
When the Regulator Brings a Microscope: Lessons from AUSTRAC v Entain

Apr 8, 2025


You can almost feel the regulator’s exasperation in AUSTRAC’s Statement of Claim (SoC) against Entain. This isn’t a case about complex breaches — the allegations are about failures in the fundamentals: basic compliance and ML/TF risk management.

What the SoC allegations highlight, above all, is what happens when a business claims to take a risk-based approach, but doesn’t actually live it.

And when that disconnect exists — between what the risk assessment says and reality — the regulator doesn’t just raise questions. They zoom in. Deep. Every missing control, every ignored red flag, every opportunity to act that went by — it all becomes part of the narrative. And under that microscope, very little escapes scrutiny.

This is not new. Since the enforcement action taken against Tabcorp in 2015, followed by a range of enforcement actions against other corporate bookmakers, and then the major casinos, AUSTRAC has made its focus on the gambling sector crystal clear. At this point, no operator can reasonably claim they didn’t see this coming.

It’s Not About Perfection …

Let’s be honest: no one gets it 100% right all the time. We’ve seen this firsthand across a range of reporting entities. Real-world AML/CTF compliance involves trade-offs. It means prioritising risks, navigating constraints and making tough calls on resourcing and risk coverage.

But here’s the key: when AUSTRAC sees that you’re genuinely trying — that your AML/CTF program is based on a robust risk assessment, that internal resources are being allocated proportionately to those risks, and that you’re actively working to close gaps — they’ll treat you very differently than if you’ve been asleep at the wheel, or worse, wilfully or recklessly indifferent.

It’s not about being perfect. It’s about being proactive and credible.

Key Themes Emerging from the SoC:

In its public statement on 16 December 2024, Entain acknowledged AUSTRAC’s commencement of civil penalty proceedings and noted that many of the alleged failings had either been rectified or would be addressed by mid-2025. Against that backdrop, the following overarching themes emerge clearly from AUSTRAC’s Statement of Claim:

🔍 Risk Assessment

Without a fit-for-purpose risk assessment, you cannot demonstrate that your controls are risk-based or proportionate to your business’ size, nature, and complexity. In AUSTRAC’s view, your Part A Program is non-compliant – full stop.

🔍 Customer Due Diligence

Meeting the bare minimum CDD requirements isn’t enough — not if you want to demonstrate a genuinely risk-based approach. If your program fails to clearly define when additional KYC information must be collected and/or verified, particularly in high-risk scenarios, then in AUSTRAC’s eyes, you’re not compliant.

🔍 Transaction Monitoring (TM)

Operating a large, complex business demands a fit-for-purpose, automated TM program. AUSTRAC alleges Entain’s TM was not just outdated but fundamentally unfit for its scale and risk profile.

🔍 Enhanced Customer Due Diligence (ECDD)

AUSTRAC alleges that Entain’s AML/CTF Program fell short where it mattered most: applying ECDD to high-risk customers. Despite the scale and complexity of its business, the SoC suggests that Entain failed to implement fit-for-purpose, risk-based systems and controls to manage elevated ML/TF risks.

The Statement of Claim goes further, alleging that Entain failed to take sufficient steps to collect and verify source of funds and source of wealth information—both core components of ECDD. These are not compliance niceties or optional extras. They are explicit obligations under the AML/CTF Act and critical to forming a reasonable basis for assessing whether a customer’s financial activity is legitimate.

🔍 Oversight

Involvement by senior management and board members on committees isn’t enough. If your AML/CTF Program has systemic deficiencies, AUSTRAC will conclude that oversight wasn’t effective. As the SoC puts it: “Entain’s board and senior management could not and did not exercise ongoing oversight of Entain’s Part A Program.”

These themes aren’t just abstract failures — they manifest in practical, real-world blind spots. One of the most telling? The tension between delivering a world-class customer experience, being first to market, and implementing robust risk-based financial crime controls.

In the sections that follow, we explore this tension in more depth — including how AUSTRAC’s allegations bring it to life, what it means for regulated businesses today, and what lessons can be drawn by compliance teams, boards, and executives alike.

When Customer Experience Becomes a Blind Spot

One of the more nuanced lessons from the Entain case is this: even best-in-class customer experiences can create blind spots if they’re not balanced with risk awareness.

Entain, through its Ladbrokes and Neds platforms, offers some of the most seamless, intuitive, and enjoyable betting experiences in the industry — from rapid onboarding to flexible deposit & withdrawal options, in-play betting features, and a framework for social punting.

But therein lies the risk.

Features designed to delight customers — speed, ease, anonymity, instant fund transfers or layered account tools — can also attract money launderers. While commercially effective, they can become tools of abuse, if not paired with the right risk-based safeguards.

One such example is Entain’s “Punt Club” feature, which allowed customers to pool funds for group betting activity. While highly engaging — and no doubt a powerful customer acquisition tool — AUSTRAC flagged it as a potential money laundering risk. The problem wasn’t the feature itself — it was the lack of effective controls surrounding its use:

  • Who was contributing funds to the pool?
  • Where were the funds coming from?
  • Who was controlling the account and how were transactions monitored?
  • If ECDD was triggered, did all members get reviewed?

According to the SoC, “Entain had no record of the members of BDM Punt Clubs and was unable to identify them.” In other words, even basic questions of ownership and accountability went unanswered.

Without clear participant identification, traceability of funds, or appropriate risk-based thresholds, features like Punt Club can obscure the true source of funds — making it significantly harder to detect suspicious activity or meet regulatory reporting obligations.

It’s a classic case of customer experience innovation outpacing compliance oversight — where a commercially clever feature becomes a blind spot when risk-based controls don’t keep up.

Launch Smart: Build Risk-Based Controls As Part of the Product or Feature Design

Before adopting or rolling out any new technologies used in the provision of a designated service, businesses must conduct a detailed assessment of the potential ML/TF risks. What could this technology enable if misused? What transaction patterns or behaviours might it obscure? What controls — automated or manual — are needed to detect misuse, without unduly degrading the user experience?

This doesn’t mean stifling innovation. But it does mean building AML/CTF thinking into the product lifecycle — from design to deployment.

Compliance shouldn’t be a bolt-on — it should be embedded

Sometimes, that might mean introducing subtle friction points: enhanced verification at key thresholds, near real-time behavioural analytics, or decision gates before activating high-risk features. Not to kill the experience, but to protect it.

Ultimately, delivering delightful features while ensuring they don’t double as enablers for financial crime is part of a mature, risk-based approach. And when AUSTRAC sees that a business has failed to assess — let alone mitigate — the inherent risks in its own commercial model, the microscope zooms in.

If risk-based controls are designed off a flawed risk assessment, or are never properly implemented, the consequences show up not just in missed alerts but in systemic failures across the compliance lifecycle. That’s exactly what AUSTRAC outlines in its assessment of Entain’s approach to Enhanced Customer Due Diligence, including Source of Wealth and Source of Funds.

What the SoC Says About ECDD and SoW/SoF

AUSTRAC is reiterating a now-familiar message — one that’s been made clear in recent enforcement actions across the gambling sector:

Systemic failures in core AML/CTF compliance and risk management will not be tolerated.

This message is especially sharp when it comes to ECDD and the effective handling of Source of Wealth (SoW) and Source of Funds (SoF) information. These are not just compliance checkboxes — they are essential risk management tools. Without them, reporting entities lack the visibility needed to understand who they’re dealing with, how funds are being generated, and whether the activity poses a financial crime risk.

Enhanced Customer Due Diligence (ECDD)

Your AML/CTF Program must:

  • Comply with the AML/CTF Act and Rules
  • Use appropriate, risk-based triggers to identify when ECDD is needed
  • Apply ECDD measures tailored to the customer’s actual risk profile
  • Ensure timely and effective implementation that generates quality intelligence

Source of Wealth and Source of Funds:

Among those ECDD measures, SoW and SoF are fundamental — particularly for high-risk customers and politically exposed persons (PEPs). Yes, these processes are more complex in a gambling context than in traditional financial services. While most punters are willing to explain where the money for a bet came from, they are far less likely to share detailed information about their overall financial position – especially with a bookmaker or casino. But the SoC makes it clear: that discomfort doesn’t excuse non-compliance.

AUSTRAC alleges that Entain:

  • Had inadequate risk-based triggers for SoW/SoF collection and verification — relying instead on rigid deposit or loss thresholds
  • Failed to adequately verify SoW/SoF information provided by customers, or assess whether that information reasonably supported the scale and nature of transactional activity
  • Lacked a structured process for analysing or reviewing SoW/SoF information once collected
  • Failed to act when customers refused or avoided engagement with the SoW/SoF processes
  • Applied consequence management inconsistently, undermining the effectiveness of its ECDD framework

The key takeaway?

If your ECDD process is driven by internal policy — not by live customer risk — and your SoW/SoF checks rely on templated, unverified responses, you’re not risk-based.

You’re simply going through the motions. And AUSTRAC sees right through it.

Why Being Proactive and Credible Matters More Than Perfection

There’s a reason we say that a risk-based approach is the heart of any credible AML/CTF program. It’s the difference between:

  • Being seen by AUSTRAC as a partner trying to do the right thing, or
  • Being positioned as a cautionary tale in a future regulatory enforcement action

When the regulator comes knocking, they’re not just asking whether breaches occurred — they’re asking how you responded. Did you identify the issue yourself? Did you respond with urgency and depth? Did senior leaders engage? Were resources allocated to address the root causes?

When you do these things, your AML/CTF Program tells a story of intent and integrity. When you don’t, you risk the regulator writing the story for you — and you may not like the ending.

Final Word: The Microscope Isn’t Going Anywhere

The Entain case is more than a set of allegations. It’s a signal. AUSTRAC still has the appetite and the capacity to dig deep. They are prepared to show their work, and they expect you to do the same.

These are complex obligations, and even large, well-resourced organisations with capable people can struggle to keep up, especially in sectors where customer behaviour and financial crime risks evolve rapidly.

But AUSTRAC’s message is clear: a risk-based approach must be more than a paper exercise. If it’s well-documented, properly resourced, and genuinely embedded in your operations, perfection isn’t required — but intent and effort are.

If it’s not — if it’s just a box-ticking exercise — that microscope is going to sting.