Who Could Conduct an AML/CTF Independent Review In Australia (Pre‑31 March 2026)

Note: Australia’s AML/CTF laws were substantially reformed on 31 March 2026. This article outlines the historical eligibility and independence criteria for conducting an AML/CTF independent review under the legacy pre-reform framework.

For details on the rules regarding who is eligible to perform the new AML independent evaluation (effective from 31 March 2026), please see our current guide on who can conduct an AML/CTF independent evaluation.

Introduction

Reporting entities in Australia must navigate strict obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). Prior to the major legislative reforms introduced on 31 March 2026, a critical component of this framework was the requirement under the former Rules 8.6 and 9.6 of the pre-reform Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (2007 AML/CTF Rules) to conduct an independent review of Part A of the AML/CTF program. This impartial assessment, mandated by the Australian Transaction Reports and Analysis Centre (AUSTRAC), was a key part of effective AML/CTF compliance under the pre-reform framework. As of 31 March 2026, the independent review process has been officially replaced by a new “AML/CTF Evaluation” process.

Selecting the right professional to conduct that former review was a vital decision for business owners and directors seeking to safeguard their operations. While the 2007 AML/CTF Rules allowed for various internal or external reviewers, engaging specialised legal experts offered a distinct advantage in interpreting complex regulatory requirements. This guide explores the criteria for independence under that former regime.

Historical Core Requirements for an AML/CTF Reviewer in Australia

The Historical Mandate for Independence & Expertise

Under the pre-March 2026 framework, when selecting a person to conduct an independent review, two core principles were non-negotiable: independence and expertise.

Under the legacy Rule 8.6.1 and Rule 9.6.1 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (2007 AML/CTF Rules), a reporting entity had to ensure that Part A of its AML/CTF program underwent an AML/CTF independent review. Those legacy 2007 AML/CTF Rules required that the review be conducted by a person who was independent of the design, implementation, and maintenance of the AML/CTF program. In practical terms, this required a reviewer who was sufficiently independent to provide an objective assessment of the program. Independence was therefore a strict legal requirement under the former rules, not just best practice.

In addition to independence, the reviewer had to possess sufficient expertise to properly assess:

• Compliance with the pre-reform AML/CTF Act and 2007 AML/CTF Rules.
• The adequacy of the legacy ML/TF risk assessment (as was required under Part A).
• Whether controls were appropriate, having regard to the reporting entity’s risk profile.

While the former 2007 AML/CTF Rules did not prescribe formal qualifications, AUSTRAC expected the reviewer to have sufficient knowledge of:

• The AML/CTF Act and the associated 2007 AML/CTF Rules.
• How to interpret and apply those legal obligations to your organisation’s specific context.
• A comprehensive grasp of the ML/TF risks relevant to your industry and business model.

When assessing a potential reviewer’s suitability under the legacy regime, you could also consider whether they belonged to a professional body that required adherence to relevant professional standards. This provided additional assurance of their qualifications and commitment to objectivity.

Reviewer Disqualifications Under the Legacy 2007 AML/CTF Rules

The pre-2026 requirement for “independence” acted as a functional disqualification test. To maintain the integrity of the independent review, the legacy Rules 8.6.1 and 9.6.1 of the 2007 AML/CTF Rules disqualified individuals or firms from conducting the assessment if they had prior involvement with the program. A person did not satisfy the independence requirement if they were involved in:

• Designing, implementing, or maintaining Part A of your AML/CTF program.
• Developing your ML/TF risk assessment or any related internal controls.
• Performing any of the specific functions or measures that were being reviewed as part of the assessment.

Additionally, AUSTRAC also recommended considering if the person was someone who could be influenced by people involved in the risk assessment or development of the program. The core principle was that the reviewer could not assess their own work.

Internal vs. External Independent Reviews Under the Legacy Framework

Using an Internal Reviewer

Under the legacy framework, reporting entities had the option to appoint an internal employee to conduct the independent review of their AML/CTF program. However, this was only permissible if the individual met the strict independence criteria to ensure an impartial assessment.

Specifically, the internal reviewer must not have been involved in the development, implementation, and/or maintenance of the AML/CTF program.

This meant that, in most cases, the AML/CTF compliance officer appointed under Rule 8.5.1 of the 2007 AML/CTF Rules or members of the compliance team were not suitable candidates, since they were involved in maintaining the program.

A viable internal reviewer was typically someone from a separate department with no compliance responsibilities.

For instance, a larger organisation could appoint an internal auditor who had sufficient knowledge of AML/CTF law but was separate from the compliance function.

Conversely, for smaller businesses with limited staff, finding a genuinely independent employee could be challenging.

Why Businesses Chose an External Reviewer

Many businesses, particularly those with limited internal resources or potential conflicts of interest, preferred to engage an external party to conduct the independent review.

This approach offered several advantages that provided additional assurance to management, boards, and AUSTRAC.

Key motivations for choosing an external reviewer included:

• Impartiality: An external reviewer, such as a lawyer, accountant, or specialist consultant, was free from internal influences and could provide an objective assessment of policies and procedures.
• Specialised Expertise: External professionals often possessed deep, specialised knowledge of the AML/CTF Act and associated rules, bringing a high level of technical competence to the review.
• Broader Industry Perspective: Having worked with numerous businesses, external reviewers understood industry practices and could offer insights that an internal employee might not possess.
• Resource and Capacity Issues: Many organisations did not have internal staff with the necessary time, expertise, or capacity to dedicate to a thorough AML/CTF program review.
• Stakeholder Confidence: An independent review report from an external firm could provide greater assurance to regulators, financial partners, and other stakeholders that the compliance framework met the required standards.

Selecting the Right External Partner Under the Legacy Framework

Assessing Technical Competence & Industry Knowledge

Under the former system, when selecting an external partner to conduct an independent review, it was important to assess their technical competence and specific industry knowledge. The reviewer had to have a clear understanding of the business operations and the unique ML/TF risks the relevant sector faced. This expertise ensured the review was relevant and effectively evaluated compliance with the AML/CTF Act.

AUSTRAC has historically expressed concerns about advisors who relied on generic, template-based approaches. A simple “tick-the-box” solution was unlikely to satisfy regulatory obligations, as it might not have accurately reflected the specific financing risks of the business. Furthermore, some businesses found that template risk assessments provided by consultants often:

• Contained controls that were not actually in use.
• Were ineffective in practice.

A suitable reviewer had to move beyond generic templates to provide a tailored assessment. Consequently, they needed to:

• Understand known money laundering techniques relevant to the industry.
• Ensure the AML/CTF program and risk assessment were customised to the operational reality.

Key Questions for a Potential Reviewer Under the Former System

To gauge the suitability of a potential reviewer’s process, it was important to ask detailed questions about their methodology. The answers helped determine if their approach aligned with regulatory expectations and the complexity of the business. Ultimately, a clear methodology was key to an independent review that provided practical utility.

Licensees typically considered asking the following questions to understand their approach:

• Tailoring and Customisation: Was the AML/CTF program and ML/TF risk assessment they provided tailored specifically to the business, or did they use a generic template?
• In-Depth Analysis: Did their process involve a site visit or other detailed inquiries to understand operations and risks firsthand?
• Risk Assessment Process: Could they explain the methodology used for the risk assessment, and how they used both qualitative and quantitative data to determine risk ratings?
• Implementation and Effectiveness: How did they assess whether the AML/CTF program had been properly implemented, and what steps did they take to evaluate its effectiveness in practice?
• Scope of Testing: What was their process for transaction testing, and what sample sizes did they typically use to verify that policies and procedures were being followed?
• Reporting: What specific outcomes, findings, and recommendations could be expected in the final independent review report?

Accountants & the Independence Conflict Under the Legacy Framework

A common question was whether a business’s regular accountant could conduct the independent review. An accountant could perform the review, provided they met the strict independence criteria mandated by the 2007 AML/CTF Rules.

A conflict arose if the accountant was involved in the creation or maintenance of the systems they were tasked with assessing. For instance, if the accounting firm helped develop the internal financial controls or advised on the risk assessment, they would not be considered independent enough to conduct the review. However, if their services had been limited to standard accounting and tax advice, and they possessed the necessary AML/CTF expertise, they could be a suitable choice.

The Lawyer-Led Advantage in AML/CTF Independent Reviews

Deeper Regulatory Insight: Lawyers vs. General Auditors

When conducting an independent review under the former system, the distinction between a legal expert and a general auditor was noteworthy. Auditors and consultants typically focused on the technical aspects of an audit, testing the operational effectiveness of existing processes. Their primary role was to verify that procedures were being followed as documented.

Lawyers, however, are trained to interpret and apply complex legislation like the AML/CTF Act. They would analyse operations against the specific statutory requirements and associated rules and regulations, providing legally sound and compliant solutions.

This regulatory insight was important for helping ensure an AML/CTF program was:

• Procedurally correct; and
• Legally robust, especially when compliance was under scrutiny by AUSTRAC.

The Strategic Benefit of Legal Professional Privilege

Engaging a law firm to conduct an independent review offers a strategic advantage known as legal professional privilege. This legal principle protects confidential communications between a lawyer and their client made for the purpose of giving or receiving legal advice.

This protection is generally not available when engaging an accountant, auditor, or general consultant.

Legal professional privilege creates a secure environment for open and honest discussions about potential weaknesses or gaps in an AML/CTF program. It allows a business to address sensitive findings from the review report without the risk of those communications being disclosed to regulators or third parties in future proceedings.

Conclusion

Selecting an independent and expert reviewer was a critical obligation for all reporting entities under the AML/CTF Act – a duty that has transitioned to the new AML/CTF independent evaluation process as of 31 March 2026. While businesses could choose between internal and external reviewers under the legacy system, engaging a legal expert offered helpful advantages in navigating complex AML/CTF regulations and protecting business operations, which remains equally true under the current evaluation framework.

Whether you need to address historical compliance requirements under the pre-reform rules or arrange your new independent evaluation, contact Click Legal’s AML/CTF independent review and evaluation lawyers today. Our experienced AML/CTF lawyers provide independent evaluation services to help your business meet its compliance obligations under the reformed AML/CTF landscape.

Frequently Asked Questions