Step 5: Conduct an independent evaluation (Reform)

Your anti-money laundering and counter-terrorism financing (AML/CTF) policies must ensure that independent evaluations are conducted of your AML/CTF program.

This guidance explains:

  • when you must conduct independent evaluations
  • who can do an independent evaluation
  • what you must do following an independent evaluation.

Overview of independent evaluations

This section refers to the Act section 26F(4)(f) and the Rules section 5–10.

An independent evaluation does all of the following:

  • evaluates how you undertook or reviewed your ML/TF risk assessment against the requirements in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act), the regulations and Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (the Rules)
  • evaluates the design of your AML/CTF policies against the requirements of the Act, regulations and Rules
  • tests and evaluates whether you appropriately identified, assessed, mitigated and managed your money laundering, terrorism financing and proliferation financing (ML/TF) risks and complied with your AML/CTF policies. 

You must conduct an independent evaluation in addition to your own reviews of your AML/CTF program.

Frequency of independent evaluations

This section refers to the Act sections 26F(4)(f) and 116. 

Your AML/CTF policies must set out the frequency of your independent evaluations. The frequency must be appropriate to the nature, size and complexity of your business.

At a minimum, an independent evaluation must occur at least once every 3 years.

Newly enrolled reporting entities may wish to consider conducting their first independent evaluation earlier, rather than waiting for the 3-year deadline. This may benefit your business because:

  • you can identify any major compliance or ML/TF risk management and mitigation issues and correct them early, reducing risks to your business
  • independent evaluators with appropriate skills may be more readily available.

We expect you to document the rationale for the frequency of your independent evaluation. This includes the factors related to your business’s nature, size and complexity that contributed to the decision.

Who can do an independent evaluation

We expect that your AML/CTF policies set out how you’ll determine if an evaluator is both:

  • independent  
  • suitable given your business’s nature, size and complexity. 

If you don’t do this, you’ll be unlikely to meet your obligations to: 

  • make sure your evaluations are independent and your AML/CTF policies are suitable to your business’s nature, size and complexity
  • keep records showing how you comply with this obligation. 

Selecting an independent evaluator

Independence refers to the evaluator's ability to conduct evaluations without:

  • bias
  • influence
  • conflicts of interest.

This means the evaluator must be free from relationships and circumstances that could compromise their objectivity and professional judgment. This helps ensure the integrity of the evaluation and the reliability of findings.

As long as they’re sufficiently independent, an evaluator can be someone who is either: 

  • internal (for example, a member of an internal audit team)
  • external to your organisation.

For an evaluation to be independent, we expect your evaluator to:

  • have the authority to exercise independent judgement
  • be empowered to conduct the evaluation as they see fit
  • not be responsible for implementing or maintaining the program
  • not be involved in developing your AML/CTF program, systems and controls
  • not be involved in assessing your ML/TF risks
  • be independent of the work areas they’re evaluating. For example, they aren’t your AML/CTF compliance officer or a member of the compliance team.

Selecting a suitable evaluator

This section refers to the Act section 26F.

There are no mandatory qualifications for the person carrying out the independent evaluation. However, we expect your evaluator to have knowledge of the AML/CTF obligations that apply to your business.

If they don’t have this knowledge, the findings of your independent evaluation may not be useful. This could increase the risk that your AML/CTF program doesn’t meet the requirements of the Act.

We expect that your evaluator has sufficient experience and knowledge of both: 

  • the sector you operate in
  • the ML/TF risks that businesses in your sector may reasonably face.

You could also consider any of the following:

  • their experience in AML/CTF compliance, including with businesses of a similar nature, size and complexity to yours
  • their experience in evaluating the effectiveness of systems, controls, policies or procedures
  • their experience preparing reports to document findings
  • any AML/CTF qualifications or certifications they hold
  • whether they belong to a professional body that requires its members to meet relevant professional standards.

Independent evaluations help you ensure your AML/CTF program appropriately identifies, assesses, manages and mitigates your ML/TF risks. Failure to select an appropriate evaluator increases the risk that your program won’t comply with the Act. 

Conduct of independent evaluations

This section refers to the Act section 26F and the Rules section 5–10.

Your AML/CTF policies must set out the conduct of independent evaluations. Your policies must be appropriate to the nature, size and complexity of your business.

Your AML/CTF policies must require your independent evaluator to do all of the following:

  • evaluate how you undertook or reviewed your ML/TF risk assessment against the requirements in the Act, regulations and Rules
  • evaluate the design of your policies against the requirements of the Act, regulations and Rules
  • test and evaluate whether you appropriately identified, assessed, mitigated and managed your ML/TF risk and complied with your policies.

For larger, more complex reporting entities, you may wish to conduct independent evaluations consistent with best practice assurance standards.

For independent evaluations performed on an organisation that operates in multiple jurisdictions, including your business, we expect you to make sure that both:

  • your compliance with your Australian AML/CTF obligations is thoroughly evaluated
  • any testing of processes, customers or transactions includes a reasonable sample from your Australian operations.

Preparing for an independent evaluation

We expect you to make sure your evaluator has access to documents, key personnel and systems to conduct the evaluation. For example, during the independent evaluation, your evaluator may request:

  • documents about the development of your ML/TF risk assessment and AML/CTF policies
  • your ML/TF risk assessment
  • your AML/CTF policies
  • access to relevant staff members and senior managers
  • access to records, such as customer identification and transactions
  • the results of your own monitoring and reviews of your ML/TF risk assessment and AML/CTF policies
  • previous independent evaluation reports
  • other documents relevant to the evaluation.

Failing to provide your evaluator with appropriate access will impact the reliability and effectiveness of any evaluation. It may increase the risk that your AML/CTF program doesn’t meet your obligations and the risk of civil penalties.  

Written report following the independent evaluation 

This section refers to the Act sections 26F(4)(f) and 26H and the Rules section 5–10. 

Your AML/CTF policies must require any independent evaluator to produce a written report with their findings once they’ve completed their evaluation. Your policies must specify that you provide this report to both:

  • your governing body
  • any senior manager responsible for approving your AML/CTF program.

We expect that the governing body and relevant senior managers receive these reports as soon as reasonably practicable once the independent evaluation report is prepared. 

This will help your organisation be aware of deficiencies and begin to address any adverse findings and any ongoing non-compliance.

This written report will typically include all of the following: 

  • a summary of the evaluation process, including the aspects of the business reviewed and the evaluation method used
  • their findings in relation to how you undertook or reviewed your ML/TF risk assessment and the design of your AML/CTF policies
  • their findings about whether you’re complying with your AML/CTF policies
  • what they tested, the files they sampled, and how they conducted the tests or sampling.

Responding to an independent evaluation

This section refers to the Act section 26F(4)(f) and the Rules sections 5–1, 5–4 and 5–10.

Your AML/CTF policies must set out how your business will respond to an independent evaluation. This includes how you’ll review and, if required, update your ML/TF risk assessment and AML/CTF policies in response to adverse findings.

Adverse findings in an independent evaluation report

This section refers to the Act sections 26D and 26F and the Rules sections 5–1, 5–4, 5–10 and 5–15.

The independent evaluation report may contain adverse findings.

For example, an adverse finding could relate to:

  • how you undertook or reviewed your ML/TF risk assessment
  • the design of your AML/CTF policies
  • your compliance with your AML/CTF policies
  • whether you’re appropriately managing and mitigating your ML/TF risks.

Reviewing and updating your ML/TF risk assessment and AML/CTF policies

If your independent evaluation report contains adverse findings in relation to your ML/TF risk assessment, you must:

  • review your risk assessment
  • if required, update your risk assessment to address any issues
  • if required, update your AML/CTF policies to reflect the changes in your risk assessment. 

You must also review and, if required, update your AML/CTF policies if the evaluation report contains adverse findings in relation to your policies.

If you don’t update your AML/CTF program in response to adverse findings, this may lead to ongoing non-compliance and failure to appropriately manage and mitigate your ML/TF risks. 

You don’t have to agree with all of the adverse findings. However, we expect that you’ll take adverse findings seriously.

We expect that you keep records on how you’ve addressed any adverse findings in the independent evaluation report. This includes the reasons why you haven’t updated your AML/CTF program in response to any adverse finding.

You may document how you plan to address the findings in the independent evaluation report, or in a separate document. 

If you update your ML/TF risk assessment or AML/CTF policies following the independent evaluation, you must document these updates within 14 days after making the update.

Once you complete your review and update, we expect you to take steps to make sure you appropriately communicate and implement any updates across your business. If you don’t do this, your staff will likely fail to comply with your updated AML/CTF policies.

Monitor effectiveness of updates

We expect you to monitor any changes you make to your AML/CTF program to make sure the changes have addressed the adverse findings in your independent evaluation.

If the issues persist after updating your AML/CTF program, we expect you to conduct further reviews and updates to address these.

Record keeping

This section refers to the Act section 116.

You must keep records that are reasonably necessary to demonstrate compliance with your independent evaluation obligations. This could include: 

  • the sampled or evaluated records and files
  • the independent evaluation report
  • records of discussions about evaluation findings with your senior managers and your governing body
  • why your business considers the evaluator suitable and how you selected them
  • how you’ve addressed any adverse findings
  • how you’ll track progress
  • who’s responsible for addressing the findings
  • any reasons for not addressing the findings. 

Example: Updating your AML/CTF program after an independent evaluation

A small business received its written independent evaluation report. The report contains the following adverse findings:

  • The business didn’t consider all relevant delivery channels when conducting its ML/TF risk assessment.
  • Specifically, the business didn’t consider the ML/TF risks of designated services provided via its website.
  • There are deficiencies in its customer due diligence (CDD) procedures and transaction monitoring systems.

The business’s governing body and senior managers receive the written evaluation report. They identify that, as their ML/TF risk assessment is out of date, they’ll breach their AML/CTF obligations when they provide designated services. To remedy this breach, the business urgently completes the following steps.  

The AML/CTF compliance officer updates the risk assessment to make sure it considers the risks of providing its services through its website. They also develop new AML/CTF policies to deal with these risks. 

The AML/CTF compliance officer also: 

  • reviews the business’s CDD and transaction monitoring policies
  • updates the policies to respond to the deficiencies the independent evaluator found
  • communicates the updates to affected staff once approved. 

Relevant senior managers review and approve the updates to the risk assessment and the AML/CTF policies. They decide to conduct an internal review of these policies and procedures in 3 months to monitor whether the changes are effective.

Next step

Go to record keeping.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025