AUSTRAC's enforcement record over the last decade has focused on Tranche 1 reporting entities — banks, remitters, and gambling operators. The civil penalties have been substantial: Westpac (A$1.3 billion), Crown (A$450 million), Star (A$100 million), CBA (A$700 million). The pattern across these cases is consistent, and instructive for Tranche 2 firms.
What the enforcement actions have in common
- Failure to identify and assess risk at the program level — not isolated failures.
- Failure to act on red flags that staff had identified internally.
- Inadequate or backdated SMRs and TTRs.
- Inadequate independent review and remediation of identified weaknesses.
- Failure to escalate to senior management and the board.
What this means for Tranche 2
AUSTRAC has signalled that the first 12–24 months of Tranche 2 will lean towards supervisory engagement rather than enforcement. The regulator wants new reporting entities to come into compliance, not to be made examples of. But the threshold for 'good faith effort' is real activity — a documented program, evidence of training, evidence of CDD on actual clients, and at least one independent review cycle before you'd reasonably expect a supervisor to engage.
How to be the firm AUSTRAC engages constructively with
- Have a written program that names a real person as compliance officer.
- Be able to evidence CDD on every in-scope client.
- Have an audit log showing your monitoring is actually running.
- File at least one SMR or be able to evidence why you have not.
- Have an independent review scheduled.