Governing Body

What is a Governing Body

AUSTRAC’s reforms guidance defines the governing body as the person or group primarily responsible for the governance and executive decisions of the business. For larger businesses, this may be the board. For smaller businesses, this may be the business owner.

AUSTRAC also explains the broader governance framework and identifies three roles in the AML and CTF governance structure. These are the governing body, senior manager or managers, and the AML and CTF compliance officer. AUSTRAC notes that in small businesses, one person may hold multiple roles.

This matters because it removes ambiguity. Under the reformed framework, regulators are not only interested in policies and procedures. They are interested in who owns risk decisions, who allocates resources, and who is accountable when controls fail.

Governing body obligations under the reforms guidance

AUSTRAC’s governing body reforms page sets out obligations and refers to Act sections 26H and 26P(2) and Rules section 5 to 7. It states that the governing body must exercise appropriate ongoing oversight of the identification and assessment of money laundering, terrorism financing and proliferation financing risks in the risk assessment, and oversee compliance with AML and CTF policies and obligations.

AUSTRAC also states that the governing body must take reasonable steps to make sure the business is appropriately identifying, assessing, managing and mitigating its ML and TF risks and complying with AML and CTF obligations.

A particularly practical requirement is reporting cadence. AUSTRAC states the governing body must receive reports from the AML and CTF compliance officer at least once every 12 months on compliance with AML and CTF policies and obligations and on ML and TF risk mitigation and management. It must also receive written notification of updates to the risk assessment as soon as practicable after the update is made.

Why this is a big shift for Tranche 2 businesses

Many Tranche 2 firms have historically treated AML and CTF controls as operational admin. The reforms push the topic into executive governance.

Government reform material explains that the Amendment Act updates AML and CTF program requirements, shifting away from a check box approach and requiring appropriate measures focused on identifying, assessing and mitigating ML, TF and PF risk, including clearer roles and responsibilities for governing bodies and compliance officers.

AUSTRAC’s own reform summary also emphasises that the new framework highlights the role of governing bodies and senior management in overseeing ML and TF risk and AML and CTF compliance, and makes it an explicit requirement to appoint a fit and proper AML and CTF compliance officer responsible for implementing the AML and CTF program.

For Tranche 2 firms, this means your AML program is not just a compliance document. It is a governance system that must be owned at the top.

Practical examples of a governing body in Tranche 2 sectors

Example 1: Law firm partnership as governing body

In a partnership structure, the partnership committee or equity partners who make executive decisions will usually act as the governing body. They should formally allocate AML responsibilities, approve resourcing, and receive scheduled compliance reports.

Example 2: Real estate agency owner as governing body

In a small business, the owner may be the governing body, senior manager, and compliance officer. AUSTRAC explicitly recognises that one person may hold multiple governance roles in small businesses.

Example 3: Accounting firm board or director group

For incorporated firms, the board or director group is usually the governing body. They should approve the governance framework, confirm risk appetite, and require evidence that the program works.

Best practice governance for Tranche 2 AML and CTF readiness

1. Define governance roles clearly

Document who is the governing body, who is the senior manager for AML approvals, and who is the AML and CTF compliance officer. AUSTRAC’s governance framework guidance makes clear these roles are distinct even if held by one person.

2. Put the risk assessment on the agenda

Governing bodies must oversee identification and assessment of ML and TF risks. In practice, make the ML and TF risk assessment a standing agenda item at least quarterly during implementation, then on a sensible periodic basis once stable.

3. Set reporting expectations for the compliance officer

AUSTRAC requires at least annual reporting from the compliance officer to the governing body. Create a standard reporting pack that covers training, suspicious matters, key control testing outcomes, breaches, and upcoming regulatory milestones.

4. Allocate resources and document the rationale

Reasonable steps often come down to resourcing. If you decide not to buy screening tools or not to add staff, record the rationale and the compensating controls.

5. Build an AML culture that survives busy periods

AUSTRAC explicitly expects governing bodies to take an active role. A visible tone from the top helps staff ask the hard questions even when matters are urgent.

Common challenges

• Governing bodies delegate everything and never receive meaningful reporting.
• Compliance officers are appointed but not empowered, under resourced, or isolated.
• Risk assessments are drafted once and never refreshed, despite service and customer changes.
• Firms treat AML governance as an annual tick, rather than continuous oversight.

Conclusion: Governing Bodies and AML Compliance

Governing body is now a core AML and CTF concept, not just a corporate governance phrase. Under the reformed regime, AUSTRAC expects the governing body to actively oversee ML, TF and PF risk and ensure the business takes reasonable steps to comply. Tranche 2 firms that treat governance as a real control, with clear roles, regular reporting, and proper resourcing, will find implementation far smoother and far more defensible.