Recent coverage in industry publications over the past few weeks has painted a relatively optimistic picture of AML progress across pubs, clubs, and gaming in Australia. While the body of these stories often goes a little deeper, few readers get past the headlines. When those headlines focus on record SAR volumes or AUSTRAC commending SMR reporting, it creates the impression that the hard work is largely done.

That narrative is comfortable, but incomplete. Beneath it is a very different reality.

It was also clear from pubs and clubs at Regulating the Game that there is a genuine desire to improve. For many, that comes from being deeply embedded in their communities. But intent alone is not enough. Without the right systems, structure, and independence, even well-intentioned programs fall short.

What AUSTRAC is saying

In a recent address at Regulating the Game, AUSTRAC CEO Brendan Thomas acknowledged improvement across the industry. At the same time, he was clear that improvement has not translated into effective risk management. The underlying risks remain significant and, in many cases, unmanaged.

Key findings included:

• High-risk customers, including known criminals, continuing to transact without intervention

• Weak or superficial SOF and SOW checks

• Transaction monitoring that does not reflect actual risk

• Governance issues where compliance is influenced by the business

• Missed SMRs and TTRs

• Programs still operating at an entry-level maturity

His conclusion was direct: “The conclusion was unavoidable, risks were significant.”

And the forward message was equally clear: “Where risks remain unmanaged, regulatory action will follow.”

Progress vs. outcomes

Progress is happening, but progress is not the same as effective risk management.

Updating policies, implementing systems, or increasing reporting volumes does not mean risk is being identified or managed properly. Regulators are not assessing effort. They are assessing outcomes.

Right now, there is a gap between the two.

Where programs are breaking down

The issues AUSTRAC highlighted are not isolated. They point to structural weaknesses.

Monitoring is not risk-based

When transaction monitoring does not reflect risk, it is usually a systems limitation. If systems cannot support dynamic thresholds and risk segmentation, institutions fall back to static rules. At that point, missed risk is inevitable.

Governance is not independent

If revenue-generating teams have influence over AML, there is at least a perception that risk decisions can be compromised. Regulators assess structure, not intent. Any overlap weakens credibility.

CDD lacks structure and data

Weak SOF and SOW checks point to process and system gaps. There is too much available information today for manual approaches to be effective. Without aggregation and summarisation, CDD becomes inconsistent and shallow.

Reporting reflects fragmented ownership

Missed SMRs and TTRs are usually the result of unclear ownership and disconnected workflows. Strong programs rely on dedicated AML functions supported by integrated systems, not ad hoc processes.

But the gaps in reporting are not just structural. There is also a fundamental disconnect in how the industry understands what SMRs are for.

SMRs are more than a regulatory obligation

One part of the AUSTRAC discussion that received little attention is how SMRs are used by law enforcement.

More than 5,500 law enforcement officers rely on these reports. Yet many operators still see them as a regulatory obligation that disappears into a process.

That perception matters. If institutions understood how their reporting contributes to real investigations, SMRs would be viewed as intelligence, not just compliance. That shift would naturally improve both quality and consistency.

In the U.S., collaboration between institutions and law enforcement has already improved reporting outcomes. Australia is moving in that direction, with proposed changes to enable more information sharing.

Greater collaboration would change behaviour:

• SMRs become part of real investigative outcomes

• Quality improves as usefulness becomes clearer

• Volumes increase as teams see impact

Turning Momentum into Change

There is willingness across the industry to improve. The risk is losing urgency because the narrative suggests things are further along than they are.

The message from AUSTRAC is not that progress is happening. It is that progress is not enough.

Effective AML programs are built on strong systems, independent governance, and the ability to act on real risk. That includes transaction monitoring capable of analysing millions of data points to identify what matters.

In practical terms, that means:

• Prioritising risk, not completing checklists

• Ensuring compliance functions are independent

• Strengthening CDD through structured processes and data

• Aligning monitoring to real behaviour and exposure

• Engaging more directly with law enforcement and peers

The headlines suggest momentum. The regulator is signalling urgency. The difference between the two is where the industry needs to focus.

That starts with taking a more critical view of where programs actually stand, not where headlines suggest they are. It also means engaging more actively in the conversations happening across the industry, whether that is through forums, working groups, or simply paying closer attention to how peers and regulators are thinking about risk.

There is no shortage of signals right now. The opportunity is to take them seriously, ask harder questions internally, and continue pushing the conversation forward rather than assuming the work is already done.