The AML/CTF Annual Review: What You Must Do and When

Published 27 June 2026

by Tranche Compliance Team, AML/CTF Compliance Specialists


Key takeaways

  • Every AML/CTF program must be reviewed at least once every 12 months under s.162 of the Act — it is a statutory obligation, not a best-practice recommendation.
  • The review must be conducted by a person independent of the function being reviewed — for most small firms, this means an external reviewer.
  • The review must produce a written report; the firm's documented response to findings must also be retained.
  • Out-of-cycle reviews are required whenever a material change occurs in your business, risk environment, or the regulatory framework.
  • AUSTRAC traces findings across successive annual reviews — a deficiency noted once that reappears the following year signals a governance failure.

The Annual Review Obligation

Section 162 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) requires every reporting entity to review its AML/CTF program at least once every 12 months, or whenever a material change occurs in the entity's business, risk environment, or the regulatory framework. This is not a discretionary best-practice recommendation — it is a statutory obligation that applies to every Tranche 2 entity from the date it first becomes a reporting entity.

The review obligation exists because an AML/CTF program that is not regularly assessed against current conditions cannot be said to be functioning effectively. Your client base changes. Your service mix changes. AUSTRAC's guidance and typologies evolve. New money laundering methodologies emerge. A program written in 2026 and never revisited will rapidly become a liability rather than a compliance asset.

For firms that have recently completed their first AML/CTF program under the Tranche 2 reforms, the 12-month clock starts from the date the program was adopted by senior management. Many firms will find that their first annual review falls due in mid-2027 — which is also close to the period when AUSTRAC is expected to begin active supervisory assessments of newly regulated Tranche 2 entities. Getting the review right in year one sets the standard for everything that follows.

What the Review Must Cover

The annual review is not simply a re-reading of your existing program. It is a structured assessment of whether the program remains adequate given your current circumstances. AUSTRAC's guidance identifies several areas that must be covered in every review.

First, the review must assess whether the risk assessment methodology in Part A continues to reflect the risks your firm actually faces. If your client demographic has shifted — more international clients, more complex ownership structures, higher average transaction values — the risk methodology must be updated to reflect that. If AUSTRAC has issued new guidance on typologies or high-risk sectors, those updates must be incorporated.

Second, the review must assess whether your customer due diligence procedures in Part B are being implemented in practice, and whether they are adequate for the transactions you are conducting. This requires looking at actual matter files, not just the policy document. Are staff identifying and applying enhanced due diligence for high-risk clients? Are source of wealth (SoW) assessments being documented to the required standard? Are there recurring gaps in the evidence obtained?

Third, the review must assess whether your training program is being delivered as documented and whether staff knowledge is at the required level. This may involve reviewing training attendance records, testing staff comprehension, or assessing whether staff can correctly identify red flags in practice scenarios.

Fourth, the review must assess the functioning of your AMLRO — whether the designated officer has the resources and authority to discharge their obligations, whether internal suspicious matter reports are being received and assessed, and whether the firm's reporting record with AUSTRAC is proportionate to its transaction volume and client risk profile.

The Independence Requirement

The AML/CTF Act and Rules require that the annual review be conducted by a person who is independent of the function being reviewed. This independence requirement is often misunderstood. It does not necessarily require an external consultant — in a sufficiently large firm, an internal compliance function that is separate from the operational team conducting designated services can satisfy the independence requirement.

For most small law firms, conveyancing practices, and real estate agencies, however, genuine internal independence is difficult to achieve. The AMLRO is typically a senior partner or principal who is also operationally involved in client matters. A review conducted by the AMLRO of their own compliance function does not satisfy the independence requirement.

In practice, small-to-medium Tranche 2 entities will typically need to engage an external reviewer — either a specialist AML/CTF consultant, a law firm with compliance expertise, or an accounting firm with regulatory advisory capability. The cost of an external review varies significantly depending on firm size and complexity; for a small firm with straightforward operations, a focused review engagement might cost $2,000-5,000. For a larger firm with complex structures and higher transaction volumes, $10,000-25,000 is more typical.

What the independent reviewer must produce is a written report: documenting what they reviewed, what they found, and what recommendations they are making. The report must be provided to senior management or the board — not just filed away by the AMLRO — so that appropriate oversight is demonstrated. If the reviewer identifies material deficiencies, the firm's response to those findings must also be documented.

Documenting the Review Findings

Documentation of the annual review is as important as the review itself. AUSTRAC will look for evidence that the review was actually conducted, what it found, and what the firm did in response. A review that was supposedly conducted but produced no written record will be treated sceptically.

The review documentation should include: the date the review was conducted; the name and credentials of the reviewer; the scope of the review — which elements of the program were assessed and which files or records were examined; the key findings — both positive (what is working well) and negative (what requires improvement); recommendations for specific changes to the program or procedures; and the firm's response to those recommendations, including a timeline for implementation.

Where the review identifies deficiencies, the firm's response must be documented and tracked. A finding that staff training is not being delivered annually is not resolved by writing a note about it — it is resolved by implementing the training, recording attendance, and confirming in next year's review that the finding has been addressed. AUSTRAC will trace the thread of findings across multiple annual reviews to assess whether the firm is genuinely improving or simply going through the motions.

The review record, along with the updated program documentation that reflects the review's findings, must be retained for seven years. This retention obligation applies to each annual review independently — the records must be accessible and retrievable for the full retention period, not just the most recent cycle.

Tranche tracks your annual review cycle automatically

Generate your compliant AML/CTF program manual in under 30 minutes — no compliance lawyer required.

Get started with Tranche

Triggers for an Out-of-Cycle Review

The annual review is the minimum. The AML/CTF Act also requires a review whenever there is a material change that affects your program's adequacy. Several categories of change will typically trigger an out-of-cycle review obligation.

Regulatory changes are the most common trigger. If AUSTRAC amends its Rules, issues new guidance, or publishes updated typologies or risk assessments that are relevant to your sector, your program must be assessed for adequacy against those changes. The pace of regulatory evolution in the Tranche 2 period is expected to be significant — AUSTRAC has indicated it will continue to develop sector-specific guidance throughout 2026 and 2027.

Business changes also trigger review obligations. If your firm opens a new office, acquires another practice, takes on a materially different client type, begins providing a new designated service, or loses its AMLRO, the program should be assessed for continued adequacy in light of those changes. These changes do not necessarily require a complete review, but they do require a documented assessment of whether the existing program remains fit for purpose.

Significant compliance incidents — a suspicious matter report that reveals a gap in your detection procedures, a client who passed your CDD process but was subsequently identified in law enforcement intelligence, or a failed internal audit — should also trigger a review of the specific procedures involved. Waiting for the annual cycle in those circumstances would leave a known gap unaddressed for up to 12 months.

Common Annual Review Failures

AUSTRAC's published enforcement guidance and industry supervisory findings identify recurring patterns of annual review non-compliance that Tranche 2 entities should be aware of and actively guard against.

The most common failure is not conducting the review at all. Firms intend to do it, put it on the compliance calendar, but it slips — and then another year passes. Without a formal tracking system and accountable ownership, the annual review becomes one of those things that is perpetually planned but never executed. Tranche's compliance calendar feature automates the reminder cycle and tracks the review status, ensuring the deadline is not lost in the day-to-day press of client work.

The second common failure is conducting a review that is not genuinely independent. This includes the AMLRO reviewing their own function, or a senior partner reviewing a program that they themselves wrote, without any external input. The independence requirement exists precisely to catch blind spots — a self-review will not identify what the reviewer cannot see about their own practice.

The third common failure is conducting a review that is thorough on paper but does not lead to any program updates. If your annual review finds that everything is adequate and no changes are needed, that conclusion will only be credible if it is well-supported with evidence of what was tested and what was found. A clean bill of health with no supporting evidence will be questioned; a clean bill of health with documented file reviews, training records, and AMLRO activity logs is defensible.

Senior Management Accountability

One element of the annual review that is frequently underweighted is the requirement for senior management accountability. The AML/CTF Act requires that the results of the annual review be reported to senior management — the partners, directors, or principals of the firm — and that those individuals take responsibility for the program's adequacy.

This means the annual review is not purely a compliance function activity. It is a governance event. The partners of a law firm or the directors of a conveyancing company must receive the review findings, approve any program updates, and be on record as having done so. A review that is conducted by the AMLRO and filed without being reported to the principals does not satisfy the governance requirement.

For firms with a management committee or board, the annual review findings should appear as an agenda item at the appropriate governance meeting. The minutes of that meeting — confirming that the review was presented and considered — become part of the compliance record. This is exactly the kind of documented senior management oversight that AUSTRAC looks for when assessing whether a firm's AML/CTF governance is genuinely embedded or merely nominal.

Tranche's compliance review module is designed to support this governance process. Review findings are structured, dated, and associated with the compliance program version they assessed. Senior management acknowledgement is recorded in the platform, creating a timestamped audit trail that demonstrates governance engagement across each annual cycle.

How Tranche Manages Your Review Cycle

Tranche tracks your annual review cycle from the moment your AML/CTF program is generated. The compliance calendar automatically sets a review due date 12 months from your program adoption date and sends reminder notifications to the designated AMLRO and firm administrator as the due date approaches.

The review module in Tranche provides a structured checklist covering each required review element — risk assessment currency, Part B procedure adequacy, training delivery, AMLRO function, and reporting proportionality — so the reviewer can work through each area systematically and document their findings against each item. The module captures the reviewer's name and credentials, the date of review, and the outcome for each checklist item.

Where the review identifies required updates to the program, those updates are made through the wizard interface, generating a new program version with a clear version history. The audit trail shows: version 1 adopted on date X, annual review completed on date Y by reviewer Z, version 2 adopted on date W in response to findings. That version history is exactly what AUSTRAC expects to see when it assesses whether a firm's program has been maintained, not merely created and forgotten.

For firms that engage an external reviewer, Tranche can generate a review summary report — in PDF format — that the external reviewer can use as the basis for their written findings. This reduces the time the external reviewer spends on administrative documentation and keeps the engagement focused on substantive assessment.
