
The Three Mistakes Australian AML Beginners Keep Making - and How to Avoid Them
Most newcomers treat AML as paperwork, rather than a living risk management system. Here are the three mistakes AUSTRAC keeps finding - and how to fix them fast.
Mark Kelly
7 November 2025
4 min read
Australia’s AML/CTF landscape is shifting fast. AUSTRAC’s enforcement actions, new guidance, and the looming expansion of Tranche 2 obligations have pushed thousands of organisations - real estate agencies, lawyers, accountants, jewellers - into a world they’ve historically not had obligations to meet.
And in that world, beginners often stumble in the same places.
At Involv, we review AML Programs and conduct risk uplift exercises on a weekly basis. We’ve seen what actually works inside gaming venues - and what repeatedly fails when AUSTRAC comes knocking. These are the three mistakes that often catch newcomers off guard.
1. Treating the AML Act as the standard - instead of AUSTRAC’s expectations
The AML/CTF Act and Rules are the baseline. They tell you what must exist: a risk assessment, an AML/CTF Program, customer due diligence, ongoing monitoring, and reporting.
But they don’t tell you what “good” looks like.
Beginners cling to the literal text of the Act and miss the standard that actually governs day-to-day compliance: AUSTRAC’s guidance, thematic reviews, enforcement cases, speeches, and supervisory behaviour.
That’s where AUSTRAC makes its expectations clear. And those expectations change.
Common symptoms include:
- One-page “risk assessments” that aren’t risk assessments at all
- AML/CTF Programs that describe controls that don’t exist operationally
- A disconnect between what’s written and how the business really works
AUSTRAC is far less concerned with imperfect documentation than with documentation that doesn’t reflect reality: a Program that describes controls the business never actually operates is what draws enforcement.
We believe you should treat AUSTRAC’s public commentary as your north star. Align documents, processes, and technology to the practical standard AUSTRAC enforces, not only to what the legislation technically requires.
2. Thinking customer due diligence = collecting ID
This is where almost every beginner misfires. They treat CDD as “get the licence, tick the box, file it somewhere.” But effective AML requires you to understand the customer’s risk, not just their identity.
The common pitfalls:
- Beneficial ownership is missed entirely. Many stop at the first company in the chain and never get to the individuals who actually control the entity
- No customer risk rating. Every customer ends up classified as “standard,” because the business never built a real risk-based model
- No ongoing due diligence. The mindset is “we onboarded them once, so they’re fine forever.”
CDD is meant to be a forward-looking intelligence layer. If you don’t understand a customer’s risk profile, you can’t identify suspicious behaviour later.
The fix? Build CDD around risk, not ID collection, and refresh it:
- on a change in the customer’s circumstances
- on unusual behaviour
- on trigger events
- on new regulator guidance
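As an added illustration (not Involv’s tooling, and not a method the article prescribes), the following Python walks a corporate customer’s ownership chain to the individuals behind it, cuts a cross-holding so the walk terminates, and turns the resolved owners plus a few customer attributes into a risk rating instead of defaulting everyone to “standard”. The entity names are constructed; the 25% ownership threshold, the scoring weights and the low/medium/high bands are assumptions chosen for the example.

```python
"""Beneficial ownership resolution and a customer risk rating (added example).

Not Involv's tooling. Entity names are constructed; the 25% ownership threshold,
the scoring weights and the rating bands are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed: effective share at which an individual is treated as a beneficial owner.
BENEFICIAL_OWNER_THRESHOLD = 0.25


@dataclass
class Entity:
    name: str
    is_individual: bool = False
    owners: dict = field(default_factory=dict)  # direct holder name -> fraction of this entity (0.0-1.0)
    pep: bool = False                           # politically exposed person
    high_risk_jurisdiction: bool = False
    cash_intensive: bool = False


def effective_owners(registry, customer, _path=()):
    """Return {individual: effective share} by walking the ownership chain.

    Shares multiply along a chain (50% of a company that holds 60% of the customer
    is an effective 30%) and sum across parallel paths. A circular holding is cut
    so the walk terminates instead of looping.
    """
    if customer in _path:
        return {}
    shares = {}
    for holder, share in registry[customer].owners.items():
        if registry[holder].is_individual:
            shares[holder] = shares.get(holder, 0.0) + share
        else:
            for person, sub in effective_owners(registry, holder, _path + (customer,)).items():
                shares[person] = shares.get(person, 0.0) + share * sub
    return shares


def beneficial_owners(registry, customer, threshold=BENEFICIAL_OWNER_THRESHOLD):
    """Individuals whose effective share reaches the threshold."""
    return {p: round(s, 4) for p, s in effective_owners(registry, customer).items() if s >= threshold}


def structure_depth(registry, customer, _path=()):
    """Number of corporate layers on the longest chain from the customer to an individual."""
    if customer in _path:
        return 0
    corporate = [h for h in registry[customer].owners if not registry[h].is_individual]
    if not corporate:
        return 1
    return 1 + max(structure_depth(registry, h, _path + (customer,)) for h in corporate)


def risk_rating(registry, customer):
    """Score the customer from its own attributes and its resolved owners (weights assumed)."""
    entity = registry[customer]
    owners = beneficial_owners(registry, customer)
    score, reasons = 0, []
    if entity.cash_intensive:
        score += 2
        reasons.append("cash-intensive business")
    if entity.high_risk_jurisdiction:
        score += 2
        reasons.append("customer linked to a high-risk jurisdiction")
    for person in owners:
        if registry[person].pep:
            score += 3
            reasons.append(f"beneficial owner {person} is a PEP")
        if registry[person].high_risk_jurisdiction:
            score += 2
            reasons.append(f"beneficial owner {person} linked to a high-risk jurisdiction")
    depth = structure_depth(registry, customer)
    if depth > 1:
        score += depth - 1
        reasons.append(f"{depth} layers of corporate ownership")
    if not owners:
        score += 2
        reasons.append("no beneficial owner identified above threshold")
    rating = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return rating, score, reasons


# Constructed sample: a jeweller owned partly through a holding company that in turn
# holds a slice of the jeweller (a cross-holding, which is the cycle the walk must cut).
REGISTRY = {e.name: e for e in [
    Entity("Harbour Jewellers Pty Ltd", cash_intensive=True,
           owners={"HJ Holdings Pty Ltd": 0.60, "Priya Nair": 0.40}),
    Entity("HJ Holdings Pty Ltd",
           owners={"Tom Reid": 0.50, "Mei Chen": 0.30, "Harbour Jewellers Pty Ltd": 0.20}),
    Entity("Priya Nair", is_individual=True),
    Entity("Tom Reid", is_individual=True, pep=True),
    Entity("Mei Chen", is_individual=True),
]}

if __name__ == "__main__":
    customer = "Harbour Jewellers Pty Ltd"
    print("beneficial owners:", beneficial_owners(REGISTRY, customer))
    print("rating:", risk_rating(REGISTRY, customer))
```

Mei Chen holds 30% of the holding company but only an effective 18% of the customer, so she falls below the threshold; Tom Reid’s 30% effective stake, combined with his PEP status, is what pushes the rating to high. The rating function is deliberately explainable: the reasons list is what an analyst (or AUSTRAC) will ask for.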
3. Treating transaction monitoring as a static rules engine
This one causes more SMR (suspicious matter report) failures than any other mistake. Beginners often copy a set of rules from another industry or from a template, then leave them untouched for years. They set thresholds with no link to the business’s risk profile, customer mix, or transaction behaviour.
In practice, this leads to:
- Missed suspicious activity
- “Alert fatigue” as irrelevant alerts bury the real ones
- SMRs filed too late or not at all
AUSTRAC expects monitoring to be dynamic, risk-based, and behaviour-centred. Static rules drift out of step with the business as its customers, products and volumes change, and they fail when tested against real activity.
The fix?
- Calibrate rules against real venue or firm data
- Back-test regularly
- Link rules to the ML/TF/PF (money laundering, terrorism financing and proliferation financing) risk assessment
- Continuously refine thresholds
- Ensure analysts have a clear escalation path
Monitoring isn’t a compliance bolt-on. It’s the engine room of your AML capability.
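To make the difference concrete, here is an added Python example (not part of the original article and not Involv’s product) that runs a copied-from-a-template static threshold rule beside two risk-calibrated, behaviour-centred rules over a small ledger, then back-tests each against known outcomes. The ledger, the customer risk tiers and the confirmed-suspicious labels are constructed; the per-tier windows, counts and sigma multipliers are assumed calibration values. The AUD 10,000 figure is the threshold transaction report trigger, which is a reporting obligation rather than a suspicion test.

```python
"""Risk-calibrated transaction monitoring with a back-test (added example).

Constructed ledger and labels; per-tier parameters are assumed calibration values.
AUD 10,000 is the threshold transaction report trigger, a reporting obligation
rather than a suspicion test.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TTR_THRESHOLD = 10_000.0
STRUCTURING_FLOOR = 0.8 * TTR_THRESHOLD  # just-under-threshold band: 8,000 up to but below 10,000

# Assumed per-tier calibration, driven by the customer risk rating: how wide a
# window to look for structuring, how many deposits trigger it, and how far above
# the customer's own baseline a single cash-in must sit before it alerts.
TIER_PARAMS = {
    "low":    {"window_h": 24, "min_count": 4, "sigma": 4.0},
    "medium": {"window_h": 48, "min_count": 3, "sigma": 3.0},
    "high":   {"window_h": 72, "min_count": 2, "sigma": 2.0},
}


def _t(day, hour=12):
    return datetime(2025, 3, day, hour)


# Constructed sample ledger: (customer_id, timestamp, cash_in AUD).
LEDGER = (
    [("C1", _t(d), 500.0 + 20 * d) for d in range(1, 11)]                              # steady low-value trade
    + [("C2", _t(8, 10), 9500.0), ("C2", _t(8, 16), 9800.0), ("C2", _t(9, 11), 9700.0)]  # structured under 10k
    + [("C3", _t(d), 2000.0 + 50 * (d % 3)) for d in range(1, 9)]                      # steady, then a spike
    + [("C3", _t(9), 25000.0)]
    + [("C4", _t(5), 12000.0)]                                                          # one documented cash sale
)
CUSTOMER_RISK = {"C1": "low", "C2": "high", "C3": "medium", "C4": "low"}
CONFIRMED_SUSPICIOUS = {"C2", "C3"}  # constructed label set: past cases that ended in an SMR


def static_rule(ledger):
    """Template rule: alert on any single cash-in at or above the TTR threshold."""
    return [("static", c, f"cash-in {amt:.0f} >= {TTR_THRESHOLD:.0f}")
            for c, _, amt in ledger if amt >= TTR_THRESHOLD]


def structuring_rule(ledger, risk):
    """Repeated just-under-threshold deposits inside a window sized by the customer's risk tier."""
    alerts, stamps_by_customer = [], defaultdict(list)
    for c, ts, amt in ledger:
        if STRUCTURING_FLOOR <= amt < TTR_THRESHOLD:
            stamps_by_customer[c].append(ts)
    for c, stamps in stamps_by_customer.items():
        params = TIER_PARAMS[risk[c]]
        window = timedelta(hours=params["window_h"])
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for s in stamps[i:] if s - start <= window)
            if n >= params["min_count"]:
                alerts.append(("structuring", c, f"{n} deposits just under threshold within {params['window_h']}h"))
                break
    return alerts


def baseline_rule(ledger, risk, min_history=5):
    """Alert when a cash-in sits far above the customer's own prior behaviour."""
    alerts, history = [], defaultdict(list)
    for c, _, amt in sorted(ledger, key=lambda row: row[1]):
        prior = history[c]
        if len(prior) >= min_history:
            mu = mean(prior)
            spread = max(pstdev(prior), 0.05 * mu)  # floor the spread so a flat history tolerates small moves
            limit = mu + TIER_PARAMS[risk[c]]["sigma"] * spread
            if amt > limit:
                alerts.append(("baseline", c, f"cash-in {amt:.0f} vs baseline {mu:.0f} (limit {limit:.0f})"))
        prior.append(amt)
    return alerts


def backtest(alerts, suspicious):
    """Compare flagged customers with known outcomes: run this before and after every recalibration."""
    flagged = {c for _, c, _ in alerts}
    hits = len(flagged & suspicious)
    return {"flagged": sorted(flagged),
            "precision": hits / len(flagged) if flagged else 0.0,
            "recall": hits / len(suspicious) if suspicious else 0.0}


def run_static():
    return backtest(static_rule(LEDGER), CONFIRMED_SUSPICIOUS)


def run_risk_based():
    alerts = structuring_rule(LEDGER, CUSTOMER_RISK) + baseline_rule(LEDGER, CUSTOMER_RISK)
    return backtest(alerts, CONFIRMED_SUSPICIOUS)


if __name__ == "__main__":
    print("static:     ", run_static())
    print("risk-based: ", run_risk_based())
    # Same rules, but with C2 mis-rated as low risk: the stricter count requirement hides the structuring.
    print("C2 as low:  ", structuring_rule(LEDGER, {**CUSTOMER_RISK, "C2": "low"}))
```

On this constructed ledger the static rule flags C3 and C4 (one true case, one false positive) and never sees C2, whose deposits all sit under 10,000; the structuring and baseline rules flag exactly C2 and C3. The last print shows why the rating has to feed the rules: with C2 rated low, the same structuring logic stays silent. In practice the 12,000 cash-in from C4 still has to be reported as a threshold transaction, which is a separate obligation from deciding whether it is suspicious.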
The real root cause: nothing connects
These three mistakes all point to the same underlying problem:
Beginners treat AML as documents, not a system.
The risk assessment doesn’t inform controls.
Controls don’t inform monitoring.
Monitoring doesn’t feed back into the risk assessment.
CDD isn’t connected to anything.
It’s a fragmented approach, and AUSTRAC consistently penalises fragmentation.
What good AML practice actually looks like
A modern AML program is integrated, data-driven, and behaviour-aware.
It ties everything together.
- Risk assessment informs CDD
- CDD informs monitoring
- Monitoring informs reporting
- Reporting informs the Program refresh, which closes the loop back to the risk assessment
This is the operating model AUSTRAC already expects from Tranche 1 entities and the one Tranche 2 entities will need to adopt quickly.
Where Involv helps
Involv brings together AML advisory, risk expertise, gaming intelligence, and bespoke GRC technology. We help organisations build AML systems - not paperwork - and align everything with AUSTRAC’s evolving expectations.
Whether you’re a pub navigating gaming AML obligations or a new Tranche 2 reporting entity preparing for Day 1 compliance, we help you avoid the mistakes that cost businesses time, money, and reputational damage.
If you’d like help strengthening your AML program or want a review to understand where your gaps lie, reach out to the Involv team.