As the national regulator of charities, the ACNC:
- is committed to supporting charities to understand and meet their ongoing ACNC obligations
- will not hesitate to act where there is a risk of harm to the public or serious wrongdoing.
Our Regulatory Approach Statement provides more detail about our compliance and enforcement approach.
Enduring compliance and enforcement priorities for the ACNC
The ACNC uses a range of methods and powers to encourage compliance with the ACNC Act and Regulations.
We will always focus on conduct that poses the greatest risk to people, funds and assets. Consistent with our statutory objectives, we take enforcement action when there is a significant risk to public trust and confidence in registered charities.
We consider the following matters so detrimental that we will always regard them as a priority:
- conduct that harms people, particularly children and vulnerable adults
- misuse of a charity for terrorist purposes or to foster extremism, indirectly or directly
- financial mismanagement including fraud and significant private benefit
- activities that put a charity at risk of having a disqualifying purpose so they are no longer eligible to be registered with the ACNC.
We continue to work closely with, and prioritise matters referred to us by, other regulators and government agencies. Referrals from other regulators can help us to identify and pursue organisations that are operating registered charities as part of broader criminal or other illegal activities. We work with agencies across state, territory, Commonwealth, and international borders to curtail activities that threaten public trust in the charity sector.
When our intelligence work uncovers broader illegal activity, we refer these matters as a priority to appropriate authorities. Examples include the detection of suspicious conduct that could be related to terrorism financing, money laundering or serious fraud.
Emerging areas of focus
Complex structures to conceal non-compliance
The ACNC is becoming increasingly concerned about the use of complex structures that may be part of attempts to conceal non-compliance with the ACNC Act and Regulations.
Charities are free to use a variety of corporate structures to suit their purpose, and we acknowledge that there can be good and legitimate reasons for these structures. The decision to utilise complex corporate structures, or the gradual (perhaps ad hoc) development of complex structures, also comes with increasingly complex compliance and governance obligations.
While many charities are well advised and adhere to robust compliance regimes, there are others which may not appreciate that complex structures bring associated governance complexity. These charities are at heightened risk of inadvertent non-compliance because they fail to understand the regulatory obligations that arise from some or all of the entities being registered charities.
At the more extreme and rarer end, we are concerned about entities that may deliberately use complex corporate structures to obscure illegal activities.
Our enforcement and compliance activities will be targeting charities that attempt to conceal non-compliance with the ACNC Act and Regulations by deliberately using complex structures to avoid adherence to the laws we administer. We will also continue to refer matters to other appropriate government agencies where we have concerns about suspected breaches of relevant law.
Focus of compliance reviews
The ACNC conducts a program of compliance reviews which are funded by the Australian Government. The purpose of the reviews has been to help us work with charities so they can better address issues early on, and then respond proactively to emerging risks. We publish compliance review reports which summarise the ACNC findings. We also use reviews to improve and better direct our education activities and resources.
Helping charities maintain good governance supports the sustainability of the charity sector, as well as helping maintain public trust and confidence.
In 2024-25, our compliance reviews are focused on challenges being faced by the charities sector relating to cyber security, as this is a key emerging issue.
In our reviews, we work with charities to better understand how they protect themselves from cyber risks and manage cyber security incidents.
We will look at whether charities have policies and procedures about:
- the types of sensitive and personal information the charity holds
- the collection, storage, management, and disposal of electronic information
- the management of sensitive or personal information
- incident management in the case of a cyber security breach, including data breaches, viruses, and cyber attacks
- training employees and volunteers on how to avoid and manage cyber threats.
We are also interested in understanding how:
- activities undertaken by charities could make them vulnerable to cyber security risks
- charities manage and mitigate financial risks arising from cyber security vulnerabilities
- charities ensure that the third parties they engage with also have suitable policies and processes in place for managing risks associated with cyber security vulnerabilities.
We continue to work on our safeguarding compliance reviews. Conduct that harms people, especially children and vulnerable adults, is always a priority. Safeguarding is a sub-set of this priority.
Determination of priorities
The ACNC’s approach to priority setting is informed by the Commissioner's Policy Statement: Compliance and enforcement and the ACNC Regulatory Approach Statement. These documents are subject to review, and we will publish updates in 2024-25 after consultation.
We have developed these regulatory priorities having considered a range of inputs, including emerging risks and their potential for harm, and concerns received from the public.
Our priorities are determined from a range of sources.
- Annually we receive about 2,300 reports relating to registered charities.
- Our work is both intelligence and data led – for example, data from the Annual Information Statements feeds into our assessments.
- We have an active stakeholder engagement program that helps us understand issues and pressures the sector is facing.
- We work closely with a broad range of other regulators (state and territory and other Commonwealth agencies, and international regulators), which continue to add to our insights.
The ACNC has discretion in how we exercise our functions and address non-compliance and its impacts. This discretion includes prioritising and allocating resources, how we manage cases and the compliance action we take. We are not resourced to investigate every regulatory concern that is brought to our attention.
The ACNC does not act in response to all concerns about charities. It is not our role to run charities. We are unlikely to be become involved in:
- internal differences of opinion
- employment disputes
- regulating the quality of services provided by charities (for example, charities that provide health, education, or aged care services)
- some circumstances where another regulator is better placed to address the issue.
Overview of compliance and enforcement activities
The ACNC has developed a range of interventions that allow for a proportionate and risk-based approach to address risks of harm. The degree of risk determines the intervention and assurance required of the charity to demonstrate compliance with their obligations. Each of our interventions focuses on one or more of our key focus areas.
Education and guidance
We use the insights gained from our work to support all charities to comply with our laws through published guidance and our other communication channels (newsletters, podcasts, social media, and website).
Self-evaluations
Through our compliance work, we identify charities that share similar characteristics which make them vulnerable to certain risks, and provide them with a self-evaluation. The self-evaluation tool is for charities to assess their compliance with the ACNC Act and Regulations and is available on our website.
Reviews
We meet with charities to understand how they operate, including their activities, governance, and risk mitigation strategies for specific issues such as working with vulnerable people. We help them address governance gaps. This year our reviews will continue to look at safeguarding, and also have a special focus on the emerging issue of managing cyber security.
Self-audits
Charities are asked to undertake a self-audit across a range of governance areas. Charities must submit the results of a self-audit to the ACNC and are encouraged to develop an action plan to address deficits. We provide education and guidance to charities to address governance gaps and investigate serious matters when needed.
Investigations
We investigate charities when we believe there is a high likelihood of serious non-compliance, or the consequences of governance failures presents the greatest risk of harm. Charities under investigation are required to provide evidence to demonstrate compliance.
Where charities show a willingness and capacity to improve, we work with them to address non-compliance by using targeted regulatory advice. For serious breaches and persistent non-compliance, we will assess whether it is appropriate to use compliance powers. In the most serious cases, we may revoke a charity’s registration.
Investigation outcomes mitigate the most significant harms and inform our understanding of significant risks in the sector.
Date of issue: 20 March 2024