Introduction
The reforms, coming into force from 31 March 2026, transition the existing framework for independent reviews to a more prescriptive and detailed ‘independent evaluation’ of Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) programs. This new obligation is mandated under Section 26F(4)(f) of the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Section 5-10 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (AML/CTF Rules). It requires a formal assessment of a program’s design, risk management, and operational effectiveness against money laundering and terrorism financing (ML/TF) risks.
For all reporting entities, including current entities and newly regulated Tranche 2 businesses, understanding these enhanced requirements is crucial for ensuring compliance. This guide provides a practical overview of the new independent evaluation framework, explaining the specific obligations related to frequency, evaluator selection, and responding to findings to help your business navigate the reformed regime.
What Is an Independent Evaluation
Evaluating ML/TF Risk Assessment Framework
Under Section 26F(4)(f) of the AML/CTF Act (Cth) and Section 5-10 of the AML/CTF Rules (Cth), an independent evaluation must determine how your business conducted—or reviewed—its ML/TF risk assessment.
The evaluator assesses whether your ML/TF risk assessment framework aligns with statutory obligations and specifically checks whether you have:
- identified each ML/TF risk relevant to your business
- assessed and documented the likelihood and impact of those risks
- kept clear records that demonstrate compliance with statutory obligations
Assessing the Design of AML/CTF Policies
The evaluation must also confirm that the design of your AML/CTF policies satisfies all requirements under the AML/CTF Act (Cth) and AML/CTF Rules (Cth).
To do so, the evaluator considers:
- whether the policies are fully compliant with every legislative obligation
- whether they are appropriately tailored to the nature, size and complexity of your operations
Testing the Operational Effectiveness of Controls
Finally, Section 5-10 of the AML/CTF Rules (Cth) requires testing the day-to-day effectiveness of your AML/CTF program.
While specific testing methodologies are not provided, during this stage the evaluator examines whether you have:
- implemented the documented controls in practice and followed them consistently
- effectively identified, mitigated and managed ML/TF risks as your program intends
When Businesses Must Conduct an Independent Evaluation
Minimum Three-Year Evaluation Cycle
Under Section 26F(4)(f) of the AML/CTF Act (Cth), your AML/CTF policies must establish the frequency of independent evaluations.
This section also provides a baseline requirement for the independent evaluation of your AML/CTF program, stating it must be conducted at a minimum of once every three years. This ensures a regular, formal assessment of your program’s design and operational effectiveness.
Adopting a Risk-Based Schedule
While a three-year cycle is the minimum, the frequency of your independent evaluation must be tailored to be appropriate for the nature, size, and complexity of your business. Therefore, reporting entities with higher money laundering and terrorism financing risks are expected to conduct evaluations more frequently.
Furthermore, while not statutorily mandated, it is recommended to document the rationale for the frequency you decide upon by detailing the specific factors related to your business that informed the decision. This practice aligns with the record-keeping obligations under Section 116 of the AML/CTF Act (Cth), which requires you to maintain records that demonstrate compliance.
Why Newly Regulated Entities Should Act Early
For newly regulated reporting entities, including those captured under the Tranche 2 reform, it is strongly recommended to conduct the first independent evaluation well before the three-year deadline. Scheduling an evaluation after the first year of operations can provide significant advantages.
Specifically, an early evaluation allows your business to:
- Proactively identify and rectify any significant compliance or ML/TF risk management issues, thereby reducing overall risk.
- Confirm that your AML/CTF compliance framework is on the right track from the outset.
- Access a wider pool of suitable and skilled independent evaluators who may be more readily available.
Selecting a Suitable & Independent Evaluator
Understanding the Independence Requirement
The principle of independence underpins the entire evaluation process; it ensures the evaluator can work without bias, influence, or conflicts of interest. Therefore, the evaluator must be free from any relationships or circumstances that could compromise objectivity and professional judgment.
While an evaluator may be an internal employee or an external consultant, it is essential to understand who can conduct an AML/CTF independent review in Australia, as they must be sufficiently independent from the functions being reviewed. The Australian Transaction Reports and Analysis Centre’s (AUSTRAC) guidelines recommend that an independent evaluator meet the following standards:
- Not responsible for program implementation, meaning they play no role in maintaining or executing the AML/CTF program.
- Uninvolved in program development, including its systems or controls.
- No part in risk assessment, so they did not help evaluate your money-laundering or terrorism-financing risks.
- Separate from compliance functions, and therefore not your AML/CTF compliance officer or a member of the compliance team.
Assessing an Evaluator’s Professional Suitability
Under Section 26F(4) of the AML/CTF Act (Cth), your AML/CTF program—and the person who evaluates it—must be appropriate for the nature, size, and complexity of your business. The statute does not prescribe specific qualifications or experience requirements for evaluators; however, AUSTRAC guidelines expect the evaluator to possess sufficient knowledge of applicable AML/CTF obligations.
When assessing a candidate’s suitability, consider whether they have experience and knowledge of:
- sector-specific money-laundering risks faced by businesses like yours.
- AML/CTF compliance work with entities of similar nature, size, and complexity.
- evaluating the effectiveness of systems, controls, policies, and procedures.
- preparing clear evaluation reports that document findings.
- relevant AML/CTF qualifications or memberships in professional bodies that uphold appropriate standards.
Avoiding the Pitfall of Poor Evaluator Selection
Failing to choose an appropriate evaluator greatly increases the risk that your AML/CTF program will not comply with the AML/CTF Act (Cth). An evaluator who lacks true independence or expertise may produce findings that are inaccurate or unhelpful.
Such shortcomings can leave critical compliance gaps unaddressed, potentially rendering the evaluation invalid. Ultimately, your program may fail to identify, assess, manage, and mitigate money-laundering and terrorism-financing risks, which can lead to the serious consequences of a failure to comply with AML/CTF independent review laws.
Evaluation Process from Preparation to Reporting
Preparing Documents, Systems & Staff for the Evaluation
To ensure the integrity of the evaluation, you must provide the evaluator with complete access to all necessary documents, systems, and personnel. A failure to grant appropriate access can impair the reliability of the findings and may increase the risk that your anti-money laundering and counter-terrorism financing (AML/CTF) program fails to meet its obligations, potentially exposing your business to civil penalties.
During the evaluation, the evaluator may request access to a range of materials, including:
- Documentation concerning the development of your ML/TF risk assessment and AML/CTF policies.
- Your current ML/TF risk assessment and AML/CTF policies.
- Relevant records, such as those for customer identification and transactions.
- The results of your own internal monitoring and any previous independent evaluation reports.
- Access to key staff members and senior managers involved in your AML/CTF framework.
Understanding the Final Written Report & Its Contents
Under Section 5-10(2)(e) of the AML/CTF Rules (Cth), the evaluator must produce a written report of their findings, making it vital to understand what an AML/CTF independent review should include. Consequently, this report is the formal deliverable that documents the evaluation’s outcomes.
The written report provides a comprehensive overview of the assessment and must include:
- A summary of the evaluation process, detailing the aspects of the business reviewed and the methodology used.
- The evaluator’s findings on how you undertook or reviewed your ML/TF risk assessment and the design of your AML/CTF policies.
- Findings regarding your compliance with your AML/CTF policies.
- Details of the compliance testing performed, including what was tested, the files sampled, and how the sampling was conducted.
Obligation to Escalate the Report to Senior Management
As per Section 5-10(2)(f) of the AML/CTF Rules (Cth), the evaluator must provide the final written report to both your governing body and any senior manager responsible for approving your AML/CTF program. This is a critical governance step required by the reforms.
The purpose is to ensure that your organisation’s leadership is made aware of any deficiencies, allowing them to promptly address adverse findings and remedy any ongoing non-compliance with your AML/CTF obligations.
How to Respond to Findings & Maintain Records
Addressing Adverse Findings in the Report
As per Section 5-4 of the AML/CTF Rules (Cth), your AML/CTF policies must describe how your business will respond to an independent evaluation. When a report contains adverse findings, you must review those findings and, where required, update your documentation to fix any issues.
Adverse findings can relate to:
- the way you conducted your ML/TF risk assessment
- the design and adequacy of your AML/CTF policies
- your day-to-day compliance with those policies
Although you do not have to accept every recommendation, it is recommended to treat each finding seriously, and keep comprehensive records showing how you addressed each issue and explaining any decision not to implement a particular recommendation.
Implementing & Monitoring Corrective Actions
In compliance with Section 26G of the AML/CTF Act (Cth), once your ML/TF risk assessment or AML/CTF policies are updated, you must embed those changes across the business. This requires:
- communicating the new requirements to all relevant staff
- confirming that employees understand and follow the updated procedures
You must also monitor the effectiveness of these changes. If deficiencies remain, carry out further reviews and make additional adjustments until the problems are resolved.
Meeting Record-Keeping Obligations
As per Rule 5-15(2) of the AML/CTF Rules 2025 (Cth), any updates to your AML/CTF policies or procedures to address these findings must be documented in writing within 14 days of the change being made.
It is recommended to include:
- the full independent evaluation report
- notes of discussions about the findings with senior managers and the governing body
- evidence of the evaluator’s suitability and how they were chosen
- detailed actions taken to address every adverse finding
- a progress-tracking plan, including assigned responsibilities
- documented reasons for not addressing specific findings
Practical Next Steps for Businesses
Define Evaluation Frequency & Selection Criteria
Your anti-money laundering and counter-terrorism financing policies must clearly state how often independent evaluations will occur. The schedule must suit the nature, size and complexity of your business, and you must still arrange at least one evaluation every three years.
You should also record the business factors that justify your chosen frequency. This documentation demonstrates a thoughtful, risk-based approach and will support you during regulatory scrutiny.
Furthermore, the policies must describe the criteria used to select an evaluator so you can prove that the individual is suitably independent and has the expertise necessary for your specific ML/TF risks.
Prepare Documentation & Systems for Review
Before the evaluation begins, confirm that the evaluator will have complete access to all relevant information. Start organising key documents and ensure your systems can quickly generate the data and records required for a thorough review.
The evaluator will likely request the following materials:
- ML/TF risk assessment and the documents that show how it was developed
- Your complete AML/CTF policies
- Customer identification and transaction records
- Results from any internal monitoring or previous evaluations
- Access to key staff and senior managers involved in the AML/CTF framework
Plan First Evaluation Timeline
Proactive planning is essential for newly regulated reporting entities.
Although the mandatory deadline is three years, scheduling your first independent evaluation within the first year of operations is strongly advisable for two key reasons:
- It helps you identify and correct significant compliance or ML/TF risk issues early, thereby reducing long-term exposure.
- It increases the chance of securing a wider pool of skilled and available evaluators before demand peaks near the regulatory deadline.
Conclusion
The 2026 reforms introduce a mandatory independent evaluation framework, requiring all reporting entities to assess their AML/CTF program’s design, risk management, and operational effectiveness. Navigating these obligations—from selecting a suitable evaluator and preparing for the review to responding to findings and maintaining records—is essential for ensuring compliance with the new anti-money laundering and counter-terrorism financing regime.
To ensure your business is fully prepared for these significant changes, contact our AML independent evaluation lawyers at Click Legal for trusted expertise. Our specialised services are tailored to help you confidently navigate the reformed landscape and secure your compliance today.