What an AML/CTF Independent Review Report Had to Include (Pre‑31 March 2026)

Note: Australia’s AML/CTF laws were substantially reformed on 31 March 2026. This article outlines the historical requirements and structure for an AML/CTF independent review report under the legacy pre-reform framework.

For details on what the new AML independent evaluation report must contain (effective from 31 March 2026), please see our current guide on what an AML/CTF independent evaluation report must include.

Introduction

Under the pre-reform framework, reporting entities had to ensure that Part A of their AML/CTF program was subject to an independent review, as required under the legacy 2007 AML/CTF Rules.  This was mandated under Rule 8.6 (or Rule 9.6 if your business operated under a Joint AML/CTF Program as part of a business group). The goal was to verify the program complied with the requirements of the AML/CTF Act (Cth) and the associated 2007 AML/CTF Rules.

Preparing an independent review report provided senior management and the board with a document detailing the methodology and scope of the review, findings arising from the assessment, and recommendations to address any identified deficiencies. This guide explains how such a report was prepared to include clear findings and recommendations, helping a reporting entity’s compliance team interpret the former framework and address identified gaps.

Understanding the Legacy Independent Review Report’s Purpose & Audience

The Report’s Impact & Role in Business

Under the former framework, an independent review provided an impartial assessment of Part A of an AML/CTF program, as was required under Rule 8.6/9.6 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (2007 AML/CTF Rules).

Its core purpose was to assess whether Part A of the AML/CTF program complied with the requirements prescribed in Part 7 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Chapter 8 of the 2007 AML/CTF Rules. It aimed to ensure that the program was appropriately designed as per the entity’s money laundering and terrorism financing (ML/TF) risk profile and checked its effectiveness.

The final review report was a document prepared for the organisation’s senior management and its governing body, such as the Board of Directors. Its purpose was to provide assurance as to the design, adequacy, and maintenance of the AML/CTF compliance framework.

Four Key Assessment Areas

An independent review had to evaluate key elements of Part A to determine the adequacy of the AML/CTF program.

The assessment provided an indication of how well the policies and procedures were designed and functioning in practice. Consequently, the review had to assess the following:

• Consistent adherence to the program: The assessment verified whether the business and its employees had consistently followed the obligations and procedures detailed in its own AML/CTF program.
• Effectiveness against ML/TF risk: The review evaluated how effective the Part A program was in addressing the specific ML/TF risks a business faced, consistent with the risk-based framework embedded in Chapter 8 of the 2007 AML/CTF Rules. This involved checking that controls were proportionate to the risk assessment.
• Compliance with 2007 AML/CTF Rules: The report had to verify that the program was designed in compliance with the requirements set out in Part 7 of the AML/CTF Act and Chapter 8 of the 2007 AML/CTF Rules.
• Effective implementation of policies: Rule 8.6/9.6 of the 2007 AML/CTF Rules required more than documentary compliance. The review had to test whether those policies and procedures had been put into practice across the organisation.

Structuring AML/CTF Review Report

The Executive Summary for Management & the Board

The executive summary served as a summary of the independent review report. It was designed for senior management and the Board, providing an overview of the key information.

Under Rule 8.6.6/9.6.6 of the 2007 AML/CTF Rules, the results of the independent review had to be provided to senior management and the board (if applicable). The executive summary therefore played a governance function, enabling leadership to understand the entity’s compliance posture.

This section summarised the following elements:

• Key findings derived from the assessment.
• Major concerns identified during the process.
• Prioritised recommendations for improvement.

Its purpose was to allow leadership to understand whether Part A of the AML/CTF program complied with the AML/CTF framework, and whether it remained appropriate having regard to the entity’s ML/TF risk profile.

Defining Scope, Methodology, & Limitations

This section established the scope and boundaries of the independent review. It provided transparency about how the assessment was conducted, which was important for the clarity of the findings.

An appropriate report clearly detailed several key elements:

• What was tested: An outline of the specific areas of the Part A program that were reviewed, such as the ML/TF risk assessment, employee training programs, transaction monitoring systems, internal controls and risk mitigation measures, appointment and role of the AML/CTF Compliance Officers, and employee due diligence procedures.
• The review period: While the 2007 AML/CTF Rules did not prescribe a specific look-back period, the scope had to be appropriate as per the entity’s risk profile and the requirement under Rule 8.6.2/9.6.2 of the 2007 AML/CTF Rules that reviews occur at regular intervals.
• Evaluation methods: The techniques used to conduct the assessment, including desk-based reviews of policies, interviews with the AML/CTF Compliance Officer, testing of controls, and walkthroughs of key systems.
• Sampling rationale: An explanation of the specific files, transactions, or control samples selected to test operational effectiveness, including the rationale for sample size and selection methodology. Although the 2007 AML/CTF Rules did not prescribe a sampling methodology, the report had to demonstrate that the testing was proportionate to the entity’s ML/TF risk profile.
• Declaration of independence: A statement confirming that the reviewer satisfied the independence requirement under Rule 8.6.1/Rule 9.6.1 of the 2007 AML/CTF Rules. This meant the reviewer was not involved in the design, implementation, or maintenance of Part A of the AML/CTF program.

Presenting Core Findings & Testing Outcomes

The main body of the report presented the detailed findings of the testing and evaluation. This section was structured to cover both the design and operational effectiveness of the AML/CTF program.

It provided the evidence and analysis that supported the conclusions in the executive summary. The assessment generally evaluated:

• Program design: Whether policies and procedures were documented and aligned with the requirements prescribed in Chapter 8 of the 2007 AML/CTF Rules.
• Operational effectiveness: How well the program was implemented and followed in practice by staff.

Key areas covered in the findings often included:

• ML/TF Risk Assessment: An evaluation of whether the risk assessment was current and based on reasonable assumptions.
• Compliance Culture: An assessment of how employees understood and adhered to their AML/CTF obligations.
• Operational Controls: The outcomes of testing key systems like transaction monitoring, ongoing customer due diligence, and employee due diligence procedures.

The Severity Matrix & Prioritised Remediation Plan

Although the 2007 AML/CTF Rules did not prescribe a formal severity matrix, it was a common practice for independent review reports to categorise findings according to risk impact and regulatory exposure.

This section translated the review’s findings into a plan for improvement. It focused on providing practical steps to address identified deficiencies in the AML/CTF compliance framework.

To manage key issues, findings were often categorised based on their seriousness. Identified gaps could be classified as:

• Minor issues.
• Moderate concerns.
• Significant deficiencies.

This classification helped to prioritise corrective actions. The report then provided a remediation plan that:

• Identified specific corrective actions;
• Assigned clear ownership;
• Set realistic deadlines for completion.

Where deficiencies were significant, remediation steps had to be proportionate to the entity’s ML/TF risk exposure and consistent with its obligations under the AML/CTF framework.

Finalising the Independent Review Report for Senior Management

The Board Cover Memo & Evidence Register

The final independent review report was a document provided to the organisation’s senior management and its governing body, such as the Board of Directors, as per Rule 8.6.6/9.6.6 of the 2007 AML/CTF Rules. This aimed to ensure that the leadership of the organisation was aware of the state of its AML/CTF compliance.

To facilitate a review at the executive level, it was common practice to prepare a cover memo. This memo provided a summary allowing the Board to understand the key information, including:

• The review’s key findings.
• Any major concerns.
• A list of recommendations for improvement.

The review report also commonly included an appendix that served as an evidence register. This register documented the materials examined during the assessment. Although not expressly mandated by the 2007 AML/CTF Rules, maintaining a documented evidentiary basis supported the review’s conclusions.

The types of evidence typically listed included:

• The legacy AML/CTF program (Part A and B) and any previous versions from the review period.
• The organisation’s ML/TF risk assessment and its underlying methodology.
• Board or management meeting minutes showing the adoption and oversight of the program.
• Previous independent review reports and correspondence with the Australian Transaction Reports and Analysis Centre (AUSTRAC).
• Employee training registers and due diligence records.

Record-Keeping Obligations

Under Part 10 of the AML/CTF Act, reporting entities had to retain certain AML/CTF records for seven years. While the AML/CTF Act did not expressly single out independent review reports, they formed part of the AML/CTF program documentation and were retained to demonstrate compliance with Rule 8.6/9.6 of the 2007 AML/CTF Rules.

Accordingly, reporting entities retained:

• The final independent review report;
• Supporting working papers (where appropriate);
• Records of management consideration and remediation actions.

Retaining this documentation assisted in the event of AUSTRAC’s supervisory engagement or enforcement action under Part 15 of the AML/CTF Act.

Tracking Progress on Past Remediation Efforts

Although the 2007 AML/CTF Rules did not expressly mandate retrospective remediation tracking, reviewing prior deficiencies was consistent with the requirement under Rule 8.6.2/9.6.2, which provided that independent reviews occurred at regular intervals and remained appropriate to the entity’s ML/TF risk profile.

The independent review typically assessed and included:

• Findings from prior independent review reports.
• Any direct feedback or formal communication received from AUSTRAC.
• The effectiveness of changes implemented in response to previously identified deficiencies or breaches.
• Post-implementation testing of any updates to Part A of the AML/CTF program.

This demonstrated that the AML/CTF program was maintained and updated as required under Chapter 8 of the 2007 AML/CTF Rules.

Post-31 March 2026: What the Independent Evaluation Report Must Include

From 31 March 2026, the former AML/CTF independent review requirement under Rule 8.6/9.6 of the 2007 AML/CTF Rules has been replaced by a statutory AML/CTF independent evaluation requirement under Section 26F(4)(f) of the now-amended AML/CTF Act, supported by Rule 5-10 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (2025 AML/CTF Rules).

The 2026 AML/CTF reforms directly affect the content, scope, and governance treatment of the report itself.

Mandatory Minimum Frequency

Unlike the former “regular intervals” requirement, Section 26F(4)(f)(ii) of the AML/CTF Act mandates that independent evaluations occur at least once every three years. The evaluation report must therefore confirm compliance with this statutory minimum.

Expanded Scope of the Report

As per the reformed framework under Sections 26A–26V of the AML/CTF Act, the evaluation is no longer confined to “Part A”. The report must assess the effectiveness of the reporting entity’s entire AML/CTF program.

The report must move beyond confirming documentary compliance and instead demonstrate operational effectiveness through evidence-based testing.

Structural Change in the Nature of the Report

Under the reformed regime, an independent evaluation report must demonstrate:

• Outcome-based testing (not merely document review);
• Assessment of operational effectiveness;
• A clear methodology proportionate to the entity’s risk profile;
• Evidence-based findings capable of scrutiny by AUSTRAC.

The evaluation must be designed to withstand review under AUSTRAC’s expanded supervisory powers.

Conclusion

Under the legacy framework, an AML/CTF independent review report was a key tool for reporting entities, providing senior management with an assessment of their AML/CTF program’s design, implementation, and effectiveness. By defining the review’s scope, presenting findings, and tracking remediation, the final report demonstrated compliance and risk management.

To help ensure your compliance reports are robust and meet AUSTRAC’s expectations, contact Click Legal’s specialist AML independent review & evaluation lawyers. Our specialist AML/CTF lawyers provide legal expertise to assist you in navigating your AML/CTF obligations under both the legacy AML/CTF independent review rules and the current AML/CTF independent evaluation framework, which officially replaced the previous review system on 31 March 2026.