Key Overview of AML Independent Review Requirements in Australia
- An AML independent review is a mandatory regulatory requirement under Australia’s AML/CTF Act 2006, requiring reporting entities to have their AML/CTF programs independently assessed.
- The review must evaluate the effectiveness of risk assessments, AML policies, transaction monitoring, customer due diligence, governance, and reporting processes.
- AUSTRAC requires the reviewer to be independent and technically competent, ensuring the review objectively tests whether AML controls work in practice.
- With AML/CTF reforms commencing in 2026, regular independent reviews help businesses strengthen compliance, identify gaps early, and reduce regulatory and enforcement risks.
For reporting entities operating under Australia’s Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), the independent review obligation is not a bureaucratic formality. It is a core regulatory requirement that AUSTRAC scrutinises closely, and one that enforcement action has repeatedly shown to be a significant area of non-compliance.
This guide is written for Compliance Officers and Money Laundering Reporting Officers (MLROs) who need a clear, accurate understanding of what an AML independent review is under Australian law, what AUSTRAC’s independent review requirements actually entail, how frequently a review must occur, what it must cover, and how to select a suitably qualified and independent reviewer.
With the AML/CTF Amendment Act 2024 now passed and major reforms commencing on 31 March 2026 for current reporting entities and 1 July 2026 for newly regulated Tranche 2 entities, the stakes of getting this right have never been higher. This blog provides a compliance-ready breakdown of everything you need to know.
What Is an AML Independent Review Under Australian Law?
An AML independent review is an impartial, structured assessment of a reporting entity’s AML/CTF program, conducted by someone who was not involved in developing, implementing, or maintaining that program. Under Australian law, it is a mandatory obligation, not an optional quality assurance measure, for all reporting entities subject to the AML/CTF Act.
AUSTRAC’s guidance is clear: the review must check that the reporting entity is complying with its AML/CTF program, that the program properly addresses the entity’s money laundering and terrorism financing (ML/TF) risks, and that it meets the legislative requirements. The independence requirement is strict: the reviewer cannot have been involved in any part of developing the program, including assessing ML/TF risks, developing controls, or implementing or maintaining the program.
Critically, the reviewer does not need to be an external party. An internal reviewer is permissible, for example, an internal auditor who has no compliance function and played no role in building the program. However, for most small to mid-sized reporting entities, engaging an external specialist is the most practical way to satisfy both the independence and competency requirements simultaneously.
What AUSTRAC expects is a review that is genuinely independent, technically competent, and capable of producing documented findings that can be presented to senior management and, where necessary, to the regulator.
Legislative Basis Under the AML/CTF Act 2006
Under the existing AML/CTF Act 2006 (Cth), the independent review obligation is established in Section 81, which requires reporting entities to have Part A of their AML/CTF program independently and regularly reviewed. Section 82 imposes an equivalent requirement for Part B (the customer identification program). Together, these provisions establish a clear statutory duty to subject AML/CTF programs to periodic independent scrutiny.
The AML/CTF Rules 2007 (Old Rules) supplemented these provisions with more specific requirements around frequency, scope, and documentation. Under the AML/CTF Amendment Act 2024, which takes effect for current reporting entities on 31 March 2026, the independent review obligation is retained and embedded within the reformed risk-based framework. Reporting entities should note that transitional obligations under the current Rules continue to apply until then.
The key legislative principle that underpins the independent review obligation is this: no entity should be the sole judge of its own compliance. External scrutiny, or at minimum, genuinely independent internal scrutiny, is integral to the integrity of Australia’s AML/CTF regime.
AML Audit vs AML Independent Review — Are They the Same?
The terms “AML audit” and “AML independent review” are often used interchangeably in industry, but they are not synonymous under Australian law. When businesses informally refer to an “AML audit”, they are typically describing a broad compliance review process, one that may or may not satisfy AUSTRAC’s specific statutory requirements.
What AUSTRAC requires is an independent review in the precise sense defined under the Act and Rules: an impartial, documented assessment conducted by someone with no conflict of interest relative to the program being assessed. A general audit, particularly one conducted by the same provider who built or manages the AML/CTF program, will not satisfy this requirement.
The distinction matters in an enforcement context. AUSTRAC’s proceedings against Mount Pritchard and District Community Club (Mounties) in 2025 explicitly alleged that five reviews conducted by an external provider over four years did not meet the requirements of a formal independent review under the AML/CTF Rules because they failed to test or verify the effectiveness of the entity’s systems and procedures. This case is a direct warning: the label “review” is not enough. The substance, methodology, and independence of the assessment are what count.
Who Must Conduct an AML/CTF Independent Review?
All reporting entities under the AML/CTF Act are obligated to have their AML/CTF program independently reviewed. This encompasses financial institutions, remittance providers, digital currency exchange providers, casinos, and other businesses providing designated services as defined in the Act.
With the passage of the AML/CTF Amendment Act 2024, Tranche 2 entities, including lawyers, accountants, real estate agents, and dealers in precious metals and stones, will become reporting entities from 1 July 2026. These businesses will be subject to the full suite of AML/CTF obligations, including the independent review requirement, from that date. For many of these sectors, this represents an entirely new compliance obligation, and early preparation is strongly advisable.
The risk-based approach underpins both who conducts the review and how frequently: entities with higher risk profiles, more complex service offerings, or larger customer bases will be expected to review more frequently and with more rigorous scope than lower-risk, simpler operations.
AUSTRAC Independent Review Requirements Explained
AUSTRAC’s guidance on independent reviews sets out a clear framework of expectations. Reporting entities should not approach this obligation as a box-ticking exercise. AUSTRAC’s enforcement posture, evidenced by a substantial body of civil penalty proceedings, makes clear that superficial compliance will be treated as non-compliance.
How Often Is an Independent AML Review Required?
Under the existing AML/CTF Rules, the requirement is to conduct an independent review “regularly”, a standard that is deliberately calibrated to the size, nature, and complexity of the reporting entity. AUSTRAC has not mandated a fixed interval. Instead, the entity’s own risk assessment should inform the review cycle.
In practice, most mid-to-large reporting entities conduct independent reviews every one to two years. Smaller, lower-risk entities may operate on a two-to-three-year cycle. However, several trigger events should prompt an unscheduled or earlier review regardless of the regular cycle. These include rapid business growth or geographic expansion; the introduction of new products, services, or delivery channels; a material change in the entity’s customer base or risk profile; AUSTRAC supervisory engagement or an enforcement action; or any significant breach or gap identified in an internal compliance assessment.
What Must the Review Cover?
Under the current framework, the independent review must cover Part A of the AML/CTF program, which is the risk-based program that addresses how the entity identifies, mitigates, and manages its ML/TF risks. The review of Part B (the customer identification program) is a separate obligation under Section 82 but is typically conducted concurrently. Under the reformed framework commencing 31 March 2026, the Part A/Part B distinction is removed, and the review obligation applies to the unified AML/CTF program.
A properly scoped independent review should address the following areas:
- ML/TF risk assessment: whether the entity’s risk assessment is current, methodologically sound, and appropriately calibrated to its actual risk exposure.
- AML/CTF policies and controls: whether documented policies are adequate to identify and mitigate identified risks, and whether they are being followed in practice.
- Transaction monitoring: whether the transaction monitoring system is fit for purpose, appropriately tuned to the entity’s risk profile, and subject to documented testing and review.
- Suspicious Matter Reporting (SMR): whether the entity has adequate processes to identify, escalate, investigate, and report suspicious matters to AUSTRAC in a timely manner.
- Customer due diligence (CDD) and enhanced due diligence (ECDD): whether CDD and ECDD processes are applied consistently, proportionately, and in accordance with the entity’s program.
- Governance and board oversight: whether there is adequate evidence of senior management and board engagement with AML/CTF compliance, including documented challenge and sign-off.
- AML/CTF training framework: whether risk awareness training is current, appropriately tailored to the entity’s risk profile, and completed by relevant staff.
Documentation and Reporting Expectations
An independent review that produces no documented output is unlikely to satisfy AUSTRAC’s expectations. Reporting entities should expect the reviewer to produce a written report setting out the scope of the review, the methodology applied, findings (including gaps and deficiencies), and a recommended remediation plan with prioritised actions.
This report should be formally presented to senior management and, where required, to the governing body or board. Under the reformed framework, the role of governing bodies and senior management in overseeing AML/CTF compliance is an explicit legislative requirement. Evidence that findings were reported, considered, and acted upon will be important in demonstrating ongoing compliance. The written report should be retained as part of the entity’s compliance records.
Common Failures Identified in Independent AML Reviews
Drawing on enforcement cases, AUSTRAC supervisory guidance, and practical experience conducting independent AML reviews across a range of Australian reporting entities, three categories of failure consistently emerge. Understanding these failure modes is essential both for conducting a meaningful review and for preparing your organisation in advance.
Outdated AML/CTF Risk Assessments
Perhaps the most frequently recurring finding in independent AML reviews is a risk assessment that has not been meaningfully updated to reflect changes in the entity’s business, customer base, or operating environment. Many risk assessments begin as copy-paste templates, which are generic documents that describe theoretical ML/TF risks rather than the entity’s actual exposure.
AUSTRAC’s enforcement proceedings against Crown confirmed that failing to include a risk assessment methodology was a specific area of non-compliance. An AML/CTF risk assessment that is not calibrated to the entity’s specific products, services, customer demographics, and delivery channels will fail to serve its regulatory and practical purpose and will be identified as deficient in any properly conducted independent review.
Weak Transaction Monitoring Frameworks
Transaction monitoring is a technically demanding area that is frequently under-resourced and under-documented. Independent reviews commonly identify rule-based transaction monitoring systems that were set up at program implementation and have never been reviewed, tested, or tuned since, even as the entity’s risk profile has changed.
Common deficiencies include monitoring rules that generate excessive false positives but are never refined; alert thresholds that have not been calibrated to the entity’s specific risk indicators; and a complete absence of documented testing to confirm the system is operating as intended. AUSTRAC expects transaction monitoring to be not just in place, but demonstrably effective. Reviews that fail to verify operational effectiveness, as was alleged in the Mounties proceedings, do not satisfy the regulatory standard.
Governance and Board Oversight Gaps
Governance failures are a recurring theme across AUSTRAC’s major enforcement cases. In the Entain proceedings (December 2024), AUSTRAC alleged that the board and senior management did not have appropriate oversight of the entity’s AML/CTF processes, a failing that limited the company’s ability to identify and respond to the risks it faced.
In independent reviews, governance deficiencies typically manifest as: no documented evidence that the board or senior management has received, considered, and challenged AML/CTF compliance reporting; AML/CTF not appearing as a standing agenda item in board or risk committee papers; and a compliance function that reports findings but receives no documented response from senior leadership. Under the reformed framework, the explicit legislative requirement for governing body and senior management oversight means these gaps will attract heightened scrutiny from 31 March 2026 onwards.
Preparing for an AML Independent Review: Step-by-Step Guide
Proactive preparation significantly improves the quality and efficiency of an independent review and reduces the remediation burden that follows it. The following four-step approach is designed to help compliance officers and MLROs prepare their organisation systematically.
Step 1: Conduct an Internal Gap Assessment
Before engaging an independent reviewer, conduct your own preliminary gap assessment. Map your existing AML/CTF program documentation against AUSTRAC’s guidance and the AML/CTF Rules to identify obvious deficiencies before they become documented findings in the formal review. This pre-review readiness check is not about concealing issues; it is about making efficient use of the reviewer’s time and ensuring your program is in a reviewable state.
At a minimum, confirm that the following documents exist, are current, and are accessible: the AML/CTF program (Part A and Part B, or the unified program under the reformed framework); the ML/TF risk assessment; transaction monitoring procedures; CDD and ECDD policies; training materials and completion records; and board and senior management reporting on AML/CTF compliance.
Step 2: Review Your AML/CTF Program Against AUSTRAC Guidance
Cross-reference your AML/CTF program against the current AUSTRAC guidance notes available on the AUSTRAC website, as well as the new AML/CTF Rules 2025 (tabled in Parliament on 29 August 2025, effective 31 March 2026). For current reporting entities, ensure that your program continues to comply with existing obligations while simultaneously beginning transition planning for the reformed framework.
Pay specific attention to Part A coherence: does your risk assessment methodology support the controls described in your program? Does your program accurately describe the actual processes your staff follow? Misalignment between documented policies and operational reality is a consistently identified weakness.
Step 3: Test Operational Effectiveness
A well-designed AML/CTF program that is not being applied in practice provides no compliance protection. Before the independent review, test the operational effectiveness of your key controls by sampling actual case work.
This should include: a sample of Suspicious Matter Reports (SMRs) to test whether the investigation, escalation, and reporting process is functioning as documented; a sample of customer due diligence files to verify that onboarding processes were applied consistently and completely; a review of Enhanced Due Diligence (ECDD) cases to confirm that higher-risk customers were identified and treated appropriately; and an assessment of whether transaction monitoring alerts are being reviewed, dispositioned, and documented within acceptable timeframes. Deficiencies identified at this stage can be remediated before the formal review commences.
Step 4: Prepare Senior Management for Findings
Independent reviews almost always produce findings. This is not a sign of program failure; it is the expected and appropriate outcome of a rigorous, independent assessment. Senior management should be briefed in advance to set appropriate expectations: findings will emerge, some will require action, and the board’s role is to receive those findings, challenge where appropriate, and ensure that remediation is resourced and tracked.
Prepare a remediation tracking mechanism before the review is complete so that findings can be actioned promptly. A documented remediation plan, with clear ownership and target dates, demonstrates the kind of governance maturity that AUSTRAC expects. It also provides important protection in the event of a regulatory inquiry or supervisory engagement following the review.
How to Choose the Right Independent AML Reviewer in Australia
Selecting an appropriate independent reviewer is a compliance decision. AUSTRAC’s guidance makes clear that the reviewer’s suitability depends on their independence, competence, and understanding of AML/CTF obligations as they apply to the reporting entity. The following criteria should guide the selection process.
Independence Requirements
The reviewer must not have been involved in any part of developing, implementing, or maintaining the AML/CTF program being reviewed. This includes assessing ML/TF risks, drafting policies, building transaction monitoring rules, or providing ongoing compliance support. Where a service provider performs both implementation and review functions, the independence requirement will not be satisfied, regardless of whether the reviewer is a different individual within the same firm.
There must be no conflict of interest that could compromise the reviewer’s objectivity. Before engagement, the reviewer should provide a written declaration of independence confirming they have no such conflict. Measures to protect independence, such as the reviewer’s professional standards or organisational separation, are relevant factors in assessing suitability.
Regulatory and Enforcement Experience
The reviewer should have direct familiarity with AUSTRAC’s regulatory expectations, supervisory approach, and enforcement priorities. An understanding of the AUSTRAC guidance notes, current enforcement trends, and the evolving regulatory landscape under the AML/CTF Amendment Act 2024 is essential. Generic compliance or audit experience, without specific AML/CTF knowledge, is unlikely to produce the depth of assessment that AUSTRAC expects.
Reviewers who have experience engaging with AUSTRAC, either directly on behalf of reporting entities or through supervisory interactions, will bring contextual knowledge that translates into more accurate, relevant, and defensible findings. Experience with AUSTRAC’s compliance report questions and the regulator’s focus areas for each reporting cycle is a useful indicator of current regulatory knowledge.
Sector-Specific Expertise
AML/CTF risks vary materially across sectors. A reviewer with deep experience in financial services may lack the knowledge to assess the specific risks faced by a remittance provider, a digital currency exchange, or a licensed casino. Sector-specific expertise allows the reviewer to calibrate the review against realistic ML/TF risk indicators for the entity’s operating environment, rather than applying a generic framework.
This is particularly important for Tranche 2 entities preparing for obligations that commence 1 July 2026. Law firms, accounting practices, real estate agents, and dealers in precious metals and stones face AML/CTF risks that are distinct from those of traditional financial services providers. Reviewers with direct experience in these sectors and with the specific ML/TF typologies relevant to each will produce more useful and actionable findings.
The Business Risk of Not Conducting an AML Independent Review
Failing to conduct an independent AML review, or conducting one that does not meet the regulatory standard, exposes reporting entities to significant legal, financial, and reputational consequences. AUSTRAC’s enforcement record makes clear that these are not hypothetical risks.
Civil penalties under the AML/CTF Act can be substantial. The Federal Court has ordered penalties ranging from $45 million (Tabcorp, 2017) to $700 million (CBA, 2018), $1.3 billion (Westpac, 2020), and $450 million (Crown, 2023). While these cases involved systemic failures across multiple compliance areas, they consistently included inadequate or non-compliant independent review processes as contributing factors. The more recent proceedings against SkyCity ($67 million, 2024), Entain (commenced December 2024), and Mounties (commenced July 2025) continue this pattern.
Beyond civil penalties, AUSTRAC can issue enforceable undertakings requiring public disclosure of compliance failures and binding remediation commitments. The regulator can also appoint an external auditor at the entity’s expense, which is a punitive measure that effectively substitutes AUSTRAC’s choice of reviewer for the entity’s own. AUSTRAC can issue remedial directions compelling specific actions and can cancel or suspend registration for remittance and digital currency exchange providers.
The reputational consequences of enforcement action can be severe and lasting. For entities that depend on correspondent banking relationships, insurance arrangements, or contractual access to payment systems, public enforcement action can directly threaten business viability. For Tranche 2 entities entering the regulatory framework from 1 July 2026, the reputational risk is amplified by the relative novelty of their AML/CTF obligations.
Why Tranche 2 Consultants Is Trusted for Independent AML Reviews in Australia
Tranche 2 Consultants provides independent AML reviews that are built on deep regulatory expertise, a genuine understanding of AUSTRAC’s supervisory expectations, and a practical, remediation-focused methodology. Our reviews are designed to produce findings that are accurate, defensible, and immediately actionable, not just a documented summary of what the program says on paper.
Our team has direct experience with the full spectrum of AML/CTF compliance challenges faced by Australian reporting entities: from complex financial services businesses navigating rapidly evolving transaction monitoring obligations, to remittance providers managing high-volume, cross-border payment risk, to organisations preparing for Tranche 2 obligations for the first time.
Every review we conduct is anchored in a clear methodology: we assess the design adequacy of the AML/CTF program against the current legislative and regulatory framework; we test operational effectiveness through targeted sampling of real transactions, SMRs, CDD files, and ECDD cases; and we assess governance structures to confirm that board and senior management oversight is not just documented, but evidenced.
Our reports are written for two audiences simultaneously: compliance professionals who need technical precision, and boards and senior management who need clear, prioritised findings they can act on. We present findings with a practical remediation roadmap, including risk-rated actions, ownership recommendations, and timeline guidance.
As the AML/CTF reforms take effect in 2026, organisations that have been through a rigorous, independent review process will be better positioned, both in terms of program quality and regulatory standing, than those that have deferred the exercise. Our Tranche 2 readiness advisory services are available to entities that want to use the independent review as a foundation for transition planning.
Conclusion: Staying Ahead of AUSTRAC Expectations
An independent AML review is not an administrative formality. It is one of the most important risk management and governance mechanisms available to a reporting entity and one of the clearest signals to AUSTRAC that a business takes its AML/CTF obligations seriously.
The regulatory environment in Australia is unambiguous. AUSTRAC’s enforcement record demonstrates a consistent willingness to pursue civil penalties against entities that fail to maintain effective AML/CTF controls, including those that conduct reviews in name only, without genuine independence or operational substance. The Mounties proceedings in 2025 are a direct and recent warning: five reviews over four years that failed to test and verify program effectiveness were treated as non-compliance with the independent review obligation.
With AML/CTF reforms taking effect on 31 March 2026 for current reporting entities and 1 July 2026 for newly regulated Tranche 2 sectors, the compliance landscape is changing significantly. The shift to a risk-based, outcomes-focused framework places greater responsibility on governing bodies, senior management, and compliance officers to demonstrate that their AML/CTF programs are not merely documented but genuinely effective.
Proactive compliance is a competitive and reputational advantage. Organisations that have invested in rigorous, regular independent reviews and acted on findings will be better placed to navigate the transition, withstand regulatory scrutiny, and protect their banking and business relationships. Those that have deferred the exercise face compounding risk.
"Precious metals and stones concentrate high value in small, easily transferable forms, making the sector inherently attractive to money laundering. Tranche 2 reflects AUSTRAC’s view that dealers now sit on the front line of financial crime prevention."
Frequently Asked Questions About AML Independent Reviews
What is the difference between an AML audit and an AML independent review?
An “AML audit” is a general term used informally across industry and may refer to any compliance review process. An AML independent review is a specific statutory obligation under the AML/CTF Act 2006 (Cth). The key distinction is independence: the reviewer must not have been involved in developing, implementing, or maintaining the program being assessed. A general audit conducted by the same provider who built the program will not satisfy AUSTRAC’s requirements. The substance, methodology, and documented findings of the review determine compliance, not the label applied to the exercise.
How often does AUSTRAC require an independent AML review?
AUSTRAC requires that independent reviews be conducted “regularly”, with frequency determined by the size, nature, and complexity of the business. There is no fixed statutory interval. In practice, most mid-to-large reporting entities review annually or biennially. Additional trigger events such as rapid growth, a new product launch, regulatory engagement, or a material change in risk profile should prompt an unscheduled review outside the regular cycle.
Can our internal compliance team conduct the AML independent review?
Not if those individuals were involved in developing or maintaining the program. AUSTRAC permits internal reviewers, for example, an internal auditor with no compliance role who played no part in building the program. However, for most organisations, satisfying both the independence and competency requirements internally is difficult. Where the compliance team developed and maintains the program, they cannot review it. An external specialist is typically the most practical and defensible solution.
What happens if deficiencies are identified during the review?
Findings are expected because a review that identifies no deficiencies is rarely a sign of a perfect program. When deficiencies are identified, the entity must produce and implement a documented remediation plan, with risk-rated actions, clear ownership, and target timeframes. Findings should be formally reported to senior management and the board. Timely and demonstrable remediation is critical; AUSTRAC expects evidence that entities act on review findings and do not simply acknowledge them. Unaddressed findings can become the basis for regulatory concern in subsequent supervisory interactions.
Are Tranche 2 entities required to complete an AML/CTF independent review?
Yes. From 1 July 2026, Tranche 2 entities, including law firms, accounting practices, real estate agents, and dealers in precious metals and stones, will become reporting entities under the amended AML/CTF Act. This brings with it the full suite of AML/CTF obligations, including the obligation to have their AML/CTF program independently reviewed on a regular basis. Tranche 2 entities should begin building their compliance programs now to ensure they are in a reviewable state by the commencement date.
How long does an independent AML review take in Australia?
The duration of an independent AML review depends on the size and complexity of the entity, the scope of the review, and the completeness of the documentation available. For a smaller reporting entity with a well-documented program, a review may be completed within two to four weeks. For a larger, more complex organisation, or where document retrieval and stakeholder interviews are required, four to eight weeks is a more realistic timeframe. Entities should build review timelines into their compliance calendars and allow sufficient lead time before regulatory reporting obligations fall due.


