Governing Body Obligations

13 March 2026
AML Comply has provided a summary of AUSTRAC’s guidance relating to your governing body below. Please note that this overview is intended as a guide only; for comprehensive details, the full AUSTRAC documentation is included further down this page.

Summary

The governing body is responsible for ongoing oversight of your business’s money laundering, terrorism financing, and proliferation financing (ML/TF) risks, as well as compliance with AML/CTF policies, obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the associated Rules, and relevant regulations.

Key Responsibilities:

  • Ensure ML/TF risks are appropriately identified, assessed, managed, and mitigated.
  • Oversee compliance with AML/CTF policies and obligations.
  • Receive reports from the AML/CTF compliance officer at least annually, covering compliance and ML/TF risk mitigation.
  • Be promptly notified in writing of any updates to the risk assessment.
  • Take an active role in AML/CTF compliance, questioning reports, understanding risk assessments, and addressing non-compliance.

Indicators of Appropriate Oversight:

  • AML/CTF and ML/TF risk are regular agenda items at meetings.
  • Reports from compliance officers and independent evaluations are reviewed and challenged.
  • Root causes of compliance issues are examined, and progress on corrective actions is monitored.
  • Meeting minutes demonstrate engagement with AML/CTF matters.

Indicators of Inappropriate Oversight:

  • Limiting compliance officer reporting or not reviewing reports.
  • Failing to understand risk assessments or ongoing compliance breaches.
  • Not having AML/CTF matters regularly discussed at governing body meetings.

Reasonable Steps Expected:

  • Ensure AML/CTF policies align with ML/TF risks and are updated with risk assessments.
  • Implement monitoring, independent reviews, and appropriate resourcing.
  • Appoint eligible AML/CTF compliance officers and senior managers with clear responsibilities.
  • Provide the compliance officer with authority, independence, resources, and direct access to the governing body.
  • Support the compliance officer in addressing non-compliance and allocate resources to manage risks effectively.

Implementation Tips:

  • Undertake regular training to understand AML/CTF obligations.
  • Establish and document processes for ongoing oversight of risk and compliance.
  • Proactively request updates on AML/CTF matters, including resource needs.
  • Maintain documentation demonstrating the compliance officer meets eligibility requirements.

Governing Body Obligations

Author: AUSTRAC

This section refers to the Act sections 26H and 26P(2) and the Rules section 5–7.

The governing body must exercise appropriate ongoing oversight of your identification and assessment of money laundering, terrorism financing and proliferation financing risk (we refer to these as ML/TF risks) in your risk assessment.

It also oversees your compliance with:

  • your AML/CTF policies
  • the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act)
  • the Anti-Money Laundering and Counter-Terrorism Financing Rules (the Rules)
  • the regulations (your AML/CTF obligations).

The governing body must also take reasonable steps to make sure your business is:

  • appropriately identifying, assessing, managing and mitigating its ML/TF risks
  • complying with its AML/CTF policies
  • complying with its AML/CTF obligations.

The governing body must receive reports from the AML/CTF compliance officer at least once every 12 months about both:

  • compliance with your AML/CTF policies and obligations
  • ML/TF risk mitigation and management.

The governing body must also receive written notification of any updates to the risk assessment as soon as practicable after the update is made.

We expect your governing body to take an active role in AML/CTF compliance. This will support your governing body to appropriately oversee and take reasonable steps to manage its obligations.

Appropriate ongoing oversight

This section refers to the Act section 26H and the Rules division 1 of part 3.

Your governing body must be engaged to appropriately oversee your AML/CTF compliance. To help meet this obligation, we expect your governing body to both:

  • question and review matters included in reports, where appropriate
  • take reasonable steps to address non-compliance and any failure to identify and assess risks.

There are certain behaviours that may indicate that your governing body is exercising appropriate ongoing oversight.

Examples that may demonstrate appropriate AML/CTF oversight

Below are examples that may show appropriate AML/CTF oversight:

  • having AML/CTF compliance and ML/TF risk as a regular standing agenda item in meetings
  • reviewing relevant matters included in AML/CTF compliance officer and independent evaluation reports
  • questioning how the business will address adverse findings included in compliance officer and independent evaluation reports
  • questioning the root causes of non-compliance or ongoing compliance breaches and the effectiveness of any controls
  • understanding the risk assessment and the risk assessment methodology – how it has been designed
  • keeping meeting minutes to show how you’ve engaged with related matters
  • monitoring progress of any actions to address non-compliance.

Examples that may demonstrate inappropriate AML/CTF oversight

Below are examples that may show inappropriate AML/CTF oversight:

  • limiting the compliance officer’s ability to provide candid and regular updates on relevant matters
  • not considering compliance officer reports
  • not understanding, reviewing or questioning matters included in reports or other updates
  • not questioning the root cause of ongoing compliance breaches
  • not understanding the risk assessment and its design
  • not having a regular standing item for ML/TF risk and AML/CTF compliance on your agenda.

Taking reasonable steps

This section refers to the Act sections 26F(4), 26H, 26J and 26P(2) and the Rules section 5–7.

Your governing body must take reasonable steps to make sure you’re both:

  • appropriately identifying, assessing, mitigating and managing ML/TF risk
  • complying with your AML/CTF obligations.

This will typically involve your governing body making sure that your business does all of the following:

  • aligns its AML/CTF policies to the ML/TF risks of your business
  • reviews its risk assessments to identify and assess new or changed risks
  • aligns its policies with any changes to risk assessments
  • has appropriate assurance and monitoring processes built into the program
  • puts in place independent reviews of AML/CTF capabilities and compliance at appropriate intervals
  • adopts a strong AML/CTF culture
  • engages, resources and empowers appropriate people to meet its obligations
  • escalates compliance issues appropriately to its governing body, particularly when changes to resourcing or wider business practices are required
  • makes sure that they understand the business’s risks, the way it meets its obligations and any significant compliance issues
  • supports your compliance officer to address any AML/CTF compliance issues.

The table below shows the typical AML/CTF obligations that governing bodies focus on. It also outlines examples that may demonstrate they’ve taken reasonable steps to ensure the business complies with them.

Governing bodies don’t need to discharge these obligations directly. The table also doesn’t provide a comprehensive list of all AML/CTF obligations.

Obligation:

Appoint an eligible AML/CTF compliance officer

Examples that may show taking reasonable steps:

Make sure a person at management level:

  • is appointed as an AML/CTF compliance officer
  • meets the residency and fit and proper person requirements.

Obligation:

Make sure senior manager roles with AML/CTF responsibilities are appropriately staffed

Examples that may show taking reasonable steps:

Make sure the business appoints a senior manager(s) to approve the AML/CTF program and make key AML/CTF decisions.

Obligation:

Make sure the AML/CTF compliance officer provides regular reports on ML/TF risk and compliance at least once every 12 months

Make sure the governing body receives updates on changes to its risk assessment

Examples that may show taking reasonable steps:

Require the compliance officer to provide periodic reports on risks, compliance and key updates.

Provide the compliance officer and people providing updates on risk assessments:

  • a direct line of communication to the governing body
  • the authority to escalate issues.

Make sure that no other person amends or removes significant findings or recommendations in reports from the compliance officer before reaching the governing body.

Obligation:

The AML/CTF compliance officer must have sufficient:

  • authority
  • independence from external and internal influence
  • access to resources and information

so they can perform their functions.

Examples that may show taking reasonable steps:

Make sure the compliance officer can coordinate and oversee implementation of the AML/CTF program. Ensure this by making sure they have sufficient:

  • staff
  • funding
  • technology
  • access to information.

Obligation:

Take reasonable steps to make sure the business is identifying, assessing, mitigating and managing ML/TF risk and complying with AML/CTF obligations

Examples that may show taking reasonable steps:

Question the basis for conclusions reached in the AML/CTF compliance officer’s reports and the reasons for any non-compliance.

Support the compliance officer in addressing any non-compliance.

Show an understanding of how the risk assessment:

  • reflects current ML/TF risks
  • effectively identifies, mitigates and manages those risks.

Allocate appropriate resources to:

  • identify, assess, mitigate and manage ML/TF risks
  • comply with AML/CTF obligations.

Implementation tips for governing bodies

To help you implement governance and oversight, you can:

  • get regular training (for example, annually) to develop an understanding of your AML/CTF obligations
  • set out how your business will maintain ongoing oversight of risk and compliance
  • proactively request updates on AML/CTF matters, including resourcing requirements for AML/CTF compliance
  • document how your AML/CTF compliance officer meets the eligibility requirements.
