Governing body (Reform)

Learn about the obligations of the governing body. Read examples of when a governing body is:

  • appropriately overseeing anti-money laundering and counter-terrorism financing (AML/CTF) compliance
  • taking reasonable steps to ensure compliance.

The governing body is the person or group primarily responsible for the governance and executive decisions of the business. For larger businesses, this may be the board. For smaller businesses, this may be the business owner.

Obligations

This section refers to the Act sections 26H and 26P(2) and the Rules section 5–7.

The governing body must exercise appropriate ongoing oversight of your identification and assessment of money laundering, terrorism financing and proliferation financing risk (we refer to these as ML/TF risks) in your risk assessment.

It also oversees your compliance with: 

  • your AML/CTF policies
  • the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act)
  • the Anti-Money Laundering and Counter-Terrorism Financing Rules (the Rules)
  • the regulations (your AML/CTF obligations).

The governing body must also take reasonable steps to make sure your business is:

  • appropriately identifying, assessing, managing and mitigating its ML/TF risks
  • complying with its AML/CTF policies
  • complying with its AML/CTF obligations.

The governing body must receive reports from the AML/CTF compliance officer at least once every 12 months about both:

  • compliance with your AML/CTF policies and obligations
  • ML/TF risk mitigation and management.

The governing body must also receive a written notification of any updates to the risk assessment as soon as practicable after the update is made.

We expect your governing body to take an active role in AML/CTF compliance. This will support your governing body to appropriately oversee and take reasonable steps to manage its obligations.

Appropriate ongoing oversight

This section refers to the Act section 26H and the Rules division 1 of part 3.

Your governing body must be engaged to appropriately oversee your AML/CTF compliance. To help meet this obligation, we expect your governing body to both:

  • question and review matters included in reports, where appropriate
  • take reasonable steps to address non-compliance and any failure to identify and assess risks. 

There are certain behaviours that may indicate that your governing body is exercising appropriate ongoing oversight. 

Examples that may demonstrate appropriate AML/CTF oversight

Below are examples that may show appropriate AML/CTF oversight:

  • having AML/CTF compliance and ML/TF risk as a regular standing agenda item in meetings
  • reviewing relevant matters included in AML/CTF compliance officer and independent evaluation reports
  • questioning how the business will address adverse findings included in compliance officer and independent evaluation reports
  • questioning the root causes of non-compliance or ongoing compliance breaches and the effectiveness of any controls
  • understanding the risk assessment and the risk assessment methodology – how it has been designed
  • keeping meeting minutes to show how you’ve engaged with related matters
  • monitoring progress of any actions to address non-compliance.

Examples that may demonstrate inappropriate AML/CTF oversight

Below are examples that may show inappropriate AML/CTF oversight:

  • limiting the compliance officer’s ability to provide candid and regular updates on relevant matters
  • not considering compliance officer reports
  • not understanding, reviewing or questioning matters included in reports or other updates
  • not questioning the root cause of ongoing compliance breaches
  • not understanding the risk assessment and its design
  • not having a regular standing item for ML/TF risk and AML/CTF compliance on your agenda.

Taking reasonable steps

This section refers to the Act sections 26F(4), 26H, 26J and 26P(2) and the Rules section 5–7.

Your governing body must take reasonable steps to make sure you’re both: 

  • appropriately identifying, assessing, mitigating and managing ML/TF risk
  • complying with your AML/CTF obligations. 

This will typically involve your governing body making sure that your business does all of the following: 

  • aligns its AML/CTF policies to the ML/TF risks of your business
  • reviews its risk assessments to identify and assess new or changed risks
  • aligns its policies with any changes to risk assessments
  • has appropriate assurance and monitoring processes built into the program
  • puts in place independent reviews of AML/CTF capabilities and compliance at appropriate intervals
  • adopts a strong AML/CTF culture
  • engages, resources and empowers appropriate people to meet its obligations
  • escalates compliance issues appropriately to its governing body, particularly when changes to resourcing or wider business practices are required
  • makes sure that they understand the business’ risks, the way it meets its obligations and any significant compliance issues
  • supports your compliance officer to address any AML/CTF compliance issues. 

The table below shows the typical AML/CTF obligations that governing bodies focus on. It also outlines examples that may demonstrate they’ve taken reasonable steps to ensure the business complies with them.

Governing bodies don’t need to discharge these obligations directly. The table also doesn’t provide a comprehensive list of all AML/CTF obligations. 

Obligation: Appoint an eligible AML/CTF compliance officer

Examples that may show taking reasonable steps:

Make sure a person at management level:

  • is appointed as an AML/CTF compliance officer
  • meets the residency and fit and proper person requirements.

Obligation: Make sure senior manager roles with AML/CTF responsibilities are appropriately staffed

Examples that may show taking reasonable steps:

Make sure the business appoints a senior manager(s) to approve the AML/CTF program and make key AML/CTF decisions.

Obligation: Make sure the AML/CTF compliance officer provides regular reports on ML/TF risk and compliance at least once every 12 months. Make sure the governing body receives updates on changes to its risk assessment

Examples that may show taking reasonable steps:

Require the compliance officer to provide periodic reports on risks, compliance and key updates.

Provide the compliance officer and people providing updates on risk assessments:

  • a direct line of communication to the governing body
  • the authority to escalate issues.

Make sure that no other person amends or removes significant findings or recommendations in reports from the compliance officer before reaching the governing body.

Obligation: The AML/CTF compliance officer must have sufficient:

  • authority
  • independence from external and internal influence
  • access to resources and information

so they can perform their functions.

Examples that may show taking reasonable steps:

Make sure the compliance officer can coordinate and oversee implementation of the AML/CTF program. Ensure this by making sure they have sufficient:

  • staff
  • funding
  • technology
  • access to information.

Obligation: Take reasonable steps to make sure the business is identifying, assessing, mitigating and managing ML/TF risk and complying with AML/CTF obligations

Examples that may show taking reasonable steps:

Question the basis for conclusions reached in the AML/CTF compliance officer’s reports and the reasons for any non-compliance.

Support the compliance officer in addressing any non-compliance.

Show an understanding of how the risk assessment:

  • reflects current ML/TF risks
  • effectively identifies, mitigates and manages those risks.

Allocate appropriate resources to:

  • identify, assess, mitigate and manage ML/TF risks
  • comply with AML/CTF obligations.

Implementation tips for governing bodies

To help you implement governance and oversight, you can:

  • get regular training (for example, annually) to develop an understanding of your AML/CTF obligations
  • set out how your business will maintain ongoing oversight of risk and compliance
  • proactively request updates on AML/CTF matters, including resourcing requirements for AML/CTF compliance
  • document how your AML/CTF compliance officer meets the eligibility requirements.

This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened. 

The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.

This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

Last updated: 16 Oct 2025
Page ID: 1288
