691 Red Flags. Thirteen Customers. One Cookie-Cutter AML Program

Every compliance officer in Australia's gaming sector should have felt the temperature drop reading the Sydney Morning Herald's coverage of the AUSTRAC case against Mounties this week.

The headline number is what gets you first: 691 separate alarm bells, warning signs, and missed chances raised internally over five years, clustered around just thirteen customers who allegedly ran up to $226 million through poker machines at Mounties venues.

Thirteen people. Nine figures. Six hundred and ninety-one ignored signals.

That's nothing like a near-miss. That's a system that saw what was happening, wrote it down, filed it away, and then watched it keep happening for years.

The detail that should stop every operator in their tracks

The case includes a customer the SMH refers to as "Customer 12" - a self-described housewife who, in less than twelve months, allegedly cycled $5.75 million through poker machines. The betting volume didn't reconcile with her stated occupation or income. Mounties' own internal investigation flagged her as suspicious in April 2023.

She wasn't excluded until August 2024.

Sixteen months between “we see a problem” and “we'll do something about it.”

That’s not a procedural hiccup. It's the entire compliance program telling you what it actually is: paperwork, not surveillance. I might be being generous even framing it like that.

Why the cookie-cutter approach is the real defendant here

Mounties didn't operate without an AML program. They had one. The problem, as AUSTRAC's pleadings make clear, is that it was the same boilerplate program circulating across hundreds of pubs and clubs in NSW - built around thresholds so high and triggers so narrow that the only customer it would ever catch is one practically waving a duffel bag with a dollar sign on it.

That's not risk-based monitoring. That's risk-avoidance monitoring designed to generate the smallest possible volume of alerts, the smallest possible volume of investigations, and the smallest possible chance of having to expel a high-revenue member.

A real AML program asks a different question. Not “is this transaction over a threshold?” but “does this pattern make sense for this person at this venue?” A housewife pushing nearly $6 million through pokies in a year fails that “pub” test instantly. A templated program never asked the question.

The 31 March reforms have already moved the goalposts

Here's the part operators need to internalise. The Mounties allegations cover conduct from 2019 through 2023, and that conduct is being judged against the old AML/CTF regime.

The reforms that took effect on 31 March 2026 explicitly raise the bar. Risk now sits at the centre of the framework. Generic, off-the-shelf programs aren't just inadequate under the new rules; they're affirmatively non-compliant. AUSTRAC has been clear that "we used the same program as everyone else" is no defence when the standard the industry was using is the standard now under prosecution.

If your AML program looks substantially the same as it did twelve months ago, and substantially the same as the one the venue down the road is running, you are running the Mounties playbook. The regulator has now told the entire industry, with court filings to back it up, what they think of that playbook.

The lesson for every venue

The Mounties case isn't an outlier. It's a template. AUSTRAC has signalled with its actions, not just its statements, that pubs and clubs are now firmly in the enforcement frame, and that outsourcing your program to a third-party provider doesn't transfer your liability to them. It transfers nothing. Your obligations stay with you.

What needs to change in practice is straightforward, even if it's uncomfortable:

• Lower the bar for what counts as suspicious. If something feels off, the threshold for action shouldn't be "can I prove a crime"; it should be "can I justify doing nothing?”
• Empower floor staff to escalate without fear. The dynamic in which a duty manager hesitates to flag a high-spending member because of the revenue implications is exactly the one that produced 16-month delays at Mounties.
• Close out cases when your own investigation says you should. If your own people have written down "this person is a money laundering risk," waiting for a regulator to force the decision is no longer a viable strategy.
• Move from periodic sampling to continuous monitoring. The era of reviewing a handful of transactions against a checklist has finished.

Sentinel: continuous monitoring built for exactly this problem

This is precisely the gap Sentinel was built to close.

Sentinel ingests EGM transaction data continuously and assesses every relevant transaction against a configurable rules engine aligned to AUSTRAC typologies. It doesn't sample - it surveils. Patterns that look ordinary at the threshold level but anomalous at the customer level are exactly what Sentinel is designed to surface, with priority scoring that puts the highest-risk activity in front of your compliance team first.

Every alert flows into a structured case workflow with timestamped notes, decision records, and a full audit trail…the documented evidence that AUSTRAC is now explicitly looking for. So, when - and you should count on it being “when”, not “if” - the regulator asks how you knew what you knew and what you did about it, Sentinel gives you an answer in writing.

And because Sentinel feeds directly into Assure GRC, transaction monitoring activity isn't isolated from the rest of your compliance framework. Cases, alerts, SMR submissions and risk register entries all live in the same platform: one source of truth for your obligations, your evidence, and your defence.

The 691 alarm bells at Mounties weren't ringing into a void. They were ringing into a system that wasn't built to act on them. Make sure yours is.

Talk to our team about Sentinel → or Learn more about Gaming Cloud →