The Reckoning: Why Australian Pubs and Clubs Can No Longer Ignore Money Laundering

On 30 July 2025, AUSTRAC filed Federal Court civil penalty proceedings against Mount Pritchard & District Community Club (Mounties) for alleged serious and systemic AML/CTF failures. This is not a wrist-slap. It signals a step-change in enforcement across the pubs & clubs sector.

Within days, AUSTRAC’s Concise Statement landed: it alleges Mounties’ program and controls were so weak that ten “sample suspicious customers” turned over $139,855,108 and received $10,464,856 in payouts without appropriate monitoring or ECDD, with maximum civil penalties per contravention cited at $21m–$31.3m. Read that again: penalties that can break a business.

ABC then reported AUSTRAC’s assessment that one in four NSW club poker machines could be susceptible to money laundering after a monitoring program “systemically failed.” The era of “nothing to see here” is over.

What’s changed (and why denial is now existential risk)

• AUSTRAC has moved from casinos to clubs. Target selection is deliberate: big volumes, high cash exposure, historically complacent compliance.
• Court documents are public and specific. They detail weak risk assessment methods, vague transaction monitoring, inadequate ECDD, and failure to reassess relationships - exactly the gaps many clubs still have.
• The industry is on notice. Even ClubsNSW has urgently urged members to “get their house in order” following AUSTRAC’s action. If your Board still thinks AML is old news, they’re asleep at the wheel.

Let’s be clear: low SMR volume is not a badge of honour. AUSTRAC’s own SMR FAQ says low reporting versus peers may indicate your program isn’t effective. “We never see anything suspicious” is not proof of safety; it’s proof your radar is off. You can’t find what you’re not looking for.

What AUSTRAC actually expects of pubs & clubs (no shortcuts)

Read the regulator’s own pages and sector guide; the obligations are not optional or “casino-only”:

• Have a documented, risk-based AML/CTF Program before providing designated services (Part A governance + Part B KYC), and implement it proportionately to your venue’s risks.
• Identify and verify customers and beneficial owners, and apply ECDD when risk triggers (high-risk behaviour, PEPs, suspicions, prescribed foreign countries) arise.
• Report: TTRs (cash ≥ A$10,000) within 10 business days; IFTIs within 10 business days; SMRs within 24 hours for TF, three business days for ML/other; and compliance reports when required.
• Record-keeping: keep required records (including KYC and transaction records) for 7 years after the relationship ends/provision of service.
• Sector-specific expectations for pubs & clubs are spelled out in AUSTRAC’s Regulatory Guide for Pubs & Clubs (including typical exploitation methods and practical controls).

A few sector-specific clarifications most Boards still get wrong:

• TTRs: Required for venues with 16+ EGMs; smaller venues may be exempt from TTRs under Chapter 52, but still owe SMRs, KYC, risk assessment, training, and record-keeping. Don’t misuse exemptions as a blindfold.
• KYC at payout: Collect/verify identity for winnings of A$10,000 or more. If you don’t verify, you don’t pay - full stop.
• An independent review of your Part A program is not a “nice-to-have”. It’s baseline assurance, and AUSTRAC will ask for it.
• Outsourcing ≠ absolution. Using a program provider/DBG does not remove your legal responsibility. If your third party is weak, you are weak.

The patterns you should already be catching

AUSTRAC publishes indicators tailored to EGM venues - things like large cash inserts with minimal play, rapid cash-in/out cycles, session structuring, chip-dumping analogues on EGMs, and third-party play. If your system and staff aren’t surfacing these, expect scrutiny.

The Mounties filing even calls out the failure to define and operationalise “large amount inserted with minimal play”. If your TMP says “watch for unusual play” without thresholds, data sources, roles, and escalation paths, it’s non-compliant theatre. Write it. Parameterise it. Test it.

Stop throwing tools at the problem. Fix the program and the risk first.

Buying a monitoring widget won’t save you if your risk assessment is generic, rules are vague, data plumbing is missing, frontline training is superficial, and governance is asleep. The correct order of operations is:

Specialist AML Advisory & Risk Mapping
Build (or rebuild) a venue-specific ML/TF Risk Assessment that reflects your product set, floor configuration, cash handling, patron demographics, high-risk cohorts (e.g., cash-intensive businesses), and geographic exposure. Then align Part A to those risks (governance, roles, training, ECDD triggers, SMR process), and Part B to how and when you actually identify and verify customers in a gaming context.

Write the Rules (properly)
Convert risks into clear transaction-monitoring logic (thresholds, velocity, session-level metrics, “large cash-in/minimal play”, session resets, third-party indicators) mapped to play data, payout data, and KYC/ECDD workflows. Include alert investigation procedures and SMR decision criteria so the 3-day clock doesn’t kill you.

Then apply the technology
Pick (or tune) a tool that can actually ingest your gaming + payout data, supports session analytics, structuring detection, and ECDD/SMR workflow, and produces board-grade MI. Don’t let a vendor sell you generic banking rules.

Risk Management & Board Reporting
Stand up a Board-level risk view showing inherent vs residual ML/TF risk, mapped to control coverage & effectiveness, and tracking: SMR volume & timeliness, ECDD counts, repeat patronage, high-risk patron decisions, and “SMRs per $X turnover” (trend). Remember AUSTRAC’s line: low reporting vs peers can signal an ineffective program.

Independent Review & Record-keeping
Have an independent reviewer kick the tyres and close findings fast. Lock your 7-year record-keeping controls now.

Here's a 90-day plan

Days 1 - 15...Triage & Stabilise

• Name an empowered AML/CTF Officer; brief the Chair.
• Freeze risky practices (e.g., large cash payouts without KYC).
• Stand up an SMR war-room to clear aged alerts and codify escalation (24h TF / 3-day ML clock).

Days 16 - 45...Rebuild the Foundations

• Re-perform the ML/TF risk assessment; rewrite Part A governance and TMP/ECDD to venue-reality.
• Define play-pattern rules (thresholds) and data sources; implement manual interim monitoring while tooling is stood up.
• Retrain frontline on indicators and SMR hygiene (grounds for suspicion quality).

Days 46 - 75...Instrument & Prove

• Connect gaming/payout/KYC data; run rules; test alert precision/recall.
• Start monthly Board packs (inherent/residual risk, control status, SMR KPI, timeliness).
• Begin independent review - don’t wait for AUSTRAC to order it.

Days 76 - 90...Lock Compliance & Scale

• Close review findings; document procedures; drill staff.
• Benchmark your SMR rate and timeliness; if you’re an outlier on the low side, fix your detection.

Final word

AUSTRAC’s action against Mounties is not an outlier; it’s the playbook for the sector. The regulator has spelled out exactly what “bad” looks like - and exactly what “good” requires. If you’re still arguing that the problem doesn’t exist in your venue, you’re advertising yourself as a soft target. The best time to get serious was years ago. The second-best time is today.

How Involv helps (end-to-end, not tool-first)

Advisory - We lead the risk assessment and [re]write Part A/Part B to your venue’s reality (not generic templates). And we get that TMP done with proper risk mapping.
Rules & Design - We translate risks into monitoring logic & workflows you can operationalise.
Technology - We implement Australia's best transaction monitoring, Sentinel, technology and GRC platform, Assure, to get you Board-grade risk reporting.
Assurance - We prepare you for independent review, test SMR quality & timeliness, and embed the 7-year record controls via our GRC platform, Assure.

If you operate EGMs in Australia, this isn’t optional. Let’s get your house in order.