• Book before 13 March and save up to $500 5 - 7 May 2026 | Sydney Masonic Centre (SMC)

Article:

5 mistakes organisations make when fraud hits

By the time ASIC launched civil penalty proceedings against former directors and executives of Star Entertainment, the central failure was no longer money laundering. It was governance. Regulators were no longer asking whether criminal conduct occurred; they were asking whether the board understood what it had been told, what it chose not to interrogate, and why it failed to act when warning signs were already on the table.

That shift is now the defining feature of major fraud and integrity cases in Australia. Once misconduct becomes public, outcomes are determined less by the original breach than by what boards do next: how quickly they engage, how honestly they respond, and whether they demonstrate that governance still functions when pressure peaks.

Most organisations invest heavily in fraud prevention.

Far fewer prepare for the moment fraud becomes a board-level crisis.

Mistake 1: Treating regulators like technicians, not prosecutors

Many boards still behave as though regulators approach post-incident engagement as a technical compliance exercise. That assumption is no longer tenable.

In the Star Entertainment case, ASIC’s action against individual directors rests on alleged failures to respond to known risks, not on ignorance of wrongdoing. Reporting around the proceedings shows regulators focusing on information flow, escalation and decision-making. In other words, governance under stress.

This approach mirrors AUSTRAC’s landmark action against Westpac. The $1.3 billion penalty was not framed as an isolated control failure, but as a systemic breakdown in risk management as the bank expanded high-risk products without adequately reassessing exposure. The regulator’s concern was not volume alone, but whether the institution understood what its own data was telling it.

Boards often underestimate how quickly regulator posture hardens once engagement appears delayed, partial or defensive. At that point, regulators stop assuming good faith and start testing it.

Boards should assume that early regulator engagement will be interpreted as a signal of intent. Waiting to “get the facts straight” before engaging often looks less like prudence and more like avoidance.

Mistake 2: Confusing reassurance with oversight

One of the most consistent patterns across Australian fraud and integrity failures is that boards believed they had visibility, until they discovered, too late, that they did not.

At Crown Resorts, AUSTRAC’s enforcement action followed findings that AML controls failed to keep pace with evolving risk. Reporting revealed that boards received regular updates, but those updates did not meaningfully convey how exposure was compounding. Oversight existed in form, not substance.

This is not accidental. Boards are often presented with metrics that reassure rather than inform: policy completion rates, training attendance, control attestations, and incident counts. What they rarely see is trajectory: whether risk is accelerating, where controls are weakest, or where commercial pressure is overwhelming safeguards.

The PwC confidentiality scandal exposed a related governance failure. Internal awareness of misconduct existed well before public disclosure, yet escalation stalled. The Senate inquiry showed that procedural governance operated smoothly while substantive governance failed. Cultural risk was tolerated because it was inconvenient to confront.

Boards accept these conditions more often than they admit. Escalation brings friction. Reassurance is easier.

Directors should ask for metrics that make them uncomfortable: unresolved high-risk exceptions, control overrides, incentive-driven risk concentration, and management disagreement. If reporting never creates friction, it is not working.

Mistake 3: Treating fraud as a cost, not a strategic threat

Fraud is still commonly framed as a remediation expense rather than a strategic risk. That framing shapes how boards respond, and how regulators judge them.

The GST refund fraud scandal exposed by Four Corners highlighted how operational speed and volume incentives overwhelmed detection controls. Public reporting focused not only on criminal exploitation, but on how internal trade-offs were made, and who owned them. Fraud risk was treated as an operational inconvenience until losses forced attention.

This is the point many boards miss: fraud risk is rarely static. It grows at the intersection of automation, incentives and scale. When boards do not explicitly own those trade-offs, regulators infer that no one does.

Fraud risk should be debated in the same terms as growth strategy, technology investment and operational efficiency. Directors should ask not whether controls exist, but what business decisions are actively increasing exposure, and whether that increase has been consciously accepted.

Mistake 4: Waiting for regulators to demand independence

Once fraud becomes public, boards often commission independent reviews, but frequently only after regulators or parliament signal dissatisfaction. By then, credibility has already eroded.

PwC’s response to the tax confidentiality breach illustrates the cost of delay. What began as an internal conduct issue escalated into a reputational crisis precisely because external scrutiny reframed the issue before governance action did. Independence looked reactive rather than embedded.

Regulators now assess not just whether reviews occur, but when they occur and who initiated them.

Boards should commission independent forensic or governance reviews before regulators request them. Voluntary independence changes the power dynamic and signals that accountability is not being rationed.

Mistake 5: Using comfort language instead of consequence

After fraud incidents, boards often default to familiar language: controls strengthened, lessons learned, processes reviewed. That language now signals evasion rather than reassurance.

Regulators and parliamentarians are increasingly focused on consequence management: who was accountable, how decisions were made, and what changed as a result. Vague commitments undermine trust precisely when boards are being tested.

Boards should communicate in specifics: what failed, who owns remediation, how accountability is assessed, and what will be reported publicly. Ambiguity is no longer neutral; it is interpreted.

Fraud becomes a board problem not when misconduct occurs, but when governance fails to surface, interrogate and act on risk under pressure. Australian regulators have made clear that boards are expected to understand not just what happened, but why they did not see it sooner.

Directors who still treat fraud as a compliance issue misunderstand the environment in which they operate. The decisive question is no longer whether fraud can be prevented entirely (it cannot), but whether boards are willing to confront uncomfortable information before someone else does it for them.

The boards that fare worst after fraud are rarely those that knew least. They are the ones who waited longest to admit what they already suspected.


To learn more about building board, audit committee, and stakeholder confidence in the aftermath of fraud going public, visit the FraudCon website.