AUSTRAC · independent evaluation

The AML/CTF independent evaluation, and what it actually covers.

The independent evaluation (previously called the independent review) is required under AML/CTF Act 2006 (Cth) s 26F(4)(f), conducted by an evaluator independent of day-to-day operations, with sharper documentation expectations under the post-31-March-2026 framework. This page covers what the evaluation looks at, how the report shapes up, and the venue's response obligation. It is a working reference for AMLCOs and directors, not legal advice.

Working reference, not legal advice

Independent-evaluation obligations turn on the venue's specific program and risk profile. For a definitive view, talk to an AML lawyer or your external AML consultant.

Why it exists

Structural separation from self-assessment.

The independent review is the structural backstop on the venue's ongoing self-assessment of its AML/CTF program. The AMLCO can't review their own program — that's the structural integrity issue the requirement is designed to prevent. An outside view is needed at appropriate intervals to catch what self-assessment misses and to provide the venue with documented evidence that the program holds up.

The evaluator's independence has to be from day-to-day operations. An external AML consulting firm is the typical choice — RCA Group, The AML Company, and similar firms have formal independence frameworks. Some larger clubs use mid-tier accounting firms with AML practices. What doesn't satisfy the independence requirement: the AMLCO themselves, or another internal staff member who is part of the AML chain. A common good-practice expectation is that a consulting firm that authored or substantively advised on the program won't also conduct the same evaluation cycle — though this is a practice convention, not a statutory rule.

The post-31-March-2026 framework sharpens documentation expectations on the evaluation specifically (AML/CTF Rules 2025 (Cth) r 5-10): findings have to be categorised, remediation timelines have to be documented, and remediation has to be tracked through to completion. Generic findings without the response chain don't reach the standard.

Scope

Five areas, structured.

  1. Program documents. The ML/TF risk assessment and the AML/CTF policies, assessed against ss.26B–26F of the AML/CTF Act and the AML/CTF Rules 2025. Currency, version control, internal consistency, alignment with the venue's actual operations.
  2. Risk-based methodology. Whether the methodology reflects the venue's actual operating context, whether the rating framework produces reproducible scoring, whether the mitigation procedures are operational rather than aspirational.
  3. Operational records. Sample testing of CDD records, transaction monitoring outputs, SMR and TTR submissions, training records, and other operational evidence against the program's specifications.
  4. Governance and oversight. Board-level engagement evidence, AMLCO authority and resources, senior-management attestations, the documented chain from operational alert to board awareness.
  5. Update cycle. Whether the program has been kept current with operational changes (new EGMs, new cash-handling, new third-party service provider) and regulatory changes (the 2024 Amendment Act being the dominant recent example).

Reports run 30-80 pages depending on venue size and complexity, with findings categorised typically as critical / significant / minor. The reviewer's conclusion states whether the program is operating to the required standard — and where it isn't.

FAQs

Common questions about independent evaluation.

What is the AML/CTF independent evaluation?

It's a structured external evaluation of the venue's AML/CTF program — the venue's ML/TF risk assessment and its AML/CTF policies (AML/CTF Act Part 1A, in force from 31 March 2026) — required under AML/CTF Act s.26F(4)(f) and conducted by a person independent of day-to-day operations. The evaluator assesses whether the program meets the program requirements in Part 1A of the Act (ss.26B–26F) and the AML/CTF Rules 2025, whether it reflects the venue's current ML/TF risk profile, whether operational records demonstrate the program is being followed, and what remediation any identified gaps require. The independent evaluation is the structural backstop on the venue's self-assessment — the AMLCO can't evaluate their own program, so an outside view is required at least every three years.

Who can conduct the evaluation?

Any suitably qualified person independent of day-to-day operations — typically an external AML consultant, accounting firm, lawyer, or other qualified independent person. In practice, NSW registered clubs commonly engage AML consulting firms (RCA Group, The AML Company, and similar firms specialise in independent evaluations and have formal independence frameworks). Some larger clubs use mid-tier accounting firms with AML practices. Self-evaluation by the AMLCO doesn't satisfy the independence requirement; evaluation by another internal staff member also typically doesn't, unless that person genuinely sits outside the AML chain. The evaluator's independence is structural — the integrity of the evaluation depends on it. (Note: AUSTRAC does not maintain a register of AML consultants; phrases like 'registered AML consultant' or 'registered AML consulting firm' are not statutory categories.)

How often does the evaluation happen?

The AML/CTF Act sets a statutory floor: independent evaluations of the AML/CTF program must be conducted at least once every three years, and at a frequency appropriate to the venue's nature, size and complexity (AML/CTF Act s.26F(4)(f)). Three years is the minimum — higher-risk venues (large urban clubs with high cash flow, active enforcement engagement) commonly run an annual or biennial cadence; lower-risk venues (smaller community clubs with modest cash flow and a clean operating record) commonly sit at the three-year floor. The venue's AML/CTF policies document the schedule, and the AMLCO maintains it. AUSTRAC supervisory engagement may push the cadence shorter where issues are identified — but a venue cannot lawfully stretch beyond the three-year statutory floor.

What does the evaluation actually look at?

Five areas, mapped to AML/CTF Rules 2025 r.5-10. (1) Program documents — the ML/TF risk assessment and the AML/CTF policies, assessed against ss.26B–26F of the Act, the AML/CTF Rules 2025 and the regulations, with currency of content, version control, and internal consistency. (2) Risk-based methodology — whether it reflects the venue's actual operating context, whether the rating framework is reproducible, whether the mitigation procedures are operational. (3) Operational records — sample testing of CDD records, transaction monitoring outputs, SMR/TTR submissions, training records, against the program's specifications. (4) Governance and oversight — governing-body engagement evidence, AMLCO authority and reporting, senior-management attestations. (5) Update cycle — whether the program has been kept current with operational changes and regulatory changes. The output is a written report with findings categorised by severity.

What does the report look like?

A structured written document with: executive summary covering overall program assessment, scope and methodology of the evaluation, findings categorised (typically critical / significant / minor), recommendations for each finding, remediation timeline expectations, and the evaluator's conclusion on whether the program is operating to the required standard. Most reports run 30-80 pages depending on the venue's size and complexity. The report is shared with the governing body and the senior manager with overall responsibility for compliance with the AML/CTF program (AML/CTF Rules 2025 r.5-10(2)(f)) — and retained for seven years under AML/CTF Act s.116, which governs AML/CTF program (Part 1A) records.

What's the venue's response obligation?

The venue must respond to findings — typically with a documented action plan covering each significant or critical finding, remediation timeline, and assigned ownership. The AML/CTF Rules 2025 (r.5-3, r.5-4, and r.5-10(3)) anchor the response-and-remediation expectation: the response and the actual remediation completion need to be documented. Generic 'we noted the findings and will consider them' doesn't reach the standard. Findings without remediation become a structural risk indicator the next evaluation picks up — recurring findings across multiple evaluation cycles signal a systemic gap.

Can the same firm do the review every year?

Yes, technically — the independence requirement is from day-to-day operations, not from prior reviews. In practice, many NSW clubs use the same firm for several review cycles because the relationship and institutional knowledge make subsequent reviews more efficient and findings more actionable. Some clubs rotate firms periodically (every 3-5 years) for fresh perspectives, particularly when the program has been operating without major issues for an extended period. Best practice is to consider rotation when reviews start surfacing the same observations cycle after cycle without meaningful new content.

How does the review interact with AUSTRAC supervisory engagement?

Two ways. First, the review is a self-assessment artefact — the venue runs it, owns the report, and uses it internally for program improvement. AUSTRAC doesn't routinely receive copies of independent review reports unless requested. Second, AUSTRAC can request the report or the underlying records as part of supervisory engagement (a routine review of the venue, an enforcement matter, an annual return audit). When the report is requested, the venue's response to findings — what was identified, what was actioned, how completion was documented — becomes evidence of the venue's compliance posture. A venue with consistent independent review and demonstrable remediation is in a structurally stronger position.
