Building an AML/CTF Governance Structure for Betting Agencies | Australia 2026
Effective AML/CTF compliance requires clear governance: defined roles, clear accountability, and senior leadership commitment. From 31 March 2026, bookmakers and betting agencies must establish a governance structure with three key roles: a governing body, senior manager(s), and an AML/CTF compliance officer.
This article explains what each role entails and how to implement governance that actually works — with emphasis on demonstrating control effectiveness through meaningful management information. AUSTRAC's enforcement actions against Sportsbet, bet365 and Entain have raised the governance bar for every Australian betting operator.
The three governance roles
Governing body (Board/Owner/Senior Leadership)
- Holds primary responsibility for the business's overall governance and sets the compliance tone
- Approves the AML/CTF program and compliance strategy
- Ensures resources (budget, staff, systems) are available to implement compliance
- Reviews meaningful management information on compliance performance (monthly or quarterly)
- Documents decisions made in response to compliance findings
For smaller businesses, this may be the owner or a partnership; for larger operations, it may be a board or compliance committee.
Senior manager(s)
- Approves the AML/CTF program and key compliance decisions
- Takes responsibility for implementing the program day-to-day
- Allocates resources to compliance functions
- Receives monthly reports on compliance performance from the compliance officer
- Escalates issues to the governing body and takes action on compliance findings
In smaller businesses, this role may overlap with the governing body; in larger operations, this is typically the General Manager, Operations Manager, or equivalent.
AML/CTF compliance officer
- Manages day-to-day compliance activities
- Implements policies and procedures
- Conducts customer due diligence and transaction monitoring
- Investigates suspicious activity and prepares suspicious matter reports
- Prepares monthly compliance MI for senior management and the governing body
- Trains staff on compliance obligations
- Acts as the main contact point with AUSTRAC
This role may be a dedicated person (in larger operations) or a responsibility assigned to an existing staff member (in smaller operations).
Governance by operation size
Small bookmaker (1–5 staff)
Governing body: owner(s). Senior manager: owner or head manager. Compliance officer: owner, manager, or one staff member with compliance responsibilities. All three roles may be held by one or two people, but the responsibilities must still be documented and understood.
Medium operation (5–20 staff)
Governing body: owner, partnership, or small management committee. Senior manager: Operations Manager or General Manager. Compliance officer: dedicated person or one person from back office with other responsibilities.
Larger operation (20+ staff)
Governing body: Board or Compliance Committee with multiple members. Senior manager: General Manager, Operations Manager, or equivalent. Compliance officer: dedicated role with specialist expertise; may have a small team.
What governance MI must include
Governance is not about having policies or receiving generic compliance updates. AUSTRAC's enforcement actions have made explicit that it is about demonstrating active oversight through meaningful management information. Your board and senior management must receive and review a monthly compliance dashboard that includes:
- High-risk customer register — How many high-risk customers do you have this month? Why are they high-risk? What controls apply to them? Updated monthly and reviewed by management.
- Transaction alert pipeline — How many alerts has your monitoring system generated? How many are open? How old are the oldest open alerts? What was the closure decision and reasoning for recently closed alerts? A growing or aging alert backlog is a red flag.
- Suspicious matter reports — How many SMRs have you submitted to AUSTRAC this month? What themes or patterns do they reveal? Have you received any feedback from AUSTRAC?
- Monitoring rule changes and new typologies detected — What new risk patterns or customer behaviours have you detected? Have you updated your monitoring rules or risk assessment?
- Independent assurance findings — Are you conducting (or has AUSTRAC required) an external audit? What did the auditor find? What is your remediation timeline?
- Staff training and compliance incidents — Have you completed required staff training? Have there been any compliance breaches or incidents?
Key governance responsibilities
1. Risk assessment
The governing body and senior manager should review and approve the risk assessment at least quarterly. The compliance officer oversees the documentation and update process. A static, annual risk assessment is no longer sufficient — AUSTRAC has required operators under undertaking to adopt ongoing, dynamic risk assessment methodology.
2. AML/CTF policies and procedures
The governing body and senior manager approve the policies. Policies must cover: customer due diligence, transaction monitoring, record-keeping, suspicious activity reporting, staff training, and independent audit. The compliance officer drafts and implements the policies.
3. Customer due diligence and transaction monitoring
The compliance officer (or trained staff under their supervision) conducts CDD and monitors transactions. The senior manager is responsible for ensuring CDD is conducted consistently and monitoring alerts are investigated promptly. Online betting requires detection within 24 hours of suspicious activity.
4. Suspicious activity reporting
The compliance officer investigates suspicious matters and prepares suspicious matter reports. The senior manager signs off on the SMR decision and timing. The governing body is informed of significant reports and themes.
5. Staff training and personnel due diligence
The compliance officer is responsible for designing and delivering AML/CTF training. All staff who handle customer data, take bets, process payments, or manage accounts must be trained. Staff handling AML/CTF functions must be assessed for fit and propriety.
AUSTRAC's sector benchmarking
AUSTRAC's enforcement actions against Sportsbet (undertaking finalised July 2026), bet365 (undertaking issued 6 July 2026), and Entain (Federal Court action ongoing) have established a compliance benchmark for the online betting sector. Other bookmakers can expect AUSTRAC to apply similar standards.
The governance standard AUSTRAC now expects:
- Active board/management oversight demonstrated through regular review of meaningful MI — not generic compliance updates
- Dynamic risk assessment reviewed at least quarterly and updated when new patterns emerge
- Real-time transaction monitoring that detects suspicious patterns within hours
- Documented decisions and actions taken in response to compliance findings
Your governance framework should assume AUSTRAC will test you against these benchmarks. The time to build your governance structure is now, before audit.
Common governance pitfalls
- No written documentation of roles — Your governance structure should be documented so it is clear to staff and can be demonstrated to regulators.
- Compliance officer with no authority or resources — The compliance officer must have enough time, training and systems support to do the job. Under-resourcing compliance will directly expose the business.
- Senior management disconnected from compliance — Compliance cannot be an isolated function. Senior management must take it seriously, receive meaningful MI, and act on compliance officer recommendations.
- Generic compliance updates instead of meaningful MI — Boards receiving vague "all good" reports without specific metrics will not satisfy AUSTRAC expectations post-enforcement.
- No escalation path for concerns — Staff must be able to raise compliance concerns without fear of adverse consequences. Establish a clear process.
Building your governance today
- Document your current governance structure — Who is responsible for compliance in your business right now?
- Map the three roles to your organisation — Even if one person holds multiple roles, define them clearly.
- Ensure your compliance officer has the support and resources needed.
- Design a monthly compliance dashboard — Senior management reviews monthly; governing body quarterly or monthly.
- Document that MI was reviewed and decisions were made in response — This is what AUSTRAC means by proving control effectiveness.
Frequently Asked Questions
Do bookmakers need a dedicated compliance officer?↓
What does AUSTRAC mean by 'meaningful management information'?↓
How often should the governing body review compliance information?↓
What qualifications does an AML/CTF compliance officer need?↓
Related articles
AML/CTF Risk Assessment for Bookmakers
How to build a dynamic, documented risk assessment that meets AUSTRAC's standards for betting operators.
Customer Due Diligence & Transaction Monitoring for Bookmakers
How to verify customer identity, assess ML/TF risk and detect suspicious betting patterns in real time.
Post-bet365: What AUSTRAC's Enforcement Action Means for Your Betting Compliance
Three enforcement drivers, a self-audit checklist and a 30-day action plan.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.