Risk, Safeguarding and AML for Australian Charities
Child-safe and PSEAH obligations, how to screen partners against DFAT and UN sanctions, and what good whistleblower and complaints handling actually looks like.
Risk, safeguarding and anti-money-laundering are the three areas where mistakes hurt people, not just balance sheets. They are also where ACNC compliance reviews tend to land hardest. This guide covers what's expected of charity boards and staff under each, in language a new program manager can use on day one.
Child-safe and PSEAH: what applies and to whom
If your charity works with children — even occasionally, even overseas — the National Principles for Child Safe Organisations apply. Several states layer their own Child Safe Standards on top, with reportable conduct schemes that come with legal obligations.
PSEAH (Protection from Sexual Exploitation, Abuse and Harassment) is the humanitarian sector equivalent and applies whether or not your direct beneficiaries are children. If you receive DFAT funding, PSEAH is contractual.
A working minimum:
- A child safety / PSEAH policy that covers staff, volunteers, contractors and partners.
- Working With Children Checks for every Australian role with child contact.
- Recruitment screening that includes referee questions about safeguarding behaviour.
- A trained safeguarding focal point, separate from the alleged perpetrator's line manager.
- Mandatory annual training, with attendance tracked.
- A reporting pathway that does not require the survivor to confront the perpetrator.
- An investigation protocol that loops in law enforcement and the ACNC where Reportable Incident criteria are met.
The mistake to avoid: writing the policy, training staff once, and never refreshing it. Safeguarding capability decays.
Screening partners against DFAT, UN and other sanctions lists
Australian charities cannot transfer funds or provide resources to individuals or entities on sanctions lists. The primary lists to check:
- DFAT Consolidated List — Australia's autonomous and UN-derived sanctions.
- UN Security Council Consolidated List — covered by DFAT, but worth checking independently for currency.
- US OFAC SDN List — relevant if any partner touches USD or US-correspondent banking.
- EU Financial Sanctions List — relevant for European-routed payments.
Practical workflow:
- Screen every new partner organisation, plus its board and senior leadership.
- Re-screen before every transfer (lists change weekly).
- Keep a dated record of the screening result for each transfer.
- If you get a hit, stop the transfer, document, and take advice before proceeding.
Free tools exist (DFAT's own search, some open-source aggregators). Paid tools automate the workflow and keep the audit trail in one place. Either is acceptable; doing nothing is not.
Counter-terrorism financing risk is also covered by AUSTRAC for charities that meet "designated service" thresholds — our AUSTRAC and Travel Rule guide covers when this applies.
Whistleblower and complaints handling
These are two related but distinct mechanisms.
Whistleblower channels are for staff, volunteers and contractors raising concerns about misconduct (fraud, safeguarding, corruption, breaches of law or policy). For larger charities (public companies, large proprietary companies), the Corporations Act whistleblower protections apply with legal force. Smaller charities should still meet the spirit:
- Confidential reporting channel (email, hotline, web form, external service).
- Protection against retaliation, in writing.
- Independent triage — usually the chair or an audit committee member.
- Documented investigation and outcome (anonymised where appropriate).
Complaints handling is for beneficiaries, donors, partners and the public. Good complaints handling:
- Is easy to find on your website and in field materials.
- Acknowledges within a stated timeframe (often 5 business days).
- Resolves within a stated timeframe (often 30 days).
- Escalates serious matters to the ACNC, AUSTRAC or law enforcement as required.
- Feeds learning back into operations — repeated complaints about the same thing mean the process is broken.
Bringing it together: a risk register that earns its keep
If you only have one document tying all this together, make it a risk register. A workable risk register:
- Lists each material risk (safeguarding, fraud, sanctions, financial, reputational, operational).
- Rates likelihood and impact before and after controls.
- Names a control owner.
- Logs each material incident and the lesson learned.
- Goes to the board at least quarterly with movement, not just a snapshot.
A risk register that never changes is a tick-box. A risk register that moves every quarter is a working tool.
Where to get help
Safeguarding, AML and sanctions work sit awkwardly between operations, finance and the board, which is usually why they fall through cracks. Synergaid's operations and compliance support helps charities build the policies, screening workflows and incident-response playbooks that meet ACNC, DFAT and AUSTRAC expectations together.
Related reading
Related Resources
More from the AidSynergy briefing.
ACNC External Conduct Standards: What Overseas Work Actually Requires
A working guide to the four ECS — covering activities and control, fund movement, safeguarding, and record-keeping for charities working outside Australia.
Cross-Border Transfers, AUSTRAC and the Travel Rule — What Charities Need to Know
AUSTRAC obligations don't stop at banks. If your charity moves money across borders, the Travel Rule, IFTI reporting and beneficiary identification all apply — and the cost of getting them wrong is rising.
ACNC Registration and Eligibility Explained for New Australian Charities
Plain-English answers on whether you need to register with the ACNC, how DGR status differs, which subtype to pick, and what changes if you work overseas.
About the Author
AidSynergy Editorial is dedicated to supporting humanitarian organisations through practical technology, compliance expertise, and operational insight.