AML/CTF · Bookmakers

Customer Due Diligence & Transaction Monitoring for Bookmakers | AML/CTF Australia 2026

Published 21 May 2026Last reviewed July 20267 min readBy Paul Wise

From 31 March 2026, bookmakers and betting agencies must conduct Customer Due Diligence (CDD) as part of their AML/CTF obligations. This means verifying customer identity and assessing their risk profile before you accept a bet.

Transaction monitoring is equally important: you must watch for suspicious activity patterns and report anything that signals potential money laundering or terrorism financing. This guide explains both obligations and how to implement them practically — with emphasis on real-time detection of online betting risk patterns.

What is Customer Due Diligence?

CDD is the process of:

  • Identifying the customer (their name, date of birth, address)
  • Verifying their identity using reliable documents
  • Assessing their ML/TF risk profile
  • Understanding the purpose and nature of their betting activity

The $5,000 threshold: You do not need to conduct CDD for single transactions or betting accounts under $5,000 in value, unless you know the customer poses a higher risk or you have a pattern of smaller bets that suggest avoidance of the threshold. However, if a customer approaches or exceeds $5,000, you must conduct CDD before proceeding.

Verification documents

You must verify customer identity using documents that are reliable and current. Acceptable documents typically include:

  • Passport (Australian or foreign with visa)
  • Driver licence (Australian state/territory)
  • Proof of age card
  • National ID card (if from a foreign country)

You must check that the document is genuine and has not been tampered with, the photograph matches the person, the document is not expired, and the name, date of birth and address are legible.

Risk assessment of the customer

Once you have verified identity, assess the customer's ML/TF risk. Consider:

Customer profile

  • Are they a new customer or long-standing?
  • Are they based in a high-risk jurisdiction?
  • Are they a politically exposed person (PEP)?
  • Have they been sanctioned by government agencies?

Betting behaviour

  • What is their expected bet frequency and size?
  • Are they betting on familiar or exotic markets?
  • Do their bets seem recreational or professional?
  • Any signs of structuring (placing many small bets to avoid reporting thresholds)?

Payment method

  • Are they using a personal bank account or third-party funds?
  • Are they using cash, cards, or digital wallets?
  • Is the payment method consistent with their profile?

Transaction monitoring: what to watch for

Transaction monitoring is an ongoing process. You must monitor customer accounts and betting activity to identify suspicious patterns. AUSTRAC publishes indicators of suspicious activity for the betting sector. Your monitoring system must detect these patterns within hours of occurrence, not days.

Common red flags include:

  • Minimal-activity accounts — Customer deposits significant funds ($5,000 or more) but places zero bets or bets worth less than 1% of the deposit amount, then requests withdrawal within 24–48 hours. This pattern suggests the account is being used for value transfer rather than genuine gambling.
  • Large deposits followed by immediate, near-identical withdrawals (layering)
  • Rapid account cycling — multiple deposits and withdrawals in short timeframes
  • Structured betting — many small bets designed to avoid exceeding reporting thresholds
  • Unusual bet patterns — customer suddenly betting large amounts on unfamiliar markets
  • Third-party payments — bets funded by someone other than the account holder, or funded via cards not in the customer's name
  • Coordinated accounts — multiple accounts funded from the same source, betting on identical events, with synchronised withdrawals
The minimal-activity account typology — large deposit, little or no genuine gambling, rapid withdrawal — is a key pattern AUSTRAC identified in its enforcement actions against Sportsbet and bet365. Your monitoring system must be able to detect and flag this pattern automatically.

Real-time detection requirement

Online betting creates speed and scale challenges that manual review simply cannot address. Customers can deposit, place bets and withdraw in a matter of hours. Delayed transaction monitoring is a compliance failure.

Your monitoring system must:

  • Generate alerts within 24 hours of suspicious activity occurring
  • Have documented rules that detect minimal-activity accounts, layering patterns, third-party funding and coordinated account activity
  • Operate at the speed of online transactions (hours, not days)
  • Flag accounts immediately where deposit amounts significantly exceed expected gaming activity

If you are using manual transaction review, this is nearly impossible at scale. Consider investing in monitoring software that can automate pattern detection and escalate alerts in real time.

Record-keeping

You must keep records of:

  • Copies of verification documents (name, date of birth, address)
  • Your CDD assessment (risk rating and reasoning)
  • Transaction records (date, amount, bet details, outcome)
  • Any suspicious activity detected and any reports made

Records must be kept for at least 7 years after the customer relationship ends (or after the last transaction, if longer). Ensure your records are securely stored and accessible to your AML/CTF compliance officer and to AUSTRAC if requested.

Reporting suspicious activity

If your monitoring identifies suspicious activity that you have reasonable grounds to suspect relates to money laundering or terrorism financing, you must:

  1. Document your suspicion and the facts that led to it
  2. Report it to AUSTRAC via a Suspicious Matter Report (SMR)
  3. Not disclose the report to the customer (tipping off is prohibited)
  4. Maintain a record of the report

A suspicious matter report should be submitted promptly — AUSTRAC expects reporting within a reasonable timeframe, typically days not weeks. Delayed reporting is a compliance failure.

Common mistakes

  • Verifying identity once and never updating — Customer information changes. If a customer's address or other details change materially, refresh your verification periodically.
  • Ignoring small transactions — A pattern of small transactions can signal risk even if no single transaction triggers CDD thresholds. Monitor the pattern.
  • No documented suspicious activity procedure — You must have a clear procedure for identifying, documenting, and reporting suspicious activity. Ensure all staff understand it.
  • Delaying alert investigation and reporting — In online betting, delays in monitoring and reporting are compliance failures. Establish tight timelines: detect within 24 hours, investigate within 5 business days, report to AUSTRAC within days of decision.

Frequently Asked Questions

When do bookmakers need to conduct CDD on a customer?
From 31 March 2026, bookmakers must conduct CDD when a single transaction or betting account reaches or exceeds $5,000 in value. CDD must also be conducted regardless of amount if you know or suspect a customer poses a higher ML/TF risk, or if you identify structuring (a pattern of smaller bets designed to avoid the threshold).
What is a minimal-activity account and why does AUSTRAC care about it?
A minimal-activity account is where a customer deposits significant funds but places zero or very few bets (under 1% of the deposit amount) before requesting withdrawal within 24–48 hours. AUSTRAC has identified this pattern as a key money-laundering typology for online betting — the account is used for value transfer rather than genuine gambling. AUSTRAC's enforcement actions against Sportsbet and bet365 specifically identified failure to detect this pattern.
How quickly must suspicious activity be detected and reported?
Your monitoring system must generate alerts within 24 hours of suspicious activity occurring. Once a decision to lodge a Suspicious Matter Report is made, it should be submitted to AUSTRAC promptly — typically within days. Delayed detection and delayed reporting are both compliance failures that AUSTRAC has cited in enforcement outcomes.
Are manual transaction review processes sufficient for online betting?
No. AUSTRAC's guidance and enforcement actions make clear that manual review is insufficient at the speed and scale of online betting. Compliance software that automates pattern detection and escalates alerts in real time is increasingly necessary for online operators to meet real-time detection requirements.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.