Customer Due Diligence & Transaction Monitoring for Bookmakers | AML/CTF Australia 2026
From 31 March 2026, bookmakers and betting agencies must conduct Customer Due Diligence (CDD) as part of their AML/CTF obligations. This means verifying customer identity and assessing their risk profile before you accept a bet.
Transaction monitoring is equally important: you must watch for suspicious activity patterns and report anything that signals potential money laundering or terrorism financing. This guide explains both obligations and how to implement them practically — with emphasis on real-time detection of online betting risk patterns.
What is Customer Due Diligence?
CDD is the process of:
- Identifying the customer (their name, date of birth, address)
- Verifying their identity using reliable documents
- Assessing their ML/TF risk profile
- Understanding the purpose and nature of their betting activity
The $5,000 threshold: You do not need to conduct CDD for single transactions or betting accounts under $5,000 in value, unless you know the customer poses a higher risk or you have a pattern of smaller bets that suggest avoidance of the threshold. However, if a customer approaches or exceeds $5,000, you must conduct CDD before proceeding.
Verification documents
You must verify customer identity using documents that are reliable and current. Acceptable documents typically include:
- Passport (Australian or foreign with visa)
- Driver licence (Australian state/territory)
- Proof of age card
- National ID card (if from a foreign country)
You must check that the document is genuine and has not been tampered with, the photograph matches the person, the document is not expired, and the name, date of birth and address are legible.
Risk assessment of the customer
Once you have verified identity, assess the customer's ML/TF risk. Consider:
Customer profile
- Are they a new customer or long-standing?
- Are they based in a high-risk jurisdiction?
- Are they a politically exposed person (PEP)?
- Have they been sanctioned by government agencies?
Betting behaviour
- What is their expected bet frequency and size?
- Are they betting on familiar or exotic markets?
- Do their bets seem recreational or professional?
- Any signs of structuring (placing many small bets to avoid reporting thresholds)?
Payment method
- Are they using a personal bank account or third-party funds?
- Are they using cash, cards, or digital wallets?
- Is the payment method consistent with their profile?
Transaction monitoring: what to watch for
Transaction monitoring is an ongoing process. You must monitor customer accounts and betting activity to identify suspicious patterns. AUSTRAC publishes indicators of suspicious activity for the betting sector. Your monitoring system must detect these patterns within hours of occurrence, not days.
Common red flags include:
- Minimal-activity accounts — Customer deposits significant funds ($5,000 or more) but places zero bets or bets worth less than 1% of the deposit amount, then requests withdrawal within 24–48 hours. This pattern suggests the account is being used for value transfer rather than genuine gambling.
- Large deposits followed by immediate, near-identical withdrawals (layering)
- Rapid account cycling — multiple deposits and withdrawals in short timeframes
- Structured betting — many small bets designed to avoid exceeding reporting thresholds
- Unusual bet patterns — customer suddenly betting large amounts on unfamiliar markets
- Third-party payments — bets funded by someone other than the account holder, or funded via cards not in the customer's name
- Coordinated accounts — multiple accounts funded from the same source, betting on identical events, with synchronised withdrawals
Real-time detection requirement
Online betting creates speed and scale challenges that manual review simply cannot address. Customers can deposit, place bets and withdraw in a matter of hours. Delayed transaction monitoring is a compliance failure.
Your monitoring system must:
- Generate alerts within 24 hours of suspicious activity occurring
- Have documented rules that detect minimal-activity accounts, layering patterns, third-party funding and coordinated account activity
- Operate at the speed of online transactions (hours, not days)
- Flag accounts immediately where deposit amounts significantly exceed expected gaming activity
If you are using manual transaction review, this is nearly impossible at scale. Consider investing in monitoring software that can automate pattern detection and escalate alerts in real time.
Record-keeping
You must keep records of:
- Copies of verification documents (name, date of birth, address)
- Your CDD assessment (risk rating and reasoning)
- Transaction records (date, amount, bet details, outcome)
- Any suspicious activity detected and any reports made
Records must be kept for at least 7 years after the customer relationship ends (or after the last transaction, if longer). Ensure your records are securely stored and accessible to your AML/CTF compliance officer and to AUSTRAC if requested.
Reporting suspicious activity
If your monitoring identifies suspicious activity that you have reasonable grounds to suspect relates to money laundering or terrorism financing, you must:
- Document your suspicion and the facts that led to it
- Report it to AUSTRAC via a Suspicious Matter Report (SMR)
- Not disclose the report to the customer (tipping off is prohibited)
- Maintain a record of the report
A suspicious matter report should be submitted promptly — AUSTRAC expects reporting within a reasonable timeframe, typically days not weeks. Delayed reporting is a compliance failure.
Common mistakes
- Verifying identity once and never updating — Customer information changes. If a customer's address or other details change materially, refresh your verification periodically.
- Ignoring small transactions — A pattern of small transactions can signal risk even if no single transaction triggers CDD thresholds. Monitor the pattern.
- No documented suspicious activity procedure — You must have a clear procedure for identifying, documenting, and reporting suspicious activity. Ensure all staff understand it.
- Delaying alert investigation and reporting — In online betting, delays in monitoring and reporting are compliance failures. Establish tight timelines: detect within 24 hours, investigate within 5 business days, report to AUSTRAC within days of decision.
Frequently Asked Questions
When do bookmakers need to conduct CDD on a customer?↓
What is a minimal-activity account and why does AUSTRAC care about it?↓
How quickly must suspicious activity be detected and reported?↓
Are manual transaction review processes sufficient for online betting?↓
Related articles
AML/CTF Risk Assessment for Bookmakers
How to build a dynamic, documented risk assessment that meets AUSTRAC's standards for betting operators.
AML/CTF Governance Structure for Betting Agencies
Governing body, senior manager and compliance officer roles — and the MI framework AUSTRAC now expects.
Post-bet365: What AUSTRAC's Enforcement Action Means for Your Betting Compliance
Three enforcement drivers, a self-audit checklist and a 30-day action plan.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.