The AML/CTF Independent Evaluation Every AFSL Firm Must Plan For | AML/CTF Australia 2026
Buried in the AML/CTF obligations — and easy to forget because it's not a daily task — is the independent evaluation requirement. If you've stood up a program as an AFSL firm, this is the obligation that quietly comes due, and turning up to it unprepared is a recurring source of pain. The reforms also changed its name and its scope, which catches a lot of people out.
"Independent review" is now "independent evaluation" — and it's bigger
Under the old regime, you only had to commission an independent review of Part A of your program. From the 2026 reforms, that's replaced by a more demanding independent evaluation of your entire AML/CTF program — your ML/TF risk assessment, your AML/CTF policies, governance, and how it all works in practice. The obligation sits at section 26F(4)(f) of the AML/CTF Act, with the detail filled out in Rule 5-10 of the AML/CTF Rules 2025.
How often you must do it
Your AML/CTF policies must set the frequency of evaluations, satisfying two conditions:
- It must be appropriate to the nature, size and complexity of your business (s 26F(4)(f)(i)) — higher-risk firms should evaluate more often.
- It must happen at least once every three years (s 26F(4)(f)(ii)).
For your first evaluation, the transitional rules stagger the deadline to avoid an industry bottleneck — generally falling between 30 June 2029 and 31 December 2030, determined by the last two digits of your AUSTRAC account number. If you already completed an independent review under the old Rules, a different transitional calculation applies.
What "independent" actually means
This is the part firms get wrong. "Independent" means the evaluator cannot have been responsible for designing, implementing or maintaining the program they're evaluating. Your AML/CTF compliance officer can't evaluate their own program. The person who wrote your policies can't sign off that the policies are sound.
That leaves two routes:
- External evaluator — an outside specialist. Clean independence, higher cost, less internal context.
- Internal evaluator — someone within your business who is genuinely separate from the program's design and operation. Cheaper and better-informed, but only valid if the separation is real and can be demonstrated.
Either way, the independence has to be documented and defensible, not assumed.
What the evaluation must cover
A credible evaluation tests the design and the operational effectiveness of the whole program, typically including:
- Your ML/TF risk assessment (s 26C) — is the methodology sound, and is it current?
- Your AML/CTF policies (s 26F) — are they adequate and actually being followed?
- Customer due diligence and beneficial ownership in practice.
- Transaction monitoring and reporting — are SMRs (s 41) and TTRs (s 43) being identified and lodged?
- Governance, training and record keeping (records kept seven years under Part 10).
- Findings and remediation — what's broken and how it'll be fixed.
The written report goes to your governing body and senior management so adverse findings are actually addressed.
Make the evaluation routine, not a fire drill
Done manually, the evaluation is a scramble: chasing evidence across inboxes and folders, reconstructing what was done and when, writing a workpaper from scratch, then losing track of whether the findings ever got fixed. The remediation half — the part regulators actually care about — usually falls through the cracks.
Veriqua's Independent Review module generates the evaluation workpaper, tracks findings and remediation actions, and produces an auditable completion certificate. Instead of assembling evidence from nothing, the evaluator works from a structured workpaper drawn from your live program; each finding is logged with an owner and a remediation action tracked to closure; and when it's done, you hold a completion certificate evidencing that the evaluation happened, what it found, and what was done about it.
For an AFSL firm, that turns the independent evaluation from a once-every-few-years fire drill into a repeatable, evidenced process. See the evaluation workflow in two minutes, no login: demo.veriqua.com.au/start.
Frequently Asked Questions
What is the AML/CTF independent evaluation and when is it required?↓
How often must an AFS licensee conduct an AML/CTF independent evaluation?↓
What does 'independent' mean for the AML/CTF program evaluation?↓
What must the AML/CTF independent evaluation cover?↓
Related articles
What Tranche 2 AML/CTF Changes for Your AFSL Business
The new ML/TF risk assessment, AML/CTF policies and what the 31 March 2026 transition means for existing AFSL firms.
Stop Managing Two Compliance Registers: AFSL + AML
How to run ASIC and AUSTRAC obligations as one integrated program rather than two parallel registers.
AML/CTF Program Checklist for Accountants Australia 2026
Related program-build guidance for another Tranche 2 sector — useful cross-sector reference.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at June 2026. It reflects our understanding of the AML/CTF Act, AML/CTF Rules 2025, AML/CTF Transitional Rules 2026 and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. Transitional deadlines depend on your AUSTRAC account number and prior review history. Obtain advice from a qualified professional and refer to current AUSTRAC guidance at austrac.gov.au before acting.