
    Annual AML/CTF Program Review: What You Need to Check

    ComplyReady Team | 28 March 2026

    Having an AML/CTF program is a legal requirement. Keeping it up to date is equally important — and often overlooked. Under the AML/CTF Act, reporting entities must conduct an independent review of their AML/CTF program at least once every 12 months. This is not optional. AUSTRAC expects to see evidence that your program is being actively maintained and improved, not just gathering dust in a filing cabinet.

    Why the Annual Review Matters

    The annual review serves several purposes:

    • Ensures your program reflects current risks. Your business, client base, and the regulatory environment all change over time. A program written in 2026 may not adequately address risks that emerge in 2027.
    • Demonstrates regulatory compliance. If AUSTRAC audits your business, one of the first things they will ask for is evidence of your most recent program review.
    • Identifies gaps before they become breaches. A thorough review catches weaknesses — missing training records, outdated CDD procedures, incomplete risk assessments — before a regulator or a real-world incident exposes them.

    Who Should Conduct the Review?

    The review must be conducted by someone with sufficient independence from the day-to-day operation of the program. This can be:

    • An external consultant or auditor with AML/CTF expertise
    • A senior staff member who is not the AML/CTF compliance officer (to avoid self-review)
    • For very small businesses, the compliance officer can conduct the review if no alternative is available, but they should document this limitation and apply extra rigour

    The reviewer should have a clear understanding of the AML/CTF Act, your business's designated services, and the specific risks your practice faces.

    What to Assess: A Practical Checklist

    Use the following checklist to structure your annual review. Each item should be assessed, and your findings should be documented in a written review report.

    1. Risk Assessment Currency

    • Has your ML/TF risk assessment been updated in the past 12 months?
    • Does it reflect any changes to your services, client base, delivery channels, or geographic exposure?
    • Have any new typologies or AUSTRAC advisories been published that affect your risk profile?
    • Are risk ratings assigned to each client consistent with your risk assessment methodology?

    2. Part A — Systems and Controls

    • Is your AML/CTF program document current and accessible to relevant staff?
    • Are your policies and procedures aligned with the current legislation and AUSTRAC rules?
    • Is your compliance officer named and their responsibilities clearly defined?
    • Are reporting procedures for suspicious matters clear and well-understood?
    • Is there a process for escalating compliance concerns within the business?

    3. Part B — Customer Identification

    • Are your customer identification procedures being followed consistently?
    • Have you verified the identity of all clients before providing designated services?
    • Are beneficial ownership records complete for corporate and trust clients?
    • Are there any clients whose identification has not been verified or is overdue for re-verification?

    4. Ongoing Customer Due Diligence

    • Are higher-risk clients subject to enhanced due diligence?
    • Is transaction monitoring being conducted where applicable?
    • Are client risk profiles being reassessed when circumstances change?
    • Is there a schedule for periodic CDD reviews?

    5. Suspicious Matter Reporting

    • Have any suspicious matters been identified in the review period?
    • Were all SMRs lodged within the required timeframes?
    • Is there a process for staff to report internal suspicions to the compliance officer?
    • Are SMR records stored securely and separately from general client files?

    6. Staff Training

    • Have all relevant staff completed AML/CTF training?
    • Was training delivered within 30 days of commencement for new employees?
    • Is training content current and tailored to your business?
    • Are training completion records maintained?

    7. Record Keeping

    • Are CDD records, transaction records, and SMRs being retained for at least seven years?
    • Are records stored securely with appropriate access controls?
    • Can records be retrieved promptly if requested by AUSTRAC?

    8. Technology and Systems

    • Are any technology tools or software used for CDD, screening, or monitoring functioning correctly?
    • Have there been any system failures, data breaches, or access issues during the review period?
    • Are PEP and sanctions screening lists being updated regularly?

    Documenting the Review

    Your review must produce a written report that includes:

    • The date of the review and the period covered
    • The name and qualifications of the reviewer
    • A summary of findings for each area assessed
    • Any deficiencies or gaps identified
    • Recommended actions to address deficiencies
    • A timeline for implementing those actions

    Keep the review report on file. AUSTRAC may request it during a compliance assessment, and it serves as evidence that your business takes its obligations seriously.

    Common Gaps Found in Annual Reviews

    Based on industry experience, these are the issues that come up most frequently:

    • Training records missing or incomplete. Staff have been trained, but no records exist to prove it.
    • Risk assessment not updated. The original risk assessment has not been revisited despite changes to the business.
    • CDD records incomplete for legacy clients. Clients onboarded before the AML/CTF program was established have not been retrospectively verified.
    • No evidence of ongoing monitoring. The program describes ongoing CDD, but there is no documented process for how it is carried out.
    • SMR procedures unclear. Staff are unsure how to escalate a suspicion internally.

    Make Your Annual Review Effortless

    Tracking compliance across risk assessments, training records, CDD files, and SMR logs is manageable when you have the right tools. ComplyReady gives you a centralised dashboard that tracks every element of your AML/CTF program, flags overdue reviews, and generates audit-ready documentation.

    Start your free trial and take the stress out of your next annual review.
