation has become more critical than ever for reporting entities. This process, mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), is a cornerstone of effective governance, designed to assess whether a business is appropriately managing its money laundering and terrorism financing (ML/TF) risks.

However, conducting a compliant and effective independent evaluation involves more than a simple checklist review. Many reporting entities make critical errors that can undermine the entire process, leading to regulatory scrutiny and significant civil penalties. This guide will explore the most common mistakes made during these evaluations to help your organisation ensure its approach is not only compliant but also genuinely effective in strengthening its risk management framework.


Misunderstanding the Legal Standard and Scope of an Independent Evaluation

Legal Requirement for Independent Evaluation

The legal requirements for an independent evaluation are set out in Section 26F(4)(f) of the AML/CTF Act (Cth) and further specified in Rule 5-10 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules). Together, these provisions require a comprehensive, whole-of-program assessment of your AML/CTF framework.

Under Rule 5-10, the independent evaluation must address:

  • ML/TF risk assessment – reviewing the steps taken to undertake or update your risk assessment against the AML/CTF Act (Cth) and AML/CTF Rules (Cth).
  • AML/CTF policies – assessing whether the design of your policies meets all legal and regulatory requirements.
  • Testing for compliance – confirming that day-to-day operations follow your AML/CTF policies.
  • Testing for effectiveness – evaluating whether your systems and controls are appropriately identifying, assessing, managing, and mitigating ML/TF risks.

This requires not just a review of documentation, but a holistic assessment of how your AML/CTF program operates in practice.

Common Mistake: Superficial and Narrowly Scoped Reviews

A frequent error made by reporting entities is treating the independent evaluation as a superficial, check-the-box exercise or limiting its scope to isolated components of the program.

This typically involves:

  • Reviewing only written policies, or
  • Testing a single function, such as customer due diligence

Such an approach incorrectly treats the evaluation as a documentation review, rather than a whole-of-program assessment.

Why This Fails the Legal Standard

A superficial or narrowly scoped evaluation fails to meet the legal standard because it cannot adequately assess the effectiveness of your AML/CTF program.

Simply confirming that policies exist does not demonstrate:

  • whether staff actually follow them, or
  • whether they are effective in preventing and detecting financial crime

Similarly, limiting the scope of the evaluation prevents the identification of operational weaknesses, particularly where systems, processes, and controls interact.

In practice, this often results in evaluators not being given full access to:

  • relevant documents
  • key personnel
  • operational systems

This leads to an incomplete and unreliable assessment, which fails to identify gaps in areas such as transaction monitoring or ongoing due diligence.


Using Evaluators Who Are Not Truly Independent

Legal Mandate for an Independent Evaluator

The AML/CTF legal framework mandates that the independent evaluator be genuinely independent and able to assess the program without bias, influence, or conflicts of interest.

Such independence safeguards the integrity of the evaluation and the reliability of its findings.

Whether the evaluator is an internal auditor or an external consultant, they must remain free from compromising relationships that could affect objectivity and professional judgment.

Common Independence & Conflict of Interest Mistakes

A frequent error is choosing an evaluator who lacks independence because of internal relationships or prior involvement with the AML/CTF program. For an evaluation to be truly independent, the evaluator must not have been involved in the core functions they are reviewing.

Typical missteps that compromise independence include selecting an individual who:

  • Is responsible for implementing or maintaining the AML/CTF program.
  • Was involved in the development of the AML/CTF program, its systems, or its controls.
  • Participated in the entity’s ML/TF risk assessment.
  • Is the designated AML/CTF compliance officer or a member of the compliance team.

Lack of Independence Undermines Credibility

Appointing an evaluator who is not independent undermines the credibility and defensibility of the entire evaluation report.

When the evaluator has a conflict of interest, their ability to exercise independent judgment is compromised, and the integrity of the findings presented to the governing body and senior management suffers.

Consequently, a report from a non-independent evaluator may overlook deficiencies, leaving the reporting entity exposed to issues with its ongoing AML/CTF compliance and unmitigated ML/TF risks.


Failing to Use a Defensible & Risk-Based Methodology

Requirement for a Reasonable & Risk-Based Approach

Under Rule 5-10 of the AML/CTF Rules (Cth), the methodology used for an independent evaluation must be reasonable and risk-based.

To achieve this, your approach must include the following elements:

  • Your AML/CTF policies must clearly set out how the evaluation will be conducted.
  • The design must properly test and evaluate whether your organisation is effectively identifying, assessing, managing, and mitigating the specific ML/TF risks it faces.

A defensible methodology is crucial for the governance and oversight functions of the reporting entity’s senior manager and governing body.

Common Mistake: Weak Sampling & Methodology

A frequent failure in conducting an independent evaluation is the use of a flawed or poorly documented methodology. The written report from the evaluator must detail the method used, but many fall short in this area.

Common mistakes that undermine the evaluation include:

  • No documented methodology: The evaluator fails to create or follow a clear, documented plan for the evaluation.
  • Weak or arbitrary sampling: The process for selecting customer files or transactions for testing is not risk-based, leading to a focus on low-risk areas while high-risk ones are overlooked.
  • Not focusing on high-risk areas: The evaluation fails to dedicate sufficient attention to the products, services, or customer types that your own risk assessment has identified as posing the greatest ML/TF threat.

Consequences of an Unjustifiable Methodology

Employing an unjustifiable methodology invalidates the conclusions of the independent evaluation report. If the approach to testing and sampling is flawed, the findings cannot be reliably defended, and the entire process fails to provide meaningful assurance to the governing body.

This failure means that material compliance deficiencies and unmitigated ML/TF risks may be missed entirely. Consequently, a flawed evaluation methodology leads to severe outcomes, such as:

  • Compromising your ongoing compliance obligations.
  • Increasing the risk of regulatory scrutiny and potential civil penalties.


Testing Policy Design Instead of Operational Effectiveness

The Legal Focus on the Effectiveness of Risk Management

The law requires an independent evaluation to assess operational effectiveness, not merely the documented design of your AML/CTF program.

Under Rule 5-10(2)(d) of the AML/CTF Rules (Cth), the evaluation must test whether your business is:

  • identifying ML/TF risks
  • assessing those risks in a structured way
  • managing them through appropriate controls
  • mitigating residual exposure to an acceptable level

This legal standard moves beyond a simple document review. Its core task is to confirm that your AML/CTF controls are functioning as intended within day-to-day operations and address the risks your organisation can reasonably expect to face.

Common Mistake: Confirming Policies Instead of Testing Application

A common error is to run an independent evaluation that only confirms the existence of written policies. This turns the process into a documentation exercise rather than a true assessment of risk management.

Because policies on paper reveal nothing about real-world compliance, an effective evaluation must go further:

  • observe staff behaviour to verify day-to-day adherence
  • sample transactions to test whether controls actually detect suspicious activity
  • challenge control owners on how exceptions are handled in practice

Why This Is a Core Failure Under an Outcomes-Based Regime

Failing to test operational effectiveness is a fundamental error under Australia’s outcomes-focused AML/CTF regulatory model.

Where an independent evaluation judges policy design alone, it withholds the assurance your governing body and senior manager need. Consequently:

  • regulatory expectations remain unmet, exposing the business to enforcement action
  • board confidence in the AML/CTF program is undermined, as no proof of effectiveness is supplied

An evaluation that stops at design therefore falls short of the outcomes-based standard and leaves significant compliance risk unaddressed.


Producing Generic Findings Without Linking to ML/TF Risk

Legal Requirements for Evaluation Findings

The AML/CTF Rules (Cth) set clear expectations for an independent evaluation report. Under Rule 5-10(2)(e), the evaluator must provide a written report containing specific findings.

These findings must address four distinct areas:

  • ML/TF risk assessment process used or reviewed.
  • Design of the AML/CTF policies against legal requirements.
  • Compliance with internal AML/CTF policies.
  • Effectiveness of risk management measures for identifying, assessing, managing and mitigating ML/TF risks.

Common Mistake: Vague Conclusions & No Risk Linkage

A common mistake is for an evaluation report to contain vague or generic conclusions that are not explicitly linked to the business’s ML/TF risks. This happens when findings are presented as simple pass/fail statements without context.

For instance, a report might label customer due-diligence procedures as “inadequate” yet fail to explain how this shortcoming endangers the entity’s unique risk profile, leaving the finding superficial and hard to action.

Unlinked Findings Are Unusable & Disconnect Compliance from Risk

Generic findings that are not tied to specific ML/TF risks become unusable for decision-makers. Without an explanation of the practical risk implications, governing bodies and senior managers cannot prioritise effective remediation.

When findings are not linked to risk, the reporting entity may face several problems:

  • Unable to prioritise remediation, because deficiencies lack risk context.
  • Ongoing non-compliance as vulnerabilities remain unaddressed.
  • Unmanaged ML/TF risks that can escalate into regulatory action.

This dangerous disconnect means the entity has technically completed an independent evaluation, yet its vulnerabilities—and the associated ML/TF threats—persist unchecked.


Failing to Identify Root Causes & Actionable Issues

Implicit Requirement to Find Root Causes

While the legislation does not explicitly say so, identifying root causes is an implicit requirement for any effective evaluation.

In particular, your AML/CTF policies should specify:

  • how you will respond to an independent evaluation,
  • when and how you will evaluate the program, and
  • the process for updating controls after adverse findings.

To address a deficiency properly, you must first understand its underlying cause rather than the surface symptom. An effective evaluation therefore moves beyond merely stating a problem and instead asks why it occurred.

Common Mistake: Identifying Symptoms Instead of Causes

A common failure is producing a report that highlights only the symptoms of non-compliance and ignores their root causes. This leaves senior management and the governing body without a clear path to remediation.

For example, a report might note that customer due diligence procedures are deficient. Potential underlying causes include:

  • inadequate staff training,
  • flaws in the onboarding system, or
  • poorly written internal policies and procedures.

Without this deeper analysis, the reporting entity is left guessing at the correct solution.

Unaddressed Root Causes Lead to Recurring Issues

Failing to identify and treat the root causes of compliance failures almost guarantees that the same issues will resurface in later evaluation cycles. When a business applies only a superficial fix, the fundamental problem remains unresolved.

This oversight creates a cycle of recurring adverse findings, signalling to the regulator that governance is ineffective.


Failing to Escalate & Deliver the Report Properly

Legal Requirements for Report Delivery & Governance

Under Rule 5-10(2)(f) of the AML/CTF Rules (Cth), your AML/CTF policies must ensure the final independent evaluation report is delivered to:

  • The governing body, which holds ultimate accountability for compliance and risk management.
  • Any senior manager responsible for approving the program, so they can act on the evaluation’s findings.

Section 26H of the AML/CTF Act (Cth) then mandates that the governing body exercise ongoing oversight of the entity’s compliance and risk management, thereby creating a clear legal duty to keep key leadership fully informed.

Common Mistake: Keeping the Report Within the Compliance Function

A significant governance failure occurs when the independent evaluation report is not escalated beyond the compliance function.

When that happens, several consequences follow:

  • Findings, particularly adverse ones, do not reach the senior manager or governing body that holds ultimate responsibility for the AML/CTF program.
  • Those with the authority to drive meaningful change remain unaware of critical deficiencies, allowing problems to persist.

Improper Delivery Breaks the Governance Chain

Failing to deliver the report to the correct leadership levels is a direct compliance breach that breaks the required governance chain.

Improper delivery creates a chain reaction:

  • Under Section 26H of the AML/CTF Act (Cth), the governing body cannot perform its oversight duties if it is unaware of the evaluation’s findings.
  • The purpose of the independent evaluation is undermined, leaving the organisation exposed to unaddressed risks and potential regulatory action.


Failing to Respond, Remediate & Maintain Records

Legal Duties to Respond & Keep Records

Under Rule 5-10(3) of the AML/CTF Rules (Cth), your AML/CTF policies must clearly outline how your business will respond to the findings of an independent evaluation report.

Furthermore, Section 116 of the AML/CTF Act (Cth) mandates that you must keep all records necessary to demonstrate compliance. For an independent evaluation, this includes:

  • The final evaluation report itself.
  • Documentation detailing how any adverse findings were addressed.
  • Records of discussions about the findings with your senior manager and governing body.
  • The rationale for not acting on a specific finding, if applicable.

Common Mistake: Inaction & Poor Documentation

A critical error is failing to act on the findings presented in the independent evaluation report, particularly when they are adverse. This inaction can lead to ongoing non-compliance and a failure to appropriately manage and mitigate identified ML/TF risks.

Equally problematic is poor documentation of the remediation process. Common mistakes include:

  • Failing to implement necessary updates to your ML/TF risk assessment or AML/CTF policies.
  • Not documenting the changes made or the reasons for those changes within the required 14-day timeframe.
  • Treating the evaluation as a one-off compliance task rather than a continuous improvement mechanism for your governance framework.


Why This Poses the Highest Enforcement Risk

Failing to act on known deficiencies identified in an independent evaluation report is a significant concern for regulators and carries a high risk of enforcement action.

Ignoring adverse findings demonstrates a failure in the governance and oversight that are essential for maintaining AML/CTF compliance. This inaction signals to the regulator that the business is not effectively managing its ML/TF risks, which can lead to ongoing non-compliance and the potential for significant civil penalties.

Conclusion

A compliant and effective independent evaluation requires avoiding critical errors such as misunderstanding its legal scope, using a flawed methodology, or failing to act on adverse findings. These common mistakes undermine the process, which is designed to be a continuous governance mechanism for strengthening your AML/CTF risk management framework.

To ensure your next review meets regulatory standards and provides genuine value, contact Click Legal’s specialist AML independent evaluation lawyers today. Our experts offer trusted guidance and tailored solutions to help you navigate your compliance obligations and fortify your financial crime defences with confidence.
