Austrac’s AML and CTF reforms have come into effect, reflecting the regulator’s mandate for improved governance, processes and calculated risk-based outcomes in a complex regulatory environment.
The new regulations began 1 April and apply to all gaming venues – pubs and clubs – with 16 or more EGMs, meaning the majority of venues have completed or are in the process of updating documents, training and engaging advisers where required.
The goal now is about proving programs work in practise and under pressure, demonstrating delivery and how risk will be managed, as systems continue to improve.
This requires showing risk assessment reflects how the venue actually operates, consistent policies and procedures at the point of transaction and that oversight is proactive and linked to decisions and resourcing.
Pubs should determine whether compliance practices meet requirements and develop an implementation plan incorporating the current state and end goals, and reason for deficits, as well as what is required, a timeline and person(s) responsible, and both review and oversight processes. The plan must include formal senior manager or board approval. More information.
“The biggest challenge we see right across the industry is fragmented and siloed data,” says John Rayment, CEO of compliance technology platform BNDRY, used by some of Australia’s largest pubs and clubs.
“Compliance teams have plenty of data, but it’s scattered across multiple shared drives, spreadsheets, disconnected tools, Word docs, PDFs and more, making it extremely difficult to see customer risk profiles.”
Do’s and Don’ts
Risk ratings must now be exercised on customers undergoing Initial Customer Due Diligence (Initial CDD), using information reasonably known or collected, including PEP and sanctions status, past dealings or incidents and more. The exemption threshold has been reduced from $10,000 to $5,000, but a venue can complete an Initial CDD if a risk-based trigger such as ‘suspicious behaviour’ occurs.
AML/CTF programs must address what additional checks might be undertaken according to risk ratings, such as background checks, adverse media and covert source of wealth, and high-risk patrons require senior manager approval to use gaming machines.
Pubs should develop new processes for Initial CDDs and applying customer risk ratings, and lower CRT payout limits to less than $5,000 to ensure players see cashiers and complete Initial CDDs. Cheque payout and customer identification forms need to be amended to ensure the collection of necessary information. Also consider staff training and how additional information garnered will be managed. More information.
Austrac has made clear it ‘red flags’ the use of risk assessment templates lacking customisation, which frequently omit terrorism financing and the new requirement to mitigate ‘proliferation financing’. The process is not merely an administrative task, but rather justification for the controls put in place to keep the venue within its risk appetite. Detailed assessments, citing data sources and justifications, are deemed stronger and better aligned. More information.
Rayment offers Austrac wants venues to demonstrate someone actually thought about the business, warning against:
- Generic risk ratings (“medium”) with no supporting rationale
- Mitigating controls referencing policies that don’t actually exist at the venue
- No reference to the venue’s actual AML/CTF program, history or structure, and
- Risk ratings that haven’t changed across review periods, despite material changes to the business
“A template risk assessment is acceptable if it’s clearly tailored to your business,” says Rayment.
“Each risk rating is justified, controls align to those risks, and it can withstand scrutiny from AUSTRAC.”
In line with hospitality licensing, AML/CT Compliance Officers (AMLCO) must be deemed ‘Fit-and-Proper’, with expanded requirements for appointment, requiring management level, and amongst other requirements demonstration the person is of good moral and ethical character, and competent, with no history of negative regulatory action.
“The Compliance Officer turns regulatory obligations into real-time, auditable execution, and provides management and the board with continuous visibility and assurance over risk,” explains Rayment.
Pubs with an existing AMLCO need to demonstrate they meet the current requirements. All should develop new procedures for appointments, with ongoing oversight and steps for remediation if concerns are identified, such as when a new AMLCO is necessary. More information.
Putting it in place
Not every organisation has been able to deliver the full reform changes by the due date. In these instances, Austrac expects at least a documented implementation plan.
Pub and clubs with 20 EGMs have exactly the same regulatory position, including obligations, CDD requirements and reporting duties.
Austrac says it is important for “board and/or senior management” to be appropriately involved, as enforcement actions stress holding those accountable for insufficient oversight of AML/CTF compliance.
Owners or senior management should be actively engaged, questioning conclusions, the approach and implementation of changes to determining risk and controls – even if day-to-day compliance operations are delegated to a venue manager, responsibility for them cannot be delegated. More information.
An AML/CTF Compliance Officers Reform Readiness Checklist has been released by ClubsNSW, designed to help the AMLCO assist senior management and the board in their duties.
Operators wanting access to resources on the topic of AML/CTF compliance should refer to Austrac’s Regulatory Guide for Pubs and Clubs 2025.
“Using regulatory technology to streamline daily compliance activities is something all regulated businesses should consider,” furthers Rayment.
“These help demonstrate that all the necessary compliance procedures are being followed.”
