AML/CTF · Bookmakers

Post-bet365: What AUSTRAC's Enforcement Action Means for Your Betting Compliance | Australia 2026

Published 9 July 2026Last reviewed July 20268 min readBy Paul Wise

On 6 July 2026, AUSTRAC announced an enforceable undertaking with bet365 — the fifth significant enforcement action against an online betting operator in as many years. The others: Sportsbet (undertaking finalised July 2026), Entain (Federal Court action ongoing), Neds/Ladbrokes and Betfair.

Enforcement actions in Australia carry strict liability consequences: civil penalties in the tens to hundreds of millions of dollars, enforceable undertakings requiring independent audits and management changes, public naming and reputational exposure, and in serious cases, criminal referrals.

But there is a secondary consequence every operator in the sector should be paying attention to: when AUSTRAC acts against one bookmaker and documents the findings, it is effectively signalling to the rest of the sector what it considers unacceptable. Every other betting agency should treat these outcomes as a self-audit against their own compliance program.

What AUSTRAC found: the three enforcement drivers

While the full findings vary by operator, three themes recur across AUSTRAC's enforcement actions against betting agencies, including the bet365 undertaking:

1. Inadequate or static risk assessment

Operators were found to have risk assessments that did not evolve as their businesses, customer bases, and threat environments changed. The risk assessment is supposed to be a living document, reviewed at least quarterly and updated immediately when new risk typologies are detected.

In bet365's case, AUSTRAC found the risk assessment framework did not adequately identify and respond to the online-specific risk typology of minimal-activity accounts — customers depositing significant funds and immediately withdrawing with little or no genuine gambling activity.

2. Real-time transaction monitoring failures

Operators were found to have transaction monitoring systems that were unable to detect suspicious patterns in real time. In online betting, customers can deposit, place bets and withdraw in hours. Monitoring that runs on daily or weekly batch cycles misses this entirely.

AUSTRAC found that bet365's monitoring failed to automatically detect and escalate minimal-activity accounts within the required timeframe. Alert backlogs — where suspicious activity flags accumulated without timely investigation — were also identified.

3. Governance failures — disconnect between management and compliance

Boards and senior management were found to be receiving insufficient, non-specific, or delayed compliance information. Rather than reviewing meaningful management information (high-risk customer counts, alert pipeline metrics, SMR trends), governing bodies were receiving generic compliance status updates.

This governance gap meant that risk was not being escalated appropriately, compliance officer findings were not generating timely management responses, and the board could not demonstrate active oversight — which is now a requirement, not a preference.

AUSTRAC's enforcement outcomes against bet365, Sportsbet and Entain signal that these three failures — static risk frameworks, delayed monitoring, and governance disconnect — are the primary vectors through which the regulator will assess compliance in the betting sector. Operators that address all three proactively are in a materially stronger position.

Self-audit checklist: where does your business sit?

Use this checklist to assess your own compliance gap against the bet365 and Sportsbet enforcement findings:

Risk assessment

  • Do you have a written AML/CTF risk assessment?
  • Is it current — reviewed within the last quarter?
  • Does it explicitly address minimal-activity accounts, rapid cycling, third-party funding and coordinated account patterns?
  • Is there a documented process for updating the risk assessment when new patterns are detected?
  • Has senior management formally reviewed and signed off the risk assessment?

Transaction monitoring

  • Do you have automated transaction monitoring in place?
  • Can your system detect suspicious patterns within 24 hours of occurrence?
  • Does your monitoring include rules specifically for minimal-activity accounts (significant deposit, minimal bets, rapid withdrawal)?
  • Are alert investigation timelines documented and being met?
  • Is there a process for updating monitoring rules when new risk typologies are identified?
  • Do you have a record of monitoring rule reviews and updates?

Governance

  • Is there a documented governance structure with defined roles (governing body, senior manager, compliance officer)?
  • Does senior management receive a monthly compliance dashboard with specific metrics (not generic updates)?
  • Does the governing body review compliance performance at least quarterly?
  • Are there records of governing body review and decisions in response to compliance findings?
  • Does the compliance officer have sufficient resources (time, systems, support) to do the job?
  • Is there a clear escalation process for compliance concerns?

What an enforceable undertaking requires

Enforceable undertakings — the mechanism AUSTRAC used with bet365 and Sportsbet — typically require the operator to:

  • Engage an independent auditor approved by AUSTRAC to assess and report on the entire AML/CTF program
  • Implement a remediation plan within specific timeframes
  • Report compliance status to AUSTRAC on a scheduled basis
  • In some cases, appoint a compliance specialist to the governance structure
  • Fund the cost of the independent audit themselves

The public announcement of the undertaking — with the operator named — is itself a significant consequence. For online betting operators, reputational impact can affect customer trust and state licensing.

Your 30-day action plan

  1. Days 1–5: Review your risk assessment. Pull out your current risk assessment. Is it current? Does it address online-specific typologies (minimal-activity accounts, rapid cycling, third-party funding, coordinated accounts)? If not, update it now and schedule quarterly reviews.
  2. Days 6–10: Test your transaction monitoring. Can your current system detect a minimal-activity account within 24 hours? Test it. If not, escalate immediately to management and begin sourcing monitoring solutions that can.
  3. Days 11–15: Audit your alert pipeline. How many open alerts do you currently have? How old is the oldest? Close or escalate all outstanding alerts and establish an alert management timeline policy (investigate within X business days, report within Y days of decision).
  4. Days 16–20: Document your governance structure. Who is your governing body, senior manager, compliance officer? Document it. Establish a monthly compliance MI dashboard that reports high-risk customer counts, alert metrics, SMR submissions and monitoring updates.
  5. Days 21–25: Conduct a staff training review. Is all relevant staff trained on AML/CTF obligations? Document training records. Identify gaps and schedule training.
  6. Days 26–30: Schedule an internal compliance review. Conduct a formal internal review of your AML/CTF program against the three enforcement drivers above. Document findings and a remediation plan. Present to senior management.

The bigger picture: why now

AUSTRAC's enforcement actions against betting agencies are not isolated events — they reflect a sustained regulatory focus on the sector. The betting industry's combination of rapid online transactions, high deposit volumes, and digital anonymity creates risk vectors that AUSTRAC has identified as a systemic concern.

The bet365 undertaking sets the current compliance benchmark. Operators that can demonstrate they have addressed the three enforcement drivers — dynamic risk assessment, real-time transaction monitoring, and active governance — are in a materially stronger position if AUSTRAC comes knocking.

Operators that have not addressed them should expect that AUSTRAC will use its enforcement record to support an argument that the minimum standard was well known and widely published.

Frequently Asked Questions

What is an enforceable undertaking and how does it differ from a fine?
An enforceable undertaking is a legally binding agreement between AUSTRAC and a reporting entity. The entity commits to specific remediation steps (independent audit, compliance improvements, periodic reporting to AUSTRAC) within defined timeframes. Breach of the undertaking can itself trigger enforcement action. A civil penalty (fine) is a one-off monetary sanction. Both can be imposed — and both are publicly announced.
What is the minimal-activity account typology and why is it significant?
A minimal-activity account is a betting account where a customer deposits significant funds but places zero or minimal bets before withdrawing — using the betting platform as a value transfer mechanism rather than for genuine gambling. AUSTRAC identified this typology as a key failure in its enforcement actions against Sportsbet and bet365. Every online operator must have monitoring rules that detect this pattern within 24 hours.
Does the bet365 undertaking apply to smaller bookmakers?
The enforceable undertaking is specific to bet365. However, the three findings underlying it — inadequate risk assessment, delayed transaction monitoring, and governance disconnect — reflect AUSTRAC's sector-wide standards. AUSTRAC has explicitly noted that it intends to apply consistent standards across online betting operators. Smaller operators are not exempt from these expectations.
How quickly do we need to address compliance gaps after identifying them?
There is no statutory grace period for fixing compliance gaps you identify internally. The 30-day action plan in this article is a practical starting point, not a regulatory deadline. Once you identify a gap in your risk assessment, monitoring, or governance, you should escalate and remediate as quickly as reasonably possible — and document your response timeline.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of AUSTRAC's published enforcement outcomes relating to bet365 and the AML/CTF obligations applying to bookmakers and betting agencies under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. Your obligations depend on the designated services you provide and your own circumstances. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.