A club’s AML/CTF obligations aren’t a single duty. They’re a chain, and the order is the logic.
Working reference, not legal advice
This article is written for clubs and venues that are reporting entities for EGM-related designated services. It describes the structure of an AML/CTF program under the AML/CTF Act and the AML/CTF Rules 2025, as in force from 31 March 2026. It is general information, not legal advice, and it doesn’t establish a compliance position for any particular venue. For a definitive view on your obligations, talk to an AML lawyer or your external AML consultant.
TL;DR
Under the Act, an AML/CTF program comprises two things (s 26B): the entity’s ML/TF risk assessment (the EWRA) and its AML/CTF policies. Two further functions operationalise that core: operations (the program applied day-to-day, including SMR and TTR reporting) and assurance (testing and independent evaluation) — much of which the policies themselves must address.
The four functions depend on each other in order, and they feed back: assurance corrects the policies, monitoring updates the EWRA. A program that runs those loops is a living one. The order is the logic. Risk in, assurance back.
Most clubs working through the reforms that commenced on 31 March 2026 are focused on individual questions. What counts as “unusual”. When a suspicious matter report has to be filed. What the AML/CTF Compliance Officer (AMLCO) now has to document. Those are the right questions. They’re easier to answer once you can see where each one sits in the framework.
Under the AML/CTF Act, an AML/CTF program comprises two things: the reporting entity’s ML/TF risk assessment and its AML/CTF policies (s 26B). That is the statutory core.
The other things a competent program does — applying the policies day-to-day, monitoring, reporting, testing, independent evaluation, board oversight — aren’t a second statutory structure, and they aren’t “outside” the program either. They’re required obligations, and much of their substance has to be built into the policies themselves: governance, CDD, reporting controls, training and independent evaluation are all matters the policies must deal with.
So the four-function model below isn’t an alternative to the statutory core. It’s a practical way to understand how that core operates: the risk assessment sets the basis, the policies document the controls, operations apply them, and assurance tests whether they work and feeds back into the next review.
The enterprise-wide risk assessment is where the club identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks it may reasonably face in providing designated services (s 26C). For an Australian permanent establishment, the assessment looks across:
For most local clubs the countries limb may be brief, but it should still be considered and documented rather than ignored.
The output is a documented risk profile specific to the venue. That profile is what makes the rest of the program defensible: when the AMLCO sets a monitoring expectation or decides which patron behaviours warrant enhanced attention, those choices should be explainable by reference to the risk assessment.
A monitoring framework that isn’t anchored in a risk assessment is one where the thresholds are guesses.
The Act requires the policies, procedures, systems and controls to manage and mitigate the ML/TF/PF risks the assessment identified, to ensure compliance with the Act, the Rules and the regulations, and to be appropriate to the nature, size and complexity of the business (s 26F).
A 25-machine community club and a 200-machine metropolitan venue can both meet their obligations with very different programs, because “appropriate to nature, size and complexity” scales the obligation to the venue. This function covers how customer due diligence works, what triggers enhanced customer due diligence, how records are kept, and how the AMLCO is positioned.
Together with the risk assessment, this is what the Act calls the AML/CTF program.
Operations is the program in practice: floor monitoring, CDD checks, patron interactions, and the records that accumulate as a by-product. If the policies describe the method, operations is the method being applied. Two reporting obligations sit here:
Suspicious matter reports (SMRs). When ongoing monitoring surfaces a suspicion on reasonable grounds, an SMR must be submitted within three business days after the day the suspicion is formed — or within 24 hours where the suspicion relates to terrorism financing (s 41). The trigger is the formed suspicion, tied to a designated service, at any dollar amount and independent of whether any threshold was reached.
Threshold transaction reports (TTRs). In the ordinary club cash case, a designated service involving a cash threshold transaction — a transfer of physical currency of $10,000 or more (or its foreign-currency equivalent) — must be reported within 10 business days (s 43). “Threshold transaction” is broader than cash alone; the cash limb is the one most clubs encounter.
Reporting is an output of the operations function, not a separate stage of the program. It’s where the investment in the first two functions either produces a defensible, timely outcome or doesn’t.
Assurance is the function AUSTRAC enforcement actions keep returning to. It has two parts.
Testing asks two questions of each control: is it the right control for the risk (design effectiveness), and is it actually being applied as written (operating effectiveness)? A control can be well-designed but not operating — for example, a policy that requires enhanced CDD on high-risk patrons while, in practice, most of them are never escalated. The two questions produce different signals, and a program needs both.
Independent evaluation is the broader review. AUSTRAC’s guidance is that the evaluator shouldn’t be the people who develop, implement or maintain the program, shouldn’t be the ones who assess the ML/TF risks, and shouldn’t be the AMLCO or the compliance team. Under the AML/CTF Rules 2025 (rule 5-10), the evaluation evaluates the risk-assessment steps, evaluates the design of the policies, tests compliance with the policies, tests whether risks are being appropriately identified, managed and mitigated, and produces a written report to the governing body and any senior manager responsible for approvals under s 26P.
The four functions feed back into each other.
A program that runs these loops is a living one. A program where the EWRA was written once and never revisited has a broken chain, no matter how complete any single function looks in isolation.
Board and senior-management oversight isn’t a fifth function bolted on the end; it runs across the whole framework.
Under the reformed Act (s 26H), the governing body must exercise ongoing oversight of the identification and assessment of risk and of compliance with the AML/CTF policies, the Act, the regulations and the Rules, and take reasonable steps to ensure risks are identified, assessed, managed and mitigated. The Rules also require the AML/CTF policies to ensure the governing body receives the AMLCO’s reports at least every 12 months on compliance and on the effectiveness of the policies (with a limited exception for some individual or single-person governing-body situations).
The governing body can’t delegate AML and stop looking.
The major Australian matters are usually read as “controls were missing”. The more accurate reading is structural.
In the Star, Crown and Mounties matters, the regulatory lesson was not simply that controls were absent. It was that programs, monitoring, governance and assurance were alleged to be insufficiently risk-based, tested, or operating in practice. In the Mounties matter, for instance, five independent review reports existed — the issue alleged was that the reviews did not properly test, verify, or engage with how the entity actually complied.
A function can be present on paper and still fall short if it isn’t genuinely doing its job. That is exactly why the loop, not the checklist, is the right mental model.
| Function | What it asks | Who owns it | Key artefact |
|---|---|---|---|
| Risk assessment (EWRA) | What ML/TF/PF risks does this venue face? | AMLCO & governing body | Documented enterprise-wide risk assessment |
| Policies & controls | How do we manage and mitigate them? | AMLCO | AML/CTF policies, appropriate to nature, size, complexity |
| Operations | Apply it day-to-day; report what the law requires | Floor & management | CDD records, monitoring trail, SMRs, TTRs |
| Assurance | Is it the right control, and is it working? | Independent reviewer | Written evaluation report to the board |
The order is the logic. Risk in, assurance back.