AUSTRAC · ongoing CDD

What ‘unusual’ means, and how to build the baseline.

The AML/CTF Act requires clubs to monitor for “unusual transactions and behaviours” (AML/CTF Act 2006 (Cth) s 30). That phrase does a lot of work. This page covers what counts as unusual, how a venue builds the baseline it monitors against, what a transaction monitoring program looks like for a gaming venue, and where ongoing CDD connects to Enhanced CDD and suspicious-matter reporting. Working reference for AMLCOs and compliance officers — not legal advice.

Working reference, not legal advice

Monitoring obligations turn on the venue's AML/CTF program and the risk-based posture it documents. For a definitive view, talk to an AML lawyer or your external AML consultant.

The statutory definition

Four limbs, all comparison-based.

AML/CTF Act 2006 (Cth) s 30 requires reporting entities to monitor for unusual transactions and behaviours that may give rise to a suspicious matter reporting obligation. Subsection 30(5) defines what “unusual” includes:

  1. Unusually large or complex transactions — relative to what the venue normally processes, not an absolute dollar figure.
  2. Transactions and behaviours that are part of an unusual pattern — the pattern is the signal, not any individual transaction in isolation.
  3. Transactions and behaviours with no apparent economic or lawful purpose — feeding cash into an EGM and cashing out immediately with minimal play is the canonical example.
  4. Transactions and behaviours inconsistent with what the reporting entity reasonably knows about the customer, the nature and purpose of the business relationship, the ML/TF risk of the customer, or the customer's source of funds or source of wealth.

The fourth limb is explicitly comparison-based — it requires knowing what is consistent with the customer's profile before a departure becomes identifiable. The first and third limbs (unusually large/complex; no apparent lawful purpose) can be identified without a customer-specific baseline — a transaction with no economic rationale is unusual on its face. But in practice, especially in a club environment where the same patrons attend week after week, all four limbs benefit from a documented understanding of what normal looks like. The stronger the baseline, the more defensible the monitoring program's outputs.

Building the baseline

What ‘normal’ looks like for a club.

AUSTRAC's Regulatory Guide for Pubs and Clubs with Gaming Machines (October 2025) identifies the operational questions that build a venue's monitoring baseline:

  • Customer profile: What kind of customers frequent the venue — business owners, salaried workers, tradespeople, students, frequent or infrequent patrons, members, locals, interstate or overseas visitors?
  • Play style: Do the majority of customers play carded or uncarded? What's the typical session length?
  • Time and occupation: How long are customers present? Is the amount of time unusual given their declared occupation?
  • Member vs guest risk: Are there different ML/TF risks posed by members with an established pattern of play compared to guests or visitors?

These questions aren't compliance abstractions. They describe operational knowledge that most venue staff already hold. The AML/CTF obligation is to formalise that knowledge into a documented risk assessment, so deviations from established patterns become detectable against a stated expectation rather than relying on individual staff recall.

The risk assessment must be reviewed periodically, and whenever material changes occur: additional EGMs or new gaming products, adoption of TITO or cashless technology, an influx of new customers, demographic changes in the local area, intelligence received from AUSTRAC or law enforcement, changes to state or territory gaming legislation, or unusual ongoing patterns identified by game-play monitoring.

The monitoring program

What a TMP looks like in a club.

Ongoing CDD includes a transaction monitoring program (TMP) and an enhanced customer due diligence (ECDD) program. The TMP must be based on the ML/TF risks faced by the business and trigger alerts for transactions that may be suspicious.

AUSTRAC's Regulatory Guide specifies what a TMP should flag:

  • Size, frequency, or patterns of transactions that may indicate unusual or suspicious activity
  • Activities that may be inconsistent with a customer's risk profile or history
  • Other unexpected activity from a customer which may indicate ML/TF
  • A transaction that appears suspicious

For clubs, this monitoring operates differently from banks. Banks run automated rules against structured financial data — account balances, transaction amounts, velocity metrics. Clubs operate in a face-to-face environment where most monitoring signals are observational:

  • A patron arrives with substantial cash but is never observed using the ATM
  • A customer's gambling intensity suddenly increases beyond what is consistent with their apparent means
  • A patron approaches others to purchase their winning TITO tickets
  • Cash being used has a distinct or unusual odour or is in particularly poor condition
  • Gaming activity that is inconsistent with a customer's profile — for example, a customer who receives welfare benefits but gambles with or carries substantial amounts of cash

Both automated and observational approaches can satisfy the Act's risk-based standard, provided they are effective, documented, and produce retrievable records. The obligation is outcomes-based, not technology-based — but “observational” does not mean informal. A club's monitoring approach still requires systems and controls, escalation paths, review processes, and testing. “We know our regulars” is an operational reality; turning it into a documented, auditable AML/CTF control is the obligation.

Escalation path

When monitoring becomes ECDD or an SMR.

Ongoing monitoring isn't an end in itself. It feeds two escalation paths:

  1. Enhanced CDD. Triggered when the TMP identifies that a customer's ML/TF risk is high, when a suspicious matter reporting obligation arises and the venue proposes to continue providing designated services, or when suspicious activity or behaviour may lead to an SMR. ECDD measures may include identifying the customer's source of funds and wealth, re-verifying KYC information, more detailed analysis and monitoring of the customer's transactions, and seeking senior management approval for the relationship to continue. The measures applied must be appropriate to the ML/TF risk — not every measure is required every time.
  2. Suspicious matter reporting. The suspicious-matter reporting obligation (AML/CTF Act 2006 (Cth) s 41) arises when the venue forms a suspicion on reasonable grounds. It's the monitoring program that surfaces the activity the SMR responds to — monitoring identifies the unusual; the AMLCO assesses whether the unusual crosses the reasonable-grounds threshold; if it does, the reporting clock starts.

AUSTRAC's Regulatory Guide notes an important point about the ECDD-SMR relationship: “Carrying out ECDD allows you to decide whether a suspicious matter should be reported. It's important to note that SMR reporting is not a risk mitigation strategy, so even if you submit an SMR, you still have an obligation to mitigate and manage the risk you have identified. ECDD plays an important role in detecting, disrupting and preventing ML/TF.”

Once an SMR is submitted, ECDD must be applied. The venue must undertake appropriate measures — seeking information from the customer to clarify and update KYC information, or taking reasonable measures to identify the customer's source of funds or source of wealth. The venue may also seek senior management approval to continue the business relationship.

AUSTRAC indicators

Published signals for gaming venues.

AUSTRAC publishes indicators of suspicious activity for the pubs and clubs sector. These are not thresholds — they're observational signals that should inform the venue's TMP and staff training. Key categories:

  • Cash manipulation: feeding cash into EGMs and requesting a cheque or EFT after minimal or no play; large amounts inserted with minimal play before cashing out
  • Structuring: multiple payouts at or near the $10,000 TTR threshold; playing multiple EGMs simultaneously to circumvent note insertion limits
  • TITO harvesting: approaching other customers to purchase winning tickets; retaining tickets without redemption for unusually long periods
  • Identity resistance: reluctance to provide ID; use of false identification; enquiring about reporting thresholds or whether the venue reports to authorities
  • Profile inconsistency: gaming inconsistent with declared occupation or apparent financial position; sudden large increases in activity
  • Behavioural signals: appearing nervous or evasive when questioned; attempting to influence staff to ignore activity; sharing funds with patrons with no apparent relationship

The published list is a starting point. AUSTRAC expects venues to extend it with indicators specific to their own risk profile and operating context — the layout of the gaming floor, the presence of CRTs, the customer demographic, local crime intelligence. Staff training must cover both the published indicators and the venue-specific extensions.

FAQs

Common questions about monitoring.

What does 'unusual' mean under the AML/CTF Act?

Section 30(5) of the AML/CTF Act defines unusual transactions and behaviours to include: (a) unusually large or complex transactions; (b) transactions and behaviours that are part of an unusual pattern; (c) transactions and behaviours with no apparent economic or lawful purpose; and (d) transactions and behaviours inconsistent with what the reporting entity reasonably knows about the customer, the nature and purpose of the business relationship, the ML/TF risk of the customer, or (where relevant) the customer's source of funds or source of wealth. The definition is deliberately broad and comparison-based — each limb requires knowing what 'normal' looks like before you can identify what departs from it.

Does AUSTRAC define a fixed list of unusual behaviours?

No. AUSTRAC's published indicator list for the pubs and clubs sector (austrac.gov.au) provides examples — cash manipulation, structuring, voucher harvesting, third-party payment requests, identity resistance, behavioural indicators, and pattern anomalies — but explicitly states the list is not exhaustive. Venues must consider additional indicators specific to their own risk profile and circumstances. AUSTRAC has publicly red-flagged venues that adopt a risk assessment template without customising it to their actual operating context (the Mounties enforcement precedent). The published list is a floor, not a ceiling.

What is a transaction monitoring program (TMP)?

A TMP is the operational mechanism for ongoing CDD. It must be based on the ML/TF risks faced by the business and trigger alerts for transactions that may be suspicious. AUSTRAC's Pubs and Clubs Regulatory Guide specifies that a TMP should flag: size, frequency, or patterns of transactions that may indicate unusual or suspicious activity; activities inconsistent with a customer's risk profile or history; and other unexpected activity from a customer that may indicate ML/TF. The TMP doesn't have to be technology-based — the Act requires a risk-based approach, not a specific implementation. A club with floor staff who observe the same patrons week after week is running a monitoring program, provided it's documented, defensible, and produces records.

How is club monitoring different from bank monitoring?

Banks run automated rule sets against structured financial data — account balances, transaction amounts, counterparty details, velocity metrics. Clubs operate in a face-to-face environment where most monitoring signals are observational: a patron arrives with substantial cash but doesn't use the ATM, a customer's gambling intensity suddenly increases beyond their apparent means, a patron approaches others to purchase winning tickets. Both approaches satisfy the Act's risk-based standard. The difference is evidentiary — a bank's monitoring produces system logs and alert queues; a club's monitoring produces staff observations, incident records, and structured notes. Both need to be documented, attributable, and retrievable for seven years.

What baseline does a club need before it can identify 'unusual'?

The statutory test in s.30(5)(d) is 'inconsistent with what the reporting entity reasonably knows about the customer.' That requires the venue to have documented knowledge against which a deviation can be measured. The practical baseline comes from four sources that AUSTRAC's Regulatory Guide identifies: (1) the type of customers who frequent the venue — business owners, salaried workers, students, locals, interstate visitors; (2) whether patrons play carded or uncarded; (3) how long patrons are typically present and whether time spent is unusual given their declared occupation; and (4) whether members with an established pattern of play present different risks from guests or visitors. Formalising what staff already know into a documented framework is the obligation.

When does ongoing CDD escalate to Enhanced CDD?

Enhanced CDD (s.32) is triggered when the ongoing monitoring process identifies that the customer's ML/TF risk is high, or when an SMR has been filed and the venue continues to provide services, or when the customer is a foreign PEP or connected to a FATF high-risk jurisdiction. AUSTRAC's Pubs and Clubs Regulatory Guide states that ECDD is also triggered when 'a customer's suspicious activity or behaviour may lead to you making an SMR.' In practice, the TMP fires an alert; the AMLCO reviews the alert against the customer's profile; if the review indicates high risk or a potential SMR, ECDD applies — source of funds, source of wealth, re-verification of identity, more detailed analysis, and potentially senior management approval to continue the relationship.

What records does a monitoring program have to produce?

Three categories. (1) The risk assessment itself — the documented baseline of ML/TF risks the venue faces, reviewed periodically and whenever material changes occur (new EGM types, TITO adoption, demographic shifts, law enforcement intelligence). (2) Alert records — when the TMP flags activity, what was flagged, who reviewed it, what conclusion was reached, and what action was taken. (3) Outcome records — whether the alert resulted in ongoing monitoring, ECDD, an SMR, a service refusal, or a determination that the activity was consistent with the customer's profile after review. Records are retained for seven years after the business relationship ends. AUSTRAC reviewers assess the venue on whether the TMP is producing records that demonstrate the program is actually running — not just written, but applied.
