⚡ Direct Answer: Failing to comply with AUSTRAC’s AML/CTF obligations can result in significant civil penalties (potentially running into millions or even billions of dollars for major institutions), enforceable undertakings, compliance directions, external auditor appointments, cancellation of registration, criminal prosecution, and lasting reputational damage. AUSTRAC has greatly increased its enforcement activity in recent years and has made clear that non-compliance will be met with regulatory consequences.
AUSTRAC’s Enforcement Powers
AUSTRAC has broad enforcement powers under the AML/CTF Act. The regulator takes a risk-based approach to supervision — focusing its resources on the highest-risk entities and sectors — but has demonstrated willingness to pursue significant enforcement action when systemic failures are identified.
AUSTRAC’s enforcement toolkit includes:
1. Civil Penalty Orders
AUSTRAC can apply to the Federal Court for civil penalty orders against reporting entities that have contravened the Act. Civil penalties can be substantial:
- For body corporates, penalties are calculated as the greater of a fixed dollar maximum, 3 times the benefit derived, or 10% of annual turnover — whichever is highest.
- For serious, systemic contraventions, multiple penalties can be imposed — one for each contravention. Cases involving millions of individual transactions can result in exposure to penalties in the billions of dollars.
- Australia’s largest civil penalty was $1.3 billion against Westpac Banking Corporation in 2020 for systemic AML/CTF failures.
2. Infringement Notices
For less serious, individual contraventions, AUSTRAC can issue an infringement notice requiring payment of a penalty. Infringement notices do not require court proceedings and provide a faster enforcement pathway for minor breaches.
3. Compliance Directions
AUSTRAC can issue a compliance direction requiring a reporting entity to take specific steps to address a compliance failure within a specified timeframe. Failure to comply with a direction is itself a contravention of the Act.
4. Enforceable Undertakings
AUSTRAC can accept an enforceable undertaking from a reporting entity as an alternative to court action. The undertaking sets out steps the entity will take to remediate compliance failures. Breach of an undertaking is enforceable in court.
5. External Compliance Auditor
AUSTRAC can require a reporting entity to appoint an external compliance auditor to independently assess the entity’s AML/CTF compliance and report findings to AUSTRAC. This is an intrusive and costly intervention and a clear signal that AUSTRAC has serious concerns about the entity’s compliance culture.
6. Cancellation of Registration
For remittance dealers and virtual asset service providers that are registered with AUSTRAC, the regulator can suspend or cancel registration. Cancellation effectively means the business cannot legally operate in the regulated space — it is an extreme sanction that has been imposed on numerous non-compliant businesses.
7. Criminal Prosecution
For the most serious contraventions — particularly deliberate non-compliance or facilitation of financial crime — AUSTRAC can refer matters for criminal prosecution. The Australian Federal Police or state police may also independently investigate entities referred by AUSTRAC.
8. Reputational Damage
AUSTRAC publicly reports its enforcement actions. Adverse publicity from an AUSTRAC enforcement action can have severe commercial consequences, particularly for businesses that rely on customer trust (financial services, legal, accounting). The reputational damage from an AUSTRAC action can be more commercially destructive than the penalty itself.
AUSTRAC Supervisory Activities: How Non-Compliance Is Detected
AUSTRAC uses several mechanisms to identify non-compliance:
- Proactive risk-based assessments: AUSTRAC selects entities for compliance assessments based on risk indicators and sector data.
- Analysis of reporting data: AUSTRAC analyses the quality and completeness of SMRs, TTRs, and other reports submitted by reporting entities. Unusual patterns — such as a business that never submits SMRs — attract scrutiny.
- Intelligence from law enforcement: AUSTRAC collaborates with the AFP, state police, and other agencies. Intelligence suggesting a business is being used to facilitate financial crime may trigger an AUSTRAC investigation.
- Industry intelligence and referrals: Tips from industry participants, whistleblowers, or other reporting entities may lead to AUSTRAC investigations.
- AUSTRAC-initiated compliance assessments: For high-risk sectors or entities, AUSTRAC may proactively conduct compliance assessments with little or no advance notice.
What To Do If AUSTRAC Contacts You
If AUSTRAC contacts you about a compliance matter, the following steps are important:
- Seek legal advice immediately. AML/CTF matters can have significant legal consequences, and you should obtain advice from lawyers experienced in AML/CTF law before responding.
- Preserve all relevant records. Do not destroy or alter any documents or records once a potential investigation is underway.
- Cooperate with AUSTRAC. Failure to cooperate or provide information requested by AUSTRAC can itself constitute a contravention of the Act.
- Consider voluntary disclosure. If you have identified a compliance failure before AUSTRAC approaches you, voluntary disclosure is strongly recommended. It is a significant mitigating factor in AUSTRAC’s enforcement decisions.
- Develop a remediation plan. AUSTRAC will expect to see that you are taking concrete steps to address identified failures.
The Cost of Non-Compliance vs. the Cost of Compliance
A common mistake is viewing AML/CTF compliance as an expensive overhead. The cost of building and maintaining a compliant AML/CTF program — even for a complex business — is a fraction of the potential financial, legal, and reputational cost of enforcement action. AUSTRAC’s enforcement history demonstrates that the downside of getting it wrong is severe.
For newly regulated businesses under the 2026 reforms, investing in proper compliance from the outset is far more efficient than trying to retrofit compliance after a failure has occurred — or after AUSTRAC has initiated an investigation.
Frequently Asked Questions
Can a non-compliant business negotiate with AUSTRAC?
AUSTRAC does engage in dialogue with reporting entities, particularly in the context of enforceable undertakings and compliance remediation. However, this is not a substitute for compliance — it is a pathway to restoring compliance after a failure. AUSTRAC’s published position is that it will use its enforcement powers when necessary to ensure the integrity of Australia’s AML/CTF regime.
What is the statute of limitations for AML/CTF contraventions?
Civil penalty proceedings under the AML/CTF Act must generally be commenced within 6 years of the contravention. This means that compliance failures from several years ago may still be within the enforcement window. Criminal offences have different limitation periods.
Does AUSTRAC consider how long ago a contravention occurred?
Yes — the recency of contraventions is a factor courts and AUSTRAC consider in determining appropriate penalties and enforcement responses. However, the extended limitation period means past failures can still be actionable.
If I fix my compliance failures, will AUSTRAC still take action?
Remediation is a mitigating factor that AUSTRAC and courts take into account. Businesses that self-report failures, cooperate fully, and implement genuine remediation are treated more favourably than those that resist compliance. However, serious or systemic failures may still result in enforcement action even after remediation.
📣 Need expert AML/CTF support?
👉 Ensure your business is AUSTRAC compliant: contact us
👉 Download the AML compliance checklist: AML Compliance Checklist for Australian Businesses
👉 Read the complete AML guide: AML Compliance Australia – Complete Guide (2026)
👉 Read about Common AML Mistakes Businesses Make