How Reporting Entities Can Update their AML/CTF Program After an Independent Review

Introduction

Reporting entities regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC) have a core obligation to maintain a current and effective anti-money laundering and counter-terrorism financing (AML/CTF) program. A key part of this duty involves subjecting the program to a regular AML independent review.

The findings from an independent review are not merely for observation; they trigger the crucial responsibility to update the AML/CTF program to correct any identified weaknesses. This article explains the process for regulated entities to follow after receiving their review results. It details the statutory framework for making updates, provides a step-by-step guide to implementing changes, and outlines the consequences of failing to act on an evaluation’s findings.

Note: Australia’s AML/CTF laws were substantially reformed from 31 March 2026. This article reflects the pre-reform framework, which may still be relevant depending on your business, timing, and transitional rules.

Understanding the Purpose of an AML/CTF Independent Review

What an AML Independent Review Involves for Regulated Entities

An AML/CTF independent review is an impartial assessment of Part A of your AML/CTF program. Under the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules), Part A of your program must be subject to regular independent review. Ultimately, this process is designed to verify that your program is fit for purpose.

Key Areas Assessed During the Independent Evaluation

The AML/CTF Rules (Cth) sets out the specific purposes of an independent review. Under Rules 8.6.5 and 9.6.5, the independent evaluation must assess four key areas to ensure the integrity of the program for all regulated entities.

Specifically, the review must assess the following key areas:

• The effectiveness of the Part A program: This involves evaluating how well your program identifies, mitigates, and manages the ML/TF risks that your organisation reasonably faces.
• Compliance with the AML/CTF Rules: The reviewer must check whether Part A of your program meets all the requirements specified in the AML/CTF Rules.
• Effective implementation of the program: The assessment verifies that the policies, procedures, and controls outlined in your Part A program have been put into practice throughout your business operations.
• Compliance with your own program: The review must also determine whether your reporting entity has been adhering to the systems and controls documented in its own Part A program.

Statutory Framework for Post-Review Program Updates

Obligation to Maintain a Current AML/CTF Program

Under Section 81 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), reporting entities have a fundamental obligation to not only adopt but also maintain an AML/CTF program. This requirement means the program cannot be a static document. Instead, it must be actively kept current to ensure it appropriately addresses the ML/TF risk the business may reasonably face.

When an AML/CTF independent review identifies deficiencies, the obligation to “maintain” the program is triggered. The findings signal that the existing program may no longer be adequate to identify, mitigate, and manage financial crime risks. Therefore, reporting entities must update their program to:

• rectify these issues; and
• ensure it remains effective and fit for purpose.

Obligation to Comply With the Updated Part A Program

Section 82 of the AML/CTF Act (Cth) requires a reporting entity to comply with Part A of its AML/CTF program. Furthermore, this obligation extends to the program as varied or updated. Once changes are made in response to an independent review, the revised program becomes the standard that the entity must follow.

Failing to update a program after known weaknesses have been identified creates a significant AML/CTF compliance risk. Continuing to operate under a deficient program could be viewed as a failure to comply with an appropriate Part A, thereby breaching this core obligation. Ultimately, the act of updating the program and adhering to the new controls is essential for ongoing compliance.

Governance Obligation to Oversee Remediation

The AML/CTF Rules (Cth) establishes a clear line of accountability for acting on review findings. Under Rules 8.6.6 and 9.6.6, the results of the independent review, including any formal report that meets AML/CTF independent review report requirements, must be provided to the reporting entity’s senior management and governing board.

This requirement ensures that leadership has direct oversight of the program’s effectiveness and any identified compliance gaps. As a result, by receiving the report, the board and senior management become responsible for:

• overseeing the remediation of issues; and
• ensuring that findings from an AML independent evaluation are addressed at the highest level of the organisation.

A Step-by-Step Guide to Update Your AML/CTF Program

Step 1: Map Findings to Statutory Requirements

After receiving the AML independent review report, the first step is to connect each adverse finding to the specific requirements of your AML/CTF program. This involves analysing the recommendations and identifying which parts of your program or the AML/CTF Rules (Cth) have not been met.

For example, if the review identifies weak transaction monitoring, this should be mapped to the risk-based controls outlined in Part 8.1 or 9.1 of the AML/CTF Rules (Cth). Ultimately, this process helps clarify the exact nature of the deficiency and what is required to rectify it.

Step 2: Reassess & Update ML/TF Risk Assessment

The findings from an AML independent evaluation often highlight that a reporting entity’s understanding of its ML/TF risk is outdated. Under Section 81 of the AML/CTF Act (Cth), you have an obligation to maintain a program that is appropriate to your risk profile.

Therefore, you must re-evaluate your ML/TF risk assessment, considering not only the auditor’s findings but also any significant changes to your business. These changes may include:

• New technologies or services: the introduction of new technologies or designated services;
• Customer types: changes to your customer types; and
• Foreign jurisdictions: expansion into new foreign jurisdictions.

Step 3: Revise Part A Controls & Procedures

Once the ML/TF risk assessment is updated, you must revise the documented policies and procedures in Part A of your AML/CTF program. This ensures the program accurately reflects the current risk environment and addresses any gaps identified during the review.

Furthermore, Sections 84 and 85 of the AML/CTF Act (Cth) require Part A to identify, mitigate, and manage ML/TF risk. As a result, revisions may be needed in key areas, including:

• Customer identification: updating customer identification procedures;
• Due diligence: enhancing ongoing customer due diligence; and
• Transaction monitoring: improving the systems used for transaction monitoring.

Step 4: Address & Remediate Implementation Failures

An AML/CTF program must be effective in practice, not just on paper. An independent review assesses whether the program has been effectively implemented, as required by Rules 8.6.5 and 9.6.5 of the AML/CTF Rules (Cth).

If the review uncovers operational gaps, such as system failures or staff not following procedures, these must be remediated. To ensure employees can execute their duties correctly, this remediation could involve:

• Technological systems: improving technological systems;
• Workflows: refining workflows; or
• Additional resources: providing additional resources.

Step 5: Update Supporting Programs like Staff Training & Due Diligence

Changes to your core AML/CTF program will likely require corresponding updates to ancillary programs. Part A of the program includes several key components that must align with your overall approach to managing financial crime risk.

According to Parts 8.2, 8.3, 9.2, and 9.3 of the AML/CTF Rules (Cth), reporting entities must maintain specific supporting programs, including:

• Risk awareness training: an AML/CTF risk awareness training program for employees; and
• Employee due diligence: an employee due diligence program to screen relevant staff.

In addition, these supporting programs must be reviewed and updated to reflect any changes made to your ML/TF risk assessment and control procedures.

Step 6: Document Changes & Secure Board Approval

Maintaining a clear audit trail of all changes is essential for demonstrating compliance to AUSTRAC. Therefore, you must keep detailed records of the review findings, the specific remediation actions taken, and the rationale behind any updates to the program.

Under Rules 8.4.1 and 9.4.1 of the AML/CTF Rules (Cth), Part A of your AML/CTF program must be formally approved by your governing board and senior management. Ultimately, this final step ensures that there is appropriate oversight and accountability for the changes made.

Legal Consequences of Not Updating AML/CTF Program

Breaching Core Obligations Under the AML/CTF Act

Failing to act on the findings of an independent review can place reporting entities in direct breach of their core legal duties. Under Section 81 of the AML/CTF Act (Cth), regulated entities have an ongoing obligation to not only adopt but also maintain an AML/CTF program. An independent evaluation that identifies weaknesses is a clear signal that the program may no longer be adequate to ML/TF risk.

Consequently, ignoring these findings means the program is not being maintained, which is a contravention of this requirement.

Furthermore, Section 82 of the AML/CTF Act (Cth) requires a reporting entity to comply with Part A of its program. Therefore, continuing to operate with a program known to be deficient could be seen as a failure to comply with an appropriate Part A, exposing the entity to significant compliance risk.

Exposure to AUSTRAC Enforcement Actions

A failure to remediate issues identified in an independent review can lead to direct regulatory enforcement action from AUSTRAC. Ultimately, the AUSTRAC CEO has specific powers to compel action if a reporting entity is not managing its financial crime risks appropriately.

As a result, AUSTRAC may take several enforcement actions, including:

• Ordering an external audit: Under Sections 161 and 162 of the AML/CTF Act (Cth), the AUSTRAC CEO can require a reporting entity to appoint an external auditor. This can occur if there are reasonable grounds to suspect the entity has contravened the AML/CTF Act (Cth) or is not taking appropriate action to identify, mitigate, and manage its ML/TF risk.
• Issuing a remedial direction: If AUSTRAC is satisfied that a reporting entity has contravened a civil penalty provision, it can issue a remedial direction under Section 191 of the AML/CTF Act (Cth). This direction can compel the entity to take specified actions to ensure it does not contravene the provision in the future, such as implementing new administrative systems.

When AML/CTF Program Updates May Trigger a Further Independent Review

Identifying Triggers for More Frequent Reviews

Significant updates to your AML/CTF program, or changes in your business environment, may necessitate an independent review sooner than scheduled. As a result, reporting entities should consider whether a new AML/CTF independent evaluation is needed following certain events.

According to AUSTRAC guidance, circumstances that may trigger the need for a more frequent review include:

• Structural business changes: Events such as mergers and acquisitions can alter your risk profile and operational structure.
• New products or services: Introducing new designated services or using new channels to deliver them can create new vulnerabilities.
• Changes to your risk profile: This can result from accepting new types of customers, starting to handle cash transactions, or outsourcing certain obligations.
• Significant program amendments: If substantial changes have been made to Part A of your AML/CTF program since the last review, a new assessment may be warranted.
• Past compliance difficulties: A history of compliance issues or deficiencies that have not been fully remediated can be a reason for more frequent oversight.

Determining an Appropriate Review Frequency for Your Entity

The obligation to conduct regular reviews requires reporting entities to establish a suitable schedule. Under Rules 8.6.2 and 9.6.2 of the AML/CTF Rules (Cth), the frequency of these reviews must be determined by your organisation’s specific characteristics.

Ultimately, the key factors to consider are as follows:

• the nature of your business and the industry you operate in;
• the size and complexity of your operations; and
• the type and level of ML/TF risk you might reasonably face.

While AUSTRAC suggests that high-risk organisations should conduct reviews at least every two to three years, the final decision rests on your entity’s unique risk assessment.

Conclusion

An AML/CTF independent review is a critical assessment that triggers a reporting entity’s obligation to update its AML/CTF program to address identified weaknesses. This process involves reassessing risks, revising controls, and securing board approval to ensure ongoing compliance and effectively manage financial crime risks.

Acting on these findings is essential for mitigating statutory risk and maintaining a robust compliance framework. If you need assistance with your AML/CTF program or require an independent evaluation, contact Click Legal’s AML independent review lawyers today to ensure your business meets its obligations.

Frequently Asked Questions