Building an AML/CTF Program Under the 2026 Reforms: The Critical Role of Independent Evaluations

Introduction

Under the upcoming anti-money laundering and counter-terrorism financing (AML/CTF) reforms, all reporting entities must develop and maintain a compliant anti-money laundering and counter-terrorism financing program (AML/CTF program). Mandated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), these programs protect businesses from money laundering, terrorism financing, and proliferation financing. With deadlines of 31 March 2026 for existing entities and 1 July 2026 for newly regulated businesses, preparation is critical.

This guide outlines the five key steps to developing an AML/CTF program—governance, risk assessment, policy design, ongoing review, and independent evaluation—under the reformed laws. It highlights how these elements operate as a continuous, risk-based system, with independent evaluation playing a central role in testing whether your program is effective in practice.

Why AML/CTF Programs Are Being Reframed Under the 2026 Reforms

The 2026 AML/CTF reforms introduce a fundamental shift in how regulated businesses must approach AML/CTF compliance. Instead of a prescriptive, one-size-fits-all model, the new framework embraces a dynamic, risk-based approach that recognises each reporting entity’s unique money-laundering and terrorism-financing (ML/TF) risks.

An effective program must be tailored to the specific risks your business reasonably faces, reflecting its individual needs and characteristics. The steps you take to complete your risk assessment and develop your policies must align with the nature, size, and complexity of your business. For example, a large, complex organisation is expected to conduct a deeper risk assessment and implement more extensive policies than a small, less complex business.

The ongoing compliance process revolves around several key obligations that operate in a cycle:

• Conduct a thorough ML/TF risk assessment to identify and evaluate threats.
• Develop tailored AML/CTF policies based on that assessment.
• Ensure day-to-day compliance with those policies across the business.
• Regularly review and update the policies as risks and circumstances change.
• Arrange independent testing to confirm the program remains effective.

When You Must Have Your AML/CTF Program in Place

As a reporting entity, you must develop, maintain, and comply with an AML/CTF program. This program is designed to shield your business from money laundering, terrorism financing, and proliferation financing.

The date by which your AML/CTF program must be in place depends on the nature of your business. The key compliance deadlines are:

• 31 March 2026 – currently regulated businesses must update their existing programs to meet the new requirements.
• 31 March 2026 – businesses offering new virtual-asset designated services or acting as an intermediary for the transfer of value.
• 1 July 2026 – newly regulated businesses, including the legal, accounting, real-estate sectors, and dealers in precious metals, stones, and products.

From these dates, it becomes mandatory that the program is documented and approved by a senior manager before you provide any designated service to customers.

Transitional Rules and Deadlines

To support smooth implementation, the Department of Home Affairs and Australian Transaction Reports and Analysis Centre (AUSTRAC) are finalising transitional rules. These rules will give reporting entities additional time to align their business processes with certain new obligations.

Key transitional arrangements are as follows:

• Transitional period for initial Customer Due Diligence (CDD): Existing reporting entities have a three-year window (31 March 2026 – 30 March 2029). During this time, businesses have specific options and obligations:
  • They may either keep using current customer identification procedures or adopt the new initial CDD obligations.
  • The chosen method must be applied consistently to all new customers.
  • New ongoing CDD requirements still take effect on 31 March 2026.
• Extended notification for AML/CTF compliance officer: Existing entities must notify AUSTRAC of the appointed officer by 30 May 2026, while newly regulated businesses and virtual-asset service providers have until 29 July 2026.
• Staggered initial independent evaluations: To manage demand, the first evaluation deadline for newly regulated businesses will be staggered, with the earliest date being 1 July 2029. AUSTRAC will allocate a specific deadline based on each entity’s AUSTRAC account number.
• Registration roll-over: Currently registered digital currency exchange providers and remittance service providers will not have to re-register under the new framework.
• Deferred obligations for new Virtual Asset Service Providers: Compliance duties for newly regulated virtual-asset services, including the “travel rule” for virtual-asset transfers, are deferred until 1 July 2026.

What an AML/CTF Program Must Contain

ML/TF Risk Assessment

An AML/CTF program is built upon a comprehensive ML/TF risk assessment.

This assessment serves as the foundation of your entire program. Specifically, it identifies and evaluates the specific money laundering, terrorism financing, and proliferation financing risks your business may reasonably face.

Under Section 26C of the AML/CTF Act (Cth), your risk assessment must consider several key factors, including the ML/TF risks that may arise from:

• The types of designated services you provide.
• The kinds of customers you serve.
• The delivery channels you use to provide your services.
• The countries you or your customers deal with.

AML/CTF Policies

The second core component of your program consists of your AML/CTF policies.

As required by Section 26F(1) of the AML/CTF Act (Cth), these policies detail the procedures, systems, and controls you will implement to manage and mitigate the specific ML/TF risks identified in your risk assessment.

Importantly, these policies are not a one-size-fits-all solution. Instead, they must be carefully designed to achieve the following:

• Be tailored to the nature, size, and complexity of your business.
• Ensure you can appropriately manage and mitigate your identified risks.
• Help you comply with all your AML/CTF obligations.

The 5-Step Framework for Developing An AML/CTF Program

Step 1: Establishing Governance Framework

The first step in developing your AML/CTF program is to create a clear governance and oversight structure. This framework builds ownership and accountability by defining specific roles and responsibilities within your business.

Within this framework, three key roles must be clearly defined:

• Governing Body: This person or group, such as a board or business owner, is primarily responsible for executive-level decisions. Under Section 26H of the AML/CTF Act (Cth), the governing body must exercise ongoing oversight of your risk assessment and overall compliance.
• Senior Manager: You must appoint one or more senior managers responsible for making key AML/CTF decisions. As outlined in Section 26P of the AML/CTF Act (Cth), a senior manager’s core function is to approve the AML/CTF program and any subsequent updates.
• AML/CTF Compliance Officer: This individual manages day-to-day compliance. According to Sections 26J(2) and 26L of the AML/CTF Act (Cth), the compliance officer must oversee the effective operation of your AML/CTF policies and report to the governing body.

Step 2: Identifying & Assessing ML/TF Risks

The foundation of your entire AML/CTF program is a comprehensive ML/TF risk assessment that identifies and evaluates the specific risks your business may reasonably face before any controls are applied.

Your assessment must consider the following factors, from which ML/TF risks may arise:

• Designated services you provide.
• Customer types you serve.
• Delivery channels you use to provide services.
• Countries you or your customers deal with.

The steps you take must be tailored to the nature, size, and complexity of your business, resulting in a documented and defensible risk profile of inherent risks.

Step 3: Mitigating & Managing Risks Through AML/CTF Policies

Once you have identified and assessed your ML/TF risks, you must develop and implement AML/CTF policies to manage and mitigate them. These policies set out the procedures, systems and controls your business will use to address the risks identified in your assessment.

As required by Section 26F(1) of the AML/CTF Act (Cth), your policies must manage your identified risks and ensure compliance with all AML/CTF obligations.

Your policies must be tailored to the nature, size, and complexity of your business and be effective in practice. In most businesses, effective controls focus on three critical areas:

• Customer due diligence to verify identities and assess risk levels.
• Transaction monitoring to detect unusual or suspicious activity.
• Reporting to AUSTRAC when thresholds are met or suspicion arises.

Step 4: Reviewing & Updating Your AML/CTF Program

Developing an AML/CTF program is not a one-time task; it requires ongoing attention to remain effective. You have an obligation to review and update your program regularly so it continues to address your ML/TF risks.

Under Sections 26D and 26E of the AML/CTF Act (Cth), a review is mandatory at least once every three years and whenever specific triggers occur, including:

• Significant changes to designated services, customer types, delivery channels or countries dealt with.
• New AUSTRAC information identifying or reassessing relevant risks.
• Adverse findings in an independent evaluation report concerning your risk assessment or policies.

Step 5: Conducting Independent Evaluations

The final step requires periodic independent evaluations that provide external validation your program is well-designed and operating effectively.

According to Section 26F(4)(f) of the AML/CTF Act (Cth), and Section 5-10 of the AML/CTF Rules 2025 (Cth), your policies must ensure an independent evaluation is conducted to assess your risk assessment process, policy design and practical compliance.

An evaluation must occur at least once every three years, with the exact frequency determined by the nature, size, and complexity of your business. The evaluator—internal or external—must be independent of the program’s development and daily management.

Importance of Independent Evaluations

What Independent Evaluations Assess for Reporting Entities

An independent evaluation provides a comprehensive assessment of your entire AML/CTF program. According to Section 26F(4)(f) of the AML/CTF Act (Cth) and Section 5-10 of the AML/CTF Rules 2025 (Cth), the evaluation must cover three distinct areas.

The scope of the evaluation includes a detailed assessment of:

• Your ML/TF risk assessment process, where the evaluator will assess how you initially conducted or subsequently reviewed it to ensure alignment with the AML/CTF Act (Cth) and the AML/CTF Rules 2025 (Cth).
• The design of your AML/CTF policies to determine if they are structured to meet all relevant legal and regulatory obligations.
• Your operational effectiveness and compliance, testing whether your program is effective in practice by assessing if you have appropriately identified, managed, and mitigated risks while complying with your own documented policies.

Why This Step Is Structurally Critical for Your Program

Independent evaluations are a critical assurance layer within the AML/CTF framework because they provide an objective validation of your program’s integrity and effectiveness. This process moves beyond internal checks by introducing an unbiased perspective to confirm that your systems and controls are not just well-documented but are also working as intended in your daily operations.

This step is vital for several reasons:

• It helps identify compliance gaps or weaknesses in your risk management that may not be apparent from an internal viewpoint.
• It acts as a crucial credibility mechanism, demonstrating to AUSTRAC and other stakeholders that your business is committed to robust and effective AML/CTF compliance.

How Independent Evaluation Connects All 5 Steps

The independent evaluation functions as a comprehensive feedback loop that connects and reinforces all five steps of your AML/CTF program. It does not operate in isolation but rather serves to test the integration and effectiveness of the entire compliance cycle, ensuring each component works together cohesively.

When an evaluation report contains adverse findings, it triggers a mandatory review process. Under Sections 26D and 26F of the AML/CTF Act (Cth) and Sections 5-1 and 5-4 of the AML/CTF Rules 2025 (Cth), you must review and, if necessary, update your ML/TF risk assessment and AML/CTF policies.

This directly links the evaluation (Step 5) back to the rest of your program by:

• Connecting back to your risk assessment (Step 2), policies (Step 3), and internal review processes (Step 4).
• Creating a continuous cycle of improvement across your operations.
• Ensuring your governance framework (Step 1) remains highly responsive to any identified deficiencies.

Common Mistakes When Developing AML/CTF Programs

When developing an AML/CTF program, several missteps can undermine its effectiveness and trigger non-compliance.

To ensure your framework remains robust, be mindful of these frequent errors:

• Using a generic, one-size-fits-all approach instead of tailoring the program to the business’s specific circumstances.
• Failing to ensure your risk assessment and subsequent policies are appropriate to the nature, size, and complexity of your business, as a large, complex organisation is expected to have a more in-depth program than a smaller, less complex one.
• Treating the program as a mere documentation exercise, rather than ensuring your AML/CTF policies are effective in practice and integrated into your daily operations.
• Neglecting to actively comply with your documented policies, which is required under Section 26G(1) of the AML/CTF Act (Cth).
• Viewing the independent evaluation as a simple compliance task, which overlooks its critical function under Section 5-10 of the AML/CTF Rules 2025 (Cth) to test and evaluate whether your program is operationally effective at identifying, managing, and mitigating your ML/TF risks.

Conclusion

Developing a compliant anti-money laundering and counter-terrorism financing program under the 2026 reforms requires a risk-based approach that is actively maintained through a continuous cycle of assessment, implementation, and review. The independent evaluation serves as the ultimate test, providing critical assurance that your program is not only well-designed but also operationally effective in mitigating your specific money laundering and terrorism financing risks.

To ensure your business is prepared for these significant changes and can demonstrate robust compliance, contact Click Legal’s experienced AML independent review lawyers today. Our team provides the trusted expertise you need to navigate the reform with confidence and secure your operations against financial crime.

Frequently Asked Questions