What Reporting Entities Should Fix Before Their Next AML Independent Review

Published By:

Hannah Deuk

Founder & Principal Lawyer

Key Takeaways:

  • Update the ML/TF Risk Assessment: You must ensure your risk assessment is an evidence-based, living document that reflects actual business operations, because a generic assessment will cause your entire program to fail scrutiny.
  • Prove Customer Due Diligence Works: You must sample actual customer files to verify that identification, risk ratings, and ongoing monitoring are actively implemented, as reviewers test operational effectiveness rather than just reading written policies.
  • Validate End-to-End Reporting and Monitoring: You must stress-test your transaction monitoring and suspicious matter reporting frameworks to ensure alerts lead to meaningful investigations under Section 41 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  • Fix Record-Keeping Vulnerabilities: You must establish clear, accessible audit trails for all critical decisions to comply with Section 107 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), because reviewers will assume undocumented actions never occurred.
June 4, 2026

Introduction

Before an independent review, the real question for a business is not whether it is ready, but whether its anti-money laundering and counter-terrorism financing (AML/CTF) program will hold up under scrutiny. Under Parts 8.6 and 9.6, where applicable, of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules), the program must be subject to a regular independent review of its effectiveness, implementation, and compliance.

This process is a test of whether controls actually work, not just a check of documentation. This article explains the core compliance areas that reporting entities need to address to confirm their approach to AML/CTF compliance is operationally effective before the next independent review.

Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.

Why AML Independent Reviews Fail

Treating AML Independent Review as a Documentation Exercise

Many reporting entities approach an independent review as a check on their written policies. However, this approach fails because reviewers are required to test for operational compliance, not just review documents. They look beyond the written AML/CTF program to verify that controls are actively and effectively applied in practice.

An independent reviewer tests whether the business is meeting its statutory obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). This includes assessing compliance with key requirements, such as:

If a business only has documented procedures but cannot provide evidence of them working, the reviewer will conclude the controls are not effective. For example, having a detailed suspicious matter reporting (SMR) policy is insufficient if there is no audit trail of how potential matters were investigated and why decisions were made.

Untested Controls Lead to Regulatory Action

When a reporting entity does not regularly test its own AML/CTF controls, the independent review will expose any operational gaps. Weak or untested controls are a primary cause of adverse findings, which can lead to increased regulatory attention from the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Furthermore, if a control has not been tested internally, the reviewer’s assessment will be the first time its effectiveness is formally challenged. This means that:

  • if controls are weak, the review will identify them; and
  • if documentation is poor, explanations for control failures will not be accepted.

For instance, a transaction monitoring system that generates alerts without a clear process for meaningful investigation is an untested control. As a result, an independent reviewer will identify this as a significant failure, regardless of what the written policy states.

Core Compliance Areas to Fix Before Your Next AML Independent Review

ML/TF Risk Assessment

The money laundering and terrorism financing (ML/TF) risk assessment serves as the foundation for the entire AML/CTF program. During an independent review, all controls and procedures are judged against this document, meaning it must be a living document that accurately reflects the business’s specific circumstances. A generic or outdated risk assessment will cause the rest of the program to fail scrutiny.

To meet expectations, the risk assessment must be evidence-based and aligned with actual operations. It should clearly consider key factors, including:

  • The types of customers the business engages with;
  • The specific products and designated services offered;
  • The methods used to deliver those services; and
  • Actual transaction behaviours and patterns.

Customer Due Diligence

AML independent reviewers focus on operational effectiveness, which means they test actual customer files rather than simply reading written policies. Therefore, a reporting entity must be able to provide evidence that its customer due diligence (CDD) procedures are being implemented correctly and consistently. Without sufficient evidence from customer files, a reviewer is likely to conclude that the CDD framework is not operationally effective.

Sampling customer files is a necessary step to confirm that the CDD framework is working. This testing should verify that:

  • Customer identification and verification has been completed according to the program;
  • The assigned customer risk ratings are justified and documented;
  • High-risk customers are subject to enhanced due diligence measures; and
  • Customer information is periodically reviewed and updated as required.

Suspicious Matter Reporting

Under Section 41 of the AML/CTF Act (Cth), reporting entities must report suspicious matters to AUSTRAC. An independent review will test the entity’s ability to detect, investigate, and report such matters, as it is not enough to simply have a policy.

To prove the process works end-to-end, entities should test their frameworks to ensure they function as designed, focusing on key areas such as:

  • Internal escalation pathways for raising concerns;
  • Decision-making processes for evaluating suspicious activity; and
  • Reporting timelines to ensure regulatory deadlines are met.

Furthermore, it is critical to maintain clear records documenting why a matter was or was not deemed suspicious and subsequently reported. A low volume of Suspicious Matter Reports (SMRs) is not necessarily a sign of compliance; instead, it may raise questions about the effectiveness of the entity’s detection capabilities.

Transaction Monitoring

A transaction monitoring program must function effectively in practice. An independent reviewer will assess whether the system is capable of identifying unusual activity that warrants further investigation, in line with the entity’s specific risk profile.

Reporting entities should regularly review and test their transaction monitoring framework by focusing on critical components, including:

  • Assessing the logic and thresholds used to generate alerts; and
  • Examining the process for how those alerts are investigated and resolved.

A system that generates alerts without leading to meaningful investigation and documentation will not withstand the scrutiny of an independent review.

Threshold Transaction Reporting

Reporting entities have a statutory obligation under Section 43 of the AML/CTF Act (Cth) to report transactions involving physical currency of AUD $10,000 or more. A key part of an independent review is to verify compliance with this requirement.

To prepare, a business must be able to demonstrate the completeness and accuracy of its threshold transaction reporting. This involves reconciling transaction data against the reports submitted to AUSTRAC. The goal of this process is to identify and address any transactions that were either missed or reported incorrectly.

Record-Keeping Requirements

The obligation to maintain records is established under Section 107 of the AML/CTF Act (Cth). From a reviewer’s perspective, if an action or decision is not documented, it is assumed that it did not happen. Poor record-keeping creates significant vulnerabilities during an independent review and can invalidate processes that are otherwise compliant.

To prevent this, clear and accessible audit trails are necessary for all critical AML/CTF functions. This includes maintaining records of:

  • Decisions made during suspicious matter investigations;
  • The rationale behind customer risk classifications; and
  • The outcomes of transaction monitoring alert investigations.

Operational Areas to Fix Before an AML Independent Review

Align Training With Actual Risk

Effective AML/CTF training must equip staff to identify and manage ML/TF risks specific to their roles. An AML independent review will assess whether the training program is merely a generic overview or if it is tailored to the organisation’s specific business model and risk profile.

To meet expectations, a reporting entity should ensure its training program includes:

  • Role-specific content: Training should address the particular ML/TF risks that employees may encounter in their day-to-day duties (for example, risks faced by frontline staff at a bank differ from those faced by a fund manager);
  • Completion tracking: The business must maintain records, such as a training register or system report, to demonstrate that all employees have completed the required training for their role; and
  • Competency testing: Where relevant, the program should include measures to test employees’ understanding of their obligations and the entity’s internal processes.

Generic, off-the-shelf training packages are a common reason for adverse findings in an independent review because they often fail to address entity-specific risks.

Make Governance Visible

A reporting entity must be able to demonstrate active oversight from its board and senior management, as reviewers will seek evidence beyond mere statements in a policy document. Independent reviews frequently uncover governance failures in addition to operational compliance gaps.

Visible governance requires clear documentation, including:

  • Board meeting minutes that show the AML/CTF program was formally approved;
  • Processes for escalating significant AML/CTF issues to senior management; and
  • Evidence that the board and senior management receive and consider the results of any independent review, as required under Parts 8.6.6 and 9.6.6 of the AML/CTF Rules (Cth).

Close the Loop on Previous Review Findings

Unresolved findings from prior independent reviews can indicate that the AML/CTF program is not effective. A reviewer will assess how the business has responded to previously identified deficiencies. Repeat findings from one review to the next significantly elevate regulatory risk.

To demonstrate effective management of past issues, a reporting entity should maintain a remediation register. This document should provide clear evidence of the status of previous findings, as follows:

  • The specific actions taken to address each recommendation;
  • The completion status of each action item; and
  • The date when the issue was resolved.

Validate Third-Party and Outsourcing Arrangements

Reporting entities remain fully responsible for any AML/CTF functions they outsource to third-party providers. Therefore, during an independent review, the entity must demonstrate that it maintains control and oversight over these arrangements.

This requires showing evidence of a robust vendor management process, which includes:

  • Due diligence: A thorough assessment of the vendor’s capability to perform the outsourced function before entering into an agreement;
  • Contractual controls: Written contracts that clearly define the roles, responsibilities, and performance expectations for the third party; and
  • Ongoing monitoring: Regular checks to ensure the vendor is meeting its obligations and that the systems, such as screening tools, are operating as intended.

Ensure Ongoing Customer Due Diligence and Employee Due Diligence

An AML/CTF program must include processes for due diligence that extend beyond the initial onboarding of a customer or employee. This includes both ongoing customer due diligence (OCDD) and employee due diligence (EDD).

For OCDD, the program must detail a risk-based approach to reviewing and updating customer information throughout the relationship, with a particular focus on high-risk customers. Vague policy statements about keeping information current are insufficient; instead, the reviewer will seek evidence that these processes are consistently executed.

For EDD, the program should detail practices for identifying higher-risk roles from an ML/TF perspective. This involves:

  • Documenting the basis for assessing why certain roles are rated as higher risk, such as their level of seniority or involvement in key controls;
  • Applying additional due diligence measures for these roles; and
  • Monitoring the movement of staff from lower-risk to higher-risk positions.

Conclusion

Before the next independent review, the critical question is whether AML/CTF controls can demonstrate compliance or if they will reveal operational gaps when tested today. Under Australian AML/CTF law, compliance is ultimately defined not by documentation, but by whether the program works effectively in practice.

To ensure your program can withstand this level of scrutiny, it is essential to have it assessed by an expert. Contact our specialist AML/CTF lawyers at Click Legal today to discuss how our independent review services can provide clarity and confidence in your AML/CTF compliance.
