What is AUSTRAC's enforcement approach and what penalties apply?

Q: What is AUSTRAC's enforcement approach and what penalties apply?

AUSTRAC's civil penalty regime allows fines of up to AUD 18 million per contravention (for individuals) and higher for bodies corporate. Enforceable undertakings, infringement notices, and appointment of external auditors are also available. AUSTRAC has secured penalties exceeding AUD 1.3 billion against major financial institutions in recent years, signalling an active enforcement posture.

AUSTRAC has a graduated enforcement toolkit and has demonstrated a willingness to use its most serious powers against large institutions. Penalties are not theoretical — they have been applied at a scale that makes non-compliance one of the more consequential regulatory risks in the Australian financial sector.

Enforcement tools

AUSTRAC can use any of the following, independently or in combination:

Compliance assessments: AUSTRAC can conduct on-site or off-site assessments of a reporting entity's AML/CTF programme, records, and reporting. This is the most common form of supervisory contact.
Infringement notices: Fixed-penalty notices for less serious contraventions, issued without court involvement.
Enforceable undertakings: A formal written commitment by the reporting entity to remediate identified issues. Breach of an undertaking can lead to court enforcement.
External audit: AUSTRAC can require appointment of an independent external auditor to assess compliance and report back to AUSTRAC.
Civil penalty proceedings: AUSTRAC applies to the Federal Court for civil penalties. The maximum is AUD 18 million per contravention for individuals; for bodies corporate, the higher of AUD 18 million, three times the benefit obtained, or 10% of annual turnover (uncapped in some circumstances).
Criminal prosecution: Referred to the Australian Federal Police or Commonwealth Director of Public Prosecutions for serious intentional breaches, structuring offences, or tipping off.

Significant enforcement actions

AUSTRAC's enforcement posture hardened significantly from 2017 onward. Notable civil penalty outcomes include cases where penalties ran to hundreds of millions of dollars — driven by systemic failures to file SMRs, inadequate KYC programmes, and failure to monitor high-risk customers over extended periods. In each case, the penalty reflected both the number of individual contraventions and the duration of the failure.

The consistent pattern across enforcement actions: failures were systemic, not isolated. AUSTRAC's findings typically identify inadequate AML/CTF programmes as the root cause rather than individual bad transactions.

What AUSTRAC looks for in assessments

AUSTRAC's published guidance and enforcement outcomes point to the following as recurring assessment focus areas:

Whether the AML/CTF programme is documented, current, and actually implemented (not just on paper)
Whether customer identification and verification (KYC) is conducted at onboarding and re-verified for high-risk customers
Whether transaction monitoring is risk-based and generates actionable alerts
Whether SMR filing rates are consistent with the volume and risk profile of the business
Whether staff are trained and aware of their obligations

The implication for Tranche 2 entities entering AUSTRAC's remit from 2026 is that the bar is set by years of enforcement precedent — not by what is convenient to implement.