Compliance Fines and Penalties: What Australian
Comprehensive breakdown of compliance fines by sector in Australia: AUSTRAC, OAIC, ASIC, APRA penalties.

In 2024-25, AUSTRAC continued to pursue enforcement action against reporting entities for AML/CTF failures, building on a record that includes Australia's largest-ever corporate civil penalty, AUD 1.3 billion against Westpac in 2020. The OAIC has signalled increased enforcement of the Privacy Act 1988, particularly since the 2022 amendments raised maximum penalties to AUD 50 million. This article maps out which Australian regulators fine which sectors, how much they charge, and what patterns are emerging from recent enforcement data.
Australian regulators and their enforcement powers
The Australian regulatory landscape splits compliance enforcement across several bodies, each with distinct sectoral jurisdiction and penalty frameworks. Understanding which regulator covers your sector is the first step in managing compliance risk.
AUSTRAC supervises reporting entities under the AML/CTF Act 2006, including banks, remittance providers, gambling operators, bullion dealers and digital currency exchanges. ASIC regulates financial services licensees, markets and corporate conduct. The OAIC enforces the Privacy Act 1988 across all sectors. APRA regulates banks, insurers and superannuation funds for prudential soundness.
| Regulator | Sectors supervised | Maximum penalty | Legal basis |
|---|---|---|---|
| AUSTRAC | Banks, remitters, gambling, bullion, DCEs, other reporting entities | AUD 28.2M per contravention (civil) | AML/CTF Act 2006 |
| OAIC | All sectors (personal information) | AUD 50M or 3x benefit or 30% of turnover | Privacy Act 1988 (as amended 2022) |
| ASIC | Financial services, markets, corporate governance | Varies: unlimited for criminal, up to AUD 10.5M civil | Corporations Act 2001, ASIC Act 2001 |
| APRA | ADIs, insurers, superannuation trustees | Directions, licence conditions, disqualification | Banking Act 1959, Insurance Act 1973, SIS Act 1993 |
| ATO | All businesses (tax compliance) | Administrative penalties, director penalties | Tax Administration Act 1953, ITAA 1997 |
| AFP | Proceeds of crime, serious financial crime | Criminal prosecution + confiscation | Proceeds of Crime Act 2002 (Cth) |
AUSTRAC supervises AML/CTF compliance for a wide range of reporting entities. Since 2018, its enforcement posture has become significantly more aggressive, with civil penalty proceedings against major financial institutions and expanded supervisory attention to digital currency exchanges and remittance providers.
Banking and financial services: where the largest fines land
Banking consistently attracts the heaviest regulatory penalties in Australia. AML/CTF failures, weak transaction monitoring, and inadequate customer identification procedures are the primary triggers.
The Westpac case remains the reference point. In September 2020, Westpac agreed to pay AUD 1.3 billion, the largest civil penalty in Australian corporate history, for over 23 million contraventions of the AML/CTF Act, including failures to report international funds transfer instructions and inadequate customer due diligence on correspondent banking relationships (AUSTRAC v Westpac).
| Year | Entity | Penalty amount | Regulator | Primary failing |
|---|---|---|---|---|
| 2020 | Westpac | AUD 1.3B | AUSTRAC | 23M+ AML/CTF Act contraventions |
| 2018 | Commonwealth Bank | AUD 700M | AUSTRAC | 53,750 threshold transaction reporting failures |
| 2023 | Crown Resorts | AUD 450M | AUSTRAC | Systematic AML/CTF failures across casino operations |
| 2022 | SkyCity Adelaide | AUD 67M | AUSTRAC | Failure to have compliant AML/CTF program |
| 2024 | Star Entertainment | Under enforcement | AUSTRAC | AML/CTF compliance failures |
AUSTRAC's enforcement strategy has expanded beyond banks to encompass gambling operators, remittance providers and digital currency exchanges. The Crown Resorts penalty in 2023 signalled that the casino and gaming sector faces the same compliance expectations as traditional financial institutions. When transaction volumes increase, customer identification and transaction monitoring must scale accordingly.
Privacy enforcement: the OAIC's increasing attention
The OAIC takes a risk-based approach to enforcement, prioritising sectors that process large volumes of sensitive personal information. The 2022 amendments to the Privacy Act 1988 significantly increased maximum penalties and strengthened the OAIC's enforcement powers.
Since the Optus (2022) and Medibank (2022) data breaches, which affected a combined 20 million Australians, the OAIC has pursued more aggressive enforcement action. The maximum penalty for serious or repeated privacy breaches is now AUD 50 million, three times the benefit obtained from the breach, or 30% of the entity's adjusted turnover, whichever is greatest.
| Sector | Typical OAIC enforcement range | Common violations |
|---|---|---|
| Telecoms | AUD 1M - 50M+ (pending Optus) | Data breaches, inadequate security |
| Healthcare / Health insurers | AUD 500K - 10M+ | Data breaches, improper data sharing |
| Financial services | AUD 250K - 5M | Improper data disclosure, access controls |
| Retail / E-commerce | AUD 100K - 1M | Marketing consent, data retention |
| Government agencies | Determinations + remediation | FOI failures, data loss |
The OAIC has signalled a shift toward larger penalties for systemic failures. The ongoing Medibank enforcement proceedings seek a penalty reflecting the scale of the breach, potentially hundreds of millions of dollars.
Insurance sector: growing regulatory attention
The insurance sector in Australia is subject to dual regulation by ASIC (conduct) and APRA (prudential). AML/CTF obligations apply specifically to life insurance and investment-linked policies, while broader conduct rules cover claims handling, product governance, and unfair contract terms.
APRA's enforcement in the insurance sector tends to focus on governance and risk management failures, particularly under CPS 220 Risk Management. ASIC targets poor claims handling, misleading product information, and failures in fraud detection. Intermediaries and underwriting agencies face increasing scrutiny as ASIC expands its supervisory activities.
Professional services: accountants and real estate agents
AUSTRAC's supervisory attention to designated non-financial businesses and professions (DNFBPs) has increased, with real estate agents and solicitors captured as reporting entities under the AML/CTF Act. Accountants are not currently reporting entities under Australian AML/CTF law but may be brought within scope under proposed reforms aligned with FATF recommendations.
Real estate agents are subject to AML/CTF obligations for transactions involving the purchase or sale of real estate. The ATO supervises tax compliance obligations for professional services firms, with administrative penalties for late lodgement and incorrect reporting.
International comparison: FATF Mutual Evaluation
For Australian firms operating across borders, the FATF Mutual Evaluation of Australia (2015, with follow-up assessments) identified areas requiring improvement, including the scope of reporting entities and beneficial ownership transparency. Australia's ongoing AML/CTF reform program aims to address these gaps by expanding the designated services regime and strengthening beneficial ownership requirements.
Australian firms servicing international clients must often comply with multiple regimes: the AML/CTF Act domestically, plus EU AMLD6, UK MLR 2017, or US BSA/AML requirements depending on the jurisdictions involved. This increases the compliance burden and the potential for multi-jurisdictional enforcement.
Trends shaping 2026 enforcement
Three enforcement patterns are visible across all Australian regulators. First, digital-first businesses face the same compliance expectations as traditional institutions. The Crown Resorts and SkyCity penalties demonstrate that no sector receives a compliance exemption.
Second, AUSTRAC is increasingly willing to pursue substantial civil penalties rather than relying solely on enforceable undertakings. The precedent set by the Westpac and CBA penalties means all reporting entities face the credible threat of nine-figure penalties.
Third, cross-regulator coordination is increasing. AUSTRAC, ASIC, APRA and the AFP share intelligence more actively, meaning a compliance failure flagged by one regulator can trigger investigation by another. Firms that invest in robust document verification and KYC processes reduce their exposure across all regulatory touchpoints simultaneously.
For a comprehensive overview, see our document fraud data trends guide.
Frequently asked questions
What is the largest AML fine ever imposed in Australia?
Westpac's AUD 1.3 billion penalty in September 2020 remains the largest civil penalty in Australian corporate history. It covered over 23 million contraventions of the AML/CTF Act, including failures to report international funds transfer instructions and inadequate customer due diligence on correspondent banking relationships.
Can AUSTRAC and the OAIC both take action against the same company?
Yes. AUSTRAC and the OAIC have separate jurisdictions: AUSTRAC enforces the AML/CTF Act, while the OAIC enforces the Privacy Act 1988. A firm that suffers a data breach involving customer financial data could face penalties from both regulators for the same incident. ASIC may also take action if the firm holds an AFS licence.
Are small firms exempt from AML fines?
No. AUSTRAC's obligations under the AML/CTF Act apply to all reporting entities regardless of size. The civil penalty provisions apply equally to sole operators and major corporations, though penalties are expected to be proportionate to the size and nature of the business. Small remittance providers and digital currency exchanges have been subject to enforcement action alongside larger institutions.
How do Australian fines compare to international penalties?
Australian AML penalties are among the highest globally in absolute terms, driven by the Westpac (AUD 1.3B) and CBA (AUD 700M) cases. The AML/CTF Act's per-contravention penalty structure, combined with high volumes of automated transactions, can produce aggregate penalties in the billions. The FATF Mutual Evaluation process means Australia's enforcement approach is benchmarked against international standards.
For deeper context on the document fraud patterns that drive these regulatory actions, read our document fraud statistics overview. You can also explore our AML compliance guide for practical steps to build a compliant programme. Our data from over 180,000 documents processed monthly shows that automated verification reduces compliance gaps by detecting 94.8% of fraudulent documents with a false positive rate of 2.8%. Learn how CheckFile.ai supports compliance workflows, or visit our pricing page.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Australian organisations should consult qualified professionals for guidance specific to their obligations under AUSTRAC, ASIC, APRA and the OAIC.