A strategic guide to AML regulations for Australian gambling firms

For Australian gambling firms, the rules of the game for anti-money laundering (AML) and counter-terrorism financing (CFT/CTF) compliance have been rewritten. With Australia’s landmark Tranche 2 reforms taking effect in 2026 and financial regulators levying penalties of up to $67 million, the era of ‘business-as-usual’ compliance is over. 

The fast-paced, high-volume nature of the industry creates unique vulnerabilities that bad actors are eager to exploit, and with regulators demonstrating zero tolerance for failure, the financial and reputational stakes have never been higher.

This guide provides a strategic roadmap for compliance leaders. If you’re looking for:

• An analysis of the critical money laundering risks unique to the gambling industry;
• A breakdown of the key AML/CTF legislation affecting Australian gambling firms, including the 2026 Tranche 2 reforms;
• A clear outline of AUSTRAC’s core compliance requirements and enforcement priorities;
• Guidance on how to leverage technology to build a modern, effective AML program,

Then this guide is for you. It explores the regulatory landscape, identifies industry-specific risks, and outlines how to build sustainable, compliant operations.

What is the key legislation for Australian gambling firms?

Two pieces of legislation form the bedrock of compliance for the Australian gambling sector, with one that has overseen major reforms since 2024.

1. The AML/CTF Act 2006

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 designates gambling and gaming operators as reporting entities. This imposes stringent obligations, including:

• Developing and maintaining a formal AML/CTF program.
• Conducting thorough customer due diligence (CDD).
• Ongoing transaction monitoring.
• Reporting suspicious activities to authorities.

The Act is supported by the AML/CTF Rules, which provide specific, legally binding operational requirements that are frequently updated to reflect emerging threats.

The AML/CTF Amendment Act 2024 (Tranche 2 Reforms)

The Amendment Act, passed in late 2024, modernizes Australia’s financial crime regime and fundamentally changes the obligations of existing gambling firms. The core provisions commenced on 31 March 2026, and key changes include: 

• The formalization of outcomes-focused compliance (moving away from rigid checklists) and the introduction of mandatory proliferation financing (PF) risk assessments.
• For firms accepting virtual assets, the Act introduces Travel Rule requirements that demand the exchange of originator and beneficiary information during transfers.

2. The Interactive Gambling Act 2001

The Interactive Gambling Act 2001 governs online gambling services. While it prohibits specific gambling types for Australian residents, it also dictates how operators must structure services and verify customer identity and location.

Together, these acts create a comprehensive set of rules that require a sophisticated, detail-oriented approach to compliance from every firm operating in the sector.

What is AUSTRAC?

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the country’s primary financial intelligence and regulatory agency. As the chief enforcer of the AML/CTF Act, AUSTRAC holds significant power over the gambling industry and is the primary source of guidance for correctly fulfilling industry obligations. Its role is twofold: 

1. Intelligence: Collecting and analyzing financial data to combat money laundering (ML), terrorism financing (TF), and proliferation financing (PF).
2. Regulation: Auditing reporting entities and enforcing legal obligations.

AUSTRAC’s enforcement powers are substantial and include conducting detailed audits, issuing infringement notices, and pursuing civil penalty orders that can result in multi-million-dollar fines.

Tranche 2 reforms 2026: A complete guide for DNFBPs

Dive into our comprehensive guide on AUSTRAC’s Tranche 2 reforms and explore the significant effects on compliance in the gambling sector.

Read more

Identifying critical AML risks in the gambling sector

The gambling industry’s high-volume, rapid, and often anonymous transactions make it a prime target for financial crime. It is critical for firms to move beyond a generic understanding of risk to address specific operational vulnerabilities.

1. Player anonymity and obfuscation tactics

Anonymity remains a top risk. Criminals often use stolen or synthetic identities to decouple their activities from their real-world personas. Virtual private networks (VPNs) further mask geographic locations, allowing users to circumvent jurisdictional controls. The integration of cryptocurrencies adds another layer of complexity, making it harder to trace funds as they move from illicit sources through gambling platforms and back into the legitimate financial system.

2. High-volume transactions and structuring

Structuring, or “smurfing”, involves breaking down large sums of illicit cash into smaller deposits below the A$10,000 reporting threshold. This is a classic tactic used with electronic gaming machines, where criminals feed illicit cash into multiple “pokies” before claiming the accumulated credits. In a high-volume online casino, these thousands of small transactions often bypass legacy, rules-based monitoring systems. Criminals can play minimally before withdrawing cleaned funds, creating a plausible but false source of wealth (SOW).

3. The use of mules and third-party accounts

Criminals frequently employ money mules. These are individuals who, wittingly or unwittingly, use their personal bank accounts or create gambling accounts to move money on behalf of a criminal organization. A mule might deposit illicit funds into their gambling account, transfer the funds to another player’s account (collusive play), or make minimal wagers before cashing out.

This process makes it appear that the funds belong to the mule, effectively breaking the evidentiary chain and rendering them appear as the mule’s legitimate assets. 

For a gambling firm, identifying whether a player is acting on their own behalf or as part of a wider criminal network is a significant and complex challenge that requires sophisticated monitoring of relationships and transaction patterns.

4. Use of junkets and third-party agents

Junket operations in land-based casinos have historically been identified as major AML failure points. Third-party junket operators bring high rollers to casinos and often handle all financial transactions, including providing chips and settling debts. This model creates a dangerous layer of opacity, as casinos have limited visibility into the ultimate source of the players’ funds (SOF).

Recent inquiries into major Australian casinos revealed that syndicates used junkets to launder billions. This has led to a major regulatory crackdown, making any dealings with junkets an area of extreme risk that requires the highest level of scrutiny.

5. Collusion between players

Collusion involves transferring value between accounts under the guise of legitimate gameplay. The most common form is “chip dumping,” particularly prevalent in online poker, where a player with illicit funds intentionally loses to a beneficiary or mule.

The funds are thereby transferred from one account to another within the game’s closed loop. When the winning player cashes out, the money appears as legitimate gambling winnings.

Detecting this activity requires advanced transaction monitoring (TM) systems that can analyze gameplay patterns and the velocity of fund transfers to identify deviations from competitive play.

6. The abuse of stored value cards, chips, and loyalty programs

Criminals seek out anonymous value-transfer instruments. Physical casino chips can be purchased with illicit cash and passed to others, effectively washing the money. In the online space, stored value cards (SVCs) or prepaid cards can fund accounts, which are then withdrawn to legitimate bank accounts. Even loyalty programs can be abused; points accumulated through illicitly funded play can be redeemed for cash, luxury goods, or travel.

7. Source of funds/wealth verification challenges

Establishing a customer’s SOF and SOW is a critical component of enhanced due diligence (EDD). SOF refers to the source of the specific funds used for a transaction, while SOW refers to the source of a customer’s entire wealth.

High-risk customers, including high rollers and politically exposed persons (PEPs), may be reluctant to provide detailed financial documents, and submitted information (such as a payslip) may not be genuine or accurately reflect their spending.

Compliance teams should act as skilled investigators, using customer-provided information, third-party data, and open-source intelligence to verify a customer’s financial profile.

Recent penalties and reputational damage

AUSTRAC has demonstrated its willingness to levy staggering financial penalties against firms deemed to have systemic failures in their AML/CTF controls. High-profile enforcement actions totaling hundreds of millions of dollars have targeted deep-rooted, long-term failures, including inadequate CDD for high-risk patrons and poor oversight by boards and senior management.

Beyond the financial cost, the reputational damage from these public failings has been immense. Public inquiries have led to the loss of gaming licenses, intense media scrutiny, and a significant decline in public trust and shareholder value.

Core AML requirements for Australian gambling firms

AUSTRAC enforces an outcomes-focused program, which serves as the legal foundation for all AML/CFT efforts. The following obligations create the core of a modern compliance program for gambling firms: 

1. Integrated AML/CTF program: As of March 2026, programs must be designed to achieve specific outcomes rather than just meeting technical rules. A business’s program must conduct thorough risk assessments that address ML, TF, and PF risks and update them as those risks change. 
2. Initial CDD: Firms are legally obligated to verify customers’ identities before providing services and conduct ongoing due diligence throughout the customer lifecycle. The threshold for mandatory identity verification for gaming machines and on-course betting is $5,000. While a transition period for re-verifying old customers exists until 2029, all ongoing CDD must meet the new initial CDD standard as of March 2026. 
3. Ongoing monitoring: Firms are required to scrutinize transactions for unusual patterns, such as structuring, that lack an apparent lawful purpose. As of 1 July 2026, firms using virtual assets (VAs) are obliged to comply with the Travel Rule, ensuring high-fidelity data follows every digital asset transfer. 
4. Holistic monitoring of value-holding instruments: Firms must have systems in place to monitor all instruments that can hold or transfer value, including the funding and redemption of casino chips, stored value cards, and loyalty programs. 
5. Effective reporting: A critical duty includes submitting threshold transaction reports (TTRs) for physical cash transactions of $10,000+, and suspicious matter reports (SMRs) for suspected financial crime. 
6. Board and senior management oversight: The AML/CTF Act places ultimate responsibility on a firm’s leadership. Under the 2026 reforms, firms are obligated to appoint an AML/CTF compliance officer who operates at a management level, with sufficient authority and independence to oversee day-to-day compliance and report directly to the board at least annually. This is to ensure the program’s effectiveness.

Triggers and best practices for a modern AML compliance program

To meet these core regulatory requirements, the evolving financial crime landscape demands that firms adopt a modern, dynamic, and integrated approach to maintain a resilient defense.

A dynamic, risk-based program

A customer’s risk profile can change overnight if they become a PEP, appear in adverse media, or enter into new jurisdictions and markets. Best-practice firms use real-time data feeds for instant alerts on these changes.

Advanced screening

To combat synthetic IDs, firms should use automated systems to continuously screen their entire customer base against watchlists. Intelligent screening powered by machine learning can contextualize alerts, significantly reducing the volume of false positives that overwhelm compliance teams.

Configurable transaction monitoring

As criminal methods evolve, firms must adapt just as quickly. Modern transaction monitoring (TM) solutions must be easily configurable, enabling compliance teams to respond to emerging threats in near real time. AI-powered rule builders, for example, empower firms to create and deploy new monitoring rules to identify new structuring techniques or mule activity without waiting for a lengthy development cycle. This ensures a firm’s defenses are always aligned with the latest financial crime patterns.

Holistic monitoring and reporting

Automating regulatory reporting ensures accuracy and timeliness. Integrated case management tools can automatically flag TTRs and streamline the investigation and filing of SMRs. This automation must be defensible to maintain clear regulatory audit trails. It is recommended to use modern platforms built with explainable AI (XAI) to provide a clear, natural-language rationale for every decision. For board oversight, centralized dashboards provide data-driven metrics on risk exposure and program performance.

Leveraging market-leading AML solutions

In Australia’s highly scrutinized regulatory environment, relying on manual processes poses a commercial risk, including regulatory penalties and reputational issues. Modern AML compliance is about working smarter.

Building a sustainable business requires embedding AI-powered tools at the core of operations. ComplyAdvantage enables firms to move from a reactive posture to proactive control through:

• Agentic automation: AI agents autonomously gather data and analyze complex risk factors like player collusion or mule activity, automating the remediation of 65–85% of false positives by pre-populating narratives for regulatory reporting.
• Detecting hidden risk: Machine learning and graph analytics covering 23 million entities uncover criminal networks, structuring schemes, and behavioral anomalies with explainability.
• Real-time risk monitoring: Continuous screening against global sanctions, watchlists, and politically exposed persons (PEPs) data. Every decision includes natural-language explanations in an immutable audit log, eliminating “black box” risk.

This approach builds a foundation of trust with regulators and customers, securing long-term growth in a competitive landscape.