Independent reviews

You must have Part A of your AML/CTF program independently and regularly reviewed. How you do this, and how often you do this, depends on the size, nature and complexity of your business or organisation. Your risk assessment helps you plan your independent reviews.

An independent review is an impartial assessment of Part A of your AML/CTF program. It checks that you’re complying with your program and that it:

  • properly addresses your money laundering and terrorism financing risks
  • complies with your legal obligations
  • is working as it should.

The independent reviewer must be someone who:

  • understands your business or organisation
  • understands ML/TF risks
  • was not involved in any part of developing the program, including assessing your money laundering/terrorism financing risk, developing controls or implementing or maintaining the program.

The reviewer can be someone in your organisation or someone external to it. An example of an internal reviewer might be an auditor in your business who doesn’t have a compliance role. An external reviewer might be a lawyer, an accountant or an AML/CTF consultant.

You must make sure there are measures in place to ensure the reviewer’s independence.

In assessing how suitable someone is to be an independent reviewer, you may want to consider:

  • whether they belong to a professional body that requires its members to meet relevant professional standards
  • whether they are influenced by the people who were involved in the risk assessment or developing the program
  • how well the person understands and applies AML/CTF obligations in relation to your business or organisation.

You can engage one reviewer for the whole of Part A or different reviewers for different sections of Part A.

The independent reviewer should not have been involved in:

  • performing any of the functions or measures being reviewed
  • designing, implementing or maintaining Part A of your AML/CTF program
  • developing your money laundering/terrorism financing risk assessment or related internal systems and controls.

The methodology you apply and the scope of your review depend on your business or organisation. You should take into account your business or organisation’s money laundering/terrorism financing risk and any changes to your business or organisation and/or its risk profile since the last review.

The review could examine and/or test some or all of the following:

  • whether Part A of your AML/CTF program is current and properly assesses that your policies and procedures are adequate to manage your money laundering/terrorism financing risks
  • the assumptions on which the ML/TF risk assessment was based
  • any changes to your money laundering/terrorism financing risk profile
  • any changes to your AML/CTF practices and policies
  • how well your employees understand and comply with your program
  • how well the business responded to previous recommendations
  • post-implementation reviews of how effective changes to Part A of your program were
  • what caused any deficiencies or violations found – and your plans to rectify them
  • whether your AML/CTF employee training program is adequate and effective
  • how you responded to previous recommendations
  • whether your compliance officer has enough seniority and authority
  • how well your transaction monitoring systems are working in identifying suspicious matters
  • whether functions you outsourced are complying with Part A of your program
  • how well your branches and subsidiaries (including those overseas) have implemented Part A of your program.

You must have a documented report of the review that includes findings and recommendations. The report must be provided to senior management and, if applicable, the governing board. Designated business groups must provide the report to each reporting entity. The report should also show:

  • what was tested
  • how the tests were done
  • the sample sizes used in the tests.

You must decide how often reviews are done. How you decide depends on:

  • the size of your business or organisation
  • what kind of business or organisation you have
  • how complex your business or organisation is
  • your level of money laundering/terrorism financing risk.

High-risk organisations should have independent reviews done at least every two to three years.

More frequent reviews

If your business or organisation has changed significantly you may need to get reviews done more often.

Examples of circumstances that may mean you need more frequent reviews include:

  • structural changes to your business, such as mergers and acquisitions
  • changes to the risk of your business or organisation being used for money laundering or terrorism financing
  • whether you have started accepting cash in transactions
  • whether you have started outsourcing some of your obligations to another entity
  • changes to the number or volume of transactions you report to us
  • whether significant changes have been made to Part A of your AML/CTF program since the last independent review
  • new customer types
  • whether you have had any issues with compliance
  • whether any deficiencies previously identified have been remedied
  • the status or outcome of any enforcement action taken against your competitors
  • if you are providing new products, new designated services or are offering services through new channels.

You may also need reviews more often if you currently have or previously had difficulties complying.

There may be other reasons you need to review Part A of your program more frequently – you must decide this based on your money laundering/terrorism financing risk profile and your business or organisation.

Hiring an external advisor to conduct an independent review

Greengage Pty Ltd is a small grocery business that also offers designated remittance services. There are three full-time employees and several casual and part-time workers. The manager of Greengage, who is one of the full-time employees, is the compliance officer and developed and maintains the business’s AML/CTF program. This means the manager is not suitable to conduct an independent review. None of the other employees have the knowledge or understanding of AML/CTF obligations to conduct a review either.

Greengage therefore hires an accounting firm, Plum Accountancy, as an external advisor. Plum Accountancy conducts an independent review every two years. Plum is an appropriate independent reviewer because they provide accounting and tax services to Greengage, and have expertise in reviewing AML/CTF programs.

Engaging an internal advisor to conduct an independent review

Maple Wealth Creation Ltd provides financial services to its customers. Maple is part of a corporate group that has three separate entities – Willow Ltd, Oak Ltd, and Ash Ltd.

Maple has separate compliance and internal audit functions. Ms Black is responsible for AML/CTF compliance and she developed and maintains Maple’s AML/CTF program. Mr Grey is the internal auditor who usually conducts the independent reviews; however, he is on long-service leave. The acting auditor has previously worked in Maple’s compliance team and helped to implement the AML/CTF program, so can’t do the independent review.

Maple knows there is AML/CTF expertise in the corporate group it belongs to. It therefore appoints the General Counsel of Oak Ltd to do the independent review.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 15 Jan 2024
Page ID: 21
