What the regulatory posture shift means for Australian registered clubs heading into FY 2026-27.
Regulatory analysis, not legal advice
This article analyses publicly available AUSTRAC documents and does not constitute legal advice. Clubs should seek independent legal and compliance advice on their specific obligations under the AML/CTF Act.
Executive summary
Between July 2025 and May 2026, AUSTRAC’s public messaging evolved from implementation urgency to what appears to be a more differentiated supervisory posture for FY 2026-27.
Read together, the four statements suggest AUSTRAC remains firm on systemic gambling-sector ML/TF weaknesses and criminal exploitation, but may be prepared to take a more pragmatic approach where clubs are making documented, risk-based progress in good faith.
Several May 2026 signals are particularly significant: “effort, not perfection,” “conversation, not enforcement, in the first instance,” explicit encouragement of simplified CDD, and direction to “turn your own mind” to unresolved guidance gaps and document reasonable positions.
For clubs, the practical implication appears to be: define your operational baseline, document your reasoning, and be able to explain why your approach to ML/TF risk was reasonable.
Between July 2025 and May 2026, AUSTRAC published four statements explaining how it expected industry to approach the AML/CTF reforms.
Read individually, they look like routine regulatory communications.
Read together, they appear to reveal something more deliberate: a shift from pre-commencement escalation to post-commencement differentiated supervision — pragmatic where entities are making documented progress, and interventionist where it perceives systemic exposure to organised crime.
None of the statements expressly say “this is our enforcement strategy for FY 2026-27.” But regulators often communicate posture through emphasis, repetition, prioritisation language, and shifts in tone over time. This article examines how AUSTRAC’s public messaging evolved as the reforms moved from pre-commencement preparation into post-commencement supervision, and what that evolution may signal about supervisory priorities during the first full post-reform financial year.
What follows is our reading of the public messaging when the four statements are viewed together.
Australia’s AML/CTF reforms did not happen in a vacuum.
The Financial Action Task Force (FATF) — the global standard-setter for anti-money laundering — commenced a mutual evaluation of Australia in 2026. Australia’s previous FATF assessment, in 2015, identified significant gaps in the AML/CTF regime, including the absence of regulation for lawyers, accountants, real estate agents, and dealers in precious metals and stones.
The 2024 AML/CTF Amendment Act was Parliament’s response: a substantial expansion of the regulated population, a shift to outcomes-focused and risk-based obligations, and a compressed timeline — 31 March 2026 for existing reporting entities, 1 July 2026 for newly regulated sectors.
That timeline created a tension AUSTRAC had to manage publicly. The reforms were extensive. The implementation burden was real. But the FATF evaluation meant Australia needed to demonstrate not just that the laws existed, but that they were being implemented. AUSTRAC’s four statements across this period can reasonably be read as navigating that tension — between the urgency of demonstrating reform progress and the reality that many businesses were not ready.
On 3 July 2025, AUSTRAC CEO Brendan Thomas published the first statement of regulatory expectations for implementation of the AML/CTF reforms (signed 4 July 2025).
The tone was collaborative. Thomas acknowledged the tight timeframes set by Parliament and the challenges they presented for businesses. The statement established a baseline philosophy:
“AUSTRAC does not expect perfection on day one. However, we do expect you to maintain your focus on reducing your money laundering risks.”
For existing reporting entities — which includes clubs with gaming machines — AUSTRAC set out five expectations: continue implementing current money laundering controls, develop and document implementation plans, show sustained effort and progress, implement tactical improvements in the short term, and act now to review and strengthen existing frameworks.
The statement also included a line that would prove significant in hindsight:
“We recommend businesses resist the urge to implement programs or processes that may create the impressions of compliance with the AML/CTF Act, but have minimal impact on the risk of money laundering.”
AUSTRAC was already signalling, seven months before commencement, that it valued genuine risk management over performative compliance.
Three months later, Thomas reinforced and extended this message directly to club directors at the ClubsNSW 2025 Conference on 15 October 2025.
Two lines from the speech are particularly significant when read against the later statements.
The first:
“AUSTRAC is moving away from tick-box compliance toward an outcomes-based model. That means our focus is on whether your systems are genuinely mitigating the risks in your business, not just whether you’ve filled out forms correctly.”
This was AUSTRAC telling a room full of club directors, five months before commencement, that the reformed regime would evaluate the effectiveness of their controls — not the completeness of their paperwork. The May 2026 language around “effort, not perfection,” simplified CDD, and “document your own position” reads as a natural extension of this principle.
The second:
“For you as existing entities, the changes mean increased obligations and increased scrutiny but also a more flexible focus on managing risk.”
Increased scrutiny and increased flexibility. That pairing is arguably the clearest single-sentence summary of the differentiated supervision posture that the four statements collectively describe.
The speech sat chronologically between the collaborative July statement and the sharper December escalation. It makes the December shift appear less abrupt — the themes of outcomes-based supervision and sector-specific scrutiny were already being articulated publicly. December intensified them; it did not introduce them.
On 18 December 2025 — 103 days before the 31 March commencement date — Acting CEO Katie Miller published an update that represented a noticeable sharpening of tone.
The collaborative framing remained. But the December statement introduced formal structure around implementation plans and connected them directly to AUSTRAC’s enforcement powers.
Under section 212 of the AML/CTF Act, the AUSTRAC CEO must consider a range of matters when performing regulatory functions. The December statement specified that, for businesses enrolled prior to 31 March 2026, the CEO would consider as a relevant matter whether the regulated business had a reasonable implementation plan, made sustained effort and reasonable progress against the plan, and exercised due care and diligence to manage ML/TF risks while working toward compliance.
The statement detailed what an implementation plan should contain: a gap analysis between current state and reformed obligations, a timeline with accountable roles, ongoing risk mitigation during the transition, and monitoring of control effectiveness through the change period. Plans were expected to be endorsed by senior management and provided to the board.
The enforcement language was markedly sharper than in July:
“If your systems and controls are not effective in managing ML/TF risks, or you are ignoring your obligations, you will continue to face regulatory action. This could include AUSTRAC commencing civil penalty proceedings or cancelling or suspending the registration of regulated businesses with unacceptably high ML/TF risks.”
And:
“We do not expect tactical responses that technically meet an obligation but reduce the effectiveness of AML/CTF controls.”
Viewed in isolation, this reads as standard regulatory communication ahead of a major legislative change. Viewed against the July statement’s collaborative tone, and against what followed in May, the December statement appears to have been designed to create urgency — a deliberate escalation aimed at moving laggards before commencement.
On 21 May 2026, AUSTRAC released an updated statement of expectations for FY 2026-27. The reforms had now commenced for existing reporting entities. Newly regulated sectors were seven weeks from their 1 July 2026 commencement date.
The tone shifted. Not back to July 2025’s baseline, but to something different — a posture that appears calibrated to the post-commencement reality of managing a significantly larger regulated population through its first year of reformed obligations.
Several lines in the May 2026 statement are doing considerably more work than their plain language suggests.
“We expect effort, not perfection, during FY26/27.”
Set against the December statement’s civil penalty warnings and implementation plan governance requirements, this line reads as a deliberate recalibration. AUSTRAC appears to be setting a good-faith-progress standard for year one — not a retreat from expectations, but an explicit acknowledgment that the bar for the first post-reform year is trajectory and intent, not flawless execution.
“Be ready to have a go at reporting when a suspicious matter arises.”
“Have a go.” From a financial intelligence regulator. For a statutory reporting obligation.
This is remarkable language, but it is also strategically coherent. AUSTRAC’s own 2025-26 Regulatory Priorities document identified a significant under-reporting problem: “a small number of reporting entities are responsible for a vast majority of the SMRs lodged with AUSTRAC, while many other entities have never lodged a report.”
The messaging appears aimed at reducing the paralysis that prevents reporting — the fear of getting it wrong — rather than signalling that reporting quality does not matter. Read in the context of the under-reporting data, AUSTRAC may prefer an imperfect SMR to no SMR at all.
“If we have a different interpretation of the law to your interpretation, we will engage in conversation, not enforcement, in the first instance.”
Neither the July 2025, October 2025, nor December 2025 statements addressed interpretation disputes. The inclusion of this commitment in the May 2026 statement, combined with the qualifier “in the first instance,” appears to represent a deliberate pre-commitment to a regulatory posture — one that distinguishes between genuine interpretive disagreement and non-compliance.
“We do not expect you to apply the same level of controls and interventions for all customers irrespective of risk. We expect that you will meaningfully consider whether simplified due diligence is appropriate and not apply a ‘one size fits all’ approach to customers and risks.”
Neither prior statement addressed CDD calibration at this level of specificity. This appears to be AUSTRAC pushing back against blanket over-compliance — a signal that the risk-based approach embedded in the reformed Act is expected to be applied in practice, not just documented in policy.
For clubs, this is directly relevant. Not every patron walking up to an electronic gaming machine requires enhanced scrutiny. The obligation is risk-proportionate monitoring — simplified CDD where risk is lower, enhanced measures where risk indicators are present. The standard is documented, defensible calibration, not uniform application.
“We expect you to turn your own mind to the question and develop your own position… We expect that you will document your position and why you consider it to be a reasonable position to adopt.”
This is AUSTRAC explicitly acknowledging that its guidance has gaps — and placing the obligation on the regulated entity to reason through those gaps, document the reasoning, and retain records of any external advice.
For clubs, this connects directly to one of the harder operational questions under the reformed Act: what does “unusual” actually mean under section 30(5) for a specific venue?
The Act defines unusual transactions and behaviours as including transactions that are “inconsistent with what the reporting entity reasonably knows about the customer, their risk profile, or their source of funds or wealth.” But AUSTRAC has not prescribed what that baseline looks like for a 30-EGM club in regional New South Wales versus a 300-machine venue in western Sydney.
The May 2026 statement appears to confirm that the obligation is to define that baseline yourself — to document what “normal” looks like for your venue, your customer base, and your risk profile — so that deviations are detectable against a stated expectation. And to be able to explain why your position was reasonable.
“If your business aligns with the characteristics described in the program starter kit and prepares an AML/CTF program using the kit, you can expect that our regulatory engagement with you will focus on your application of your AML/CTF program.”
This is not a formal safe harbour. But it does appear to offer a form of regulatory comfort for businesses that genuinely fit the starter-kit profile: use the kit, apply it properly, and AUSTRAC’s engagement will focus on how the programme is applied in practice — not whether the programme design itself is adequate.
It is worth noting that no pubs or clubs starter kit currently exists. Clubs are in the “turn your own mind to it” category — expected to develop their own programmes, calibrated to their own risk assessments, and document their reasoning.
Any reading of the May 2026 statement as a broad softening of enforcement posture would be incomplete without accounting for what AUSTRAC was doing simultaneously in the gambling sector.
In May 2026, AUSTRAC ordered Bankstown District Sports Club to appoint an external auditor under section 162 of the AML/CTF Act, amid concerns its anti-money laundering controls were insufficient. Acting CEO Katie Miller — the same official who signed the December 2025 statement — framed the action in deliberately sharp language:
“Poker machines can be exploited by criminals to turn cash into apparently legitimate winnings, especially where controls are weak or warning signs are missed.”
“Where we see signs of systemic weaknesses, AUSTRAC will intervene to protect the community and the integrity of Australia’s financial system.”
AUSTRAC explicitly linked the Bankstown action to its broader enforcement programme in the gambling sector, citing ongoing civil penalty proceedings against Mount Pritchard District and Community Club (Mounties), an enforceable undertaking with online wagering provider Sportsbet, and an enforcement investigation involving Tabcorp.
AUSTRAC’s 2025-26 Regulatory Priorities reinforced this focus. One of the seven stated priority outcomes was “improved risk management by reporting entities whose exposure to cash creates ML/TF/PF vulnerabilities.” The document noted that “cash is a mainstay of money laundering in Australia and abroad” and that AUSTRAC would conduct “discovery work to identify entities and cohorts that are not adequately managing their cash-related ML/TF/PF risks.”
Clubs with electronic gaming machines are, by definition, cash-exposed entities operating in a sector AUSTRAC has identified as a regulatory priority.
These are not contradictions. They are what the outcomes-based model looks like in practice — the same regulator, in the same period, applying a pragmatic posture to implementation friction while remaining firm where it perceives systemic gambling-sector laundering exposure. This is the “increased scrutiny and increased flexibility” Thomas described at ClubsNSW in October 2025, now visible in the regulatory actions themselves.
The four statements, viewed together, suggest a regulatory posture for FY 2026-27 that can be summarised as follows:
For clubs that are making documented, risk-based progress: AUSTRAC appears to be setting a good-faith-progress standard. The bar is effort, not perfection. Interpretation disputes will start with conversation, not enforcement. Simplified CDD is not just permitted but expected where risk is lower. The May 2026 statement appears to recognise that businesses will sometimes need to adopt documented, self-directed positions where guidance is incomplete.
For clubs with systemic weaknesses in cash-handling and transaction monitoring: AUSTRAC’s enforcement trajectory is clear. The Bankstown audit order, the Mounties civil penalty proceedings, the ClubsNSW conference address, and the explicit identification of cash-exposed entities as a 2025-26 regulatory priority all point to continued and firm scrutiny of gambling-sector ML/TF controls.
The distinction appears to turn on a single question: can you demonstrate that you are managing your ML/TF risks through documented, risk-based controls — or are you relying on generic programmes, untested assumptions, and the hope that enforcement is focused elsewhere?
The May 2026 statement does not read like a retreat from enforcement. It reads like a regulator distinguishing between entities making good-faith, documented, risk-based progress and entities demonstrating indifference, systemic ineffectiveness, or exposure to organised criminal exploitation.
For clubs, the message that appears to emerge from the four statements taken together is increasingly specific: if guidance is incomplete, turn your own mind to the problem. Document the reasoning. And be able to explain, later, why your position was reasonable.
What the programme must contain under the reformed Act — risk assessment, policies, AMLCO, independent evaluation.
How to draft a defensible Suspicious Matter Report — threshold rationale, evidence standards, the questions AUSTRAC asks.
Initial and ongoing CDD under the reformed Act — who to identify, when, and the simplified-CDD pathway.
Venue Axis turns floor activity into the documented, risk-based controls AUSTRAC expects — without the paperwork.