Independent Review vs Independent Evaluation: Understanding the 2026 AML/CTF Reforms

Introduction

The Australian anti-money laundering and counter-terrorism financing (AML/CTF) landscape is undergoing a significant transformation with the commencement of the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (AML/CTF Amendment Act 2024), together with the associated independent evaluation provisions in the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules 2025). These 2026 AML/CTF reforms mark the transition from an “independent review” to a more rigorous “independent evaluation”, a change that takes full effect on 31 March 2026.

Understanding these significant changes is essential to ensure compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act 2006). This guide provides a comprehensive overview of the new independent evaluation framework, detailing how the Australian Transaction Reports and Analysis Centre (AUSTRAC) expects entities to conduct an independent assessment of their risk assessment methodology and transaction monitoring systems. 

Why Independent Reviews Are Becoming Independent Evaluations

The shift in terminology from an “independent review” to an “independent evaluation” reflects the structural reforms introduced by the AML/CTF Amendment Act 2024 (Cth). These reforms replace the former Part A / Part B program model with a unified AML/CTF policy framework under Sections 26A-26V of the amended AML/CTF Act 2006 (Cth).

It represents a deliberate regulatory signal that the era of procedural, check-box compliance is ending. Driven by the need to move beyond simply verifying that an AML/CTF program exists on paper, the new focus is on assessing whether the program is operationally effective in the real world. 

Historically, an independent review was confined to Part A of a reporting entity’s AML/CTF program. Often interpreted as a procedural audit, its main purpose was to confirm that a reporting entity had the required documentation and policies in place.

However, AUSTRAC identified that many reporting entities had programs that were:

• Technically compliant according to the regulations.
• Functionally unable to disrupt actual money laundering or terrorism financing activities.

The reforms relocate and expand this obligation through the new independent evaluation requirement in Section 26F(4)(f) of the amended AML/CTF Act 2006 (Cth) and Rule 5-10 of AML/CTF Rules 2025 (Cth), mandating a much deeper level of inquiry. An evaluation scrutinises the logic, data, and outcomes of a compliance program, asking critical questions such as:

• Does the program exist?
• Does the program actually work to mitigate financial crime risks?

This change aims to ensure that AML/CTF frameworks are resilient and effective defences against the evolving complexities of financial crime.

Comparing the Review & Evaluation Frameworks

The Current Independent Review Regime

Under the existing AML/CTF framework, reporting entities are required to conduct an independent review of Part A of their AML/CTF program at regular intervals, pursuant to Rule 8.6 or Rule 9.6 of the AML/CTF Rules 2007 (Cth). This part of the program contains the policies and procedures for identifying, mitigating, and managing money laundering and terrorism financing risks. The review is an impartial assessment designed to check that the program complies with legal obligations and is functioning as intended.

The frequency of these reviews is not prescribed by law, but must occur at “regular intervals”, as per Rule 8.6.2 of the AML/CTF Rules 2007 (Cth). The reporting entity, often with guidance from financial services lawyers, can determine the frequency based on its specific circumstances. Key factors influencing the schedule include:

• The nature, size, and complexity of your business.
• The level of money laundering or terrorism financing risk the business faces.
• Any significant changes to the business, its risk profile, or its designated services.

While the timing is subjective, high-risk organisations conduct an independent review more frequently. The scope of these reviews has often been desk-based, focusing more on verifying that documented policies and procedures are in place rather than conducting extensive operational testing.

The New Independent Evaluation Framework

The reformed AML/CTF framework, effective from 31 March 2026, replaces the independent review with a more rigorous independent evaluation requirement prescribed in Section 26F(4)(f) of the amended AML/CTF Act 2006 (Cth) and Rule 5-10 of AML/CTF Rules 2025 (Cth).

A significant structural change is the introduction of a mandatory minimum frequency under Section 26F(4)(f)(ii) of the amended AML/CTF Act 2006 (Cth). All reporting entities must conduct an independent evaluation at least once every three years. However, this remains a minimum, and entities with a higher risk profile due to their nature, size, or complexity may be expected by AUSTRAC to conduct evaluations more frequently.

The final independent evaluation report must be provided to the governing body and the senior manager responsible for approving the AML/CTF program, in compliance with Rule 5-10(2) of the AML/CTF Rules 2025 (Cth), thereby enhancing governance and accountability. 

This change ensures that those with ultimate responsibility for risk oversight cannot claim ignorance of systemic compliance failures. It elevates the independent evaluation from a departmental audit to a corporate governance priority, making the findings a critical input for the board's risk management and attestation processes.

Key Differences In Scope, Depth & Focus

The transition from an independent review to an independent evaluation marks a fundamental shift in regulatory expectations, moving from a procedural check to a substantive assessment of effectiveness. While a review primarily verifies that a compliance program exists on paper, an evaluation assesses whether that program actually works in practice to mitigate financial crime risks.

The critical distinctions for your compliance program include:

• Primary Objective: The focus shifts from verifying compliance with rules and the existence of policies to assessing the operational effectiveness of the entire program in managing and mitigating ML/TF risks.
• Scope of Assessment: An independent review is largely confined to Part A of an AML/CTF program. The removal of the Part A and Part B program structure in favour of a single, unified set of AML/CTF policies means that the independent evaluation must cover this entire program. Therefore, independent evaluation has a wider ambit, covering the entire program, including the methodology behind the risk assessment.
• Testing Approach: Reviews are often procedural or desk-based. Evaluations mandate substantive, outcome-based testing to determine if controls are achieving their intended results, such as identifying suspicious activity.

Defining Evaluation: Assessing Effectiveness & Not Just Compliance

The Mandate for Outcome-Based Testing

A transformative element of the new independent evaluation framework is the mandatory inclusion of outcome-based testing. Section 26F(1)(a) of the amended AML/CTF Act 2006 (Cth) provides that AML/CTF policies must appropriately manage and mitigate the risks of ML/TF/PF that the reporting entity may reasonably face. While traditional independent reviews often focused on verifying that a process or procedure existed on paper, this new approach differs significantly. In contrast, outcome-based testing evaluates:

• The quality of the process.
• The actual result to determine its operational effectiveness.

This approach moves beyond a simple compliance checklist. For example, in the context of customer due diligence, an evaluator will no longer just check that a “Know Your Customer” file exists. Instead, they may test whether:

• Enhanced Customer Due Diligence (ECDD) procedures were appropriately triggered for a high-risk customer.
• The investigation accurately identified the customer’s Source of Wealth (SoW) and Source of Funds (SoF).
• The controls in place successfully mitigated the identified money laundering and terrorism financing risks.

Similarly, when assessing a transaction monitoring program, the focus is likely to shift from confirming the system is running to testing whether its alerts are correctly tuned to the business's specific risks. Consequently, the evaluation will seek to determine if the system is effective at detecting actual suspicious activity. This focus on outcomes requires reporting entities to:

• Justify the logic behind their controls.
• Demonstrate that their AML/CTF program works in practice.

How The Evaluation Cycle Aligns With Your Updated Risk Assessment

The 2026 reforms create a direct and symbiotic relationship between the independent evaluation and the money laundering and terrorism financing risk assessment. This alignment establishes a continuous improvement loop, ensuring the risk assessment remains a dynamic and responsive tool for your compliance program.

Under the new framework, an adverse finding in an independent evaluation report acts as an official trigger, mandating an immediate review of your entity's risk assessment. If the evaluation identifies that the risk assessment missed a key vulnerability or that mitigation policies were ineffective, you must review and update that assessment as soon as practicable. 

Furthermore, as per Rule 5-15(2) of the AML/CTF Rules 2025 (Cth), any subsequent updates to your AML/CTF policies or procedures to address these findings must be documented in writing within 14 days of the change being made. This creates a virtuous cycle of risk management that follows a clear sequence:

1. Risk Assessment: The entity identifies its inherent money laundering and terrorism financing risks.
2. Mitigation: Policies and controls are designed and implemented to manage those risks.
3. Evaluation: An independent party evaluates whether the risk assessment was accurate and if the policies were effective.
4. Remediation: If the evaluation uncovers deficiencies, the entity must immediately review and update its risk assessment and controls.

Core Principles That Remain The Same

Despite the significant shift in terminology and rigour, several foundational principles of the Australian AML/CTF regime remain intact. This continuity ensures that while the method of assessment is evolving, the core pillars of compliance and risk management are preserved.

Reporting entities can find reassurance in the fact that the fundamental expectations for a sound program are not being discarded. The following core principles will continue to underpin the AML/CTF framework:

The Risk-Based Approach (RBA)

The objects of the AML/CTF laws remain set out in Section 3 of the AML/CTF Act 2006 (Cth). Under the reformed framework, reporting entities must continue to identify, assess and manage ML/TF risk through their AML/CTF program. This includes the ML/TF risk assessment required by Section 26C and AML/CTF policies required by Section 26F of the amended AML/CTF Act 2006 (Cth).

This remains the primary lens through which all obligations are viewed. Reporting entities are still expected to tailor their programs and evaluations to the specific level of money laundering and terrorism financing risk their business reasonably faces. 

Additionally:

• The principle that “one size does not fit all” is paramount.
• This allows for flexibility in how smaller or lower-risk entities meet their obligations.

The Requirement for Independence

Under the current regime, the requirement for independence is mandated under Rule 8.6.1 of the AML/CTF Rules 2007 (Cth). The reformed laws preserve this mandate under Rule 5-10(1) of the AML/CTF Rules 2025 (Cth). 

This is a non-negotiable standard for any assessment. Whether it is called an independent review or an independent evaluation, the assessment must be conducted by a party—either internal or external—who was not involved in the design, implementation, or maintenance of the AML/CTF program. Consequently, the evaluator must be free from bias, conflicts of interest, or any circumstances that could compromise their objectivity.

Core Reporting Obligations

The fundamental duties to report to AUSTRAC remain the bedrock of the regime. This includes the submission of:

• Suspicious Matter Reports (SMRs) under Section 41 of the AML/CTF Act 2006 (Cth)
• Threshold Transaction Reports (TTRs) under Section 43 of the AML/CTF Act 2006 (Cth)
• International Funds Transfer Instructions (IFTIs) under Section 45 of the AML/CTF Act 2006 (Cth)

However, the new evaluation framework will more closely scrutinise the quality and effectiveness of the systems that generate these reports.

Ultimate Legal Responsibility

The legal liability for AML/CTF compliance failures rests squarely with the reporting entity itself, as per Section 26G of the AML/ CTF Act 2006 (Cth). Outsourcing the independent evaluation to an external consultant does not outsource the ultimate responsibility for any shortcomings identified in the AML/CTF program.

Transitioning a 2025 Review into a 2026 Evaluation

From 31 March 2026, the independent evaluation requirement in Section 26F(4)(f) of the amended AML/CTF Act 2006 (Cth) applies. The months leading up to commencement are therefore a critical preparation window.

A practical strategy is to treat your final independent review under Rule 8.6 or Rule 9.6 of the AML/CTF Rules 2007 (Cth) as a “mock evaluation”. Instead of focusing purely on documentation, the 2025 review should test operational effectiveness. This should include:

• Outcome-based testing of key controls;
• A structured assessment of the ML/TF risk assessment methodology (ss 26C–26D);
• An evaluation of how effectively proliferation financing risk is managed under s 26F(1).

AUSTRAC has confirmed that separate transitional rules (made under Schedule 12 of the AML/CTF Amendment Act 2024 (Cth)) will affect timing — not substance. Newly regulated entities may defer their first evaluation (no earlier than 1 July 2029), and some existing entities will receive extended deadlines.

However, once Section 26F(4)(f) commences, any independent evaluation conducted must meet the new effectiveness-based standard. Transitional relief may delay the first deadline — it does not lower the threshold.

Conclusion

The transition from an independent review to an independent evaluation, effective 31 March 2026, marks a fundamental shift in Australia's AML/CTF compliance landscape. This change requires reporting entities to move beyond procedural checks and demonstrate that their policies and procedures are operationally effective in mitigating money laundering and terrorism financing risks.

To navigate these significant changes and ensure your compliance framework is prepared for the new, more rigorous standards, contact Click Legal's specialist AML/CTF independent review lawyers today. Our team of AML/CTF lawyers provides the trusted expertise needed to transition your program with confidence, ensuring your business is ready for the 2026 reforms.

Frequently Asked Questions