Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.
For the current AML independent evaluation process (applicable from 31st March 2026), see our guide on how to conduct an AML/CTF independent evaluation.
Introduction
Every Australian reporting entity providing a designated service must maintain a robust AML/CTF program under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML/CTF Act’). Under the pre‑31 March 2026 framework, Rule 8.6 (or Rule 9.6 for joint programs) of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (‘2007 AML/CTF Rules’) required Part A of that program to undergo an AML independent review at regular intervals to test whether systems and controls were working in practice.
From 31 March 2026, this independent review obligation has been replaced by the independent evaluation regime in Section 26F of the AML/CTF Act and the 2025 AML/CTF Rules. This guide sets out, step by step, how AML/CTF independent reviews were conducted under the legacy 2007 AML/CTF Rules – from scoping and sampling through to testing, reporting, and remediation. For the current AML independent evaluation process (applicable from 31st March 2026), see our guide on how to conduct an AML/CTF independent evaluation.
Phase 1: Scoping the Review & Defining Materiality
Establishing the Review Universe & Scope
Under the pre‑31 March 2026 AML independent review regime, reviewers would first establish a “review universe” to identify all elements of the AML/CTF program that fell within scope under Rule 8.6 / Rule 9.6 of the 2007 AML/CTF Rules.
Under that framework, the independent review applied to Part A of the AML/CTF program. Accordingly, scoping began by mapping all components of Part A and the relevant operational dimensions of the reporting entity.
A comprehensive review universe supported compliance with Rule 8.6.2 / Rule 9.6.2 of the 2007 AML/CTF Rules, which required reviews to occur at intervals appropriate to the nature, size and ML/TF risk profile of the business.
The review universe was typically built across two key areas:
1. Program Components (Part A requirements): This included foundational elements such as:
- The ML/TF risk assessment;
- Internal controls and risk mitigation measures;
- AML/CTF Compliance Officer appointment;
- Employee due diligence procedures;
- Ongoing AML/CTF training programs;
- Governance and oversight arrangements.
Part B (customer identification procedures) was not legally required to be independently reviewed under Rule 8.6 of the 2007 AML/CTF Rules. However, testing of Part B controls was commonly undertaken to assess whether Part A controls were operating effectively in practice.
2. Business Dimensions: This covered the operational aspects of the organisation that informed the ML/TF risk assessment, such as:
- Designated services provided, as defined in Section 6 of the AML/CTF Act;
- Delivery channels;
- Customer types;
- Geographic exposure and jurisdictions of operation.
The scope and depth of the review were expected to be proportionate to the entity’s ML/TF risk profile, consistent with the risk‑based framework embedded in Chapter 8 of the 2007 AML/CTF Rules.
Testing approaches therefore varied based on risk levels:
- High‑risk areas, such as complex products or manual controls, required larger samples and more detailed walkthroughs;
- Low‑risk areas often received more limited testing.
Setting Materiality Thresholds to Assess Findings
Although the AML/CTF Act and 2007 AML/CTF Rules did not prescribe formal materiality thresholds, establishing documented criteria for classifying findings was considered best practice and supported defensibility under AUSTRAC’s supervisory framework in Part 15 of the AML/CTF Act. This was a critical step in determining when a control weakness or gap escalated into a significant issue.
These thresholds helped classify findings based on their potential impact, referring to the seriousness of the damage which could occur if the risk eventuated. Defined thresholds helped ensure that the review focused on what mattered most to the organisation’s compliance and risk management.
Findings were typically categorised into three levels:
- Major Finding: The most serious category, usually triggered by a significant control failure. Examples included a direct breach of the AML/CTF Act or its associated rules, a systemic breakdown of a key control, or a repeated failure that exposed the business to money laundering or terrorism financing risk.
- Moderate Finding: Applied when a control existed but was not consistently applied or had notable documentation gaps. For instance, a policy might be well‑designed, but staff did not follow it consistently, or there were issues with how systems and controls were relied upon.
- Minor Finding: Issues that did not have a direct impact on risk management. This category often included administrative errors, formatting issues in documentation, or other minor deficiencies that did not compromise the effectiveness of systems and controls.
AUSTRAC’s recommended risk matrix and risk score give the most weight to major and moderate findings.
Phase 2: The Desktop Review & System Walkthroughs
Desktop Review: Policies & Risk Assessments
Under the legacy AML independent review regime, this phase focused exclusively on testing the design effectiveness of your AML/CTF program. It was a thorough document‑based analysis that assessed whether your written policies and procedures, on paper, met the requirements of Section 81 of the AML/CTF Act. Importantly, no transactions were tested at this stage.
The reviewer would examine a range of key documents to ensure they were current, tailored to your organisation, and defensible. This process verified that your documented controls aligned with the identified money laundering and terrorism financing risks. Key documents under review typically included:
- The enterprise‑wide ML/TF risk assessment;
- Product, service, and channel risk assessments;
- The customer risk rating methodology;
- AML/CTF Program Part A (mandatory review scope);
- AML/CTF Program Part B (not legally required to be independently reviewed, but often examined to test implementation of Part A controls);
- Know Your Customer (KYC) and enhanced due diligence procedures;
- Suspicious Matter Report (SMR) procedures;
- Governance charters and relevant board minutes; and
- Staff training materials.
If the design of the program failed at this stage, any subsequent testing of its operational effectiveness became largely irrelevant. The desktop review confirmed that the foundational elements required under the AML/CTF Act and 2007 AML/CTF Rules were present in your documentation before moving on to practical testing.
System Walkthroughs: Testing AML & CTF Technology
Following the desktop review, the focus shifted from documentation to how controls operated in practice. While the AML/CTF Act and 2007 AML/CTF Rules did not prescribe specific technological standards, reporting entities were still required to maintain systems capable of meeting their statutory obligations, including suspicious matter reporting under Section 41, threshold transaction reporting under Section 43, and record‑keeping under Section 107 of the AML/CTF Act. Reviewers also examined whether technological controls were capable of supporting your AML/CTF obligations in practice, and not just on paper.
System walkthroughs were conducted to test how your AML/CTF controls actually operated within your software and technology environment. The objective was to assess whether the technology supporting your AML/CTF program aligned with your documented Part A controls and ML/TF risk assessment.
These walkthroughs involved a hands‑on evaluation of your AML software and automated controls. The reviewer would trace processes from end‑to‑end to assess both the design and initial operating effectiveness of your technology stack. This included examining:
- Transaction Monitoring Systems: the logic behind monitoring scenarios, the rationale for transaction thresholds, the history of rule tuning, and the process for alert generation and escalation;
- Customer Risk Engines: the inputs and weightings used for risk scoring, the events that triggered a change in a customer’s risk rating, and whether these ratings were dynamic or static; and
- Screening Tools: the logic used for matching against Politically Exposed Persons (PEP) and sanctions lists, procedures for handling false positives, the frequency of list updates, and the cadence of ongoing screening.
To create a clear audit trail, these walkthroughs had to be documented with evidence such as:
- Screenshots;
- System logs;
- Flow diagrams; and
- Detailed reviewer notes.
Phase 3: Designing the Sampling Framework & Determining Sample Sizes
Creating a Risk-Based Sampling Framework
Under the legacy AML independent review regime, an effective review relied on a sampling framework with a clear, compliant logic. While AUSTRAC did not prescribe a specific methodology, the review was expected to be documented and based on your AML/CTF risk profile. The goal was to select representative samples that provided adequate coverage of the organisation’s activities and controls, proportionate to the nature, size, and complexity of the business.
The sampling framework was typically designed to test different aspects of the AML/CTF program. Key sample types included:
- Customer samples: selecting a range of customer files to test customer due diligence processes. Samples were stratified by risk level, including low, medium, and high‑risk customers, as well as PEPs and those subject to enhanced due diligence. The objective was to test the practical implementation of Part A controls and customer due diligence procedures (linked to Part B implementation);
- Transaction samples: used to assess whether transaction monitoring controls were functioning consistently with documented risk settings and capable of supporting suspicious matter reporting obligations. Selections focused on transactions that posed a higher ML/TF risk, such as high‑value transfers, unusual patterns of activity, cross‑border payments, and potential structuring behaviours;
- Alert samples: reviewing alerts generated by the transaction monitoring system, including a mix of closed alerts, escalated alerts, and false positives, to assess the quality of investigations and internal decision‑making by the compliance team; and
- Suspicious Matter Report (SMR) samples: testing the SMR process to ensure compliance with Section 41 of the AML/CTF Act and to avoid issues such as tipping‑off. This included reviewing SMRs that were filed with AUSTRAC to check for timeliness and accuracy, as well as instances of suspicious activity that did not result in a report.
Determining Appropriate Sample Sizes
AUSTRAC did not mandate specific sample sizes or require statistical sampling. However, organisations were expected to use a compliant, risk‑based logic to determine the number of items to test.
Sample sizes needed to be sufficient to allow the reviewer to draw reliable conclusions about the effectiveness of systems and controls. They were typically set having regard to:
- The entity’s ML/TF risk exposure;
- Transaction volumes;
- Control complexity; and
- Prior review findings or known weaknesses.
In industry practice, sample size ranges often seen in Australian independent reviews included:
- Customer files: typically between 20 and 60 files;
- High‑risk customers: a higher proportion, sometimes 100% of a small population or a minimum of 10 files;
- Alerts: anywhere from 25 to 100 alerts, depending on volume and system complexity;
- Transactions: generally between 30 and 100 transactions; and
- SMRs: it was common practice to review all SMRs filed within the review period.
Sample sizes would usually increase where controls were manual rather than automated, previous independent reviews had identified deficiencies, there was heightened ML/TF risk exposure, or there was evidence of potential systemic weakness.
Documenting the sampling rationale made the independent review easier to defend under AUSTRAC’s supervisory powers in Part 15 of the AML/CTF Act and against the risk‑based expectations embedded in the 2007 AML/CTF Rules.
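As an added illustration that is not part of the original article and not Click Legal’s own tooling, the following Python sketch shows how a reviewer might derive stratified, risk‑based customer sample sizes from the factors listed above and record the rationale alongside the selected files. The base sizes, the uplift factors and the customer population are constructed assumptions chosen to sit inside the industry ranges quoted above; AUSTRAC prescribed none of them, which is exactly why the code writes its own reasoning into a rationale list.

```python
"""Risk-based, reproducible sample selection for an AML/CTF independent review.

Added illustration only: not code from the original article or from Click Legal.
All sizes, factors and customer records below are constructed assumptions.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed starting sizes per risk stratum. Together they sit inside the
# 20-60 customer-file range the article quotes; they are not regulatory values.
BASE_SIZES = {"low": 10, "medium": 15, "high": 10}
HIGH_RISK_MINIMUM = 10  # "100% of a small population or a minimum of 10 files"


@dataclass
class StratumPlan:
    stratum: str
    population: int
    sample_size: int
    rationale: list            # documented reasoning, kept for the audit trail
    selected: list = field(default_factory=list)


def plan_stratum(stratum, population, manual_controls=False,
                 prior_deficiencies=False, heightened_risk=False):
    """Derive a sample size for one risk stratum and record why."""
    size = BASE_SIZES[stratum]
    rationale = [f"base size {size} for {stratum}-risk customers"]
    # Conditions under which the article says sample sizes would usually
    # increase; the multipliers are constructed, not prescribed.
    for flag, label, factor in (
        (manual_controls, "manual rather than automated controls", 1.5),
        (prior_deficiencies, "prior review identified deficiencies", 1.25),
        (heightened_risk, "heightened ML/TF risk exposure", 1.25),
    ):
        if flag:
            size = math.ceil(size * factor)
            rationale.append(f"{label}: x{factor} -> {size}")
    if stratum == "high":
        if population <= HIGH_RISK_MINIMUM:
            size = population
            rationale.append("small high-risk population: 100% coverage")
        else:
            size = max(size, HIGH_RISK_MINIMUM)
            rationale.append(f"high-risk floor of {HIGH_RISK_MINIMUM} files applied")
    size = min(size, population)   # never sample more files than exist
    return StratumPlan(stratum, population, size, rationale)


def build_customer_sampling_plan(customers, seed, **conditions):
    """customers: list of dicts with 'id' and 'risk' ('low'/'medium'/'high')."""
    strata = defaultdict(list)
    for customer in customers:
        strata[customer["risk"]].append(customer["id"])
    plans = {}
    for stratum, ids in sorted(strata.items()):
        plan = plan_stratum(stratum, len(ids), **conditions)
        # A seeded generator makes the selection reproducible, so the audit
        # trail can show exactly how these files were chosen.
        rng = random.Random(f"{seed}:{stratum}")
        plan.selected = sorted(rng.sample(ids, plan.sample_size))
        plan.rationale.append(f"selection: seeded random.sample, seed '{seed}:{stratum}'")
        plans[stratum] = plan
    return plans


def total_sample_size(plans):
    return sum(plan.sample_size for plan in plans.values())


# Constructed population: 80 low-, 30 medium- and 6 high-risk customers.
SAMPLE_CUSTOMERS = (
    [{"id": f"L{i:03d}", "risk": "low"} for i in range(80)]
    + [{"id": f"M{i:03d}", "risk": "medium"} for i in range(30)]
    + [{"id": f"H{i:03d}", "risk": "high"} for i in range(6)]
)

if __name__ == "__main__":
    plans = build_customer_sampling_plan(
        SAMPLE_CUSTOMERS, seed="review-period-1", prior_deficiencies=True)
    for stratum, plan in plans.items():
        print(f"{stratum}: {plan.sample_size} of {plan.population} -> {plan.selected}")
        for line in plan.rationale:
            print("    -", line)
    print("total customer files sampled:", total_sample_size(plans))
```

Run stand‑alone, the script prints each stratum’s size, the chosen file identifiers and the recorded reasoning; with the prior‑deficiencies uplift applied it samples 13 low‑, 19 medium‑ and all 6 high‑risk files, 38 in total. The same seed and population always reproduce the same selection, which is the property the Phase 5 audit trail relies on when a reviewer is later asked why those particular files were tested.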
Phase 4: Control & Competency Testing
Design Effectiveness vs Operating Effectiveness
Under the legacy AML independent review regime, a critical distinction was the difference between design effectiveness and operating effectiveness. These two concepts assessed different aspects of an AML/CTF program.
Design effectiveness testing asked whether a control, if followed correctly, would successfully mitigate the identified money laundering or terrorism financing risk.
For example, a policy that required enhanced due diligence for all PEPs was considered well‑designed if it:
- Identified triggering events;
- Specified additional verification steps; and
- Required appropriate approval or escalation.
This was typically assessed during the desktop review of documentation.
Operating effectiveness testing, however, examined whether that same control was actually being performed consistently and correctly in practice.
Following the previous example, the reviewer would test whether enhanced due diligence was actually triggered when required, properly documented, and reviewed/approved in line with internal controls. While the AML/CTF Act and the 2007 AML/CTF Rules did not expressly use the terms “design effectiveness” and “operating effectiveness”, the purpose of the independent review was to assess whether Part A was functioning effectively in managing ML/TF risk. In practice, this required evidence of operating effectiveness and not merely well‑drafted documentation.
Live Transaction Testing: Tracing End-to-End Processes
Live transaction testing was one of the most powerful methods for assessing the operational effectiveness of systems and controls, particularly for SMR obligations. This technique involved selecting a transaction and tracing its entire journey through the organisation’s AML/CTF framework to see how it was handled from start to finish.
This end‑to‑end trace directly answered the core question: “Could you reasonably detect and report suspicion?” The process typically involved tracking a transaction through the following stages:
- Initiation: the transaction occurred and entered your systems;
- Monitoring: the transaction monitoring system flagged the activity for review, or failed to do so;
- Alert generation: an alert was created for an analyst to investigate;
- Investigation: an analyst reviewed the alert and documented their findings and decision‑making process; and
- Escalation and reporting: a decision was made on whether to file an SMR, which was then lodged with AUSTRAC within the required timeframe prescribed under Section 41 of the AML/CTF Act.
A failure at any point in this chain could expose a significant vulnerability in the entity’s ability to manage ML/TF risk, and almost always led to major findings in a review.
Staff Competency Interviews: Assessing Training Effectiveness
Staff interviews were not informal chats; they were formal control tests designed to assess the effectiveness of the AML/CTF training program and the overall compliance culture within the organisation. These conversations verified whether employees truly understood their responsibilities in mitigating money laundering and terrorism financing risk.
Reviewers often used an “interview map” to structure these tests, targeting different roles with specific questions relevant to their duties. This helped ensure a comprehensive assessment across the business.
- Frontline staff: could be tested on their understanding of KYC procedures and how to identify red flags during customer onboarding;
- Analysts: could be asked about their logic for handling alerts and the process for escalating suspicious activity; and
- Compliance Officer / MLRO: could be questioned on oversight mechanisms, escalation thresholds, governance awareness, and monitoring of controls.
While the AML/CTF Act did not prescribe interview testing, material inconsistencies in responses or a demonstrated lack of understanding were often treated as operating effectiveness failures, as they indicated weaknesses in training effectiveness or governance oversight. This, in turn, could result in poor implementation of policies and procedures by the people responsible for them.
Phase 5: Managing Evidence & The Audit Trail
Establishing an Evidence Room & Index
Under the legacy AML independent review regime, one of the most effective ways to streamline a review and reduce “audit fatigue” was to create a centralised repository for all evidence. Often referred to as an “evidence room”, this was typically a secure digital data room where all documentation requested by the reviewer was stored and organised.
An evidence index that mirrored the structure of the AML/CTF program was used to categorise materials logically. This organised approach reduced back‑and‑forth requests and helped keep the process efficient for both the compliance officer and the reviewer.
While the AML/CTF Act did not prescribe an “evidence room” concept, reporting entities were subject to record‑keeping obligations under Part 10 of the AML/CTF Act. Maintaining well‑organised review materials also strengthened the organisation’s ability to demonstrate compliance to AUSTRAC in any supervisory engagement.
The evidence room would normally contain a comprehensive collection of materials to support the review, including:
- Version‑controlled documents, such as the AML/CTF program and risk assessment;
- Sample tracking sheets for customer files and transactions;
- Screenshots and system logs from technology walkthroughs;
- Interview notes and transcripts from staff competency tests; and
- Copies of prior independent review reports and remediation trackers (where applicable).
Documenting the Review’s Audit Trail
Every step of the independent review had to be meticulously documented to create a traceable audit trail. This process was effectively a “review of the review”, ensuring that all testing, work papers, and conclusions were supported by clear evidence.
The AML/CTF Act and the 2007 AML/CTF Rules did not prescribe specific “work paper” formats, but maintaining a strong audit trail supported the quality and credibility of the independent review and assisted in demonstrating compliance if AUSTRAC later requested substantiation of the methodology or findings.
If the regulator asked how a conclusion was reached, the answer needed to already exist in writing within the audit trail. This trail typically included:
- Testing work papers detailing the procedures performed;
- The rationale for selecting specific samples and the logic behind sample sizes;
- The reviewer’s documented conclusions for each area tested; and
- A clear record of all evidence examined during the assessment.
Phase 6: Finalising the Review Workflow & Remediation Plan
Navigating the Draft Report & Management Response Period
Under the legacy AML independent review regime, the draft report was a crucial collaborative step, not the final verdict. Its primary purpose was to validate the factual accuracy of the reviewer’s findings before the report was finalised.
This phase gave management an opportunity to:
- Offer context for any identified issues;
- Provide evidence that may have been overlooked during testing; and
- Confirm whether conclusions accurately reflected operational realities.
An exit meeting was typically held to present preliminary findings, ensuring there were no surprises for the compliance officer or senior management. Following this, the draft report was issued, initiating the management response period, which usually lasted between one and four weeks.
During this time, the organisation could formally respond to each finding by outlining:
- The root cause;
- Proposed remediation actions; and
- Target completion dates.
Creating a Final Report & RACI Remediation Roadmap
Once the management response period concluded, the reviewer incorporated the feedback and issued the final report. This documented report was provided to senior management and the governing body.
It typically included:
- An executive summary;
- The scope and methodology of the review;
- Risk‑weighted findings and recommendations; and
- Details of the sample sizes used in testing.
Although the AML/CTF Act and the 2007 AML/CTF Rules did not prescribe a specific remediation format, documenting corrective actions supported effective governance and showed that the reporting entity was actively maintaining its AML/CTF program.
To turn findings into an actionable plan, many organisations created a remediation roadmap using a Responsible, Accountable, Consulted, Informed (RACI) matrix. This framework clarified roles and responsibilities for addressing each issue:
- Responsible: the person or team who would perform the work;
- Accountable: the individual who owned the outcome and signed off on completion;
- Consulted: subject‑matter experts who provided input; and
- Informed: stakeholders who were kept up to date on progress.
This roadmap assigned clear ownership and deadlines for each remediation action. It supported stronger governance oversight and reduced exposure under AUSTRAC’s supervisory and enforcement powers.
Presenting Findings to the Board & Risk Committee
In the legacy AML independent review workflow, the final step was presenting the findings to the organisation’s board or a dedicated risk committee.
This was a critical, though often overlooked, element of good governance that demonstrated leadership accountability for the AML/CTF framework. While the AML/CTF Act did not impose personal liability on board members for the independent review itself, governance oversight formed part of maintaining an effective AML/CTF program.
The presentation ensured that senior leadership was fully aware of the health of the AML/CTF program, any significant vulnerabilities, and the resources required for remediation. Board discussion would typically focus on:
- Material findings;
- Root causes of systemic weaknesses; and
- Remediation timelines and risk exposure.
Documented board engagement strengthened the entity’s ability to show that AML/CTF risk management was actively overseen at senior levels.
Conclusion
A structured AML independent review, encompassing everything from scoping and control testing through to reporting and remediation, was a core expectation for Australian reporting entities under the AML/CTF Act and the 2007 AML/CTF Rules. For organisations interpreting historic review reports or remediation plans, understanding how those reviews were run remains essential context.
From 31 March 2026, independent reviews have been replaced by the independent evaluation regime. To understand what your past AML independent reviews mean in practice, or to plan a current independent evaluation that meets today’s requirements, leverage the specialised expertise of our AML/CTF lawyers at Click Legal. Contact our AML independent review & evaluation lawyers today to discuss how our tailored services can help your organisation confidently manage its money laundering and terrorism financing risk.