The role of Boards in Australia's evolving AML/CTF landscape

Upbeat intro music

Rebecca Archer

Welcome to Season Six of Beyond the Numbers with Grant Thornton – a podcast exploring marketplace and business trends. We are excited to bring you another year of insightful content and look forward to sharing our lineup of experts for 2025.

I’m Rebecca Archer, and in the first episode of this new season, we will discuss the new Anti-Money Laundering and Counter-Terrorist Financing Amendment Act. Australia is reforming its AML/CTF regime to better align with the international standards. 

These new laws will require stricter governance from Boards and Directors and with so many changes, staying on top of what needs implementing will ultimately be their responsibility too.

To explain the changes and why Boards and Directors should be concerned, I am joined by Partners in Risk Consulting – Neil Jeans and Katherine Shamai. Neil has a unique background in financial crime risk management spanning 30 years, and Katherine brings over 23 years of experience working closely with c-suite and Boards on financial crime, compliance, and good governance.

Welcome, Neil and Katherine!

Neil Jeans

Thank you. Good to be here.

Katherine Shamai 

Thanks, Rebecca.

Rebecca Archer

Before we begin, can you explain a little bit about your roles and how you help clients at Grant Thornton?

Katherine Shamai 

Sure. So, I would position us as trusted advisers and we help our clients to meet their compliance obligation with regards to AM, and that could be anywhere from advising the Board, advising them of their obligations all the way through to performing periodic reviews of the program and the adherence to the program.

Neil Jeans

Again, my role is the same as Katherine’s. We again are trusted advisors to Boards and senior management. We focus very much on AML/CTF compliance, which is a particularly hot topic at the moment, and that ranges from sort of advising them what compliance should be all the way through to advising them how to navigate AUSTRAC enforcement investigations and AUSTRAC enforcement activity and ensure that the organisation can go through those in the best possible way.

Rebecca Archer 

All right, so can you give us a bit of an overview of what this new legislation entails?

Katherine Shamai 

Well, I would describe the reforms as a generational change – something that happens once in a generation. The AML Act was originally introduced in 2006 and whilst it's gone through a maturity over this time, the 2024 AML Amendment Act is the most significant change since 2006, and what it's really seeking to do is to protect the Australian economy from being exploited by criminal elements who use legitimate businesses and our financial systems to launder money from illicit activities such as child exploitation, drug trafficking, scams, fraud, etc. They're not things that we really want to encourage and grow in our society. 

So, the criminal element – because it's constantly changing – the existing AML laws needs to evolve with it as well, and I will also say community expectation of our financial systems being protected is lifting as well. So, it's really important that the legislation is updated to reflect new practices and new products and service offering and channels out there to facilitate money laundering. 

The reforms also seek to ensure that Australia's AML regime aligns with international standards set by the Financial Action Task Force, also known as FATF, and the reforms are in response to the risk of Australia being grey listed by FATF at the next mutual evaluation in late 2026. What this means is it can harm a country's reputation and our ability to have international trade and economic strength and parity and competition in the global stage. 

The expansion of the Act meant that new designated services were added to the Act, which now captures lawyers, accountants, real estate agents and conveyancers if they provide those designated services. So, an example of that is for real estate agents, it may be that they are brokering the sale, purchase or transfer of real estate on behalf of a client, whether they're a buyer, seller, etc. and those services will be captured as a new designated service, and for lawyers and accountants, it may be assisting a client with a business going through capital or debt raising or the structuring of legal entities within the group.

Rebecca Archer 

Now, the act does give AUSTRAC further investigative and information gathering powers, which came into effect, of course, on the 7th of January this year – 2025 – what exactly does this mean in practice?

Neil Jeans 

So, what this means in practice is that the AUSTRAC regime is becoming more closely aligned to what people will be familiar with – the ASIC regime and the APRA regime. So, the CEO of AUSTRAC has been given additional powers to collect information for particular purposes. 

So, this is the first reform that really has come in place for the whole suite of reforms that are going to sort of roll out between now and July 2026. These examination powers are effective, or these investigation powers can be split, I think, into three areas. There is a new set of powers where the AUSTRAC CEO can request information from you if they are seeking to investigate compliance and non compliance, and you may have information that you are prohibited from providing for other reasons. So effectively, the information gathering powers are in part designed to protect the person providing the information. 

We then go on to what we call the examination powers. So, the AUSTRAC CEO has the ability to effectively launch what is an examination if they believe that a person has information that would be relevant to understanding the level of compliance with the AML/CTF Act and the AML/CTF rules where the key requirements are set out for the AML/CTF regime, but also if there is information regarding contraventions of the Criminal Code and other criminal legislation. These are what are commonly known as coercive powers. So effectively you can't refuse to answer the questions; you have to basically provide the information, and effectively, the way these will work is that the CEO of AUSTRAC will appoint an examiner who will require you to produce documentation and/or provide evidence verbally or in a written format. 

The third pillar of these is what's known as the Keep Open notices, which effectively give AUSTRAC the power to request you to keep an account or maintain a relationship with somebody that is under investigation for criminal activity, and effectively this protects the reporting entity from breaching some of its obligations. So obviously, if you were asked to keep open an account, but you needed to undertake ongoing customer due diligence, and that ongoing customer diligence might tip off the customer that, you know, there's an investigation going on, you don't have to undertake those requirements. That would mean that you would disclose the Keep Open notice to the person that's the subject of it.

So, they're pretty broad. Again, it'll be very interesting to see how AUSTRAC sort of starts to use these powers as part of its enforcement toolbox.

Rebecca Archer 

Given all of this, what roles do Boards and Directors play in ensuring good governance and risk assessments for this new legislation? It seems to me, at the face of it, quite a huge regulatory change for these entities.

Katherine Shamai 

I think that's right, Rebecca, but at the same time, I think it's formalising what AUSTRAC has been expecting of Boards for a while now. It's not a completely foreign concept and I think… to summarise essentially the four different things that governing bodies are expected to do under the new legislation… 

One is to manage the Money Laundering and Terrorism Financing risk to the organisation. They must oversee the reporting entity's risk assessment and compliance with the program and the regime in general, which if you unpack just that one line, it's not just, you know, having a program in place, it's not just your management reporting every now and then, it's also making sure you have the appropriate resourcing and whether that's budget or people allocated to adequately manage the risk and ensure the running of the compliance function. The governing body must also identify and assess, mitigate, manage risk, which is kind of covered, implicit and some of the other elements, and of course, notice, notify AUSTRAC of any updates, but also update the risk assessment as things change in the environment. 

So, it's a pretty broad spectrum of obligations, and on top of that, of course, you have your Corporations Act, fiduciary duties of care and diligence, the expectations that Boards set the tone at the top. So, you know, that culture of compliance, how seriously are we taking this, and it sort of filters down into senior management and further into the organisation. 

So, there's a lot for Board members to think about and how to manage this appropriately.

Rebecca Archer

Can I ask about the kind of culture that this is going to promote within organisations from the top down, in terms of ethical conduct?

Katherine Shamai 

I think that's a really interesting question, Rebecca, and it feeds into a lot of more recent legislation that I work with. So, for example, it's tangential to modern slavery, you know, underpayment of wages, etc. It talks to doing the right thing when no one's looking, and that's what ethical conduct, in a very simplistic term – it's integrity – doing the right thing without anybody hovering over you or making sure you're doing the right thing. 

So, I think it adds to another element of corporate responsibility and accountability and culture. How an organisation choose to adopt it is set by the tone set by the Board, and we've seen in recent cases which, you know, Neil can talk to, he knows some of those in great detail, where the Board hasn't necessarily set the right tone at the time and whether that's through decision making around resourcing allocation priorities, where the focus is at, from a strategic level, that all influences culture and compliance and integrity, and I think that's where sometimes the decision making isn't necessarily clear. What does it mean when a Board makes a decision? What's the flow and impact to culture and integrity?

Rebecca Archer

Well, let's indeed delve more into that with you, Neil. I guess in your opinion, how is the role of Boards evolving?

Neil Jeans

Again, that's a very good question. From my perspective, I don't think the role of the Board is evolving. I think the role of the Board is being greater understood and the role of the Board – also that understanding – is expanding into more and more areas. 

So as Katherine mentioned, under Section 180 of the Corps Act, the Board has responsibilities of care and diligence that includes ensuring it complies with its legal and regulatory obligations. So those responsibilities and accountabilities have already been there. They have been, to a certain degree, sort of not drawn out and not clarified and not been specific, and that's what we're seeing in the AML/CTF reforms. So, the expectations of AUSTRAC and other regulators have always been there. We're seeing a greater clarification of those and a greater explanation of those, which hopefully will leave Boards and Directors and managers in no doubt about their responsibilities for managing and mitigating the Money Laundering risks they face and ensuring they are complying with their legal and regulatory obligations under the AML/CTF Act and the AML/CTF rules.

So, that evolution or that clarification, I think, will mean a change in approach, will require increasing levels of oversight, increasing levels of focus by the Board and dedicated focus by the Board because their accountabilities and the impacts for not discharging those accountabilities are very, very clear, and under these reforms are far easier to enforce because effectively, unlike the current regime where they're sort of, you have to breach the rules to then breach the Act, then breach another part of the Act. These are now direct civil penalty provisions in the Act. So, it's a simple, you've breached that provision. We can take you to court if we feel, if we feel like it.

Rebecca Archer 

So, for Boards and management teams, if they're not proactive or perhaps asking the right questions, what could happen? What could go wrong?

Neil Jeans

Effectively they become personally liable under the AML/CTF Act. There are requirements already in place in the current regime where AUSTRAC can join individuals to a civil claim if they feel that's appropriate. They've never used that power, although the General Counsel of AUSTRAC and the CEO of AUSTRAC have pointed to this power and their potential ability to use it in the future. So, with the clarity of the accountability and responsibility of Boards and clearly a focus on this by AUSTRAC, there are, I think, increasing risk that those powers could be used, but also, we've seen in other forum people being focused on. 

As we sit here today, on Monday 10th February, a case begins in the Federal court where ASIC have taken 11 officers and Directors of the Star Casino to court for failure to comply with Section 180 of the Corps Act. That trial is due to run to three to four weeks. It's going to be a very interesting trial because this is the first time anywhere in the world that officers and Directors prosecuted for AML non compliance. So not only is a lot of people in Australia looking at this – and I would recommend that every Board and every Director should consider this – once the case is starts to unfold, but this international precedent about how Directors and officers of organisations should behave and how they should act to ensure that they are complying with their AML/CTF obligations.

Rebecca Archer 

Given that international precedent, as you said, that strikes me as Australia really leading the way in terms of this kind of regulation. Would that be an overstatement perhaps or is that quite accurate?

Neil Jeans

I'm not sure it's an overstatement. I think it is…we are leading the way. It's been decided we are taking this action. It always is internationally very difficult to assign responsibility to an officer that may be removed or a Director that may be removed from the day to day decisions and therefore, there's undoubtedly going to be reasonable doubt in a lot of cases. So hence a lot of cases don't get prosecuted. 

I think in this case, and again not being involved in detail, but it appears that there is this evidence that links them to making or be involved in those decisions. And again this will unfold in the next two to three weeks. 

So, it'll be fascinating to see how the allegations are prosecuted, what evidence is brought to the court, one, to demonstrate these offences have occurred, but also secondly the defences that are being mounted, why this isn't a breach of the Section 180 of the Corps Act. So again, we're at a very interesting inflection point which will study the outcomes pretty closely.

Rebecca Archer

Could you possibly run through what the top five questions Boards and Directors should be asking management to have confidence in the AMLCTF governance of the organisation, Katherine?

Katherine Shamai

I guess some really practical things to ask. Do you have a current AML program in place and risk assessment in place? Is it up to date? Does it reflect our business and the size, nature and complexity of it? Do we provide training for staff members so that it is an embedded practice across the organisation and do we provide training to ourselves? 

Quite often Boards forget that they also need some training around the material because how can you question and challenge management if you don't understand the topic yourself? So, training across all levels is important. 

How do we monitor and report as a Board? And this is often quite challenging because a lot of reporting can be quite operational and at which point the board reads it and go great, but not necessarily know how to challenge. So, challenge like the management and the assumptions behind it. So how do you meaningfully monitor and get reporting from management? 

Do we have the right expertise? Have we regularly conducted reviews and from a technical knowledge perspective, do we need more resources or external consultants to give us some guidance and some check and challenge? And have we action findings from previous reviews? So, if a review was done and there were findings, obviously there were deficiencies or gaps that are identified. Have we addressed those in a timely manner and in a meaningful way as well? And I think the last one, Rebecca, that I'll bring into play is some self-reflection. It may be time to dust off the skills matrix and say do we have the right skills on the Board? Do we need to think about other skill sets and knowledge or technical expertise and whether they're a director or an advisor to the Board. That's something that should be considered to make sure you are covering off on what you're obligated to look after.

Rebecca Archer

Have you got any examples of things going wrong and what companies or organisations can do to get back on track and try to rectify things?

Katherine Shamai 

I think Neil cited the example that's in the courts at the moment, but you know, we see other reporting entities where they haven't implemented the right controls or programs in place and they go through different pathways of enforcement activity with AUSTRAC and that would usually involve some sort of remediation program, which can be quite costly to run, as well as the requirement to have some oversight over that remediation program to ensure that it addresses the gaps that's been identified. So again, quite a costly exercise to remediate and at a speed dictated by an external party as well.

Neil Jeans

And to sort of follow on from that, we've seen particular examples in particular industries where similar businesses have been engaged by AUSTRAC at the same time and how they respond and more importantly, how the Board responds to that engagement has meant different outcomes for the reporting entities. From basically being left alone to fix what's required through to putting them into enforcement and taking fairly punitive action against them. 

So again, this is all about making sure that the Board is aware of what's going on and ensures that the organisation responds correctly and accurately to the risk they're facing, and that's no different from any other risk or any other compliance obligation. The Board responsibility is to make sure that the organisation operated by the CEO or the management are taking these things seriously and mitigating the risks for the organisation and therefore the risk for the investors or the shareholders.

Rebecca Archer 

From your perspective, are you able to maybe step us through the process of… so maybe a Board has contacted Grant Thornton and said, look, we need some expert advice and help with this. How do you go about setting them on the right path? 

Neil Jeans

As that trusted advisor role, usually we get involved when they've had that contact from AUSTRAC and really at that point the Board is trying to grapple with, you know, what is the extent of this? They may be dealing with competing views both internally and externally, and really what they then do to bring us into is effectively to be that independent mediator, to basically say, look, okay, you've got a report from over here that says X, you've got a report from over here that says Y. This is really the path and this is the path of true. So, in that way we bring clarity to the organisation and that then hopefully then allows them to make the decisions about what, what to do to go forward to, to address these issues and navigate a path out of the regulatory challenges that they may have.

Rebecca Archer 

And for entities that haven't had that first contact from AUSTRAC, do you do any work that is sort of proactive, making sure that they're all, all doing the right thing and ticking all of the correct boxes before there's any action that intervenes?

Neil Jeans

Boards can get this information from many sources, so it can be part of an internal review that you identify there's a non compliance or you recruit a new person who looks at the problem in a different way and identifies non compliance. So, part of what we do is also to work with that organisation to come up with a regulatory strategy to one, to normalise the situation, to mitigate the non compliance, but also then to actively and proactively engage with AUSTRAC to explain the background and the context of the non compliance, what's being done or what has been done to remediate and fix the non compliance and hopefully sort of get a good outcome for them. 

So, it's not only sort of when AUSTRAC have proactively gone and engaged with them, usually a lot of this stuff is self-disclosed or self-discovered and then you've got to work out whether you self-disclose and sort of work through that, and that's what we do for organisations as well.

Rebecca Archer 

So, the reforms have officially started. Can you maybe set us out, give us a picture of what the timetable is for the milestones people have to really hit here?

Neil Jeans

Absolutely. Rebecca. So obviously legislation's now been passed; the Act has been enacted. Obviously, we've seen the first bits roll out. The next rollout is the Tipping Off Provisions go live on the 31 March this year. We've also understand from AUSTRAC that they intend to issue the rules in June, and then they will start to roll guidance out from August through to December. All existing reporting entities – so, if you're an existing reporting entity – you need to be compliant with the legislation by 31 March 2026, and if you're one of the new ‘Tranche 2’ entities – so lawyers, accountants and real estate agents, etc – you need to be compliant with these new standards, including the governance standards by 1 July 2026. 

So, in reality, existing reporting, the 17,000 existing reporting entities have less than 14 months to become compliant and the new ‘Tranche 2’ entities, of which there's 90,000 of them have somewhere around 17 months to become compliant.

Neil Jeans

People should start now. There's things you can do now to prepare because blink and it'll be Christmas and yeah, we'll be up against it.

Rebecca Archer

Well, Neil and Katherine, thank you so much for being part of today's episode. For those who are listening who would like to get in touch and connect with you and maybe delve deeper into your work and explore perhaps potential ways that you can even assist them, what's the best way for them to reach out?

Katherine Shamai 

The best way to get some information in real time is to hop onto our website’s AML Reform Hub. We're publishing regular pieces of thought leadership and guidance material, etc. which you may find useful, but you know, I know Neil and I are always more than happy for a coffee catch up in a chat on the topic.

Neil Jeans

Absolutely, and again through, through socials through LinkedIn. We're visible on LinkedIn. So yeah. So, if anybody has any questions or wants to explore any of these topics further, we're always happy to talk to.

Rebecca Archer 

Interested in who we interview outside of our firm? Have you heard about our other podcast series The Remarkables? Listen as we uncover and explore remarkable stories about incredible people working to better their local (and sometimes global!) communities and inspire younger generations. A link to series will be in the show notes.

If you liked this podcast and would like to hear more, you can find and subscribe to Grant Thornton Australia on Apple Podcasts or Spotify. Leave us a review or ideas on who you’d like to hear from next. Thank you for listening!

Upbeat outro music