KYC/AML for Online Gambling in Australia: AUSTRAC and AML/CTF Act 2026

AML compliance for Australian online gambling operators: AUSTRAC, AML/CTF Act 2006, ACMA, IGA, state gaming commissions, Privacy Act 1988. Complete KYC guide 2026.

CheckFile Team
Online gambling in Australia is regulated by a dual framework: the Interactive Gambling Act 2001 (IGA) governs which gambling services are legal to offer to Australian customers, while AUSTRAC (Australian Transaction Reports and Analysis Centre) administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) for all gambling service providers. Unlike the EU's AMLD6 model, Australia uses sector-specific legislation rather than a unified AML directive. Major amendments to the AML/CTF Act commenced on 31 March 2026, significantly updating the obligations for gambling operators.

This article is for informational purposes only and does not constitute legal or regulatory advice. Regulatory references are accurate as of the publication date. Seek qualified legal counsel for advice specific to your situation.

Australian Gambling Regulatory Framework

Under the IGA, interactive gambling services (online casino games, poker) may not be offered to Australian customers by Australian-licensed operators — but sports betting is legal. Major Australian sports betting operators (Sportsbet, Bet365, TAB, William Hill Australia) hold licences from state/territory gaming commissions. The Australian Communications and Media Authority (ACMA) enforces the IGA and blocks unlicensed offshore operators.

As of 2026, Australian gambling AML/CTF obligations apply to:

Service type | AML/CTF Act applies | AUSTRAC reporting entity
Sports betting (licensed) | Yes | Yes
Wagering on racing events | Yes | Yes
Land-based casinos | Yes | Yes
Online casino (offshore) | No direct AUSTRAC jurisdiction | Blocked by ACMA
Lottery services | Yes (above threshold) | Yes

AUSTRAC AML/CTF Program Obligations for Gambling Operators

Gambling service providers designated under the AML/CTF Act must enrol with AUSTRAC and maintain a compliant AML/CTF Program. The AML/CTF Act 2006 (as amended from 31 March 2026) requires designated service providers to:

  • Adopt a written AML/CTF Program with Part A (due diligence) and Part B (customer identification) components
  • Apply a risk-based approach to identify, mitigate, and manage ML/TF risks
  • Conduct customer identification before providing a designated service exceeding the AUD 10,000 threshold
  • Submit Threshold Transaction Reports (TTRs) to AUSTRAC for cash transactions of AUD 10,000 or more
  • Submit Suspicious Matter Reports (SMRs) when there are reasonable grounds to suspect ML/TF
  • Conduct ongoing customer due diligence including enhanced due diligence for higher-risk customers

The March 2026 AML/CTF Act amendments introduced new requirements including a mandatory enterprise-wide risk assessment, enhanced due diligence for PEPs (now broader in definition), and new correspondent relationship obligations.

Customer Identification Under the AML/CTF Act

The AML/CTF Act requires Know Your Customer (KYC) identification before providing designated gambling services above the AUD 10,000 threshold, or when the gambling provider suspects the customer is engaging in ML/TF.

Acceptable Identity Documents for Australian Players

The AUSTRAC Customer Identification Rules 2007 specify the documents acceptable for verifying customer identity:

  • Primary photographic documents (1 document required): Australian passport, Australian driver's licence, proof of age card, foreign passport
  • Primary non-photographic documents: birth certificate, citizenship certificate, Medicare card (limited use)
  • Secondary documents: utility bills (electricity, gas, water), bank statement — used to supplement primary documents for address verification

For online operators (sports betting), electronic verification is the norm. The AML/CTF Rules permit electronic customer verification through commercially available identity verification services that match the customer's details against reliable data sources (credit bureau data, government databases).

Tax File Number (TFN) considerations: Unlike the US SSN, the TFN is optional for gambling customers. However, some operators request it for tax reporting on winnings above AUD 10,000 (where the operator must withhold tax under PAYG rules if the TFN is not provided).

CheckFile supports Australian gambling operators with document verification that meets AUSTRAC's AML/CTF Rules requirements for both documentary and electronic customer identification.

Enhanced Customer Due Diligence for High-Value and High-Risk Customers

The AML/CTF Act requires Enhanced Customer Due Diligence (ECDD) when the ML/TF risk is heightened. Under the 2026 amendments, ECDD triggers now explicitly include Domestic Politically Exposed Persons (DPEPs) — a change from the previous rules that only required enhanced scrutiny for Foreign PEPs (AUSTRAC, AML/CTF Act 2026 amendments).

ECDD is required for:

Domestic and Foreign PEPs: As of 31 March 2026, Australian gambling operators must apply ECDD to both foreign PEPs and domestic PEPs (senior Australian public officials and their associates). ECDD includes: additional identity verification, source of funds and source of wealth documentation, and ongoing enhanced monitoring.

High-Value Customers: AUSTRAC guidance recommends that wagering operators with high-staking customers establish written ECDD procedures, particularly for customers placing single bets above AUD 5,000 or with total annual wagering activity above AUD 100,000.

Customers from High-Risk Jurisdictions: Customers from FATF-listed high-risk countries require ECDD at the time of onboarding and during ongoing due diligence reviews.

The enhanced due diligence guide provides a structured framework. CheckFile enables centralised storage of ECDD documentation with full audit trails.

Suspicious Matter Reports (SMRs) to AUSTRAC

Australian gambling operators must submit an SMR to AUSTRAC when they form a suspicion on reasonable grounds that a customer or transaction is related to ML or TF. AUSTRAC received approximately 68,000 SMRs from the gambling sector in 2024 (AUSTRAC, Annual Report 2024).

Unlike the EU model, Australia has a "suspicion" standard rather than a "knowledge" standard — meaning operators need not prove money laundering, only form a reasonable suspicion. SMRs must be submitted within 3 business days of forming the suspicion (or 24 hours for terrorism-related matters).

Common SMR triggers for Australian sports betting operators:

  • Customer placing large bets immediately after account opening with no betting history
  • Use of multiple payment methods or betting accounts linked to the same person
  • Unusual betting patterns inconsistent with sports knowledge (e.g., betting on obscure events)
  • Requests for account balance transfers to third parties
  • Use of overseas credit cards for large Australian betting deposits

Privacy Act 1988 and Australian Privacy Principles (APPs)

Australian gambling operators handling customer personal data must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs), overseen by the Office of the Australian Information Commissioner (OAIC).

Data Category | AML/CTF Act Retention | Privacy Act Requirement
KYC identity records | 7 years from last transaction | APP 11 (security + retention only as needed)
SMR records | 7 years | Secure retention (AML obligation)
TTR records | 7 years | Secure retention
Betting transaction history | 7 years (AML) | As required by gaming licence

Australia's 7-year retention requirement (AML/CTF Act, s. 106) is longer than the EU AMLR's 5-year requirement. This distinction is important for operators with both EU and Australian customer bases, who must apply the stricter standard for Australian records.

For a guide on document retention across jurisdictions, see the document retention requirements by country and sector.

Internal Controls and AML/CTF Program Structure

The AML/CTF Act (Part 2) requires gambling operators to structure their compliance program with:

  • AML/CTF Compliance Officer: a senior individual responsible for the AML/CTF Program
  • Board-level oversight: Australian regulators expect gambling AML programs to have board or senior management sign-off
  • Independent audit: review of the AML/CTF Program at least every 3 years (Part A requirement) and review of KYC procedures annually
  • Staff training: AML/CTF training for all new employees and at least annually for existing staff

CheckFile integrates via API with operator onboarding systems to automate document checks and produce AUSTRAC-ready compliance documentation.

Frequently Asked Questions

What is AUSTRAC and why is it critical for Australian gambling operators?

AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's financial intelligence unit and the regulator of AML/CTF compliance. All gambling operators providing designated gambling services in Australia must enrol with AUSTRAC, maintain an AML/CTF Program, and comply with reporting obligations. AUSTRAC has enforcement powers including the ability to impose civil penalties, which can exceed AUD 100 million for systemic failures.

Under the Interactive Gambling Act 2001, Australian-licensed operators are prohibited from offering casino-style games (roulette, poker, blackjack) to Australian customers online. Only sports betting and racing wagering are legal for Australian-licensed online operators. The ACMA actively blocks offshore casino operators under the IGA.

What is the KYC threshold for sports betting operators in Australia?

AUSTRAC requires customer identification before providing designated gambling services above AUD 10,000 in a single occasion. For ongoing betting accounts, operators should apply KYC at account opening as a best practice, with heightened scrutiny for any customer depositing more than AUD 5,000 in a 24-hour period.

How do the 2026 AML/CTF Act amendments affect gambling operators?

The March 2026 amendments expanded ECDD requirements to include Domestic PEPs, broadened the definition of beneficial ownership for legal entities, and introduced mandatory enterprise-wide risk assessments. Gambling operators must update their AML/CTF Programs to reflect these changes, particularly in their PEP identification and screening procedures.

What records must Australian gambling operators keep under the AML/CTF Act?

The AML/CTF Act requires retention of all KYC records, TTRs, SMRs, and monitoring records for 7 years from the last transaction with the customer. All records must be stored in a secure, retrievable format that can be produced to AUSTRAC on request within 3 business days.
