What should a board know about AML/CTF Reviews?

What should a company board know about the AML/CTF regular review?

 

Introduction

2025 has been a significant year for boards to consider their anti-money laundering and counter-terrorism financing (‘AML/CTF’) obligations. Apart from the ‘forward-looking’ regulatory changes that are due to be enforced in 2026, companies are also required to comply with their existing obligations, including their ‘regular reviews’.

Best practice corporate governance suggests that the company board should be actively engaged with its company’s monitoring of AML/CTF compliance. The ramifications of AML/CTF non-compliance can be significant for companies and their boards, including substantial fines.

If you are a director of an Australian company that is required to comply with the Government’s AML/CTF laws and report to the Australian Transaction Reports and Analysis Centre (‘AUSTRAC’), the board you are part of should understand the obligations of the AML/CTF regular review process.

As part of overall compliance with the AML/CTF laws, the company must have ‘Part A’ of its AML/CTF program independently and regularly reviewed. How the company performs this review, and how often the review is done, depends on the size, nature and complexity of the business.

 

What is ‘Part A’?

Part A of the AML/CTF program refers to the overall process a company board considers regarding the policies and procedures the business implements to meet the requirements of ongoing AUSTRAC compliance.

The Part A AML/CTF policies and procedures should be designed to identify, mitigate, and manage money laundering and terrorism financing risks. The Part A process involves developing and maintaining an AML/CTF program including risk assessments and ongoing customer due diligence (‘OCDD’) and transaction monitoring.

OCDD systems and controls help compliance teams decide whether additional customer and beneficial owner information should be collected and verified on an ongoing basis. From an AML/CTF perspective, the company is responsible for being proactive about OCDD and for monitoring its customers throughout its ongoing relationship with them.

 

What is the regular review?

The regular review is an independent review and an impartial assessment of Part A of the company’s AML/CTF program and checks that the company is effectively complying with the program. For example, the program should:

·       properly address the company’s money laundering and terrorism financing risks;

·       comply with the AML/CTF legal obligations; and

·       be working as it should be.

 

What is ‘regular’ with regard to timing?

The company board must decide how often reviews are done. How the board decides on the regularity of reviews depends on, for example:

·       the size of the business or organisation;

·       what type of business is being conducted;

·       how complex the business or organisation is; and

·       the level of money laundering/terrorism financing risk.

AUSTRAC states that ‘high-risk’ organisations should have independent reviews done at least every two to three years. From experience, most organisations I’ve assisted with the review process would generally adopt a two to three year Part A review cycle.

If your business or organisation has changed significantly, you may need to get reviews done more often. For example, this may apply if your business has had significant change due to M&A activity, or if there have been increases to the risk of your business or organisation being used for money laundering or terrorism financing.

 

Who can conduct the regular review?

AUSTRAC suggests that the independent reviewer must be someone who:

·       understands the underlying business or organisation under review;

·       understands money laundering and terrorism financing risks; and

·       was not involved in any part of developing the program, including assessing the money laundering/terrorism financing risk, developing controls or implementing or maintaining the program.

The reviewer can be someone internal to the organisation under review or someone external to it. An example of an internal reviewer could be an internal auditor who doesn’t serve in an AML/CTF compliance role. An external reviewer might include a lawyer or a corporate governance expert.

 

Conclusion

Boards should be aware of their AML/CTF obligations as part of the Board’s commitment to best practice corporate governance.

As mentioned in a previous post, significant regulatory change is also coming to the AML/CTF space over the next 12 months. AUSTRAC will expect not just updates to policy documents, but clear evidence that boards and senior management understand the changes to the laws and have considered their own AML/CTF obligations.

If your company is due to conduct a Part A review in 2025, there are five months remaining to complete your review. The Part A review can also be done in conjunction with board consideration of how best to comply with the AML/CTF regulatory change that is coming in 2026. There may be merit for a board to map out and project-manage their Part A review AND their updates to AML/CTF policy, prior to the end of the calendar year.

If your board does not yet have a compliance expert or governance professional who is experienced with AML/CTF Part A reviews, OR the impending regulatory reforms, I can offer your team guidance or support by reviewing your current AML/CTF Program, advising your Governance/Risk/Compliance Committee, or joining your board sub-committee to help your board navigate these significant compliance changes.

 

https://www.andrewsmcneil.com/

 

  

 

 
