AML Audit Requirements & 2026 Reforms Overview
AML audits are legally required for Australian reporting entities under the AML/CTF Act and must be conducted independently in line with AUSTRAC standards.
The 2026 reforms introduce major changes, including Tranche 2 expansion and updated AML/CTF Rules, increasing regulatory scrutiny.
Independent evaluations must assess ML/TF risk assessments, governance, CDD, transaction monitoring, reporting, record-keeping, and staff training.
Audit frequency is risk-based, with higher-risk entities requiring more frequent reviews.
Common failures include outdated risk assessments, weak CDD documentation, and inadequate training records.
Proper preparation, timely remediation, and regulator-ready reporting are essential to reduce enforcement risk and demonstrate compliance.
If your organisation provides designated financial services in Australia, AML audits are not optional – they are a legal obligation under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). The Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s financial intelligence and regulatory authority, requires reporting entities to independently review their AML/CTF programs on a regular, risk-based basis.
2026 marks a watershed moment for AML compliance in Australia. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 and the new AML/CTF Rules 2025 have introduced the most significant reforms to the law in nearly two decades. Changes commenced for existing reporting entities on 31 March 2026, while Tranche 2 entities – including law firms, accounting firms, real estate professionals, and jewellers – come under full AUSTRAC regulation from 1 July 2026. Australia is also currently subject to a mutual evaluation by the Financial Action Task Force (FATF), which further heightens regulatory scrutiny.
This guide provides compliance officers, risk managers, and reporting entities with a clear, practical, and up-to-date overview of AML audit requirements in Australia. Whether you are preparing your organisation for an independent review, navigating the Tranche 2 reforms, or seeking to understand what AUSTRAC expects – this 2026 guide is designed to help you stay compliant, reduce enforcement risk, and build a defensible AML/CTF program.
Important: AUSTRAC has stated publicly that failure to manage ML/TF risk is a serious regulatory concern — both now and as the 2026 reforms take effect. Proactive compliance, including timely independent evaluations, is the clearest signal an entity can send to its regulator.
What Is an AML Audit in Australia?
An AML audit more formally referred to as an independent review or independent evaluation under Australian law is an impartial, structured assessment of an organisation’s AML/CTF program. Its purpose is to verify that the program: accurately identifies and assesses the organisation’s money laundering and terrorism financing (ML/TF) risks; contains appropriate policies, procedures, and controls to address those risks; and is being effectively implemented in day-to-day operations.
In the Australian regulatory context, an anti-money laundering audit is not simply an internal compliance health check. It is a legally mandated review that must meet independence standards set by AUSTRAC. The reviewer cannot have been involved in developing, implementing, or maintaining the program being reviewed.
AML audits serve a dual function: they protect the organisation by identifying gaps before AUSTRAC does, and they provide the regulator with confidence that Australia’s financial system is defended against criminal exploitation.
Legal Foundation of AML Audits in Australia
The requirement for independent review is embedded in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and given detailed operational effect through the AML/CTF Rules. Under the pre-reform framework, the independent review obligation applied specifically to Part A of an entity’s AML/CTF program the governance and institutional component. Under the reformed framework effective 31 March 2026 for existing reporting entities and 1 July 2026 for Tranche 2 entities, the independent evaluation obligation continues, though the program structure itself is no longer required to be separated into Part A and Part B. Entities may now organise their AML/CTF program in a way that suits their business, provided it meets the substantive requirements of the Act.
AUSTRAC’s regulatory guidance makes clear that the frequency and scope of independent evaluations must be proportionate to the nature, size, and complexity of the reporting entity’s business and its ML/TF risk profile. There is no universal prescribed interval – the risk-based approach governs.
For newly regulated Tranche 2 entities, AUSTRAC has introduced transitional arrangements. Newly regulated businesses may set an extended deadline for their first independent evaluation in their AML/CTF policies, with the first evaluation deadline not less than three years from the original commencement date of 1 July 2026.
AML Audit vs. AML Program Review: What’s the Difference?
These terms are sometimes used interchangeably, but they reflect meaningfully different exercises. An internal AML program review is typically conducted by a compliance officer or internal audit function to assess day-to-day adherence to documented procedures. It forms part of ongoing monitoring and is a regular management activity.
An independent AML audit or evaluation, by contrast, must be conducted by someone who had no involvement in developing or maintaining the program. The reviewer may be an internal auditor (provided they have the requisite independence and AML/CTF competence) or an external specialist such as an AML consultant, lawyer, or accountant. Critically, the reviewer must be free from influence by those responsible for compliance.
| Internal Program Review | Independent AML Audit |
|---|---|
| Conducted by compliance team | Conducted by independent reviewer |
| Routine management activity | Legally mandated under AML/CTF Act |
| Ongoing / continuous | Periodic — based on risk profile |
| Not independently verified | Must meet AUSTRAC independence standards |
| Identifies operational gaps | Validates the program’s design and effectiveness |
Who Needs an AML Audit in Australia in 2026?
Any organisation that provides a ‘designated service‘ as defined under the AML/CTF Act and has a geographical link to Australia must enrol with AUSTRAC and comply with AML/CTF obligations including the independent evaluation requirement. These organisations are collectively referred to as ‘reporting entities’.
Designated Services Under the AML/CTF Act
The AML/CTF Act defines a detailed list of designated services across financial, gambling, and professional sectors. Reporting entities currently regulated by AUSTRAC include — but are not limited to — the following sectors:
- Banks, credit unions, and authorised deposit-taking institutions
- Remittance service providers and international funds transfer services
- Digital currency exchange providers and virtual asset service providers (VASPs)
- Casinos, gaming services, and gambling operators
- Insurance companies and superannuation funds
- Securities dealers, managed investment schemes, and financial advisers
- Bullion dealers
Each of these sectors carries distinct ML/TF risk profiles, which in turn shapes the scope and frequency of their required AML audits.
Tranche 2 Reforms: What They Mean for Law Firms, Accountants & Other New Entrants
Perhaps the most significant development in Australian AML compliance history is the expansion of the law to Tranche 2 entities. From 1 July 2026, AML/CTF obligations including the requirement to maintain an AML/CTF program and ultimately undergo independent evaluation – apply to a new cohort of regulated businesses. These include:
- Legal practitioners (when assisting with certain real property, entity, or asset transactions)
- Accountants and tax agents (in certain designated service roles)
- Real estate agents, buyer’s agents, and property developers
- Dealers in precious metals and gemstones
- Trust and company service providers
The AUSTRAC CEO has publicly acknowledged that the compliance timeline is tight. AUSTRAC’s stated enforcement approach post-1 July 2026 will initially focus on entities that wilfully ignore the obligation to enrol or are complicit in, or wilfully blind to, money laundering activities. Entities making genuine efforts to implement compliance programs will be supported through AUSTRAC’s guidance, starter programs, and industry forums.
However, ‘genuine effort’ requires demonstrable action. Law firms and accounting firms that delay program development and independent evaluation planning beyond 2026 run a material regulatory risk — particularly given that Australia is currently being assessed by FATF, which has historically criticised the country for not regulating these gatekeeper professions.
Tranche 2 entities should treat 1 July 2026 not as the deadline to begin, but as the deadline to be operating. Proactive engagement with an experienced AML consultant now is the most effective risk management step available.
Request an Independent AML Audit Assessment
Speak with a Tranche 2 Consultants specialist about your organisation's AML/CTF program and independent evaluation obligations. Confidential, no-obligation consultation available.
AML Audit Requirements in Australia (2026 Update)
Understanding what AUSTRAC expects from an independent evaluation requires attention to three core areas: the independence standard, the scope of the review, and the frequency expectations.
The Independence Requirement
The reviewer must not have been involved in any part of developing the AML/CTF program, including assessing the organisation’s ML/TF risk, developing controls, or implementing or maintaining the program. This is a substantive independence standard, not a nominal one.
AUSTRAC’s guidance considers several factors in assessing reviewer suitability: whether the reviewer belongs to a professional body with relevant standards; whether they are free from influence by those involved in the program; and how well they understand AML/CTF obligations in the context of the entity’s business. Competence in AML/CTF law and practice not just general auditing is an explicit expectation.
The reviewer may be an internal auditor with appropriate independence, a legal practitioner, an accountant with AML/CTF expertise, or an external AML/CTF consultant. For smaller entities without internal audit functions, engaging an external specialist is both practical and appropriate.
What an AML Audit Must Cover
Under both the pre-reform and reformed frameworks, the independent evaluation is expected to comprehensively assess the design and operational effectiveness of the entity’s AML/CTF program. While the reformed law removes the mandatory Part A / Part B structure, the substantive areas of assessment remain consistent. A well-conducted AML audit should address the following components:
1. Risk Assessment and Governance
The reviewer assesses whether the entity has conducted a thorough ML/TF risk assessment that considers its customers, products, services, delivery channels, and geographic exposure. The reformed Act requires risk assessments to be reviewed and kept current — with specific triggers now mandated for review. Governance arrangements, including board oversight and the appointment of a fit and proper AML/CTF compliance officer (now explicitly required from 31 March 2026), must also be assessed.
2. Customer Due Diligence (CDD)
The audit must examine whether the entity’s customer identification and verification procedures meet regulatory requirements, including the application of simplified and enhanced due diligence measures where appropriate. Under the reformed law, the initial CDD transition period allows existing reporting entities to continue using their existing procedures until 30 March 2029 but ongoing CDD obligations apply from 31 March 2026 without exception. The audit should verify that these obligations are being met in practice.
3. Transaction Monitoring and Reporting
The reviewer should assess whether the entity’s transaction monitoring systems are effective at detecting suspicious activity, and whether suspicious matter reports (SMRs) and threshold transaction reports (TTRs) are being submitted accurately and on time. For existing reporting entities, current SMR and TTR forms remain valid until 2029, but the audit should verify that reporting obligations are being discharged systematically rather than ad hoc.
4. Record Keeping
Reporting entities must retain accurate and complete records for at least seven years. The audit should verify that record-keeping practices cover all required documentation including CDD records, transaction histories, risk assessment documents, staff training logs, and internal governance communications.
5. Staff Training
An effective AML/CTF program requires staff to understand their obligations and recognise potential ML/TF risks. The audit should assess whether training is being delivered, documented, and refreshed as regulatory requirements evolve.
How Often Are AML Audits Required?
AUSTRAC does not prescribe a fixed frequency for independent evaluations. Instead, the frequency is determined by each entity’s ML/TF risk profile and the nature, size, and complexity of its business. In practice, higher-risk entities such as large financial institutions, remittance providers, and casino operators should be conducting independent evaluations more frequently, potentially annually or biennially.
Entities whose risk profile changes materially due to growth, new products, changes in customer base, regulatory developments, or prior audit findings — should trigger a fresh evaluation irrespective of the standard cycle. AUSTRAC also expects that independent evaluations are planned proactively and that remediation findings from prior reviews are tracked and resolved.
For newly regulated Tranche 2 entities, the transitional rules allow flexibility in setting the initial evaluation deadline, with the first evaluation not required before a minimum of three years from commencement. However, entities are strongly encouraged to initiate program readiness assessments and gap analyses well before that deadline.
The AML Audit Process Step-by-Step
Understanding what an AML audit actually involves helps organisations prepare effectively and ensures the review produces genuinely actionable insights rather than superficial sign-off. At Tranche 2 Consultants, our independent evaluations follow a structured four-stage methodology.
Step 1: Pre-Audit Risk Assessment and Scoping
Before formal fieldwork begins, the independent reviewer conducts a preliminary scoping exercise. This includes reviewing the entity’s current AML/CTF program documentation to understand its structure and scope, identifying the designated services provided and the corresponding ML/TF risk categories, and conducting a gap analysis against current AUSTRAC guidance and the applicable regulatory framework.
Scoping decisions made at this stage directly influence the depth of testing applied in later steps. For a large financial institution operating across multiple channels, this may involve defining sample populations, prioritising higher-risk service lines, and coordinating with internal stakeholders to schedule interviews. For a smaller Tranche 2 entity newly coming under regulation, scoping may involve assessing whether the current program documentation is sufficient to proceed to testing at all.
Step 2: Documentation Review
The documentation review is the foundation of any credible AML audit. The reviewer examines the entity’s AML/CTF program documents in detail, including the ML/TF risk assessment, AML/CTF policies and procedures, risk registers and control frameworks, records of board and management oversight, compliance officer appointment documentation, and staff training records and completion logs.
Documentation deficiencies identified at this stage are recorded and flagged for discussion during the testing phase. Common issues include outdated risk assessments that do not reflect the current business model, policies that have not been updated to reflect the reformed AML/CTF rules, and training records that lack evidence of completion or comprehension.
Step 3: Transaction Testing and Staff Interviews
Effective AML audits do not rely solely on documentation. The reviewer tests whether the program is actually operating as documented by examining a sample of customer files, CDD records, and transaction monitoring outputs. This may include reviewing the application of simplified and enhanced due diligence, assessing the completeness and timeliness of suspicious matter reporting, and evaluating whether transaction monitoring rules are appropriately calibrated to the entity’s risk profile.
Staff interviews are a critical component of this phase. The reviewer speaks with compliance officers, relationship managers, and relevant operational staff to assess their understanding of AML obligations and the practical implementation of the program. Gaps between documented procedures and actual practice are among the most common — and most significant — findings in independent evaluations.
Step 4: Audit Findings, Remediation Plan, and Board Reporting
The independent reviewer consolidates findings into a formal audit report. Findings are risk-rated typically as critical, high, medium, or low based on the significance of the gap and the likelihood of regulatory concern. A prioritised remediation plan is developed, with clear ownership, timeframes, and accountability measures assigned to each item.
For findings to be genuinely useful, the audit report must be board-ready: written in clear language, with regulatory references, and structured to support informed decision-making at the governance level. AUSTRAC expects boards and senior management to take an active role in overseeing AML/CTF compliance and a well-structured audit report is the primary mechanism through which that oversight is exercised.
Prepare for Tranche 2 Compliance with Confidence
Schedule a private consultation to assess your AML framework, reporting obligations, and regulatory readiness.
Common AML Audit Failures in Australia
AUSTRAC’s enforcement history is instructive. From the $700 million penalty imposed on the Commonwealth Bank of Australia in 2018, to Crown’s $450 million penalty in 2023, the $67 million penalty against SkyCity in 2024, and ongoing civil penalty proceedings against Entain Group and Mount Pritchard and District Community Club in 2025 – the pattern is consistent. The most costly failures are not isolated technical breaches. They are systemic failures of program design, governance, and operational implementation.
The following are the most frequently identified deficiencies in independent AML evaluations conducted in the Australian market.
Weak or Outdated Risk Assessments
The ML/TF risk assessment is the foundation of any AML/CTF program. A risk assessment that does not accurately reflect the entity’s current business model, customer base, product suite, delivery channels, and geographic exposure cannot generate appropriate controls. Under the reformed law, the obligation to keep risk assessments current is explicit, with mandated triggers for review including material changes to the business. Entities that completed their last risk assessment several years ago and have since expanded product offerings or entered new markets are operating on a structurally compromised foundation.
Poor Customer Due Diligence Documentation
AUSTRAC’s enforcement actions consistently highlight CDD failures as a primary driver of penalty proceedings. Inadequate identification and verification of customers, failure to apply enhanced due diligence to politically exposed persons and high-risk customers, and the absence of ongoing CDD monitoring are among the most common gaps. These failures are particularly acute in organisations where CDD responsibilities are distributed across relationship managers and front-line staff without adequate oversight.
Failure to Update AML/CTF Programs
An AML/CTF program that was fit-for-purpose in 2020 is not necessarily fit-for-purpose in 2026. The reformed AML/CTF law introduces significant changes to program obligations including the shift from a prescriptive, two-part program structure to an outcomes-focused, risk-based model. Entities that have not updated their programs to reflect these changes, or that are operating from procedures last reviewed prior to the 2024 amendments, face material compliance gaps.
Inadequate Staff Training Records
A well-designed AML/CTF program is only as effective as the people implementing it. AUSTRAC expects that all relevant staff receive AML/CTF training proportionate to their role, and that this training is documented. Incomplete training records including records that show training was assigned but not completed, or that lack evidence of comprehension are a recurring finding in independent evaluations and a consistent focus of AUSTRAC’s compliance assessments.
AML Audit Costs in Australia (2026 Pricing Guide)
One of the most common questions compliance officers ask when engaging an independent AML reviewer is: what will this cost? The answer depends on several factors, and understanding them enables more informed procurement and budget planning.
What Influences AML Audit Costs?
The primary cost drivers for an independent AML evaluation in Australia include the size and complexity of the organisation, the number and nature of designated services provided, the transaction volume and geographic footprint of the business, the current state of the AML/CTF program documentation and controls, and the depth of testing required based on risk profile.
A small remittance provider with a single service type and a well-documented program may require a relatively contained evaluation. A multi-jurisdictional financial institution offering a broad range of designated services, with complex transaction monitoring systems and a large customer base, will require substantially more extensive work. Similarly, entities that have undergone limited internal review activity prior to the independent evaluation may require more intensive fieldwork to establish a baseline.
Why Cheap AML Audits Can Be Risky
It is tempting to procure an independent evaluation on the basis of cost alone. However, a superficial review that produces a clean report without genuinely testing the program’s operational effectiveness provides a false sense of security. If AUSTRAC subsequently identifies significant gaps whether through a compliance assessment, a suspicious matter reporting review, or formal enforcement action – the existence of a prior independent evaluation that failed to identify those gaps may not provide the protection the entity expected. Indeed, it may raise questions about the competence and independence of the reviewer.
A credible, rigorous independent evaluation conducted by specialists with genuine AML/CTF expertise and documented to a standard that would withstand regulatory scrutiny is an investment in the organisation’s regulatory standing and risk management, not merely a compliance cost.
Tranche 2 Consultants provides tailored AML audit and independent evaluation services for reporting entities across Australia. Contact us for a confidential scoping discussion and indicative fee estimate.
How to Prepare for an AML Audit in Australia
Preparation is the most effective way to ensure that an independent AML evaluation produces meaningful, actionable insights rather than generating remediation pressure under time constraints. The following practical checklist is designed to help reporting entities both existing and newly regulated Tranche 2 entities assess their readiness.
Internal Pre-Audit Checklist
- Confirm your ML/TF risk assessment has been reviewed and updated to reflect your current business model, including any changes in products, customer types, delivery channels, or geographic activity
- Verify that your AML/CTF program documentation has been updated to reflect the reforms effective from 31 March 2026 (for existing reporting entities) or 1 July 2026 (for Tranche 2 entities)
- Confirm that a fit and proper AML/CTF compliance officer has been appointed and notified to AUSTRAC within the required transitional timeframes (30 May 2026 for existing entities; 29 July 2026 for Tranche 2 entities)
- Review CDD records for completeness – ensure customer identification and verification is documented and that enhanced due diligence has been applied where required
- Audit your transaction monitoring configuration to ensure alerts are being generated appropriately and that suspicious matter reports have been submitted in a timely and accurate manner
- Confirm that staff training has been delivered, documented, and refreshed in line with the updated program obligations
- Ensure record-keeping meets the seven-year retention requirement, covering all required categories of documentation
- Review findings from any prior independent evaluation and confirm that remediation actions have been completed and evidenced
- Prepare an internal readiness summary to brief the independent reviewer at the outset of the engagement
When to Engage an AML Consultant
The right time to engage an external AML specialist is before you need one. For existing reporting entities, the March 2026 commencement of the reformed law is the immediate trigger to review your program against the new obligations and assess whether your current independent evaluation schedule remains appropriate. For Tranche 2 entities, the time to engage is now – not when enrolment opens in March 2026, and certainly not when the 1 July 2026 obligations commence.
Tranche 2 Consultants specialises in supporting reporting entities through the full AML/CTF compliance lifecycle from program development and risk assessment through to independent evaluation, board reporting, and remediation support. Our specialists have deep expertise in the Australian AML/CTF law and practical experience across the Tranche 2 sectors now coming under regulation.
Book a Confidential AML Audit Consultation
Contact Tranche 2 Consultants today to discuss your independent evaluation requirements. Our specialists are available to assist reporting entities across all sectors and jurisdictions.
Why Choose Tranche 2 Consultants for AML Audits in Australia?
Selecting an independent reviewer is not a procurement decision to be made on cost alone. The reviewer’s competence, independence, and understanding of your sector directly influence the quality and credibility of the evaluation. Tranche 2 Consultants was established specifically to serve the Australian AML/CTF compliance market, with a focus on the sectors most significantly affected by the current period of regulatory reform.
- Deep subject matter knowledge: Specialist expertise in Australian AML/CTF obligations
- Tranche 2 reform focus: Technical understanding of both the pre-reform framework and the new AML/CTF Rules 2025, including Tranche 2 obligations
- Regulator-ready reporting: Our evaluation reports are structured to withstand regulatory scrutiny and are documented to a standard appropriate for board presentation
- Practical remediation strategies: We don’t just identify gaps – we develop practical, risk-prioritised remediation plans with clear ownership and timeframes
- National coverage: We work with reporting entities across all Australian states and territories, including remote and regional operations
- Confidential and independent: All engagements are handled with strict confidentiality
Staying Ahead of AML Compliance in Australia
2026 represents a defining moment for AML compliance in Australia. The reformed AML/CTF Act and Rules 2025, the commencement of Tranche 2 obligations for law firms, accountants, real estate agents and others, and Australia’s ongoing FATF mutual evaluation have collectively created the most demanding regulatory environment the country has seen in the AML/CTF space.
For reporting entities already subject to AUSTRAC’s law, the message from the regulator is clear: now is not the time to delay program updates, remediation activities, or independent evaluation planning. For Tranche 2 entities newly entering the law, the time to act is immediately program development, risk assessment, and compliance officer appointment are foundational obligations that cannot be left until the last moment.
An independent AML audit is not simply a regulatory obligation to be ticked off. Conducted properly, it is one of the most valuable tools available to an organisation’s board and senior management providing independent assurance that the AML/CTF program is fit-for-purpose, identifying material gaps before the regulator does, and demonstrating to AUSTRAC a genuine commitment to meeting the spirit as well as the letter of the law.
Tranche 2 Consultants is here to support your organisation through this period of change. Whether you are an existing reporting entity updating your program and planning your next evaluation, or a Tranche 2 entity building an AML/CTF program for the first time, our specialists are ready to help.
Frequently Asked Questions About AML Audits in Australia
How often are AML audits required in Australia?
There is no fixed statutory interval. AUSTRAC requires reporting entities to conduct independent evaluations regularly, with frequency determined by the nature, size, complexity, and ML/TF risk profile of the business. Higher-risk entities should conduct evaluations more frequently in some cases annually. For newly regulated Tranche 2 entities, the transitional rules allow the first evaluation deadline to be set within the entity’s own AML/CTF policies, with the minimum period being three years from the 1 July 2026 commencement date.
Is an AML audit mandatory for small businesses?
Yes, if your business provides a designated service under the AML/CTF Act and has a geographical link to Australia, the independent evaluation requirement applies regardless of size. AUSTRAC does recognise that smaller entities have less complex risk profiles, and the proportionality principle means that a small, low-risk business will require a less extensive evaluation than a large institution. However, the obligation to conduct an evaluation exists for all reporting entities. AUSTRAC has developed starter programs to assist small, low-complexity Tranche 2 businesses in meeting their obligations.
Who can conduct an AML audit in Australia?
The reviewer may be internal or external, provided they meet AUSTRAC’s independence requirements. Specifically, the reviewer must not have been involved in developing, implementing, or maintaining the AML/CTF program being reviewed. External reviewers commonly include AML/CTF consultants, legal practitioners with AML expertise, and accounting firms with specialist compliance practices. The reviewer must also have sufficient competence in AML/CTF obligations as they apply to the entity’s specific business and designated services.
What happens if you fail an AML audit?
A finding of non-compliance in an independent evaluation is not, in itself, an enforcement action. The purpose of the evaluation is to identify gaps so they can be remediated before they become systemic failures. However, if an entity fails to remediate identified gaps, or if AUSTRAC independently identifies significant compliance failures, the consequences can be severe. AUSTRAC’s enforcement toolkit includes infringement notices, civil penalty orders (with potential penalties of up to $23 million per contravention for corporations), remedial directions, enforceable undertakings, external auditor appointments, and registration cancellation for remittance and virtual asset service providers. Australia’s enforcement history including the $1.3 billion Westpac penalty, the $450 million Crown penalty, and ongoing proceedings against major gaming operators demonstrates that AUSTRAC will act decisively against systemic non-compliance.
How long does an AML audit take?
Duration depends on the complexity of the entity and the scope of the review. A straightforward evaluation for a small, single-service entity with well-documented procedures may be completed within one to two weeks of fieldwork. A comprehensive evaluation for a large, multi-service financial institution can take several weeks or longer. Entities should plan ahead: engaging a reviewer, completing scoping discussions, gathering documentation, and scheduling staff interviews all require lead time. Rushing an evaluation increases the risk of superficial findings.
What are AML audit requirements under AUSTRAC?
Under AUSTRAC’s framework, a compliant independent evaluation must be conducted by a reviewer who meets the independence standard (no prior involvement in the program), must assess whether the AML/CTF program adequately identifies and addresses the entity’s ML/TF risks, and must assess whether the program is being effectively implemented in practice. The evaluation must be documented, findings must be reported – typically to the board or senior management and remediation actions must be tracked. Under the reformed law effective from 31 March 2026 for existing reporting entities, the program no longer needs to be structured as Part A and Part B, but the substantive evaluation obligations remain.
"Precious metals and stones concentrate high value in small, easily transferable forms, making the sector inherently attractive to money laundering. Tranche 2 reflects AUSTRAC’s view that dealers now sit on the front line of financial crime prevention."
Speak to a Tranche 2 AML Specialist Today
Book a confidential, no-obligation consultation with Tranche 2 Consultants. Independent AML audits, program development, risk assessments, and Tranche 2 readiness support — nationally.
