Sandbox environment — test data only, not production
General9 min read

Sportsbet Just Closed Its AUSTRAC Enforceable Undertaking. The Three Failures It Had to Fix Are on Every Tranche 2 Checklist.

On 3 July 2026 AUSTRAC finalised its enforceable undertaking with Sportsbet, confirming after an independent external audit that the bookmaker had remediated the AML/CTF failings the regulator flagged in 2024. The concerns clustered in three areas: risk assessment, customer monitoring and suspicious matter reporting. Those are the same three areas every Tranche 2 firm is now expected to have working.

2026-07-09· AML Mate Team
Sportsbet Just Closed Its AUSTRAC Enforceable Undertaking. The Three Failures It Had to Fix Are on Every Tranche 2 Checklist.

On 3 July 2026, AUSTRAC announced that it had finalised its enforceable undertaking with Sportsbet Pty Ltd. On the surface it reads as a good news story. Sportsbet offered the undertaking back in 2024, worked through a multi year remediation program, and an independent external auditor has now confirmed to AUSTRAC that every required uplift has been implemented and operationalised. The regulator is satisfied. The matter is closed. (AUSTRAC release)

Read it a second time and it stops being a good news story. Sportsbet is one of the most resourced betting operators in the country, with a dedicated compliance function and years of AML/CTF obligations behind it. AUSTRAC still found enough concern to accept a formal undertaking, and Sportsbet still had to uplift five separate areas of its program and pay for an external auditor to prove it. If that is what "getting it wrong" looks like for a large, sophisticated reporting entity, it is worth asking what the same three failure areas mean for the roughly 90,000 accountants, lawyers, real estate agents and dealers now entering the regime.

What AUSTRAC Was Actually Worried About

The undertaking came out of AUSTRAC's wider review of the corporate bookmaker sector. When AUSTRAC looked at Sportsbet, its concerns landed in three specific places. (AUSTRAC release)

  1. Risk assessment. Whether the business genuinely understood where its money laundering and terrorism financing risk sat, rather than holding a generic risk document that did not reflect its actual customers and services.
  2. Customer monitoring. Whether ongoing due diligence kept pace with how customers actually behaved, instead of onboarding a customer once and never looking again.
  3. Suspicious matter reporting. Whether the business was identifying and reporting the right things, to the right standard, on time.

Those are not exotic, sector specific failures. They are the three load bearing walls of any AML/CTF program. Sportsbet ultimately had to uplift five key areas of its policies and processes and evidence the fix through independent assurance before AUSTRAC would sign off.

This Is a Sector Move, Not a One Off

The most important context is that Sportsbet is not alone. Days after finalising the Sportsbet undertaking, AUSTRAC accepted a separate enforceable undertaking from bet365, requiring it to overhaul its AML systems. (bet365 undertaking) Both sit inside the same review of corporate bookmakers.

When a regulator works through an entire sector one operator at a time, "we have not heard from AUSTRAC" is not a compliance position. It is a queue. The pattern AUSTRAC has established across gambling, banking and remittance is consistent: pick a sector, examine the largest players against the same core obligations, and use the findings to set the expectation for everyone else in that sector. Tranche 2 firms are now a sector in exactly that sense.

Finishing an Undertaking Does Not Lower the Bar

AUSTRAC CEO Brendan Thomas was explicit that closing out the Sportsbet undertaking changes nothing about what the regulator expects going forward. Businesses operating in higher risk sectors are expected to maintain robust, risk based systems to prevent criminal exploitation, permanently, not as a one time project that ends when an auditor signs off. (AUSTRAC release)

This is the same message AUSTRAC sent when it reopened an investigation into Tabcorp nine years after that company's original penalty and remediation program. (What the Tabcorp investigation means for Tranche 2) A firm can stand up a fully compliant program, pass an independent review, and still be examined again years later if the program drifts, if monitoring goes stale, or if the business changes faster than the risk assessment does. Compliance is a continuous obligation, not a finish line.

Lesson One: Your Risk Assessment Has to Reflect Your Actual Business

The first concern AUSTRAC raised with Sportsbet was risk assessment. For a Tranche 2 firm, this is the part most likely to be treated as a formality: download a template, tick some boxes, save the file, move on.

A risk assessment that survives scrutiny does something harder. It maps the designated services you actually provide to the specific money laundering risks those services carry, considers your real customer base and the jurisdictions they connect to, and produces risk ratings you can defend. If your risk assessment would read identically to that of a firm on the other side of the country doing different work for different clients, it is not a risk assessment. It is a document. (How to build a defensible risk assessment)

Lesson Two: Customer Monitoring Is Where Most Firms Will Fail

The second concern was customer monitoring, and it is the one most likely to catch professional services firms by surprise. Most accountants and lawyers have never run an ongoing monitoring process. The instinct from onboarding, verify once and file it, does not satisfy the obligation.

Monitoring, for a Tranche 2 firm, means something specific:

  • Re-running customer due diligence at a frequency proportionate to the customer's risk rating
  • Watching for change in behaviour, business activity, ownership or jurisdiction
  • Re-evaluating the risk rating when a material change occurs
  • Keeping a documented review trail so that, in an audit, you can show what you knew, when you knew it, and what you did about it

It does not have to be software. For most firms it is a documented schedule of reviews tied to risk rating, plus a clear list of triggers for an unscheduled review. It does have to exist, and it has to leave evidence. AUSTRAC's enforcement history is full of high value customers who triggered no internal review for years, and reviews that existed on paper but contained no actual analysis. (What ongoing monitoring looks like for an existing client book)

Lesson Three: Suspicious Matter Reporting Is a Standard, Not a Gut Feel

The third concern was suspicious matter reporting. The obligation is not "report the things that feel obviously criminal". It is to form and act on a reasonable suspicion, to the standard the Act sets, within the required timeframe, and to keep the reasoning behind each decision, including the decisions not to report.

For a small firm, the failure pattern is quiet. A transaction looks slightly off, the partner knows the client, everyone is busy, and the moment passes without a file note. When AUSTRAC later reconstructs the timeline, the absence of a documented decision is itself the finding. A defensible SMR process gives every person in the firm a way to escalate a concern, a decision maker who records the outcome, and a trail that shows the suspicion was considered even where no report was lodged. (SMR guide with worked examples)

The Real Cost Was Never the Penalty

There was no headline fine in the Sportsbet outcome. The cost was the years of remediation, the external auditor, the management attention, and the public record of an enforceable undertaking against the company's name. For a listed operator that shows up in reputation and investor confidence. For an unlisted accounting or law firm, the equivalent costs are referral flow, professional indemnity premiums, lender relationships, and a spot on the panels that larger firms maintain. None of those appear on an invoice. All of them move if AUSTRAC opens a matter, whether or not a penalty ever follows.

That is why the work is worth doing properly the first time. A program built to hold up under an external review is far cheaper than a program built to look finished by a deadline and then repaired under scrutiny.

What to Do This Week

If you are a Tranche 2 entity, treat the Sportsbet and bet365 undertakings as a preview of how AUSTRAC intends to use its powers, and use this week to pressure test the same three areas.

  1. Confirm your compliance officer and enrolment. The role has to sit inside the firm and the named officer has to have formally accepted it. If enrolment is not done, do it now. (Compliance officer responsibilities) (Tranche 2 enrolment)
  2. Stress test your risk assessment. Pick a real client at random. Does your risk assessment actually explain why they landed at the rating they did? If not, it is not doing its job. (Risk assessment template)
  3. Write your monitoring trigger list. Decide, in writing, what events force an unscheduled review: a new beneficial owner, a sudden change in transaction pattern, a connection to a higher risk jurisdiction.
  4. Trace one matter end to end through your program. How would it have been screened, monitored, and escalated if something looked wrong? If you cannot answer that from your documents, AUSTRAC will not be able to either. (Part A to F program walkthrough)

The bar AUSTRAC set for Sportsbet is the bar for everyone in a higher risk sector: a risk based program, evidence that it is being followed, and monitoring of the customers it applies to. Those are the three things that closed the Sportsbet undertaking, and they are the three things every Tranche 2 firm needs to be able to defend.

Where AML Mate Fits

AML Mate's compliance plan and Part A to F program editor are built around exactly the three areas AUSTRAC named in the Sportsbet undertaking: a risk assessment mapped to your designated services, a program you can show you are following, and a customer monitoring framework that leaves a documented review trail. The free compliance check at /check gives you a five minute view of where the gaps are before you commit to a paid plan.

If your firm is in the long tail of Tranche 2 entities that has not yet finished enrolment or stood up a program, the corporate bookmaker undertakings are your warning. AUSTRAC has told you, in plain language and through its own enforcement pattern, that the new entrants will be held to the same expectations as everyone already in the regime.

austracsportsbetenforceable-undertakingenforcementtranche-2transaction-monitoringsuspicious-matter-reportrisk-assessmentcase-studyaccountants

Ready to build your AML/CTF program?

AML Mate generates your AML/CTF program in 15 minutes using AUSTRAC's official templates. Start a 14-day free trial, cancel anytime.

This article is based on AUSTRAC's publicly available guidance. It does not constitute legal or compliance advice. Consult a licensed compliance professional for complex situations.

Sportsbet Just Closed Its AUSTRAC Enforceable Undertaking. The Three Failures It Had to Fix Are on Every Tranche 2 Checklist. | AML Mate Blog