AML/CTF Independent Evaluation Report Requirements: Components, Purpose and Record-Keeping

Introduction

For reporting entities, conducting a regular independent evaluation of their anti-money laundering and counter-terrorism financing (AML/CTF) program is a fundamental legal requirement. This obligation, established under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), is designed to ensure that your policies, procedures, and risk management frameworks are effectively mitigating the risks of money laundering and terrorism financing (ML/TF).

A key outcome of this process is the creation of a formal independent evaluation report, a document with specific components mandated by the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules). This guide will break down the essential components of a compliant report, explaining what must be included to satisfy regulatory expectations and serve as an effective tool for governance and oversight.

Understanding the Legal Mandate for an AML/CTF Independent Evaluation

Primary Obligation Under the AML/CTF Act

Under Section 26F(4)(f) of the AML/CTF Act (Cth), all reporting entities must include provisions for the conduct of independent evaluations within their AML/CTF policies. This is a fundamental legal requirement for your AML/CTF program.

The AML/CTF Act (Cth) specifies two key requirements for the frequency of these evaluations. According to Section 26F(4)(f), the schedule for conducting an independent evaluation must be:

• Appropriate to your business: The frequency must be suitable for the specific nature, size, and complexity of your operations.
• Set at a minimum interval: An independent evaluation must be conducted at least once every three years to ensure ongoing compliance and effectiveness.

Additionally, the Australian Transaction Reports and Analysis Centre‘s (AUSTRAC) guidance suggests that you should document the reasoning behind the chosen frequency, detailing how factors related to your business’s nature, size, and complexity informed your decision.

Specific Requirements Outlined in the AML/CTF Rules

The AML/CTF Rules (Cth) provide further detail on what the independent evaluation process must involve. Specifically, Rule 5-10 mandates that your AML/CTF policies must require the independent evaluation to cover several specific areas.

As part of the conduct of an independent evaluation, your policies must ensure the process includes:

• An evaluation of the steps you have taken when undertaking or reviewing your money laundering and terrorism financing (ML/TF) risk assessment, as required by Rule 5-10(2)(a).
• A thorough evaluation of the design of your AML/CTF policies to ensure they meet the requirements of the AML/CTF Act (Cth), regulations, and the AML/CTF Rules (Cth), as stated in Rule 5-10(2)(b).
• Testing and evaluating your entity’s compliance with its own AML/CTF policies, according to Rule 5-10(2)(c).
• Testing and evaluating whether you are appropriately identifying, assessing, managing, and mitigating your ML/TF risks, as per Rule 5-10(2)(d).
• The production of a written report that contains the findings on all the matters evaluated, as required by Rule 5-10(2)(e).
• The delivery of this final independent evaluation report to your governing body and any senior manager responsible for approving the AML/CTF program, in accordance with Rule 5-10(2)(f).

Furthermore, Rule 5-10(3) requires that your AML/CTF policies must also clearly outline how your business will respond to the findings presented in an independent evaluation report.

Core Components of a Compliant AML/CTF Independent Evaluation Report

Analysis of ML/TF Risk Assessment Process

Under Rule 5-10(2)(a) of the AML/CTF Rules (Cth), your AML/CTF policies must ensure that an independent evaluation assesses the steps your business took when creating or reviewing its risk assessment for ML/TF.

The resulting written report must document the findings of this evaluation by examining whether your process complied with the requirements of the AML/CTF Act (Cth) and its associated AML/CTF Rules (Cth).

Ultimately, the independent evaluator must verify that your approach to identifying and assessing risks was both thorough and legally compliant.

Evaluation of AML/CTF Policy Design

The independent evaluation report must also contain an assessment of the design of your AML/CTF policies.

This requirement is mandated by Rule 5-10(2)(b) of the AML/CTF Rules (Cth), meaning the evaluation must measure your policies against the obligations set out in the AML/CTF legal framework.

This component of the report focuses on whether your AML/CTF policies are structured to effectively manage and mitigate the ML/TF risks your business may reasonably face.

Furthermore, it ensures your documented procedures are not only present but also appropriately designed for the:

• Specific nature of your business operations.
• Overall size of your organisation.
• Inherent complexity of your business model.

Findings from Testing Program Compliance & Effectiveness

A critical part of the report involves documenting the results of testing your program’s practical application.

Specifically, Rule 5-10(2)(c) of the AML/CTF Rules (Cth) requires the evaluation to test and assess your compliance with your own AML/CTF policies.

This confirms whether your organisation is actively adhering to its established procedures.

Furthermore, under Rule 5-10(2)(d), the evaluation must also test and evaluate the effectiveness of your risk management.

This means the report must contain findings on whether you are appropriately handling the money laundering and terrorism financing risks associated with the designated services you provide by:

• Accurately identifying potential threats to your business.
• Thoroughly assessing the level of risk involved.
• Effectively managing ongoing vulnerabilities.
• Appropriately mitigating the identified risks.

Documenting the Scope & Methodology of the Evaluation

While the AML/CTF Act (Cth) and the AML/CTF Rules (Cth) do not prescribe the exact format of the report, AUSTRAC guidance sets clear expectations for transparency.

Consequently, a compliant report is expected to provide a clear account of how the independent evaluation was conducted.

To achieve this, the written report should typically include:

• A summary of the evaluation process and the specific evaluation method used.
• Details on the aspects of the business that were reviewed.
• Information on what was tested, the files that were sampled, and how the tests or sampling were conducted.

Independent Evaluation Report’s Role in AML/CTF Governance & Oversight

Delivering the Report to Governing Body & Senior Management

Under Rule 5-10(2)(f) of the AML/CTF Rules (Cth), your AML/CTF policies must ensure that the final written independent evaluation report is delivered to key personnel.

Specifically, the report must reach:

• Governing body of the reporting entity
• Senior manager responsible for approving the AML/CTF program

This process is a critical component of corporate governance. It directly supports the oversight responsibilities mandated by Section 26H of the AML/CTF Act (Cth).

To facilitate timely action, AUSTRAC guidance suggests delivering the report as soon as reasonably practicable after it is finalised. Prompt delivery alerts leadership to any deficiencies so they can address non-compliance without delay.

Using the Report to Address Findings & Enhance AML/CTF Program

Your entity’s AML/CTF policies must outline how it will respond to an independent evaluation, creating a robust response mechanism as required by Rule 5-10(3) of the AML/CTF Rules (Cth).

If an independent evaluation report identifies adverse findings, responding to an independent evaluation report is a critical next step where you are expected to review—and, where necessary—update your ML/TF risk assessment and AML/CTF policies. This strengthens your overall risk-management framework.

For example, adverse findings could relate to:

• Methodology used for your ML/TF risk assessment
• Design deficiencies in your AML/CTF policies
• Failures in complying with your own procedures
• Inadequate management and mitigation of ML/TF risks

While you are not required to agree with every observation, AUSTRAC expects you to take all findings seriously. Best practice is to keep detailed records showing how each point was addressed, including the rationale for any decision not to update your AML/CTF program, as this documentation is a key part of maintaining ongoing AML/CTF compliance.

Record-Keeping Requirements for Your Independent Evaluation Report

Under Section 116 of the AML/CTF Act (Cth), reporting entities are required to keep records that can reasonably demonstrate compliance with their independent evaluation obligations. Failure to comply with AML/CTF laws can lead to significant consequences and enforcement action.

This means maintaining thorough documentation of the entire evaluation process, from the selection of the evaluator to the response to the final report.

Consequently, these records are essential for showing AUSTRAC that you have fulfilled your legal duties.

To comply with these requirements, your business should maintain a comprehensive file related to each independent evaluation. Furthermore, this documentation should be detailed enough to provide a clear audit trail.

Key records that are reasonably necessary to demonstrate compliance include:

• The final independent evaluation report, which is the primary document that contains the findings of the review.
• Any evaluated records and files that were sampled or directly assessed during the conduct of the independent evaluation.
• Documentation on evaluator selection, including records showing why your business considered the independent evaluator to be suitable and how you selected them to ensure their independence.
• Records of internal discussions, such as minutes or notes from meetings with your governing body and senior managers regarding the findings presented in the report.
• Detailed action plans for adverse findings, explaining how your organisation has addressed or plans to address any issues from the independent evaluation.
• Documentation regarding responsibility and tracking that outlines who is responsible for implementing changes and how your business will monitor the progress of these actions.
• Specific reasons for inaction, meaning if you decide not to address a specific finding, you must keep records detailing the justification for this decision.

Conclusion

A compliant independent evaluation report is a critical tool for demonstrating that your AML/CTF program meets its legal obligations and effectively manages risk. Understanding its core components, from the analysis of your ML/TF risk assessment to the documentation of compliance testing, is essential for robust governance and continuous improvement.

If you require trusted expertise to conduct an independent evaluation of your AML/CTF program, contact Click Legal’s specialist AML independent evaluation lawyers today. Our tailored services are designed to help reporting entities in Australia achieve peace of mind and ensure their risk management frameworks are both compliant and effective.

Frequently Asked Questions