Executive Summary

Australia’s anti-money laundering landscape has fundamentally transformed. Over the past seven years, AUSTRAC has evolved from a compliance-focused regulator into an enforcement powerhouse, issuing penalties exceeding $2.5 billion against major financial institutions. As we approach the July 2026 implementation of expanded AML/CTF laws—bringing approximately 80,000 new businesses under regulatory oversight—boards and senior executives are witnessing an inflection point. This article distils eight years of AUSTRAC enforcement actions, regulatory guidance, and strategic priorities into actionable intelligence for board members and senior executives navigating this new terrain.

Key Takeaways for Time-Pressed Executives

  • $2.5B+ in penalties since 2017—compliance failure is now an existential risk
  • Regulatory philosophy has shifted from compliance-checking to harm prevention
  • Gambling, crypto, and remittance sectors face intense scrutiny
  • 80,000 new businesses join the regime in July 2026 (Tranche 2)
  • Board governance failures feature in every major enforcement action
  • Self-disclosure and cooperation materially influence regulatory outcomes

The Billion-Dollar Wake-Up Call

When Compliance Failures Become Existential Threats

The numbers tell a stark story. Since 2017, AUSTRAC has secured penalties that have redefined corporate Australia’s understanding of AML/CTF risk:

| Entity | Penalty | Year | Key Failures |
|---|---|---|---|
| Westpac | $1.3 billion | 2020 | 23 million+ contraventions; IFTI reporting failures |
| CBA | $700 million | 2018 | IDM risk assessment failures; late TTR reporting |
| Crown Resorts | $450 million | 2023 | Inadequate customer due diligence; governance failures |
| SkyCity Adelaide | $67 million | 2024 | Program deficiencies; oversight failures |
| Tabcorp | $45 million | 2017 | AML/CTF program failures |

Behind every penalty lies a common thread: criminals successfully exploited weak controls to launder proceeds from drug trafficking, child exploitation, human trafficking, and terrorism.

The Human Cost of Compliance Failure

Behind every enforcement action lies human tragedy that compliance failures enabled. Consider the Westpac matter. The bank admitted to failures in customer due diligence relating to suspicious transactions associated with possible child exploitation. These weren’t abstract technical breaches; they represented missed opportunities to disrupt the funding of child abuse. As AUSTRAC noted, the bank’s failures meant law enforcement was denied access to intelligence that supports criminal investigations.

Or consider AUSTRAC’s crypto ATM investigation in 2025. Analysts examining the most prolific users discovered something disturbing: a woman in her 70s who had deposited more than $430,000 into crypto ATMs after falling victim to romance and investment scams. She has no way of recovering that life-changing sum. Another woman in the same age bracket lost over $200,000 to what she believed was a legitimate trading firm.

Crown’s contraventions were equally sobering. The casino continued business relationships with suspect operators despite being aware of allegations connecting them to organised crime. High-risk customers moved millions through the casino in ways that obscured the source and ownership of funds.

These represent the human cost of weak controls: victims whose lives are devastated because financial institutions failed to ask the right questions or raise the right flags. The regulatory response has been clear. Compliance failures that enable serious crime will attract severe consequences, regardless of the institution’s size or reputation.

A Regulatory Philosophy Transformed

From Box-Ticking to Harm Prevention

AUSTRAC’s 2025-26 regulatory priorities signal a fundamental philosophical shift. The regulator is moving beyond assessing whether businesses have policies in place, toward evaluating whether those policies actually prevent criminal exploitation. Three dimensions of this transformation stand out:
  1. Sector-Wide Risk Focus: AUSTRAC now examines risk and behaviour at an industry level rather than solely targeting individual entities. This means that sector-wide deficiencies, such as the concerning patterns identified in the non-bank lending sector, will trigger coordinated regulatory responses.
  2. Outcome-Based Assessment: The question is no longer “Do you have an AML/CTF program?” but rather “Is your program effectively preventing money laundering?” This requires boards to move beyond compliance attestations toward substantive risk management.
  3. Proactive Intelligence Integration: AUSTRAC is enhancing its intelligence capabilities to identify sectors failing to manage risk, using these insights to inform regulatory priorities and enforcement activities.

The Tipping Point Test

For boards, a useful frame is the “tipping point test”: Would your AML/CTF controls have identified and escalated the specific fact patterns that led to recent enforcement actions? Consider the crypto ATM sector. AUSTRAC’s Cryptocurrency Taskforce found that 60-70 year olds accounted for 29% of all transactions by value, a demographic pattern inconsistent with legitimate cryptocurrency adoption but highly consistent with scam victimisation. Businesses with effective transaction monitoring should have detected these anomalies.

Sectors Under Intense Scrutiny

The 2024-25 Priority Landscape

AUSTRAC has been explicit about where regulatory attention is focused. Understanding these priorities is essential for boards assessing their risk exposure.

Gambling and Gaming

The gambling sector remains AUSTRAC’s most active enforcement frontier. Beyond the major casino actions, recent developments include:
  • Entain (Ladbrokes/Neds): Federal Court proceedings commenced December 2024, alleging serious and systemic non-compliance including poor board oversight and failure to verify customer identity when third parties processed transactions
  • Sportsbet: Enforceable undertaking accepted May 2024 following external audit
  • Bet365: Enforcement investigation ongoing since March 2024
  • Mounties Club: Civil penalty proceedings launched July 2025, highlighting that even venues outsourcing AML/CTF functions remain responsible for compliance
The message to gambling operators is clear. Size provides no immunity, and outsourcing provides no excuse.

Digital Currency Exchanges

AUSTRAC has identified the DCE sector as presenting high money laundering vulnerability. Regulatory actions in 2024-25 include:
  • Binance Australia: External audit ordered August 2025 over concerns about localised risk understanding and governance
  • Crypto ATM operators: Industry-wide conditions imposed including $5,000 transaction limits and mandatory scam warnings
  • Registration blitz: 22 businesses voluntarily withdrew registration; 100+ slated for cancellation
The disturbing finding that almost all high-value crypto ATM users referred to law enforcement were victims rather than criminals underscores the exploitation occurring in this sector.

Remittance Services

Western Union was ordered to appoint an external auditor in July 2025 following ongoing concerns about customer due diligence, suspicious matter reporting, and program functionality. The sector’s vulnerability to cross-border criminal exploitation makes it a perennial priority.

Non-Bank Lenders and Financiers

A recent regulatory campaign revealed stark deficiencies:
  • 89% of businesses reported having no high-risk customers
  • Almost 90% did not report a single suspicious matter in 2024
  • Just two businesses reported approximately half of all suspicious matters for the entire sector
Mercedes Benz Financial Services was ordered to appoint an external auditor in May 2025 following these findings.

What AUSTRAC Expects from Boards

The Governance Imperative

Across every major enforcement action, governance failures feature prominently. AUSTRAC’s expectations for board and senior management oversight are now well-established:
  1. Active Oversight, Not Passive Receipt: Boards must demonstrate ongoing engagement with AML/CTF risk, not merely receive periodic compliance reports. The SkyCity judgment specifically cited failure to establish an appropriate framework for board and senior management oversight.
  2. Resource Adequacy: Programs must be resourced commensurate with business size and risk profile. One of the cases with another Big4 bank highlighted that three years passed between intelligent deposit machine rollout and any ML/TF risk assessment.
  3. Third-Party Accountability: Outsourcing AML/CTF functions does not outsource legal obligations. The Mounties proceedings specifically allege that reliance on a third party provider without proper oversight contributed to non-compliance.
  4. Customer Due Diligence Culture: High risk customer relationships require genuine scrutiny. Crown’s admission that it deliberately obscured some high-risk customer identities on its own systems using pseudonyms to “protect their privacy” represents exactly the culture AUSTRAC is targeting.

The Independent Review Question

AUSTRAC has flagged concerns about independent reviews that are limited in scope relative to business size, offerings, and risks. Boards should ask:
  • Does our independent review genuinely stress test our controls?
  • Are we seeking challenge and rigour, or comfort?
  • Would our review have identified the issues found in recent enforcement actions?

Tranche 2—The Coming Expansion

80,000 New Businesses, One Year to Prepare

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 represents the most significant expansion of Australia’s AML/CTF regime since its inception. From July 2026, new sectors will fall under AUSTRAC supervision:
  • Real estate agents
  • Lawyers and conveyancers
  • Accountants
  • Trust and company service providers
  • Dealers in precious metals and stones
  • Other designated service providers
AUSTRAC has committed to a pragmatic approach, but expectations remain clear. New sectors should be making sustained progress toward compliance now.

Implications for Existing Regulated Entities

For banks and established financial services providers, tranche 2 presents both obligations and opportunities:
  • Due Diligence Requirements: Correspondent relationships and business customer assessments may need to account for whether professional service providers are meeting their new AML/CTF obligations. A real estate agent facilitating suspicious property transactions or an accountant structuring arrangements to obscure beneficial ownership becomes a risk vector for financial institutions providing associated services.
  • Benchmark Setting: AUSTRAC has noted that new sectors will look to established businesses for examples of effective ML/TF risk management. The opportunity to demonstrate industry leadership exists, and institutions that help lift sector-wide standards may find themselves with enhanced regulatory standing.
  • Supply Chain Awareness: Entities using services from tranche 2 providers (legal, accounting, real estate) should understand how those providers are preparing for their new obligations. Due diligence on professional service providers may need to expand.
  • Suspicious Matter Reporting: As tranche 2 entities begin submitting reports, AUSTRAC’s intelligence picture will expand significantly. Patterns and networks currently invisible may become apparent, potentially triggering retrospective questions about existing customer relationships.

Intelligence Partnerships—The Fintel Alliance Model

When Collaboration Becomes Competitive Advantage

AUSTRAC’s Fintel Alliance represents a distinctive approach to financial crime disruption. This public-private partnership brings together major banks, remittance providers, gambling operators, and law enforcement agencies to share data and intelligence in real time. Recent outcomes demonstrate the model’s effectiveness:
  • Analysis of 50 million+ cash deposit transaction data points across four major banks identified major criminal networks now subject to law enforcement action
  • Joint operations have led to arrests for child exploitation, money laundering, fraud, and tax evasion
  • The collaborative data analytics hub is now becoming a central AUSTRAC function
For member institutions, Fintel Alliance participation provides:
  • Early visibility of emerging threat patterns
  • Collective capability against criminal networks operating across institutions
  • Demonstration of proactive compliance culture to regulators
The expansion of Fintel Alliance to include tranche 2 entities signals that collaborative intelligence will be central to the regime’s future.

International Reach: The Pacific Financial Intelligence Community

AUSTRAC’s influence extends well beyond Australian shores. Through the Pacific Financial Intelligence Community (PFIC), AUSTRAC works with financial intelligence units across 13 Pacific nations to combat transnational financial crime. The TAIPAN system—a data analytics platform developed by AUSTRAC—has now been deployed to FIUs across the Pacific, including Papua New Guinea, Vanuatu, Samoa, Palau, Marshall Islands, and Cook Islands. This technological uplift means suspicious financial patterns crossing regional borders are increasingly visible to coordinated analysis. For Australian institutions with Pacific exposure, this matters. The intelligence net is widening. Transactions that might previously have disappeared into less-monitored regional financial systems are increasingly subject to scrutiny.

The Scambling Case Study

A recent Fintel Alliance campaign highlights the model’s agility. “Scambling”, where unlicensed online gambling platforms use social media to direct victims to scam websites, was identified as disproportionately targeting regional and remote Aboriginal communities. The pattern (frequent small transactions) meant traditional mandatory reporting would not capture the activity. However, by combining data from multiple sources about sub-threshold cash transactions, Fintel Alliance quickly understood the nature and extent of criminality and disseminated alerts to members.

The Enforcement Toolkit

Understanding AUSTRAC’s Escalation Ladder

AUSTRAC employs a graduated enforcement approach. Understanding this progression helps boards assess the seriousness of any regulatory engagement:

Level 1: Education and Guidance
Industry wide communications, sector risk assessments, and compliance guidance. Currently, AUSTRAC is actively engaging tranche 2 sectors at this level.

Level 2: Supervisory Campaigns
Targeted assessments across a sector or theme. The non-bank lending campaign and corporate bookmaker assessments exemplify this approach.

Level 3: External Audit Orders
Section 162 directions requiring appointment of an external auditor at the entity’s expense. Recent examples include Binance, Mercedes Benz Financial Services, Western Union, The Ville Resort-Casino, and Mindil Beach Casino.

Level 4: Infringement Notices
Financial penalties for specific contraventions. Recent notices include:
  • Revolut: $187,800 for late IFTI reporting
  • Cointree: $75,120 for late SMR reporting
  • 16 businesses: Penalties for failure to lodge compliance reports

Level 5: Enforceable Undertakings
Binding agreements requiring specific remediation actions with independent oversight. NAB, PayPal, Perth Mint, Sportsbet, ING, and Cash Converters have all been subject to enforceable undertakings in recent years.

Level 6: Civil Penalty Proceedings
Federal Court action seeking substantial financial penalties. Reserved for serious and systemic non-compliance.

Regulatory Change: The Tipping Off Offence

A significant change effective March 2025 modified the “tipping off” offence. Previously, the offence was broadly framed; now it focuses specifically on whether a disclosure could reasonably be expected to prejudice an investigation. This represents a more nuanced approach that enables legitimate information sharing between businesses while still protecting law enforcement investigations. Boards should ensure their policies reflect this updated framework.

The Self-Disclosure Consideration

Several recent cases highlight that AUSTRAC’s response is influenced by entity behaviour. Revolut self-disclosed its late reporting and promptly remediated; the infringement notice, while significant, represented a measured response. Cointree similarly received acknowledgment for cooperation and proactive remediation. Boards should ensure clear escalation pathways exist for self-identified compliance issues, recognising that transparent engagement with AUSTRAC can influence regulatory outcomes.

Strategic Imperatives for 2025-26

Ten Questions Every Board Should Ask

As AUSTRAC’s regulatory posture intensifies, boards should be equipped to interrogate their institution’s AML/CTF effectiveness:
  1. Risk Assessment Currency: When was our ML/TF risk assessment last substantively updated? Does it reflect current products, channels, and customer base?
  2. Transaction Monitoring Effectiveness: What percentage of suspicious matter reports originate from automated monitoring versus manual identification? Is this ratio appropriate?
  3. High-Risk Customer Identification: How many customers do we classify as high-risk? Is this proportion credible given our business model?
  4. Reporting Timeliness: What is our average time from suspicion formation to SMR submission? Are we consistently meeting the 3-day (ML) and 24-hour (TF) requirements?
  5. Resource Adequacy: How has AML/CTF resourcing changed relative to business growth? Are we investing commensurate with risk?
  6. Third-Party Oversight: For outsourced AML/CTF functions, what assurance do we have that providers are performing effectively?
  7. Independent Review Rigour: Does our independent review genuinely challenge our controls, or primarily validate existing approaches?
  8. Regulatory Engagement: What is the nature and frequency of our AUSTRAC engagement? Are there outstanding concerns?
  9. Industry Benchmarking: How do our SMR volumes and patterns compare to peers? Are anomalies explicable?
  10. Tranche 2 Readiness: Have we assessed how the regime expansion affects our customer and supplier relationships?

The Cost of Inaction

The financial risk is stark. A $1.3 billion penalty exceeds most institutions’ annual AML/CTF compliance budgets by orders of magnitude. But the costs extend beyond penalties:
  • Reputational damage affecting customer acquisition and retention
  • Regulatory remediation costs often exceeding penalty amounts
  • Management distraction during extended enforcement processes
  • Board and executive accountability including potential personal consequences
Investment in effective AML/CTF programs is not merely a compliance cost—it is a strategic imperative.

The Board’s Moment

In December 2024, when AUSTRAC launched proceedings against Entain, CEO Brendan Thomas made an observation that should resonate in every boardroom: “Money laundering is often a symptom of serious criminal activity, including fraud, scams and corruption, all of which have equally serious effects on our communities.”

Australia’s AML/CTF regime has matured. The era of box-ticking compliance has ended. AUSTRAC has demonstrated both the capability and willingness to pursue major enforcement actions against institutions that fail to genuinely manage ML/TF risk.

For boards, this creates both obligation and opportunity. The obligation is clear: ensure your institution’s AML/CTF program is resourced, governed, and operated to actually prevent criminal exploitation—not merely to satisfy regulatory checklists. The opportunity is equally significant. Institutions that demonstrate genuine effectiveness in combating financial crime will build regulatory trust, reduce enforcement risk, and contribute to a financial system that is genuinely hostile to criminal exploitation.

The question for every board is not whether AUSTRAC will continue its enforcement trajectory; recent actions confirm it will. The question is whether your institution will be positioned on the right side of that trajectory.