Defining normal.

The AML/CTF Act requires clubs to monitor for unusual transactions and behaviours that may give rise to a suspicious matter reporting obligation. Section 30(5) defines what “unusual” includes — unusually large or complex transactions, unusual patterns, transactions with no apparent economic or lawful purpose, and transactions or behaviours inconsistent with what the reporting entity reasonably knows about the customer, the nature and purpose of the business relationship, the customer’s ML/TF risk, and, where relevant, the customer’s source of funds or source of wealth.

Some unusual activity is identifiable from typologies alone. A transaction with no apparent economic or lawful purpose is unusual on its face. But the comparison-based limb of s.30(5) requires a reference point: what would have been expected for this customer, cohort, venue, or event? You can’t reliably identify what is inconsistent until you have defined what would ordinarily be expected.

For some clubs, that’s straightforward. A venue licensed for 20 EGM entitlements in a regional town where staff know every regular by name has a strong informal baseline. The practical task is not to invent new knowledge. It is to formalise what’s already known into a documented framework, so deviations become detectable against a stated expectation rather than relying on individual staff recall.

For others — larger venues, higher patron turnover, tourist-heavy locations — building that baseline is more complex. The patron mix is more variable, the cash profile is harder to characterise, and “normal” changes with the season, the day of the week, and the event calendar.

Either way, the baseline has to be documented, specific to the venue, and periodically reviewed. A generic template may be a useful starting point, but it is not a defensible baseline unless it is customised to the venue’s actual customers, services, cash profile, operating model, and local risk environment.

Most clubs working through the reformed obligations will engage a consultant to write or update their AML/CTF programme. That’s appropriate — programme design is specialist work that requires understanding of the Act, the Rules, and the regulatory guidance.

The programme sets out the venue’s risk assessment, its monitoring methodology, its escalation procedures, and its record-keeping approach. It should describe how the venue identifies unusual behaviour and what it does when it finds it.

But the programme is the architecture. The baseline is the operational substance that sits inside it.

A programme that says “monitor for unusual transactions” needs a documented answer to: unusual compared to what? That answer has to come from the venue itself. A consultant can design the segmentation approach and the monitoring methodology. But the segments — who your patrons are, what normal activity looks like, how that changes seasonally — that’s operational knowledge that lives inside the venue.

The same applies to ongoing monitoring. Recording observations, reviewing deviations, maintaining records — that’s daily work, not a periodic consulting deliverable. The programme sets the standard. The venue has to run it.

AUSTRAC’s outsourcing guidance makes the point directly: even where AML/CTF functions are outsourced, the business remains responsible and liable for meeting its AML/CTF obligations. The programme has to be genuinely applied, not just documented. A monitoring baseline that reflects the venue’s actual operations is the difference between a programme that exists on paper and one that produces defensible records.

AUSTRAC’s Regulatory Guide for Pubs and Clubs identifies the operational questions that build a venue’s monitoring baseline — customer demographics, play patterns, session duration, member-versus-guest risk profiles. Those questions are venue-specific by design.

Consider how different the answers look across different club types.

A small regional RSL with 20 EGMs might see the same 40 patrons every week. Staff know who plays carded, who comes on pension day, who always stays for two hours and leaves. The baseline is stable and built on direct observation.

A large suburban club with 150 EGMs, function rooms, and a sports bar draws a different crowd on Friday night than Tuesday morning. The patron mix includes members, guests, function attendees, and walk-ins. Cash volumes spike around events. The baseline has to account for that variability.

A coastal club in a tourist area sees seasonal swings — school holidays bring unfamiliar patrons with different play patterns. What looks unusual in winter might be ordinary in January.

None of these venues can adopt the same monitoring thresholds and call it risk-based. The Act requires controls proportionate to risk, and risk is shaped by context. AUSTRAC’s May 2026 Statement of Expectations reinforced this directly:

“We do not expect you to apply the same level of controls and interventions for all customers irrespective of risk.”

Normal is not a number. It’s a documented description of what the venue expects to see, and why.

A useful way to think about monitoring baselines is as a stack — each layer answers a different question, uses different data, and applies at a different level of specificity.

Layer 1: Regulatory normal — what behaviours are known red flags?
This is the floor. AUSTRAC publishes indicators for the pubs and clubs sector — cash manipulation, structuring near reporting thresholds, TITO ticket misuse, identity resistance, patron behaviour inconsistent with apparent financial means. These are sector-wide typologies that apply regardless of venue context. A transaction with no apparent lawful purpose is unusual on its face.

Layer 2: Venue normal — what’s typical for this venue?
Cash volumes, operating rhythms, patron demographics, EGM utilisation patterns, and seasonal variation. A mid-week $5,000 cash-out might be unremarkable at a large metropolitan club and very unusual at a small regional venue. The venue’s risk assessment should document what its normal operating envelope looks like.

Layer 3: Cohort normal — what’s typical for this type of patron?
This is where segmentation becomes practical. Not every patron presents the same risk profile or the same expected behaviour. A long-time member with a stable weekly pattern is a different monitoring proposition from an unknown visitor making a single large cash transaction. The cohort baseline defines what “usual” looks like for each operationally meaningful group — so that a departure from the group expectation becomes visible.

Layer 4: Individual normal — what’s typical for this person?
Where identity is established — through membership, loyalty programmes, or carded play — the venue may have enough history to detect individual-level deviations. A regular who suddenly triples their spend. A patron whose session duration doubles. A member who starts attending at unusual hours. These changes are only detectable if the venue has documented what the individual’s established pattern looks like.

Layer 5: Event normal — is this specific event consistent with its context?
Some events are unusual regardless of who the patron is. Large cash-in followed by almost no play and an immediate cash-out. Multiple small transactions structured just below a reporting threshold. Coordinated activity across machines by multiple people. Event-level monitoring applies even when identity is weak or unknown.

Not every venue needs all five layers active from day one. A small club might operate effectively at layers 1, 2, and 5 — regulatory typologies, venue-level baselines, and event-level alerting. As the venue’s programme matures and identity coverage improves, layers 3 and 4 become more practical.

The value of the stack is in knowing where your monitoring is strong and where it has acknowledged gaps — and documenting both.

Most club staff carry operational segmentation knowledge already. They know the pension-day regulars. They recognise the after-work Friday crowd. They notice when someone unfamiliar arrives with a large amount of cash.

The AML/CTF obligation is to formalise that knowledge into operationally meaningful groups — segments — and document what expected behaviour looks like for each one. The segment becomes the reference group against which deviations are measured.

Segments are not demographic stereotypes. They are operational reference groups — clusters of reasonably similar expected behaviour that help the venue decide what level of monitoring is proportionate.

Example segments a venue might define:

Local regulars. High local knowledge, repeat attendance, stable play patterns. The baseline is usually well-understood through direct observation. Monitoring focus: sudden changes in spend, session duration, cash intensity, visible distress, or unexplained shifts in behaviour.

Unknown or uncarded cash-heavy visitors.Lower identity certainty and higher AML ambiguity. Without individual history, monitoring defaults to event-level typologies — minimal play with rapid cash-out, structuring, repeated high-value cash events, identity resistance.

Tourist or transient patrons.Higher variability, weaker longitudinal context. Activity that would be unusual for a local regular may be ordinary for a visitor on holiday. The baseline should reflect the venue’s tourist or seasonal patron profile, not the local-regular baseline.

High-frequency gaming patrons.Patrons whose activity levels are high but potentially cohort-normal. Monitoring should focus on escalation — changes in pattern over time, welfare indicators, and cash or source-of-funds inconsistency.

Long-session patrons.Primarily welfare-relevant, but sometimes AML-relevant. Duration alone is not suspicious — the context matters. Assess alongside distress indicators, ATM use, chasing behaviour, and spending patterns.

Third-party or group behaviour. Often AML-relevant where money, tickets, or machines appear coordinated. Passing of TITO tickets between patrons, cash exchanges near gaming areas, proxy play, or coordinated cash-outs.

A venue doesn’t need to adopt every segment on this list. It needs to define the segments that are operationally meaningful for its own context, explain why they’re relevant, and document the expected behaviour for each one. The segments should be reviewed periodically — when patron demographics change, when new gaming products are introduced, or when monitoring identifies patterns that don’t fit the existing groupings.

A structural vulnerability in gaming venues is that some activity occurs through anonymous, uncarded, or weakly identified patrons — uncarded play, guest-pass visitors, walk-ins. This doesn’t invalidate baselining. It changes the type of baseline that’s available.

For anonymous patrons, individual behavioural analytics isn’t realistic. The venue doesn’t have a longitudinal history to compare against. The defensible model is event-level and venue-level monitoring — typology overlays, cash-event alerting, and staff observations — with clear documentation of the data limitation.

For members, loyalty-card holders, and carded-play patrons, individual history may be available. That enables layer-4 monitoring — detecting deviations from an individual’s established pattern.

The important thing is to match the monitoring approach to the identity certainty, and to document both. A regulator asking “how do you monitor anonymous patrons?” should get an honest answer: we apply venue-level and event-level controls, we focus on known typologies, and we document where individual baselining is not possible due to identity limitations.

Overstating monitoring capability is more risky than acknowledging a limitation. A programme that claims individual-level anomaly detection for anonymous patrons is harder to defend than one that says: “We monitor at the level the data supports, and here is how we’ve documented that.”

AUSTRAC’s May 2026 Statement of Expectations signals that the regulator values documented, risk-based reasoning over perfection. “Effort, not perfection” during FY 2026-27. “Conversation, not enforcement, in the first instance” where interpretation differs. “Turn your own mind to the question and develop your own position” where guidance has gaps.

That posture suggests the questions a regulator is likely to ask about a venue’s baseline are about reasoning, not arithmetic:

• Why did you define these segments?
• What operational evidence supported the groupings?
• How do you review whether the segments still reflect reality?
• Why are your monitoring thresholds proportionate to the risk?
• What happens when an observation doesn’t fit the expected pattern?
• How do you document the outcome — whether it escalated or was assessed as consistent?

A venue with documented answers to those questions is in a defensible position, even if the segmentation model is simple. A venue without documentation — even one with strong informal staff knowledge — has less to show a reviewer.

The bar is not algorithmic sophistication. It is: can the venue explain what it treats as normal, why that’s reasonable, and what it does when something doesn’t fit?

Most venues already have the raw material for an initial baseline — staff who know the regulars, managers who understand cash patterns, and operational experience with the venue’s rhythms. The obligation is to structure that knowledge into a documented framework.

A practical starting path:

0–90 days: Document the venue context and initial segments. Describe the venue — EGM count, geography, operating hours, patron mix, cash exposure, known risk drivers. Identify the patron segments that are operationally meaningful and explain why. Capture staff knowledge about expected activity for each segment. Map the obvious AUSTRAC typology indicators against the venue’s context.

3–6 months: Refine against observed activity. Review whether the initial segments and expected-behaviour descriptions match what’s actually happening. Adjust based on staff feedback, false positives in monitoring, and any emerging patterns that don’t fit the initial groupings.

6–12 months: Tune thresholds and document the rationale. Refine monitoring triggers based on operational experience. Document why specific thresholds were chosen or changed. Review whether segments need updating due to changes in patron mix, gaming products, or venue operations.

12+ months: Seasonal calibration and governance review. Incorporate seasonal variation into the baseline. Report to management or the board on monitoring effectiveness. Review whether the overall framework remains proportionate to the venue’s current risk profile.

This is not a technology problem at the start. A small club can build an initial baseline with structured observations, a documented venue profile, and a simple review cycle. The programme matures over time — but it has to start somewhere, and starting with what the venue already knows is both practical and defensible.

1. Anti-Money Laundering and Counter-Terrorism Financing Act 2006(Cth), s.30 — ongoing customer due diligence and unusual transactions and behaviours
2. AUSTRAC, Pubs and clubs with gaming machines — Regulatory Guide (PDF), October 2025
3. AUSTRAC, Indicators of suspicious activity for the pubs and clubs sector
4. AUSTRAC, Responding to unusual transactions and behaviour, updated 27 March 2026
5. AUSTRAC, How to monitor your customers
6. AUSTRAC, Update to regulator statement of expectations — May 2026
7. AUSTRAC, Using outsourcing to help meet your obligations
8. FATF, Guidance for a Risk-Based Approach: The Banking Sector (PDF), October 2014
9. FinCEN, Casino or Card Club Risk-Based Compliance Indicators, June 2010
10. FINTRAC, Money laundering and terrorist financing indicators — Casinos
11. UK Gambling Commission, Risk-based customer due diligence and risk profiling