AUSTRAC Tranche 2 reforms are coming — accountants, lawyers, conveyancers, real estate & dealers are being brought into the AML/CTF regime.
AMLCompliant
BlogAm I captured? — free check
AML/CTF · Tranche 2 guide

The AML/CTF Independent Review: What It Is and How to Prepare for Your First One

9 min read · General information, not legal advice · Updated 2026-06-12

Key takeaways

  • An independent review tests whether your AML/CTF program is appropriate, being followed, and working — examining both design and day-to-day operation, not just paperwork.
  • It is a core part of the regime for reporting entities, alongside enrolment, the program itself, CDD, reporting SMRs and TTRs (AUD 10,000+ physical currency), record-keeping and appointing an AMLCO; Tranche 2 obligations commence 1 July 2026.
  • The reviewer must be independent of the program they assess — either a qualified external specialist or a genuinely separate internal reviewer — and competent in AML/CTF and your sector.
  • Expect the review to cover governance, the risk assessment, CDD, transaction monitoring, reporting, record-keeping and training, and to sample real client files to test what staff actually did.
  • Prepare by assembling your program, evidence of oversight, sample files, reports and training records — and act on the findings. This is general information, not legal advice.

You run a real estate agency, a conveyancing or accounting practice, a law firm, or you deal in precious metals or stones. You have stood up an AML/CTF program ahead of the Tranche 2 obligations commencing on 1 July 2026, and now you have heard a new phrase: your program must be independently reviewed. The decision in front of you is who should do that review, what they will look at, and what you need to have in order before they arrive.

This article explains the AML/CTF independent review in plain terms — what it is, why it exists, who can perform it, and how to walk into your first one prepared rather than exposed. It is general information, not legal advice, and your specific obligations depend on the designated services you provide.

What an AML/CTF independent review actually is

An independent review is a structured assessment of your AML/CTF program by someone who did not build or run it. Its job is to test whether your program is appropriate for your business, whether it is actually being followed, and whether it is working as intended. It is not a tick-box audit of paperwork — it looks at both the design of your controls and how they operate in practice.

The review exists because a program can look complete on paper and still fail in the real world. Staff may not follow the procedures. The risk assessment may have drifted out of date as the business changed. Customer due diligence may be inconsistent. An independent set of eyes is there to surface those gaps before they become a problem with the regulator — AUSTRAC, the Australian Transaction Reports and Analysis Centre.

Think of it as a health check with teeth. A good review gives you a clear-eyed picture of where your program is strong, where it is weak, and a prioritised list of what to fix.

Why reporting entities have to do this

Tranche 2 refers to the reforms under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which extend Australia's AML/CTF regime to new sectors often called 'tranche 2 entities'. The new obligations are due to commence on 1 July 2026.

If you are a reporting entity, the independent review sits alongside your other core obligations:

  • Enrol with AUSTRAC — handled through AUSTRAC Online.
  • Develop and maintain an AML/CTF program — governance, an ML/TF risk assessment, and policies, procedures, systems and controls.
  • Conduct customer due diligence (CDD/KYC) — including ongoing CDD and transaction monitoring.
  • Report suspicious matters and threshold transactions — SMRs, and TTRs for physical currency of AUD 10,000 or more.
  • Keep records — generally for seven years.
  • Appoint an AML/CTF compliance officer (AMLCO).

The review is the mechanism that keeps the program honest over time. A program is meant to be a living system, not a document you finalise once and forget. The independent review is how you — and AUSTRAC — get assurance that the system is still fit for purpose. Serious failures across the regime can attract significant civil and criminal penalties, which is part of why getting the program right, and keeping it right, matters.

Who can perform the review

The defining feature is independence. The reviewer must not have been responsible for designing, implementing or running the parts of the program they are assessing. The point is to avoid someone marking their own homework.

That independence can be achieved in different ways:

  • An external specialist — an AML/CTF consultant, audit firm, or legal adviser engaged specifically to review the program. This is the common route for smaller firms that lack internal capacity.
  • An internal reviewer who is genuinely separate — for example, someone in a different team or function who had no role in building or operating the program. Larger organisations with an internal audit function may use this approach.

Whoever does it, two things matter most: independence from the program being reviewed, and the competence to understand AML/CTF obligations and your sector. A reviewer who is independent but does not understand your designated services is little better than one who is competent but conflicted. As the AUSTRAC rules are finalised, expect further detail on review expectations for your sector — confirm the specifics rather than assuming.

What the review will cover

A thorough review tends to work through the whole program rather than a single slice of it. Expect the reviewer to examine:

  • Governance and oversight — whether your AMLCO is appointed, has real authority, and whether senior management is genuinely across the program.
  • The ML/TF risk assessment — whether it reflects your actual customers, services, channels and jurisdictions, and whether it is current.
  • Customer due diligence — whether identification, verification, beneficial ownership checks, enhanced due diligence and ongoing CDD are being applied consistently.
  • Transaction monitoring and escalation — whether unusual activity is being detected and raised the way the procedures say it should be.
  • Reporting — whether SMRs and TTRs are lodged correctly and on time through AUSTRAC Online, with tipping-off safeguards in place.
  • Record-keeping — whether records are being kept, organised, and retained (generally for seven years).
  • Training and screening — whether staff are trained and understand their obligations.

Crucially, the reviewer tests operation, not just design. They will likely sample real files — for example, a set of recent client onboardings — to see whether what staff actually did matches what the program requires.

How to prepare: a practical checklist

Preparation is mostly about being able to show your work. Use this checklist to get ready, and treat each line as done only when the evidence exists and someone can produce it on request.

  • Assemble your program documents — the current AML/CTF program, the ML/TF risk assessment, and all written policies and procedures, in their latest approved versions.
  • Confirm your AMLCO is appointed and documented — with their authority and responsibilities recorded.
  • Gather evidence of senior management oversight — approval records, meeting notes, or sign-offs showing the program has been reviewed by leadership.
  • Pull a sample of customer files — recent onboardings showing identification, verification and beneficial ownership checks were actually performed.
  • Collate your reports — copies or records of any SMRs and TTRs lodged, and evidence of your AUSTRAC Online enrolment.
  • Show your transaction monitoring in action — examples of alerts or escalations, and how they were handled.
  • Produce training records — who was trained, when, and on what.
  • Check your record-keeping — confirm records are organised and retrievable, with the seven-year retention rule applied.
  • List known gaps yourself — a reviewer respects a firm that already knows where its weak points are and has a plan for them.
  • Brief your team — let relevant staff know the review is happening and what may be asked of them.

If you can produce these without scrambling, the review will go far more smoothly — and the findings will be about genuine improvements rather than missing paperwork.

Common mistakes to avoid

First-time reviews tend to trip on the same few issues:

  • Treating the review as a formality. The value is in acting on the findings. A review with no follow-up changes nothing and offers little protection.
  • Choosing a reviewer who is not truly independent. If the person who built the program also reviews it, the independence requirement is not met.
  • Confusing 'documented' with 'done'. A reviewer who samples files will quickly see if procedures exist on paper but are not followed in practice.
  • Letting the risk assessment go stale. If your business has changed and the risk assessment has not, that is one of the first things a reviewer will flag.
  • Leaving preparation to the last minute. Gathering evidence and reconstructing what happened on past files is far harder under time pressure.
  • Ignoring the findings report. The output of the review is a roadmap. Filing it away unread is a missed opportunity and a poor look if AUSTRAC ever asks what you did about it.

A faster way to walk in review-ready

A large part of a smooth review is simply having a complete, well-organised program in the first place. A well-built, audit-ready template kit gives you the structure — governance arrangements, a risk assessment framework, CDD procedures, reporting and record-keeping policies, and the supporting registers — so the documents a reviewer asks for already exist and hang together. That turns review preparation from a frantic document hunt into a tidy handover, and your effort goes into tailoring rather than reinventing the format.

Whichever way you get there, the substance is what counts: the program has to match your designated services, your real risks, and your day-to-day practice. This article is general information and not legal advice, and your obligations depend on the specific designated services you provide. Confirm the detail with AUSTRAC (austrac.gov.au) or a qualified adviser before you act.

Frequently asked questions

What is an AML/CTF independent review?
It is an assessment of your AML/CTF program by someone who did not design or run it, checking whether the program is appropriate for your business, is being followed, and is working. The reviewer looks at both how the controls are designed and how they operate in practice, often by sampling real customer files. The output is a findings report you are expected to act on.
Who can carry out the independent review?
Anyone who is genuinely independent of the parts of the program they are reviewing and competent in AML/CTF and your sector. That can be an external consultant, audit firm or legal adviser, or an internal person from a separate team who had no role in building or running the program. The key tests are independence and competence.
How often does an AML/CTF program need to be independently reviewed?
The review is meant to be periodic, so that weaknesses surface before they become a regulatory problem. The exact cadence and detailed expectations are being settled as the AUSTRAC rules are finalised, so confirm the current requirements with AUSTRAC or a qualified adviser rather than relying on a fixed assumption.
What do I need to have ready for my first review?
Have your current AML/CTF program and risk assessment, evidence that your AMLCO is appointed and that senior management oversees the program, a sample of recent customer files showing CDD was performed, records of any SMRs and TTRs lodged, transaction monitoring examples, training records, and proof of record-keeping. Being able to produce these on request is most of the battle.
What happens if the review finds problems?
Findings are normal — the point of the review is to identify gaps so you can fix them. You should treat the findings report as a prioritised roadmap, assign owners and timeframes to each item, and document what you did. Acting on the findings is far more important than achieving a perfect first review.
Does the independent reviewer report my firm to AUSTRAC?
The independent review is an assurance exercise for your firm, and the reviewer's report is generally provided to you and your senior management rather than lodged with the regulator as a matter of course. That said, your separate reporting obligations — such as suspicious matter reports — still apply, and you should confirm any reporting expectations with AUSTRAC or a qualified adviser.

Sources

This article is general information only and is not legal or compliance advice. Your obligations depend on the designated services you provide. Confirm your position with AUSTRAC (austrac.gov.au) or a qualified adviser.

The Complete AML/CTF Kit

Get your AML/CTF program sorted — without the consultant bill

Audit-ready, editable Word templates for Australian Tranche 2 reporting entities — AML/CTF program, ML/TF risk assessment, CDD/KYC, SMR & threshold registers, record-keeping and an AUSTRAC enrolment checklist. Instant download.

Get the Complete AML Kit — $197Am I captured? — free check