AML/CTF · AFSL

The AML/CTF Independent Evaluation Every AFSL Firm Must Plan For | AML/CTF Australia 2026

Published 24 June 2026Last reviewed June 20266 min readBy Paul Wise

Buried in the AML/CTF obligations — and easy to forget because it's not a daily task — is the independent evaluation requirement. If you've stood up a program as an AFSL firm, this is the obligation that quietly comes due, and turning up to it unprepared is a recurring source of pain. The reforms also changed its name and its scope, which catches a lot of people out.

"Independent review" is now "independent evaluation" — and it's bigger

Under the old regime, you only had to commission an independent review of Part A of your program. From the 2026 reforms, that's replaced by a more demanding independent evaluation of your entire AML/CTF program — your ML/TF risk assessment, your AML/CTF policies, governance, and how it all works in practice. The obligation sits at section 26F(4)(f) of the AML/CTF Act, with the detail filled out in Rule 5-10 of the AML/CTF Rules 2025.

How often you must do it

Your AML/CTF policies must set the frequency of evaluations, satisfying two conditions:

  • It must be appropriate to the nature, size and complexity of your business (s 26F(4)(f)(i)) — higher-risk firms should evaluate more often.
  • It must happen at least once every three years (s 26F(4)(f)(ii)).

For your first evaluation, the transitional rules stagger the deadline to avoid an industry bottleneck — generally falling between 30 June 2029 and 31 December 2030, determined by the last two digits of your AUSTRAC account number. If you already completed an independent review under the old Rules, a different transitional calculation applies.

The smart move is to run your first evaluation early to catch program gaps while there's still time to remediate — rather than discovering problems at the regulatory deadline.

What "independent" actually means

This is the part firms get wrong. "Independent" means the evaluator cannot have been responsible for designing, implementing or maintaining the program they're evaluating. Your AML/CTF compliance officer can't evaluate their own program. The person who wrote your policies can't sign off that the policies are sound.

That leaves two routes:

  • External evaluator — an outside specialist. Clean independence, higher cost, less internal context.
  • Internal evaluator — someone within your business who is genuinely separate from the program's design and operation. Cheaper and better-informed, but only valid if the separation is real and can be demonstrated.

Either way, the independence has to be documented and defensible, not assumed.

What the evaluation must cover

A credible evaluation tests the design and the operational effectiveness of the whole program, typically including:

  • Your ML/TF risk assessment (s 26C) — is the methodology sound, and is it current?
  • Your AML/CTF policies (s 26F) — are they adequate and actually being followed?
  • Customer due diligence and beneficial ownership in practice.
  • Transaction monitoring and reporting — are SMRs (s 41) and TTRs (s 43) being identified and lodged?
  • Governance, training and record keeping (records kept seven years under Part 10).
  • Findings and remediation — what's broken and how it'll be fixed.

The written report goes to your governing body and senior management so adverse findings are actually addressed.

Make the evaluation routine, not a fire drill

Done manually, the evaluation is a scramble: chasing evidence across inboxes and folders, reconstructing what was done and when, writing a workpaper from scratch, then losing track of whether the findings ever got fixed. The remediation half — the part regulators actually care about — usually falls through the cracks.

Veriqua's Independent Review module generates the evaluation workpaper, tracks findings and remediation actions, and produces an auditable completion certificate. Instead of assembling evidence from nothing, the evaluator works from a structured workpaper drawn from your live program; each finding is logged with an owner and a remediation action tracked to closure; and when it's done, you hold a completion certificate evidencing that the evaluation happened, what it found, and what was done about it.

For an AFSL firm, that turns the independent evaluation from a once-every-few-years fire drill into a repeatable, evidenced process. See the evaluation workflow in two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

What is the AML/CTF independent evaluation and when is it required?
The independent evaluation is a mandatory review of your entire AML/CTF program — its design and operational effectiveness — required under section 26F(4)(f) of the AML/CTF Act and Rule 5-10 of the AML/CTF Rules 2025. It replaced the old independent review obligation, which only covered Part A of the program. The evaluation must be conducted at a frequency set in your AML/CTF policies, at least once every three years.
How often must an AFS licensee conduct an AML/CTF independent evaluation?
At least once every three years (s 26F(4)(f)(ii)), but your AML/CTF policies must set a frequency appropriate to your business's nature, size and complexity — so higher-risk firms should evaluate more frequently. Your first evaluation deadline under the transitional rules falls between 30 June 2029 and 31 December 2030, determined by the last two digits of your AUSTRAC account number, unless you already completed a review under the old rules.
What does 'independent' mean for the AML/CTF program evaluation?
The evaluator must not have been responsible for designing, implementing or maintaining the program being evaluated. This means your AML/CTF compliance officer cannot evaluate their own program, and the person who drafted your policies cannot sign off on them. The evaluator can be external (an outside specialist) or internal (someone within your business who is genuinely separate from the program's operation), but in either case the independence must be documented and demonstrable.
What must the AML/CTF independent evaluation cover?
A credible evaluation must test both the design and the operational effectiveness of the whole program: the ML/TF risk assessment (s 26C), AML/CTF policies (s 26F), CDD and beneficial ownership practices, transaction monitoring and reporting (SMRs under s 41, TTRs under s 43), governance, training and record keeping (seven years under Part 10), and findings with remediation actions. The written report must go to your governing body and senior management.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at June 2026. It reflects our understanding of the AML/CTF Act, AML/CTF Rules 2025, AML/CTF Transitional Rules 2026 and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. Transitional deadlines depend on your AUSTRAC account number and prior review history. Obtain advice from a qualified professional and refer to current AUSTRAC guidance at austrac.gov.au before acting.