by Caroline Marshall and Bronte Hearn · 8 April 2025
Is your AML/CTF program in place, up to date and rigorously reviewed?
With the uptick in anti-money laundering and counter-terrorism financing (AML/CTF) enforcement, and the recent reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act), boards of entities that are or will be subject to the AML/CTF Act must ensure that they are adequately monitoring AML/CTF compliance.
Under the Banking Executive Accountability Regime (BEAR)/Financial Accountability Regime (FAR), AML/CTF is also a prescribed responsibility, requiring an accountable person to be appointed who oversees and assesses the effectiveness of the AML/CTF framework and AML/CTF compliance functions. FAR has extended the AML/CTF accountabilities to a wider set of entities in the banking, insurance and superannuation industries.
What are the responsibilities of the board?
- Under the current AML/CTF Act, the board is essentially responsible for the effective implementation of an AML/CTF program, including its approval and ongoing oversight. It must also ensure that an entity's AML/CTF program is subject to an independent review on a periodic basis, and that it is kept apprised of key AML/CTF risks and issues as they arise. Boards must also be comfortable that the level of AML/CTF reporting and escalation is adequate, so that they can discharge their ongoing oversight obligation.
- The Australian Transaction Reports and Analysis Centre (AUSTRAC) has published guidance on board and senior management responsibilities, which points to the importance of good governance and adequate oversight of AML/CTF matters by boards. AUSTRAC expects boards and senior management to have ongoing access to coordinated, structured and quality information on a consistent basis, not limited to specific events or incidents.
- The recent reforms to the AML/CTF Act, which largely commence in March 2026, have amended the requirements regarding board oversight of AML/CTF compliance. In particular:
  - The board will no longer be required to approve an AML/CTF Program. Under the amended AML/CTF Act, instead of having an AML/CTF Program, regulated entities are required to have an AML/CTF risk assessment and AML/CTF policies. These documents need to be approved by the senior manager of the entity, with any updates to the ML/TF risk assessment notified to the board in writing; and
  - The board will be required to:
    - exercise appropriate oversight over: (a) the entity's identification and assessment of risks for the purposes of the entity's risk assessment; and (b) the entity's compliance with its AML/CTF policies and the AML/CTF laws; and
    - take reasonable steps to ensure that the entity: (a) is appropriately identifying, assessing, managing and mitigating the risks of money laundering, financing of terrorism and proliferation financing that the entity may reasonably face in providing its services; and (b) is otherwise complying with its AML/CTF policies and the AML/CTF laws.
What are the risks to be aware of?
- AUSTRAC's focus on board accountability and good governance regarding AML/CTF compliance is clear. Allegations made in recent AUSTRAC proceedings against the casino industry highlight its concern regarding the alleged lack of board and senior management oversight of AML/CTF compliance. We expect AUSTRAC to continue its focus on this area, including after the commencement of the recent reforms to the AML/CTF Act.
- As part of its wider risk governance management mandate, APRA is taking an increased interest in AML/CTF compliance. It recently worked closely with AUSTRAC to review a bank's risk and compliance culture, and entered into separate but simultaneous enforceable undertakings given by the bank as to its AML/CTF failures.
- Under BEAR/FAR, regulated entities are subject to a strengthened responsibility and accountability framework. Accountabilities under the BEAR/FAR regime sit alongside (and are not inconsistent with) existing directors' and officers' duties under the common law and the Corporations Act, as well as oversight obligations in the AML/CTF Act. The key obligations relevant to AML/CTF (both for an entity and accountable persons) are to:
  - act with honesty and integrity, and with due skill, care and diligence; and
  - take reasonable steps in conducting their business/responsibilities to prevent matters from arising that would adversely affect the entity's prudential standing or prudential reputation.
- Directors can face civil penalty proceedings for breaches of their directors' duties following AML/CTF compliance failings. Recent ASIC cases against current and former directors and officers of a casino operator, for alleged breaches of their duties under section 180 of the Corporations Act, have shown the importance of directors' attention to ML/TF risks.
- Directors can also be personally liable for breaches of the AML/CTF Act if they are, either directly or indirectly, knowingly concerned in or a party to those breaches. AUSTRAC has evinced in its 2024 Regulatory Priorities that it intends to pursue individuals concerned in breaches of the AML/CTF Act. In our view, this indicates that there is a higher risk AUSTRAC will join directors/officers to civil penalty proceedings where it identifies, for example, evidence of a corporate culture created by the board/relevant individuals that disincentivises or seeks to circumvent compliance with AML/CTF obligations, or where the board/relevant individuals are involved in decision-making that prioritises profit over compliance.