Governing Body

What is a Governing Body Under AUSTRAC Rules??

AUSTRAC’s reforms guidance defines the governing body as the person or group primarily responsible for the governance and executive decisions of the business. For larger businesses, this may be the board. For smaller businesses, this may be the business owner.

AUSTRAC also explains the broader governance framework and identifies three roles in the AML and CTF governance structure. These are the governing body, senior manager or managers, and the AML and CTF compliance officer. AUSTRAC notes that in small businesses, one person may hold multiple roles.

This matters because it removes ambiguity. Under the reformed framework, regulators are not only interested in policies and procedures. They are interested in who owns risk decisions, who allocates resources, and who is accountable when controls fail.

Why the Governing Body Matters in AML/CTF Compliance

The governing body plays a central role in AML/CTF compliance because accountability sits at the top of the organisation. Under the framework overseen by AUSTRAC, it must oversee ML, TF, and PF risk, ensure appropriate controls are in place, and take reasonable steps to maintain compliance.

It also sets the tone from the top, approves resourcing, and receives regular compliance reports. Strong governance makes an AML/CTF program practical, effective, and defensible — especially for Tranche 2 businesses.

Governing Body Obligations Under the Reforms Guidance

AUSTRAC’s governing body reforms page sets out obligations and refers to Act sections 26H and 26P(2) and Rules section 5 to 7. It states that the governing body must exercise appropriate ongoing oversight of the identification and assessment of money laundering, terrorism financing and proliferation financing risks in the risk assessment, and oversee compliance with AML and CTF policies and obligations.

AUSTRAC also states that the governing body must take reasonable steps to make sure the business is appropriately identifying, assessing, managing and mitigating its ML and TF risks and complying with AML and CTF obligations.

A particularly practical requirement is reporting cadence. AUSTRAC states the governing body must receive reports from the AML and CTF compliance officer at least once every 12 months on compliance with AML and CTF policies and obligations and on ML and TF risk mitigation and management. It must also receive written notification of updates to the risk assessment as soon as practicable after the update is made.

The Three Governance Roles in AUSTRAC’s Framework

AUSTRAC’s reformed framework separates AML/CTF responsibility into three linked governance roles: the governing body, the senior manager or managers, and the AML/CTF compliance officer. This matters because compliance is no longer treated as a background operational task. It is now a governed process with clear accountability at different levels.

The governing body is responsible for overall oversight and strategic accountability. The senior manager or managers help approve and supervise implementation. The AML/CTF compliance officer manages the program day to day and reports upwards. In smaller businesses, one person may hold more than one of these roles, but the responsibilities still need to be clearly assigned and evidenced.

What the Governing Body Must Receive and Review

The governing body cannot just approve the AML/CTF program once and step away. Under the reforms, it must actively oversee the identification and assessment of money laundering, terrorism financing, and proliferation financing risks, and oversee compliance with AML/CTF policies and obligations.

AUSTRAC also expects the governing body to receive a report from the AML/CTF compliance officer at least once every 12 months. That report should cover compliance with AML/CTF policies and obligations, as well as how ML and TF risks are being managed and mitigated. The governing body must also be notified of risk assessment updates as soon as practicable after they are made.

A practical governance pack should therefore include the current risk assessment, recent incidents or breaches, control testing results, training status, suspicious matter trends, and any upcoming regulatory changes. That gives the governing body enough information to make informed decisions and show that oversight is real, not symbolic.

Why this is a Big Shift for Tranche 2 Businesses

Many Tranche 2 firms have historically treated AML and CTF controls as operational admin. The reforms push the topic into executive governance.

Government reform material explains that the Amendment Act updates AML and CTF program requirements, shifting away from a check box approach and requiring appropriate measures focused on identifying, assessing and mitigating ML, TF and PF risk, including clearer roles and responsibilities for governing bodies and compliance officers.

AUSTRAC’s own reform summary also emphasises that the new framework highlights the role of governing bodies and senior management in overseeing ML and TF risk and AML and CTF compliance, and makes it an explicit requirement to appoint a fit and proper AML and CTF compliance officer responsible for implementing the AML and CTF program.

For Tranche 2 firms, this means your AML program is not just a compliance document. It is a governance system that must be owned at the top.

Practical Examples of a Governing Body

Example 1: Law firm partnership as governing body

In a partnership structure, the partnership committee or equity partners who make executive decisions will usually act as the governing body. They should formally allocate AML responsibilities, approve resourcing, and receive scheduled compliance reports.

Example 2: Real estate agency owner as governing body

In a small business, the owner may be the governing body, senior manager, and compliance officer. AUSTRAC explicitly recognises that one person may hold multiple governance roles in small businesses.

Example 3: Accounting firm board or director group

For incorporated firms, the board or director group is usually the governing body. They should approve the governance framework, confirm risk appetite, and require evidence that the program works.

Best Practice Governance for Tranche 2 AML and CTF Readiness

1. Define governance roles clearly

Document who is the governing body, who is the senior manager for AML approvals, and who is the AML and CTF compliance officer. AUSTRAC’s governance framework guidance makes clear these roles are distinct even if held by one person.

2. Put the risk assessment on the agenda

Governing bodies must oversee identification and assessment of ML and TF risks. In practice, make the ML and TF risk assessment a standing agenda item at least quarterly during implementation, then on a sensible periodic basis once stable.

3. Set reporting expectations for the compliance officer

AUSTRAC requires at least annual reporting from the compliance officer to the governing body. Create a standard reporting pack that covers training, suspicious matters, key control testing outcomes, breaches, and upcoming regulatory milestones.

4. Allocate resources and document the rationale

Reasonable steps often come down to resourcing. If you decide not to buy screening tools or not to add staff, record the rationale and the compensating controls.

5. Build an AML culture that survives busy periods

AUSTRAC explicitly expects governing bodies to take an active role. A visible tone from the top helps staff ask the hard questions even when matters are urgent.

Common Challenges

• Governing bodies delegate everything and never receive meaningful reporting.
• Compliance officers are appointed but not empowered, under resourced, or isolated.
• Risk assessments are drafted once and never refreshed, despite service and customer changes.
• Firms treat AML governance as an annual tick, rather than continuous oversight.

Conclusion: Governing Bodies and AML Compliance

Governing body is now a core AML and CTF concept, not just a corporate governance phrase. Under the reformed regime, AUSTRAC expects the governing body to actively oversee ML, TF and PF risk and ensure the business takes reasonable steps to comply.

Tranche 2 firms that treat governance as a real control, with clear roles, regular reporting, and proper resourcing, will find implementation far smoother and far more defensible.

At Tranchet Two Consultants, we see that Tranche 2 firms which treat governance as a real control with clear roles, regular reporting, and proper resourcing experience far smoother and far more defensible implementation outcomes.