When businesses build their AML/CTF compliance programs, the focus tends to fall on the operational layer — the customer due diligence forms, the transaction monitoring processes, the staff training. These things matter enormously. But AUSTRAC's framework is built on a foundational principle that sometimes gets lost in the operational detail: ultimate responsibility for AML/CTF compliance sits with the governing body.
This isn't a formality. The AML/CTF Act imposes specific obligations on the governing body of every reporting entity, and AUSTRAC scrutinises governance closely when assessing whether a compliance program is functioning as it should. Understanding what the governing body is required to do — and how that obligation translates into day-to-day practice — is essential for anyone responsible for building or overseeing an AML/CTF program.
1. What Is a "Governing Body" Under the AML/CTF Framework?
The term "governing body" isn't limited to a formal board of directors. Under the AML/CTF framework, it refers to whoever holds ultimate decision-making authority and accountability for the entity — and that looks different depending on how your business is structured.
| Entity Structure | Governing Body |
|---|---|
| Company (including professional services firm structured as a company) | Board of directors |
| Partnership | The partners (acting collectively, or a designated managing partner) |
| Sole trader | The individual proprietor |
| Trust | The trustee (individual or corporate) |
| Incorporated association or cooperative | The committee or board of management |
For most accounting, legal, and financial planning practices — the businesses captured by Tranche 2 — the governing body will typically be the partners, directors, or the principal of a sole trader practice. The label matters less than the substance: whoever has the authority to approve the program, allocate resources to it, and be held accountable for its performance is the governing body.
2. What Is the Governing Body Required to Do?
The AML/CTF Act places four core obligations on the governing body of a reporting entity. These are not obligations that can be delegated away entirely — the governing body retains accountability even where day-to-day compliance activities are managed by a Compliance Officer or other staff.
It bears repeating: these obligations attach to the governing body, not just to the Compliance Officer. A Compliance Officer who identifies a problem and escalates it has done their job. A governing body that receives that escalation and does nothing has not.
3. What This Looks Like in Practice
For businesses that aren't used to thinking about AML/CTF compliance in governance terms, translating these obligations into practical action can feel abstract. Here's what genuinely good governing body engagement looks like across different practice sizes.
In a larger firm with a dedicated Compliance Officer
The governing body — whether a board or a management committee — should receive a regular AML/CTF compliance report, ideally at least annually but more frequently if the business is higher-risk or undergoing change. That report should cover the program's performance against key indicators: ICDD completion rates, training completion, escalations logged, suspicious matter reports lodged, and any findings from independent evaluation or internal review. The governing body should formally consider the report, ask questions, and document its response — particularly where action is required.
In a small-to-mid-size practice
In a two- or three-partner practice, the governing body and the Compliance Officer may be the same person, or closely overlapping. This doesn't reduce the obligation — it simply means the principals need to be deliberate about wearing the governance hat at the right moments. A practical approach is to build a short, formal annual governance review into the practice calendar: a documented meeting where the partners collectively consider the program's status, approve any updates, and record their decisions. Brief minutes kept on file demonstrate that governance is happening — which is exactly what AUSTRAC wants to see.
In a sole trader practice
For a sole trader, the principal is both the governing body and, in most cases, the Compliance Officer. The obligation to oversee the program still exists — it's self-oversight, but it must be genuine and documented. An annual self-review that considers whether the program remains adequate, whether anything has changed that warrants an update, and whether any issues have arisen that need to be addressed is the minimum standard. Documenting that review — even briefly — is important.
4. The Governing Body and the Compliance Officer
The relationship between the governing body and the Compliance Officer is central to how the AML/CTF framework is designed to work. The Compliance Officer is responsible for the day-to-day operation of the program — implementing processes, training staff, managing escalations, and keeping records. The governing body is responsible for oversight: ensuring the Compliance Officer is effective, properly resourced, and genuinely independent in their role.
This distinction matters for a few reasons:
- The Compliance Officer must have a clear reporting line to the governing body — not just to a line manager who may have competing commercial interests
- The governing body must act on what the Compliance Officer reports, particularly where the Compliance Officer identifies risks or weaknesses in the program
- Where the Compliance Officer is a principal of the practice (common in smaller firms), there should still be a documented mechanism for escalating material compliance issues to the full governing body
5. Common Governance Failures — and What They Cost
AUSTRAC's enforcement history offers a clear picture of the governance failures that attract regulatory scrutiny. They're rarely dramatic or deliberate — they're almost always the result of governance that was nominal rather than real: a program that existed on paper but wasn't genuinely owned at the top of the organisation.
The most common patterns include:
- Program never formally approved. The Compliance Officer built the framework, but the partners or directors never formally signed off on it. There's no documented approval, no record of the governing body having reviewed it, and no evidence that senior leadership was engaged with it.
- No reporting line to the governing body. The Compliance Officer reports to a department head or practice manager, who filters what gets escalated. Material issues that should reach the principals don't, and the governing body has no meaningful visibility of how the program is performing.
- Independent evaluation findings not acted on. An evaluation was conducted, a report was produced, and it sat in a drawer. The governing body received the findings but took no documented action. This is treated by AUSTRAC as more serious than not conducting an evaluation at all.
- Governance confused with delegation. The governing body assumed that appointing a Compliance Officer meant the compliance obligation was fully delegated. It isn't. The governing body retains accountability, and "we left it to the compliance team" is not a defence.
6. How RUCK Compliance Can Help
RUCK Compliance is an Australian AML/CTF compliance platform built specifically for accountants, lawyers, bookkeepers and financial planners. Our AML Portal gives your business everything it needs to build and maintain a compliant AML/CTF program — from your Risk Assessment and Policy documents through to ICDD forms, escalation registers, training records and ongoing monitoring tools. The portal is designed to make governance visible: document saves are timestamped with named authorship, so you always have a clear record of who approved what and when.
For businesses that want expert guidance on structuring their governance framework, or help preparing the documentation that a governing body needs to formally adopt and oversee their program, RUCK's compliance specialists can work with you directly.