AML/CTF Risk Assessment for Bookmakers and Betting Agencies: A Practical Guide | Australia 2026
From 31 March 2026, bookmakers and betting agencies have core anti-money laundering and counter-terrorism financing (AML/CTF) obligations under Australian law. One of the most important of these is conducting and documenting a risk assessment that identifies, assesses, and mitigates the money laundering (ML) and terrorism financing (TF) risks your business reasonably faces.
This guide explains what a risk assessment is, why it matters, and how to build one that reflects your business model — with emphasis on the dynamic, ongoing monitoring AUSTRAC now requires following enforcement actions against Sportsbet, bet365 and Entain.
What is an AML/CTF risk assessment?
Your risk assessment is a documented analysis that identifies the ML/TF risks relevant to your betting operation. It forms the foundation of your entire AML/CTF program — everything else (your policies, procedures, and customer controls) flows from it.
A sound risk assessment considers:
- Your customers and their profile — Who do you accept bets from? Are any high-risk (high-risk geographies, politically exposed persons, customers with no verifiable identity)? What is the average bet size and betting frequency? Do customers use cash, cards, credit, or digital wallets?
- Your products and services — Are you offering on-course betting, telephone betting, internet betting, or a mix? Do you accept credit betting, and if so, to which customers? What is the transaction frequency and value range?
- Your delivery channels — How much interaction is face-to-face vs. remote? What technology platforms do you use for payments and account management?
- Your geographic exposure — Are you betting on local racing only, or international events? Do you have international customers or cross-border payment flows?
Online-specific risk drivers you must address
Online betting platforms face distinct risk typologies that must be explicitly addressed in your risk assessment. AUSTRAC's enforcement actions have made clear these are not optional inclusions.
- Minimal-activity accounts — Customers depositing significant amounts but placing zero or minimal bets before requesting withdrawal. This pattern can indicate accounts being used for value transfer rather than genuine gambling.
- Rapid account cycling — Customers opening accounts, depositing funds, and withdrawing within 24–48 hours with limited gambling activity.
- Third-party funding — Accounts funded via payment methods not in the customer's name, which may indicate mule account activity.
- Coordinated account activity — Multiple accounts funded from the same source, betting on the same events, and withdrawing in synchronised patterns.
Why risk assessment matters
Regulatory expectations are clear: your risk assessment must be documented, genuine, and proportionate to your business. AUSTRAC has noted that a generic, tick-box assessment that does not reflect your actual operations is unlikely to meet the standard.
A properly documented risk assessment also:
- Justifies your control decisions — if you know your ML/TF risks, you can explain why you have certain customer limits, verification steps, or monitoring thresholds.
- Supports your due diligence processes — your customer due diligence procedures should be calibrated to the risks you have identified.
- Protects your business — by identifying risks early, you can build controls to prevent misuse of your platform.
- Demonstrates good faith to regulators — showing that you have thought through your risks is a foundation for a proportionate compliance approach.
Key steps to build your risk assessment
Step 1: Identify risk factors
List the customer types you accept (casual punters, professional bettors, customers from high-risk jurisdictions, credit customers). List the products you offer (fixed-odds betting, exotic bets, accumulators, credit facilities). List your channels (face-to-face, phone, web, app). Consider your staff, premises, and supply chain.
Step 2: Assess likelihood and impact
For each risk factor, estimate how likely it is that ML/TF activity could occur via this channel, and what the potential impact would be to your business and the financial system. Use a simple matrix: Low, Medium, High.
Step 3: Document your findings
Write up a summary of each risk category (customer risk, product risk, channel risk, geographic risk) with your assessment. Explain the reasoning behind your ratings. Keep the document clear and practical — it should be understandable to your staff and to regulators.
Step 4: Design controls
Based on your assessed risks, identify what controls you will put in place. For high-risk customer segments, that might mean enhanced ID verification or transaction monitoring. For low-risk segments, standard procedures may be sufficient. Document the link between your risk assessment and your control decisions.
Step 5: Monitor and update continuously
Your risk assessment is not a static document. AUSTRAC's enforcement actions against Sportsbet and bet365 have made this explicit. You must monitor your customer base and transaction patterns on an ongoing basis and conduct a formal review and reassessment at least quarterly.
If you detect new risk typologies, changes in customer behaviour, or evolving threats, update your risk framework immediately. Document each review and update so you can demonstrate to a regulator that your risk model is dynamic and responsive.
Common pitfalls to avoid
- Generic templates — A risk assessment copied from another business without tailoring to your operations is unlikely to be persuasive to a regulator.
- Static risk frameworks — A risk assessment completed once a year and filed away will not meet current regulatory expectations. Your risk model must evolve as your business, customer base and threat landscape change.
- Ignoring online-specific typologies — If you operate online betting, you must explicitly address minimal-activity accounts, rapid cycling, third-party funding and coordinated account patterns.
- Assessing risk without explaining controls — Once you identify a risk, show how your procedures mitigate it. Otherwise your assessment is incomplete.
Next steps
If you have not yet conducted a formal risk assessment, start now — this is the foundation on which your entire compliance program rests. If you have one, review it to ensure it is current, documented clearly, and genuinely reflects your business — particularly online-specific risk typologies. Establish a quarterly review cycle and document your monitoring and reassessment process.
Use your assessed risks to calibrate your customer due diligence and transaction monitoring procedures — covered in our next article in this series.
Frequently Asked Questions
Do bookmakers need to conduct a risk assessment under the AML/CTF Act?↓
How often must a bookmaker's risk assessment be updated?↓
What happens if our risk assessment is generic or not tailored to our business?↓
Do we need to address online betting-specific risks in our risk assessment?↓
Related articles
Customer Due Diligence & Transaction Monitoring for Bookmakers
How to verify customer identity, assess ML/TF risk and detect suspicious betting patterns in real time.
AML/CTF Governance Structure for Betting Agencies
Governing body, senior manager and compliance officer roles — and the MI framework AUSTRAC now expects.
Post-bet365: What AUSTRAC's Enforcement Action Means for Your Betting Compliance
Three enforcement drivers, a self-audit checklist and a 30-day action plan.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.