How to Conduct an AML/CTF Independent Evaluation: Step-by-Step Process & Methodology

Published By:

Hannah Deuk

Founder & Principal Lawyer

Key Takeaways:

  • Required Report Components: Your evaluation report must explicitly assess the design of your AML/CTF policies, the methodology of your ML/TF risk assessment, and your practical compliance and effectiveness in mitigating risks as mandated by the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth).
  • Purpose in Corporate Governance: You must deliver the final written report to your governing body and senior management to facilitate prompt oversight and ensure adverse findings are actively addressed to strengthen your risk-management framework.
  • Strict Record-Keeping Obligations: To demonstrate compliance to AUSTRAC under Section 116 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), you must maintain a comprehensive audit trail that includes the final report, sampled files, evaluator selection details, and internal meeting minutes.
  • Documenting Remediation or Inaction: Your business must keep detailed records of action plans for adverse findings, including explicit justifications if your leadership decides not to implement specific recommendations from the independent evaluation report.
April 7, 2026

Introduction

For all reporting entities, conducting a regular independent evaluation of their anti-money laundering and counter-terrorism financing (AML/CTF) program is a fundamental legal requirement. This obligation serves as a critical check to ensure policies and procedures are not only compliant on paper, but are also effective in practice at mitigating the risks of money laundering and terrorism financing (ML/TF).

This guide provides a practical, step-by-step framework for conducting a thorough and effective independent evaluation, designed to assist compliance officers, senior managers, and the governing body in meeting their obligations and strengthening their overall AML/CTF risk management.

Understanding Legal Obligations for an Independent Evaluation

Mandate Under Section 26F of the AML/CTF Act

Under Section 26F(4)(f) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), all reporting entities must embed provisions for independent evaluations within their AML/CTF policies. This Section establishes the foundational legal requirement for this critical oversight function.

The legislation also sets a minimum frequency, mandating evaluations at least once every three years. Yet, under Section 26F(4)(f)(i), the schedule must suit the nature, size, and complexity of each business, so higher-risk or more complex organisations may need more frequent reviews.

Specific Requirements Under Rule 5-10 of the AML/CTF Rules

While the AML/CTF Act (Cth) creates the mandate, Rule 5-10 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules) provides the detailed requirements that every independent evaluation must satisfy. The conduct of an independent evaluation must include:

  • An evaluation of the steps taken when you undertook or reviewed your ML/TF risk assessment.
  • An evaluation of the design of your AML/CTF policies against the AML/CTF Act (Cth) and AML/CTF Rules (Cth).
  • Testing and evaluation of your compliance with your own AML/CTF policies.
  • Testing and evaluation of whether you are effectively identifying, assessing, managing, and mitigating ML/TF risks.
  • The production of a written independent evaluation report detailing the findings.
  • The delivery of this report to your governing body and any relevant senior manager.

Furthermore, Rule 5-10(3) requires your AML/CTF policies to also outline how your organisation will respond to the findings of an independent evaluation report.

What the Law Does Not Prescribe

Although the legal obligations are clear, the legislative framework is outcomes-based and does not dictate a specific methodology for conducting an evaluation. Reporting entities and evaluators therefore have flexibility to choose the most appropriate approach for their circumstances.

Because there are no mandated testing formats or sample sizes, each entity must defend a methodology that matches the nature, size, and complexity of its operations.

Step 1: Defining the Scope of Evaluation

Adopting a Whole-of-Program Scope

An independent evaluation must cover your entire AML/CTF program, not just isolated components.

This comprehensive approach ensures that all aspects of your compliance framework are assessed for design and effectiveness. For reporting entities operating in multiple jurisdictions, the evaluation should also assess compliance with Australian AML/CTF obligations and include a reasonable sample from your Australian operations.

Under Rule 5-10(2) of the AML/CTF Rules (Cth), the conduct of an independent evaluation must include an assessment of several key areas to be considered comprehensive:

  • ML/TF Risk Assessment: an evaluation of the steps you took when undertaking or reviewing your ML/TF risk assessment.
  • Policy Design: an evaluation of how your AML/CTF policies are designed against the requirements of the AML/CTF Act (Cth) and AML/CTF Rules (Cth).
  • Compliance: testing and evaluation of your compliance with your own AML/CTF policies and procedures.
  • Effectiveness: testing and evaluation of whether you are appropriately identifying, assessing, managing and mitigating your ML/TF risks.

Implementing a Risk-Based Scoping Approach

While the scope must be comprehensive, the focus of your independent evaluation should be guided by risk. Your AML/CTF policies must be appropriate to the nature, size and complexity of your business, and the evaluation’s methodology should reflect this.

Accordingly, allocate greater attention and more rigorous testing to areas of your business that present a higher risk of ML/TF.

A risk-based approach ensures that the evaluation effectively addresses your highest-risk areas. This could involve deeper testing of:

  • High-risk customers or business relationships.
  • Complex or new products and designated services.
  • Transactions involving high-risk jurisdictions or delivery channels.
  • Areas where previous internal reviews or compliance breaches have highlighted systemic issues.

Step 2: Selecting a Competent & Independent Evaluator

The Core Requirement for Independence

Your AML/CTF policies must ensure the evaluator is genuinely independent. Independence requires the evaluator to steer clear of the following functions:

  • Designing AML/CTF controls
  • Implementing those controls
  • Running daily compliance activities

Keeping the evaluator separate is essential, as an individual who builds or operates the program would end up assessing their own work, undermining the objectivity and credibility of the review.

Choosing Between Internal & External Evaluators

Reporting entities may select either a qualified internal employee or an external consultant. However, you must clearly demonstrate independence when the evaluator is internal.

For instance, an employee from the internal audit or risk management team—fully separate from the compliance officer—could satisfy the requirement.

Engaging an external evaluator often offers a more straightforward route to independence because:

Ultimately, engaging specialised AML/CTF lawyers can provide an independent and credible assessment that withstands regulatory scrutiny.

Step 3: Developing a Defensible Evaluation Methodology

Mapping Legal Requirements to Testing Areas

A robust evaluation methodology begins by translating legal obligations into concrete testing areas. Rule 5-10(2) of the AML/CTF Rules (Cth) provides the framework for this process, requiring the independent evaluation to cover several key components of your AML/CTF program.

Your testing plan must map directly to these requirements, ensuring each legal mandate is assessed.

The core areas for testing derived from the AML/CTF Rules (Cth) include:

  • ML/TF Risk Assessment: An evaluation of the steps you took when you conducted or reviewed your ML/TF risk assessment, as required by Rule 5-10(2)(a).
  • Policy Design: An assessment of how your AML/CTF policies are designed to meet the requirements of the AML/CTF Act (Cth) and the AML/CTF Rules (Cth), mandated under Rule 5-10(2)(b).
  • Compliance with Policies: Testing to determine if your organisation is adhering to its own AML/CTF policies and procedures, as stipulated by Rule 5-10(2)(c).
  • Operational Effectiveness: An evaluation of whether you are effectively identifying, assessing, managing, and mitigating your ML/TF risks in practice, a critical requirement under Rule 5-10(2)(d).

Designing a Comprehensive Testing Approach

To gather sufficient evidence, your evaluation methodology should incorporate a variety of testing methods. A comprehensive approach ensures that the independent evaluator can form a well-supported opinion on the design and effectiveness of your AML/CTF program.

This involves granting the evaluator full access to key information and personnel. Common methods for gathering evidence include:

  • Document Review: Examining foundational documents such as your ML/TF risk assessment, written AML/CTF policies, and records of internal monitoring.
  • System and Control Testing: Assessing the functionality of systems used for transaction monitoring and customer due diligence to ensure they are operating as intended.
  • File Sampling: Reviewing a selection of customer identification records and transaction histories to test the practical application of your policies.
  • Staff Interviews: Speaking with relevant staff members, the compliance officer, and senior managers to understand their knowledge of and adherence to AML/CTF procedures.

Creating a Risk-Based Sampling Methodology

Because it is not practical to test every transaction or customer file, a defensible sampling methodology is essential. This approach should be risk-based, focusing greater attention on areas that present a higher risk of ML/TF.

The methodology for selecting samples must be documented and justifiable. When creating a sample for testing, an independent evaluator should consider including:

  • A representative selection of different customer types and risk ratings.
  • Transactions involving high-risk products, designated services, or jurisdictions.
  • Customer files that have been subject to enhanced customer due diligence.
  • Cases that have triggered internal alerts or suspicious matter reports.

The final independent evaluation report should detail what was tested, the files that were sampled, and how the sampling was conducted to ensure transparency.

Testing for Operational Effectiveness Not Just Compliance

A critical component of a high-quality independent evaluation is testing for operational effectiveness, not just compliance. While compliance confirms that policies exist and are being followed, effectiveness testing determines if those policies actually work to manage and mitigate risk.

This crucial distinction is embedded in the AML/CTF Rules (Cth). Specifically, Rule 5-10(2)(c) requires testing for compliance with your policies, but Rule 5-10(2)(d) goes further by mandating an evaluation of whether you are appropriately identifying, assessing, managing and mitigating your ML/TF risks.

To illustrate this difference, consider how these tests apply to a transaction monitoring system:

  • A compliance check might simply confirm that your monitoring system is running.
  • An effectiveness test would assess whether it is properly configured to detect unusual activity relevant to your specific ML/TF risks.

Step 4: Conducting the Evaluation & Identifying Findings

Executing Tests & Documenting Results

The execution phase involves systematically carrying out the tests defined in the evaluation methodology.

An independent evaluator must meticulously document each step of this process to create a transparent and defensible audit trail, which ensures the final conclusions are well-supported by clear evidence.

This documentation should detail the specific activities undertaken during the evaluation. According to regulatory expectations, the final independent evaluation report will typically outline:

  • The aspects of the business that were reviewed.
  • The evaluation method used to assess each area.
  • A description of what was tested and the specific files that were sampled.
  • An explanation of how the tests and sampling were conducted.

Identifying & Classifying Findings by Severity

Under Rule 5-10(2)(e) of the AML/CTF Rules (Cth), the conduct of an independent evaluation must include the production of a written report containing the findings.

These findings often identify deficiencies, which typically include:

  • Gaps in the design of your anti-money laundering and counter-terrorism financing policies.
  • Failures in their practical implementation.

Once identified, these findings should be classified by severity to prioritise remedial action.

A common approach is to categorise them as High, Medium, or Low risk, based on their potential impact on your ability to manage and mitigate ML/TF risks. This classification helps your governing body and senior managers understand the urgency and significance of each issue.

Step 5: Documenting & Delivering the Evaluation Report

What Your Evaluation Report Must Include

Under Rule 5-10(2)(e) of the AML/CTF Rules (Cth), the independent evaluator must create a written report capturing their findings in a transparent, formal record of the evaluation.

To ensure clarity and defensibility, the written report should include the following key components:

  • A summary of the evaluation process – outlines the scope of the review, the business areas assessed, and the method used for each.
  • Findings on risk assessment and policy design – describes how you undertook or reviewed your ML/TF risk assessment and the design of your AML/CTF policies.
  • Findings on compliance and effectiveness – assesses whether your organisation is complying with its AML/CTF policies and effectively managing ML/TF risks.
  • Details of testing and sampling – specifies what was tested, which files were sampled, and explains how the sampling supports the final conclusions.

Delivering the Report to Your Governing Body

The AML/CTF Rules (Cth) impose a clear obligation to communicate results to senior leadership. Rule 5-10(2)(f) therefore demands that the final report be delivered to the governing body and any senior manager who approves the AML/CTF program.

Your AML/CTF policies must embed this requirement, ensuring the report reaches these individuals as soon as reasonably practicable, so leadership can address deficiencies promptly and rectify any non-compliance.

Step 6: Responding to the Evaluation & Addressing Findings

Your Obligation to Address the Findings

Your organisation's responsibilities do not end once the independent evaluation report is delivered; in fact, responding to an independent evaluation report is a critical next step. Under Rule 5-10(3) of the AML/CTF Rules (Cth), your AML/CTF policies must explicitly detail how you will respond to the findings of an independent evaluation report.

This legal requirement ensures that reporting entities have a formal process to address any identified deficiencies. Consequently, taking concrete steps to rectify issues may involve:

  • Updating your ML/TF risk assessment.
  • Amending your existing policies and procedures to close compliance gaps.

Creating a Continuous Improvement Loop

The independent evaluation should be viewed as part of an ongoing cycle of improvement rather than a one-time event, forming a key part of your overall AML/CTF compliance strategy. Ultimately, this continuous process involves:

  • Evaluating your program and actively addressing the findings.
  • Updating your controls and then re-testing in the future to confirm ongoing effectiveness.

To support this, some reporting entities conduct internal reviews between formal independent evaluations. These interim checks foster a culture of continuous enhancement by helping to:

  • Identify systemic issues early before they escalate.
  • Assess how new products or delivery channels impact your ML/TF risk assessment.
  • Ensure that recommendations from previous reports have been implemented effectively.

Conclusion

A well-executed independent evaluation is a critical operational audit required by the AML/CTF Act (Cth) to ensure your compliance program is both designed correctly and effective in practice. Following a structured process—from defining a risk-based scope to addressing findings—strengthens your controls and reduces regulatory exposure.

To ensure your evaluation meets regulatory standards and provides genuine insight into your risk management framework, contact Click Legal's AML independent evaluation lawyers today. Our team offers specialised services to guide you through every step, providing the trusted expertise needed to achieve peace of mind and secure your compliance.
