The impact of anti-money laundering deficiencies: A technical analysis
In March 2025, AUSTRAC filed a civil penalty proceeding against a leading venue entertainment group (the Group), alleging serious and systemic non-compliance with Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act. This article provides a technical analysis of the key areas of deficiency that were identified by AUSTRAC, recommended steps to achieve compliance, and lessons that other reporting entities can learn from.
Key areas of deficiency
1. Inadequate risk assessment
According to the statement of claim, AUSTRAC alleged that the Group failed to adequately assess the money laundering and terrorism financing (ML/TF) risks associated with its gambling services. Further, it stated that the Group’s risk assessments were not tailored to the nature, size, and complexity of its operations, leading to significant gaps in identifying and mitigating potential risks.
In summary, the areas of alleged oversight included:
- Incomplete risk identification: That the Group failed to comprehensively identify or assess the inherent ML/TF risks related to each designated service it provided (under Table 1 and Table 3, Section 6 of the AML/CTF Act), each delivery channel used to provide those services, the types of customers receiving those services and foreign jurisdictions involved in service delivery.
- Inadequate risk evaluation framework: It was alleged that the risk criteria and matrix used as part of the risk assessment methodology were not robust or appropriately applied. The statement of claim cited that risk ratings lacked a sound methodological basis for application and assessment.
- Lack of risk-based controls: That the Group did not define or implement appropriate risk-based systems and controls for each identified ML/TF risk. In AUSTRAC’s view, the controls utilised were not proportionate to the risks faced in the provision of designated services.
2. Deficiencies of AML/CTF Program Part A and Part B breaching Rule 8.4.1 and sections 84(2)(a) and (c) of the AML/CTF Act.
According to the AUSTRAC filing, the ‘Part A Program’ was found to be lacking sufficient detail and operational effectiveness, stating that the areas of alleged oversight included:
- Lack of board oversight: That the Group’s board and senior management failed to exercise ongoing oversight of the AML/CTF Part A Program.
- Deficient transaction monitoring: That the transaction monitoring program (TMP) was not aligned with the Group’s risk profile, and that it failed to detect suspicious activity across multiple accounts or channels.
- Weak Enhanced Customer Due Diligence (ECDD): That ECDD was inconsistently applied and lacked clear triggers and escalation procedures. As a result, high-risk customers were not reliably identified or reviewed.
- Insufficient Suspicious Matter Reporting (SMR) controls: The Group lacked systems to ensure timely and accurate SMR submissions. SMR decisions were often discretionary and lacked documentation on grounds for suspicions and the investigation process applied to review potential suspicious activity.
The statement of claim referenced that the ‘Part B Program’ lacked risk-based application and operational effectiveness.
The statement alleged that areas of oversight included:
- Minimum KYC only: That the Group’s program focused solely on minimum KYC collection and verification (name, date of birth and address) and did not include risk-based procedures to collect or verify additional KYC information. The verification of information was not risk-based. The Part B Program lacked controls to determine when further KYC verification was needed beyond the minimum.
- Non-compliance with verification standards: That the Group did not use reliable and independent electronic data from at least two sources, as required for medium or low-risk customers.
3. Deficiencies in the Group’s Transaction Monitoring Program (TMP) breaching Rules 8.1.3, 8.1.4, 8.1.5(1), 8.2, 15.4, 15.5, 15.6 and 15.7 of the AML/CTF Rules, and Sections 84(2)(a) and 84(2)(c) of the AML/CTF Act.
According to the complaint in the proceedings, the Group’s systems failed to detect and report suspicious transactions in a timely manner. Areas of alleged structural and systemic issues included:
- High transaction volume and inadequate systems: That the Group processed large volumes of transactions across numerous betting accounts but lacked a scalable, enterprise-wide monitoring system.
- No end-to-end automated monitoring: That the TMP lacked comprehensive, automated, rules-based alerts across all accounts and customer profiles.
- Single-dimension exception reports: Reports were based on narrow, isolated queries rather than holistic, risk-based analytics.
- Manual, ad-hoc monitoring: That monitoring relied heavily on staff observations of individual transactions, which failed to detect patterns or cross-account activity.
- No assurance processes: The TMP lacked internal assurance mechanisms to validate the effectiveness of monitoring controls.
- Inadequate procedures and guidance: There were no formal procedures for reviewing or escalating exceptions-based reports before July 2022.
- Red flags not operationalised: Although AML red flags were listed in the TMP Guide, they were not supported by actionable procedures or training.
4. Failures in identifying and reporting suspicious activity breaching Rule 8.9.1(2) of the AML/CTF Rules, and Sections 84(2)(a) and 84(2)(c) of the AML/CTF Act.
Key areas of alleged inefficiencies included:
- No comprehensive ML/TF risk assessment: That the Group lacked a foundational risk assessment, impairing its ability to detect suspicious activity.
- SMR criteria were not risk-based: The triggers for SMR reporting were not aligned with actual ML/TF risks.
- Inadequate customer risk rating processes: That the Group failed to identify and escalate high-risk customers consistently.
- Weak source of wealth/funds controls: The inability to verify customer funding sources limits the detection of unusual transactions.
- Over-reliance on staff discretion: Suspicious activity identification depended heavily on subjective judgment without clear criteria.
- Insufficient staff training: That employees lacked adequate AML/CTF risk awareness training.
- Inadequate processes for high-risk customer groups: That business development managers (BDM), VIP managers, and exclusive affiliates were not subject to robust SMR procedures.
- Weak controls for high-risk channels: That cash-in retail venues and voucher-based services lacked proper SMR escalation mechanisms.
- Failure to monitor ongoing suspicious activity: That there was no requirement to reassess or report ongoing suspicious behaviour if an SMR had been lodged in the past 6 months or 30 days.
- Inability to monitor certain customer groups: That the Group could not identify or report suspicious activity in affiliate and BDM Punt Clubs.
- Pseudonym reporting risk: SMRs could be submitted under pseudonyms, obscuring true customer identities.
- No assurance framework: That the Group lacked internal controls to verify the quality and completeness of its SMR processes.
5. Governance and oversight failures
In the proceedings, it was claimed that senior management did not ensure the AML/CTF program was implemented effectively. There was also insufficient board-level oversight of compliance risks, leading to a lack of accountability and strategic direction in managing AML/CTF obligations.
Key takeaways
The action taken by AUSTRAC is a timely reminder for all regulated entities to adopt a rigorous approach to AML/CTF compliance. The statement of claim against the Group highlights several key learnings for entities looking to meet their compliance obligations. In learning the lessons of the civil penalty proceedings, BDO recommends the following for reporting entities:
- Conduct a comprehensive ML/TF risk assessment: Customise the risk assessment to the specific products, services, delivery channels, and customer base of the reporting entity.
- Revise and strengthen the AML/CTF program: Ensure the AML/CTF program includes comprehensive procedures, escalation paths, and effective monitoring capabilities.
- Implement robust transaction monitoring systems: Utilise rule-based, data-driven, behavioural and holistic analytics to detect anomalies and suspicious activities based on the risk assessment.
- Enhance governance and accountability: Assign clear responsibilities to senior management and the board to ensure effective oversight of AML/CTF compliance.
Impact on gaming venues
It is crucial for the gaming industry, and the broader tourism, hospitality and leisure sector, to be prepared for the potential impacts that AML/CTF legislation will have. These include:
- Technology: Outdated systems can lead to regulatory breaches. Investing in advanced compliance technology is crucial for effective monitoring and detection.
- Culture: Boards and senior management will be expected to demonstrate active oversight of AML/CTF programs. A shift toward a compliance-first culture will be necessary, with clear accountability and escalation pathways.
- Regulatory scrutiny: There will likely be heightened expectations for AML/CTF compliance, especially around customer due diligence and transaction monitoring.
Venues will need to strengthen their AML/CTF Programs (Part A and B), including:
- Comprehensive ML/TF risk assessments
- Risk-based transaction monitoring systems capable of detecting all ML/TF risks reasonably faced by a reporting entity
- ECDD for high-risk customers and third-party service arrangements (e.g. affiliates, cash-in terminals) that require effective control and oversight.
AUSTRAC’s civil penalty proceeding imparts valuable lessons for reporting entities to enhance their AML/CTF compliance frameworks and mitigate the risks of non-compliance. This case serves as a stark reminder of the importance of robust risk management, effective governance, and a proactive approach to compliance.
How BDO can help
BDO is a trusted adviser to clients providing preventative financial crime risk management services. BDO’s forensic services team conduct AML/CTF independent reviews, ML/TF risk assessments, ECDD, and financial crime risk assessments for regulated institutions to ensure compliance with independent review requirements under the AML/CTF Act. Contact us to learn more about how we can assist.