What AUSTRAC Actually Expects From Your Gaming Payout Process in 2026

On 31 March 2026, the compliance landscape for Australian gaming venues changed in a meaningful way. The new Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 came into effect for existing reporting entities, shifting the regulatory benchmark from having an AML/CTF program to demonstrating that your program is effective.

That distinction matters more than it might sound. A printed document sitting in a drawer is a program. A documented, measurable process that consistently produces verified, time-stamped records is evidence of an effective one.

If your venue operates electronic gaming machines (EGMs), AUSTRAC considers you a reporting entity. That means your payout process is subject to obligations around customer identification, verification, PEP screening, transaction monitoring, and record-keeping, regardless of how many machines you operate or how busy your floor gets on a Friday night.

Checkd by iDU was built specifically to help venues meet those obligations without grinding the payout counter to a halt. But before getting to solutions, it helps to understand exactly what AUSTRAC is looking for.

Table of Contents

• What “Effective” Now Means Under the Reforms
• KYC at the Payout Counter
• The PEP Screening Obligation
• Threshold Transaction Reports and Structuring
• Record-Keeping and Audit Readiness
• Frequently Asked Questions

What “Effective” Now Means Under the Reforms

The updated AUSTRAC regulatory guide for pubs and clubs with gaming machines is explicit about the shift in its expectations. The previous focus was on whether venues had a documented AML/CTF program. The current focus is on whether that program is actually working.

AUSTRAC has described this as a move toward an “outcomes-focused regulatory model.” In plain terms, it means the regulator will be looking at the quality and consistency of your compliance activity, not just whether you can produce a policy document.

For gaming venues, this has specific implications for the payout counter. Inconsistent record-keeping, skipped verification steps, and manual processes that rely on individual staff members’ memory or diligence are no longer defensible. AUSTRAC expects your controls to be systematic, which means they should produce the same outcome every time, regardless of which staff member handles the transaction.

KYC at the Payout Counter

Know Your Customer (KYC) requirements sit at the centre of gaming venue compliance. KYC involves collecting identifying information from a patron and verifying that information against a reliable, independent source, such as a government-issued licence or passport, or through electronic verification against government databases.

For large cash transactions, this is a mandatory step. But AUSTRAC also expects venues to apply KYC on a risk-sensitive basis for transactions that fall below the mandatory threshold. Your AML/CTF program should define the circumstances under which additional verification is required, and your staff should be following those rules consistently.

The challenge for venues is that KYC is not a single checkbox. It is a documented process that should capture: the identification document used, the outcome of the verification check, any secondary documentation required, and the identity of the staff member who completed the process.

In a manual workflow, every one of these steps depends on human recall and paperwork discipline. In a digital workflow, they are embedded into the process itself. The Checkd platform guides staff through each step in sequence, using in-video OCR to extract ID data instantly and verify it against government databases in real time, completing the entire process in around three minutes.

The PEP Screening Obligation

One of the more technically demanding elements of gaming venue AML compliance is the requirement to screen patrons against PEP (Politically Exposed Person) and sanctions watchlists.

A PEP is an individual who holds or has held a prominent public position, a politician, a senior government official, a judicial officer, a senior military figure, or a senior executive of an international organisation. Their immediate family members and close associates are also classified as PEPs. This classification matters because individuals in these positions are considered to have elevated exposure to bribery and corruption risk, which makes them higher-risk customers for AML purposes.

AUSTRAC requires enhanced customer due diligence (ECDD) for PEPs identified during your KYC process. Being identified as a PEP does not mean a patron has done anything wrong, it simply triggers a more thorough review before the transaction proceeds.

In a manual payout process, PEP screening typically does not happen. There is no realistic expectation that a floor staff member will cross-reference a patron’s name against a sanctions list mid-payout. The result is that venues are either skipping this obligation entirely or applying it inconsistently.

For RSL clubs and licensed venues that serve community members with established relationships, this can feel like an overreach, but the obligation exists regardless of the patron’s familiarity to your staff. Automated screening embedded directly in the payout workflow removes the burden from the individual and makes it part of the process instead.

Threshold Transaction Reports and Structuring

AUSTRAC requires reporting entities to submit a Threshold Transaction Report (TTR) for any cash transaction of $10,000 or more. For gaming venues, this applies to payouts that meet that value.

But the obligation does not stop at the threshold. AUSTRAC also expects venues to monitor for structuring, the practice of deliberately breaking up transactions to avoid triggering a TTR. A patron who makes repeated payouts just below $10,000, or who uses multiple staff members or sessions to collect winnings in instalments, may be engaged in structuring, which is a criminal offence under the AML/CTF Act.

Your venue’s transaction monitoring program (TMP) must be capable of identifying these patterns. A paper-based payout system records individual transactions in isolation. Without aggregation across time, staff, and sessions, it is impossible to surface a structuring pattern.

This is one of the key areas where digital systems provide compliance value that paper simply cannot replicate, and where hospitality groups operating multiple gaming venues face the greatest exposure under a manual model.

Record-Keeping and Audit Readiness

AUSTRAC’s record-keeping requirements for gaming venues are clear: you must retain records of customer identification, verification steps, transaction details, and any AML screening conducted. Those records must be stored securely and be accessible when required.

What is less often discussed is what “accessible” means in practice during an AUSTRAC review. The regulator may request records relating to a specific individual, a specific transaction window, or a pattern of activity spanning multiple dates. Responding to that request from a filing cabinet full of paper forms is a process measured in hours, with the compounding risk of incomplete records, misfiled forms, and illegible handwriting.

A structured digital record, with time-stamped entries, verified ID data, and a clear approval chain, is retrievable in seconds. It also provides a consistent format that does not depend on individual staff members’ paperwork habits.

Under AUSTRAC’s updated expectations, “audit-ready” is not a standard you achieve at the start of the year during a compliance review. It is a standard your process should produce automatically, for every single payout, every day.

 

Frequently Asked Questions

Do the new AUSTRAC rules apply to all gaming venues from 31 March 2026? 

The new Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 came into effect for current reporting entities from 31 March 2026. This includes pubs and clubs licensed to operate EGMs. If your venue was already a reporting entity before this date, the new obligations apply to you. Threshold transaction reporting and suspicious matter reporting obligations remain unchanged until 2029.

What is the difference between KYC and ECDD? 

KYC (Know Your Customer) refers to the standard process of collecting and verifying a patron’s identity before proceeding with a transaction. ECDD (Enhanced Customer Due Diligence) is a more thorough process applied to higher-risk customers, including foreign PEPs, patrons with unusual transaction patterns, or customers whose source of funds cannot be readily explained. Your AML/CTF program should define the triggers for ECDD in the context of your venue.

How often should my venue’s AML/CTF program be reviewed?

AUSTRAC expects AML/CTF programs to be reviewed regularly, particularly when there are changes to your business structure, the products or services you offer, or the regulatory environment. The updated guidance emphasises that your risk assessment should be forward-looking and updated when your risk profile changes, not just at the start of a calendar year.

What happens if my venue is found to have inadequate AML controls? 

AUSTRAC has a range of enforcement tools available, from infringement notices to civil penalties to court proceedings. Recent penalties across the gaming sector have ranged from thousands of dollars for administrative failures to hundreds of millions for systemic program deficiencies. AUSTRAC has been explicit that it will not limit its attention to large operators, all reporting entities are expected to meet the same standards.