AUSTRAC · AML/CTF program

The AML/CTF program, in working terms.

What an Australian gaming venue's AML/CTF program must contain under the post-reform framework — the ML/TF risk assessment, the AML/CTF policies, the AMLCO designation, and the independent evaluation cycle. Working reference for AMLCOs and senior management — not legal advice.

Working reference, not legal advice

AML/CTF program obligations turn on whether your entity is a reporting entity, what designated services it provides, and the operating details of the venue. For a definitive view, talk to an AML lawyer or your external AML consultant.

What changed in 2026

Rule 8.1 retired; the program is now in the Act.

Before 31 March 2026, the structural rule for an AML/CTF program sat in Chapter 8 of the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 — most commonly cited as “Rule 8.1”. Rule 8.1 required every reporting entity to have a written AML/CTF program split into a Part A (general program) and a Part B (customer-due-diligence program), with an AMLCO at the management level.

The AML/CTF Amendment Act 2024 commenced on 31 March 2026 and replaced that scaffold. Chapter 8 and Rule 8.1 are retired. The Part A / Part B split is retired. The AML/CTF Rules 2007 are replaced by the AML/CTF Rules 2025. The program-structure obligations now sit in the AML/CTF Act itself, in Part 1A, with operational detail in Part 5 of the Rules 2025.

The substance is broadly continuous — venues still need a written, risk-based program, a designated AMLCO, and an independent assessment cycle — but the citations, the vocabulary, and a few of the floors have changed. The rest of this page describes the current law, not the retired Rule 8.1 framework.

The program

Two components, one program.

AML/CTF Act 2006 (Cth) s 26B defines the AML/CTF program as comprising two things:

  • The ML/TF risk assessment — an assessment of the money-laundering, terrorism-financing and proliferation-financing risks the venue may reasonably face in providing its designated services (ss.26C–26E).
  • The AML/CTF policies — the policies, procedures, systems and controls the venue uses to appropriately manage and mitigate those risks and to ensure compliance with the Act, the regulations and the AML/CTF Rules (s.26F).

The program must be appropriate to the nature, size and complexity of the venue's business (ss.26C(2), 26F(1)(c)). Both components must be documented (s.26N) and approved by a senior manager of the reporting entity (s.26P(1)); updates to the ML/TF risk assessment must be notified to the governing body in writing as soon as practicable (s.26P(2)).

The detail of what the policies must address sits in the AML/CTF Rules 2025 Part 5 — Divisions 2 and 3 cover the policies' risk-mitigation and governance content, Division 4 covers the AMLCO, Division 5 covers documentation, and Division 6 covers lead-entity policies for reporting groups.

First component

The ML/TF risk assessment.

The venue must identify and assess the ML/TF and proliferation-financing risks it may reasonably face in providing its designated services (s.26C(1)). For a club providing services through an Australian permanent establishment, the assessment must have regard to the kinds of designated services, the kinds of customers, the delivery channels, the countries the venue deals with, AUSTRAC-communicated risk information, and any matters specified in the AML/CTF Rules (s.26C(3)).

The risk assessment must be reviewed for new or changed risks on triggers — a significant change in any of the matters above, AUSTRAC-communicated risk information, or circumstances specified in the Rules — and in any event at least once every three years (s.26D(1)). It must be updated to address issues identified by a review (s.26D(4)). A venue cannot commence to provide a designated service if it does not have a current, compliant risk assessment in place (s.26E(1); civil penalty provision).

The risk assessment is the foundation the AML/CTF policies operationalise. It is also what an AUSTRAC reviewer or an independent evaluator looks at first — everything else hangs off it.

Second component

The AML/CTF policies.

AML/CTF Act 2006 (Cth) s 26F requires the venue to develop and maintain policies, procedures, systems and controls that appropriately manage and mitigate the ML/TF and proliferation-financing risks identified in the risk assessment, ensure compliance with the Act and instruments under it, are appropriate to the nature, size and complexity of the venue's business, and meet any requirements specified in the AML/CTF Rules.

For a venue providing services through an Australian permanent establishment, s.26F(3) and (4) prescribe a non-exhaustive list of matters the policies must deal with — among them:

  • Customer due diligence in accordance with Part 2 of the Act (s.26F(3)(b)).
  • Identifying significant changes to the matters the risk assessment must have regard to, and reviewing and updating the policies in response (s.26F(3)(a), (c)).
  • Reviewing the policies at the intervals specified in the Rules and in any event at least once every three years (s.26F(3)(d)).
  • Ensuring the governing body is sufficiently informed of the risks the venue faces (s.26F(4)(a)).
  • Designating an AMLCO (s.26F(4)(b)) and designating one or more senior managers as responsible for approving the policies and the risk assessment (s.26F(4)(c)).
  • Personnel due diligence and training (s.26F(4)(d), (e); AML/CTF Rules 2025 rr.5-8, 5-9).
  • Independent evaluations of the AML/CTF program at a frequency appropriate to the venue's nature, size and complexity, and in any event at least once every three years (s.26F(4)(f); Rules 2025 r.5-10).

The Rules 2025 add operational detail — Division 2 of Part 5 covers risk-mitigation content, Division 3 covers governance and compliance management (including the AMLCO-to-governing-body reporting obligation in r.5-7), and Division 4 covers AMLCO fit-and-proper requirements (r.5-14).

A venue cannot commence to provide a designated service if it does not have policies in place that meet s.26F (s.26F(8); civil penalty provision). Once in place, the venue must comply with its own policies (s.26G(1); civil penalty provision).

The AMLCO

Designated, at management level.

Section 26J(1) of the Act requires every reporting entity to designate an individual as its AML/CTF Compliance Officer (AMLCO). Section 26J(2) requires that individual to be employed or engaged by the entity at management level and to have sufficient authority, independence, and access to resources and information to perform the role effectively. Section 26J(3) sets eligibility — Australian residency where designated services are provided through an Australian permanent establishment, a fit-and-proper person test, and any further requirements specified in the AML/CTF Rules. The fit-and-proper criteria are elaborated in Rules 2025 r.5-14 (competence, character, no disqualifying convictions or proceedings, no material conflicts of interest).

The AMLCO can hold other roles — club manager, general manager, compliance manager — provided the AMLCO duties are a real workload with documented time and resources. In most NSW registered clubs the AMLCO is the club manager or general manager. Smaller clubs may use a part-time external AMLCO via an AML consultant; the relationship still has to meet the management-level, authority, independence and access-to-resources tests in s.26J(2).

Section 26L lists the AMLCO's functions: overseeing and coordinating the venue's day-to-day compliance with the Act, the regulations and the Rules; overseeing and coordinating the effective operation of and compliance with the AML/CTF policies; communicating with AUSTRAC on behalf of the venue; and any further functions specified in the Rules.

Section 26M requires the venue to notify AUSTRAC of the individual designated as AMLCO within 14 days after designation. The notification must be in the approved form. Failure to notify is a civil penalty provision (s.26M(3)).

AML/CTF Rules 2025 r.5-7(2) requires the AML/CTF policies to provide for the AMLCO to report to the governing body regularly — at least once every twelve months — on the venue's compliance with its policies, the effectiveness of those policies, and the venue's compliance with the Act, the regulations and the Rules. The twelve-month cadence is the statutory floor; more frequent reporting is appropriate where the venue's risk profile warrants it, and many clubs build AMLCO updates into the standard board meeting agenda.

Independent evaluation

At least every three years.

Section 26F(4)(f) of the Act requires the AML/CTF policies to provide for independent evaluations of the AML/CTF program at a frequency that is appropriate to the venue's nature, size and complexity, and in any event at least once every three years. The post-reform term is independent evaluation, not “independent review” — older guidance and many AML consulting firms still use the older phrase, but the statutory term has changed.

AML/CTF Rules 2025 r.5-10 sets out what the evaluation must include: evaluation of the steps the venue took in undertaking or reviewing its risk assessment against the Act/Regulations/Rules; evaluation of the design of the policies against the same; testing and evaluation of the venue's compliance with its policies; testing and evaluation of whether the venue is appropriately identifying, assessing, managing and mitigating its ML/TF risks; a written report (an “independent evaluation report”) containing findings on those matters; and delivery of the report to the governing body and any senior manager responsible for approvals under s.26P. The policies must also deal with how the venue will respond to the report (r.5-10(3)).

The evaluator cannot be the AMLCO; the independence requirement is structural. Most clubs engage an external AML consultant, accounting firm or lawyer for the evaluation, with the AMLCO managing the process and the remediation that follows.

FAQs

Common questions about the AML/CTF program.

What does the AML/CTF Act require my venue's program to contain?

Since 31 March 2026, the AML/CTF Act 2006 (as amended by the AML/CTF Amendment Act 2024) defines the AML/CTF program in s.26B as two components: the venue's ML/TF risk assessment (ss.26C–26E) and the venue's AML/CTF policies (s.26F). The risk assessment identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks the venue may reasonably face in providing its designated services. The policies operationalise that assessment and ensure compliance with the Act, the regulations, and the AML/CTF Rules 2025. Both must be documented (s.26N), approved by a senior manager of the venue (s.26P), and appropriate to the nature, size and complexity of the business. Detail of what the policies must address sits in Part 5 of the AML/CTF Rules 2025. The earlier 'Part A general program / Part B CDD program' split and the AML/CTF Rules 2007 Chapter 8 are retired.

Is "Part A / Part B" still a thing?

No. The Part A general program / Part B customer-due-diligence program split was a feature of the AML/CTF Rules 2007 (Chapter 8, Rule 8.1). Both the 2007 Rules instrument and the Part A/B split were retired on 31 March 2026 when the AML/CTF Amendment Act 2024 commenced. The program is now a single thing — risk assessment + policies — under s.26B of the Act. Customer due diligence is a statutory obligation under Part 2 of the Act (ss.28–32), which the policies must operationalise; it isn't structured as a separate 'Part B' of the program. Older AML/CTF program documents that still use the Part A/B language need to be updated when the venue next refreshes the program.

What does the ML/TF risk assessment have to cover?

For a venue providing designated services through an Australian permanent establishment, s.26C(3) of the Act requires the risk assessment to have regard to the kinds of designated services the venue provides, the kinds of customers it provides those services to, the delivery channels (cage, EGM, member account), the countries the venue deals with in providing services, any risk information AUSTRAC has communicated to the venue, and any matters specified in the AML/CTF Rules. The assessment must be reviewed for new or changed risks when significant changes occur, when AUSTRAC communicates risk information, when the Rules require it, and in any event at least once every three years (s.26D(1)). A venue cannot commence to provide a designated service if it doesn't have a current, compliant risk assessment in place (s.26E(1); civil penalty provision).

What does the AMLCO designation involve?

Section 26J(1) of the Act requires every reporting entity to designate an individual as its AML/CTF Compliance Officer. Section 26J(2) requires that individual to be employed or engaged at management level and to have sufficient authority, independence, and access to resources and information to perform the role effectively. Section 26J(3) adds eligibility — Australian residency where designated services are provided through an Australian permanent establishment, a fit-and-proper-person test, and any further requirements in the Rules. The Rules 2025 r.5-14 elaborates the fit-and-proper criteria. For most NSW registered clubs, the AMLCO is the club manager, general manager, or compliance manager. The role can be held alongside other duties, but it has to be a real workload — naming someone on paper while their actual time and budget for AML/CTF is zero is the structural failure pattern AUSTRAC is alert to. The venue must notify AUSTRAC of the AMLCO designation within 14 days (s.26M; civil penalty for failure).

Does the Act require an independent review?

Yes — though the post-reform term is 'independent evaluation', not 'independent review'. Section 26F(4)(f) of the Act requires the AML/CTF policies to provide for independent evaluations of the AML/CTF program at a frequency appropriate to the venue's nature, size and complexity, and in any event at least once every three years. AML/CTF Rules 2025 r.5-10 sets out what the evaluation must include — evaluation of the risk-assessment steps, evaluation of the policies' design, testing of compliance with the policies, a written report to the governing body and the approving senior manager — and r.5-10(3) requires the policies to deal with how the venue will respond to the report. The evaluator cannot be the AMLCO; structural separation is required. Most clubs engage an external AML consultant, accounting firm or lawyer for the evaluation.

What's the difference between the AML/CTF Act and the AML/CTF Rules?

The AML/CTF Act 2006 is the primary statute. The AML/CTF Rules are a legislative instrument made under s.229 of the Act. Both are binding law. Since 31 March 2026, the AML/CTF Rules 2025 are the current instrument (the earlier AML/CTF Rules 2007 instrument is retired). The Act now carries the structural rules itself — Part 1A covers AML/CTF programs (program definition, risk assessment, policies, governing-body responsibilities, AMLCO, documentation), and Part 2 covers customer due diligence. The Rules 2025 add detail — Part 5 of the Rules covers program-related operational requirements (risk-mitigation content, governance, AMLCO fit-and-proper criteria, documentation timing). In practical terms, an AMLCO who wants to know what their program must contain reads Part 1A of the Act first and Part 5 of the Rules 2025 second. The reverse priority (Rules first, Act second) was the pre-31-March-2026 posture.

Can two reporting entities share an AML/CTF program?

The post-reform framework uses the term 'reporting group' (and 'lead entity') rather than the older 'designated business group (DBG)'. A reporting group is a group of reporting entities that has chosen to apply the reporting-group rules; the lead entity's AML/CTF policies must include matters for sharing information among group members (s.26F(5)–(6)), and AML/CTF Rules 2025 Division 6 of Part 5 covers how those policies operate. Each member entity remains separately liable for its own designated services. For most single-club operations, reporting-group structures aren't relevant; for club groups with multiple licensed entities under common control, they can simplify program maintenance. The pre-31-March-2026 DBG mechanism is retired, though many existing AML consultant arrangements may still use the older terminology.

What records does the AMLCO have to maintain, and for how long?

Six categories, each retained for seven years under the AML/CTF Act but with different start clocks. (1) The current AML/CTF program (risk assessment + policies) with version history — kept seven years after the record is no longer relevant to Part 1A compliance (s.116). (2) Customer-due-diligence records for each patron the policies required CDD on — kept seven years after the business relationship ends (s.111). (3) Transaction records — kept seven years from when the record is made (s.107). (4) TTR and SMR submissions and any AUSTRAC correspondence about them — also seven years under s.107. (5) Staff training records and personnel-due-diligence records — Part 1A program records, seven years under s.116. (6) Independent evaluation reports and the venue's responses to findings — Part 1A records under s.116. (Customer-provided transaction documents have a separate seven-year clock under s.108.) The post-reform retention period is seven years for every AML record class — never five — but the section and the start clock vary by class.
