AML/CTF · Bookmakers

AML/CTF Risk Assessment for Bookmakers and Betting Agencies: A Practical Guide | Australia 2026

Published 3 April 2026Last reviewed July 20267 min readBy Paul Wise

From 31 March 2026, bookmakers and betting agencies have core anti-money laundering and counter-terrorism financing (AML/CTF) obligations under Australian law. One of the most important of these is conducting and documenting a risk assessment that identifies, assesses, and mitigates the money laundering (ML) and terrorism financing (TF) risks your business reasonably faces.

This guide explains what a risk assessment is, why it matters, and how to build one that reflects your business model — with emphasis on the dynamic, ongoing monitoring AUSTRAC now requires following enforcement actions against Sportsbet, bet365 and Entain.

What is an AML/CTF risk assessment?

Your risk assessment is a documented analysis that identifies the ML/TF risks relevant to your betting operation. It forms the foundation of your entire AML/CTF program — everything else (your policies, procedures, and customer controls) flows from it.

A sound risk assessment considers:

  • Your customers and their profile — Who do you accept bets from? Are any high-risk (high-risk geographies, politically exposed persons, customers with no verifiable identity)? What is the average bet size and betting frequency? Do customers use cash, cards, credit, or digital wallets?
  • Your products and services — Are you offering on-course betting, telephone betting, internet betting, or a mix? Do you accept credit betting, and if so, to which customers? What is the transaction frequency and value range?
  • Your delivery channels — How much interaction is face-to-face vs. remote? What technology platforms do you use for payments and account management?
  • Your geographic exposure — Are you betting on local racing only, or international events? Do you have international customers or cross-border payment flows?

Online-specific risk drivers you must address

Online betting platforms face distinct risk typologies that must be explicitly addressed in your risk assessment. AUSTRAC's enforcement actions have made clear these are not optional inclusions.

  • Minimal-activity accounts — Customers depositing significant amounts but placing zero or minimal bets before requesting withdrawal. This pattern can indicate accounts being used for value transfer rather than genuine gambling.
  • Rapid account cycling — Customers opening accounts, depositing funds, and withdrawing within 24–48 hours with limited gambling activity.
  • Third-party funding — Accounts funded via payment methods not in the customer's name, which may indicate mule account activity.
  • Coordinated account activity — Multiple accounts funded from the same source, betting on the same events, and withdrawing in synchronised patterns.
Your risk assessment must explicitly identify whether these typologies exist in your customer base and what controls you have in place to detect and escalate them. Failing to address online-specific typologies was a key finding in AUSTRAC's enforcement action against bet365.

Why risk assessment matters

Regulatory expectations are clear: your risk assessment must be documented, genuine, and proportionate to your business. AUSTRAC has noted that a generic, tick-box assessment that does not reflect your actual operations is unlikely to meet the standard.

A properly documented risk assessment also:

  • Justifies your control decisions — if you know your ML/TF risks, you can explain why you have certain customer limits, verification steps, or monitoring thresholds.
  • Supports your due diligence processes — your customer due diligence procedures should be calibrated to the risks you have identified.
  • Protects your business — by identifying risks early, you can build controls to prevent misuse of your platform.
  • Demonstrates good faith to regulators — showing that you have thought through your risks is a foundation for a proportionate compliance approach.

Key steps to build your risk assessment

Step 1: Identify risk factors

List the customer types you accept (casual punters, professional bettors, customers from high-risk jurisdictions, credit customers). List the products you offer (fixed-odds betting, exotic bets, accumulators, credit facilities). List your channels (face-to-face, phone, web, app). Consider your staff, premises, and supply chain.

Step 2: Assess likelihood and impact

For each risk factor, estimate how likely it is that ML/TF activity could occur via this channel, and what the potential impact would be to your business and the financial system. Use a simple matrix: Low, Medium, High.

Step 3: Document your findings

Write up a summary of each risk category (customer risk, product risk, channel risk, geographic risk) with your assessment. Explain the reasoning behind your ratings. Keep the document clear and practical — it should be understandable to your staff and to regulators.

Step 4: Design controls

Based on your assessed risks, identify what controls you will put in place. For high-risk customer segments, that might mean enhanced ID verification or transaction monitoring. For low-risk segments, standard procedures may be sufficient. Document the link between your risk assessment and your control decisions.

Step 5: Monitor and update continuously

Your risk assessment is not a static document. AUSTRAC's enforcement actions against Sportsbet and bet365 have made this explicit. You must monitor your customer base and transaction patterns on an ongoing basis and conduct a formal review and reassessment at least quarterly.

If you detect new risk typologies, changes in customer behaviour, or evolving threats, update your risk framework immediately. Document each review and update so you can demonstrate to a regulator that your risk model is dynamic and responsive.

Common pitfalls to avoid

  • Generic templates — A risk assessment copied from another business without tailoring to your operations is unlikely to be persuasive to a regulator.
  • Static risk frameworks — A risk assessment completed once a year and filed away will not meet current regulatory expectations. Your risk model must evolve as your business, customer base and threat landscape change.
  • Ignoring online-specific typologies — If you operate online betting, you must explicitly address minimal-activity accounts, rapid cycling, third-party funding and coordinated account patterns.
  • Assessing risk without explaining controls — Once you identify a risk, show how your procedures mitigate it. Otherwise your assessment is incomplete.

Next steps

If you have not yet conducted a formal risk assessment, start now — this is the foundation on which your entire compliance program rests. If you have one, review it to ensure it is current, documented clearly, and genuinely reflects your business — particularly online-specific risk typologies. Establish a quarterly review cycle and document your monitoring and reassessment process.

Use your assessed risks to calibrate your customer due diligence and transaction monitoring procedures — covered in our next article in this series.

Frequently Asked Questions

Do bookmakers need to conduct a risk assessment under the AML/CTF Act?
Yes. From 31 March 2026, bookmakers and betting agencies are reporting entities under the AML/CTF Act and must conduct and document a money laundering and terrorism financing (ML/TF) risk assessment. This is the foundation of your AML/CTF program.
How often must a bookmaker's risk assessment be updated?
AUSTRAC's enforcement actions against betting operators signal that risk assessments must be reviewed and updated at least quarterly, or immediately when new risk typologies or material changes in customer behaviour are detected. A static annual review is no longer sufficient.
What happens if our risk assessment is generic or not tailored to our business?
AUSTRAC has stated that a generic, tick-box assessment that does not reflect your actual operations is unlikely to meet the required standard. Following enforcement actions against major operators, the regulator will test whether your risk assessment is genuine, documented and dynamically maintained.
Do we need to address online betting-specific risks in our risk assessment?
Yes. If you operate online betting, your risk assessment must explicitly address minimal-activity accounts, rapid account cycling, third-party funding and coordinated account patterns. These are the typologies AUSTRAC identified in its enforcement actions against Sportsbet and bet365.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.