From compliance to culture - AML lessons from AUSTRAC’s civil action

Recent civil proceedings launched by AUSTRAC for serious and systemic breaches of Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) laws highlight the strict approach taken by the regulator in enforcing compliance. The case centres on failures to monitor high-risk customers and maintain a compliant AML/CTF program, despite the entity leveraging the services of an outsourced third-party provider used widely across the sector. This oversight serves as a valuable lesson for all entities captured by the legislated requirements.

The action was the first AUSTRAC civil penalty case to target pubs and clubs following years of regulatory warnings across the sector. The club in question operated more than 1,400 poker machines across 10 venues and generated hundreds of millions in revenue. That scale demands robust AML controls.

AUSTRAC raised concerns that the large volume of cash moving through poker machines in pubs and clubs makes them potentially attractive for laundering the proceeds of crime, placing the sector under increased regulatory scrutiny. As casinos have become more tightly regulated, there is an increasing risk that criminals may shift more laundering activity to smaller venues like pubs and clubs.

The legal action serves as a reminder for the industry to ensure it is appropriately mitigating risk, and underscores an important lesson that operating a community-run club in a suburb or town does not reduce exposure to money laundering risks, nor does it lessen the legal responsibility to manage those risks. Insufficient investment in comprehensive risk management frameworks and AML/CTF compliance can present challenges. Transitioning from older, minimal compliance approaches to a more integrated culture of transparency, accountability, and ongoing trust may offer competitive benefits.

In response to this enforcement action, AUSTRAC has re-released its regulatory guide for pubs and clubs to help venues with electronic gaming machines (EGMs) better understand and meet their AML/CTF obligations. The updated guide shares insights to help venues strengthen compliance and manage risk more effectively. Key updates include:

• Clarification of risks where customers may use proceeds of crime to fund gambling
• Expanded examples of ML/TF risks and effective controls
• Guidance on engaging AML/CTF consultants and conducting independent reviews.

Key allegations

AUSTRAC alleges the organisation:

• Failed to conduct and maintain an adequate money laundering/terrorism financing (ML/TF) risk assessment. This foundational oversight meant the board lacked visibility into the club’s exposure to ML risks
• Did not provide tailored AML training to staff
• Lacked risk-based transaction monitoring and enhanced customer due diligence (ECDD) systems
• Did not subject its AML/CTF program to a compliant independent review
• Failed to monitor high-risk customers, including 10 individuals who collectively turned over more than $139 million.

The outsourcing trap

There is an important lesson for all entities caught by the AML/CTF legislation. Like many in the industry, the organisation that was the subject of the proceedings outsourced key AML functions to a third-party provider, which is not uncommon in the sector. AUSTRAC clarified that outsourcing does not remove an entity’s legal obligations or responsibilities. The regulator criticised the common ‘set and forget’ approach, where templated programs are adopted without tailoring or active oversight. Affected entities would do well to heed this advice, particularly with the plethora of new entrants into the market ahead of the Tranche 2 changes taking effect. There are two key areas for consideration. Firstly, conduct thorough checks on third-party providers: request demonstrations, consult independent referees, and confirm their solutions can be customised for your business. Make sure they know AML/CTF and have sector-specific qualifications. Secondly, conduct a thorough internal review of policy and procedures, AML/CTF risk frameworks and associated processes to understand your own risk appetite and ensure that any third-party materials are fit for your specific purposes and environment.

It is clear from the recent regulatory action that ultimately organisations themselves bear the obligations and responsibility for the effectiveness of their AML/CTF programs regardless of any third-party arrangements.

Why templated AML programs fall short

‘One size fits all’ templated AML frameworks often:

• Misclassify risk levels, for example, rating high-risk activities as ‘low’
• Lack operational detail for staff to implement controls
• Miss emerging typologies such as ‘bill stuffing’ or collusion with staff
• Fail to reflect the unique risk profile of each venue due to a lack of customisation.

What clubs should do now

To meet regulatory expectations and genuinely mitigate risk, clubs must move beyond generic AML solutions. We recommend conducting an independent review to ensure your AML/CTF program:

• Reflects your venue’s size, structure, location and customer base
• Includes practical, role-specific training
• Has robust transaction monitoring and ECDD processes
• Is regularly reviewed and updated to reflect evolving risks.

Selecting a reviewer with a comprehensive scope, proven methodology, and deep sector experience ensures meaningful insights and credible assurance. The review must also include sample testing of key AML/CTF controls. When selecting an AML independent reviewer, clubs should prioritise independence, sector experience, and a comprehensive scope over cost alone. A reputable provider brings strategic insight, rigorous methodology, and ethical clarity, delivering not just compliance assurance, but genuine value to the organisation’s AML resilience. This case is a timely reminder that AML compliance is a critical governance safeguard and not just a compliance checkbox. With major reforms to the AML/CTF regime taking effect on 1 July 2026, now is the time to act. Clubs must invest in tailored, risk-based frameworks that withstand regulatory scrutiny and protect their operations, reputation, and community standing.

Establishing a well-defined risk appetite and robust risk frameworks is essential for effective governance. Ethical leadership requires clubs to take full responsibility for their risk management practices. Directors should proactively inquire about potential risks, be willing to challenge the information put in front of them, be well-versed in escalation procedures, and ensure that all reporting is both thorough and delivered in a timely manner. The appointment of board-level AML champions is crucial to foster cultural transformation within the organisation.

A robust risk framework includes a tailored ML/TF risk assessment, defined risk appetite and escalation pathways, integrated transaction monitoring and due diligence systems and ongoing staff training aligned to role and risk exposure. Importantly, the risk framework must be structured and embedded across all products and services, and operational processes from the outset - not as an afterthought.

 

How BDO can help 

BDO is a trusted adviser to clients across a broad range of services and provides forensic services support, including preventative financial crime risk management. BDO’s forensic services team conduct AML/CTF independent reviews and proactive financial crime risk assessments for highly regulated institutions to ensure they comply with their independent review requirements under the AML/CTF Act. If you would like to learn more about our services, contact us today.