AUSTRAC money laundering submission from SVA
Scam Victim Alliance (SVA) is a not-for-profit organisation of survivors with lived experience of scams and cyber-enabled fraud. We welcome the opportunity to provide feedback on the Second Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025. The reforms proposed are a significant step forward in strengthening Australia’s AML/CTF regulatory regime.
The aim of this submission is to:
Stop scam and fraud victims bearing the financial cost of the $2+ billion lost to scams, the majority of which involve money laundering in Australia.
Increase the trust of the Australian public in the Australian financial system and AUSTRAC in particular through increased transparency.
The draft rules do not yet go far enough to address critical gaps in consumer protection, institutional accountability, and regulatory transparency. The AML/CTF framework must not only detect and deter crime, but also protect victims and hold negligent institutions accountable.
In relation to the proposed AML/CTF changes, the SVA:
Supports mandatory reimbursement of victims where financial institutions failed in their AML/CTF obligations. We recommend amending the AML/CTF Rules to require mandatory reimbursement where a financial institution’s breach of AML obligations materially enabled the commission of a financial crime;
Supports enforceable and public penalties for institutions facilitating or enabling financial crime. We recommend introducing a structured penalty regime and requiring AUSTRAC to publicly list all enforcement actions with plain-English summaries of the breach and penalties issued;
Supports greater transparency by AUSTRAC regarding AML/CTF breaches, investigations, and penalties. We recommend that AUSTRAC be subject to legislated requirements to release annual data on suspicious reports, breaches, investigations, and penalties, including sectoral risk trends and redacted breach summaries to support public oversight;
Supports penalties for entities providing designated financial services without being registered with AUSTRAC. We recommend that the AML/CTF Rules be amended to clearly empower AUSTRAC to:
Investigate and fine entities offering designated services without registration;
Publish enforcement outcomes;
Proactively monitor for compliance breaches by non-registered operators.
Supports tightening registration standards for Remittance and Virtual Asset Service Providers. Registration alone is not enough. In fact, in some cases, registration can give false legitimacy to scam operations, especially among Remittance Service Providers (RSPs) and Virtual Asset Service Providers (VASPs).
It is important that we address systemic risks and strengthen consumer safety at a structural level.
AUSTRAC’s updates in the Second Exposure Draft mark commendable progress. However, to strengthen Australia’s AML/CTF framework further, AUSTRAC must:
Enhance Suspicious Matter Reporting (SMR) tailored to scams;
Prioritise victim protection;
Enforce accountability and transparency;
Provide public transparency of AML/CTF Enforcement and Reporting;
Actively and transparently penalise unregistered and negligent actors, including reimbursement for scam victims;
Proactively monitor unregistered entities; and
Enact stronger enforcement and information sharing.
Case study: money laundering happens regularly in Australian banks
O’Brien v Supercheap Security demonstrates the lack of protection against money laundering and financial crimes for Australians within the Australian financial system. It also shows the lack of transparency for victims of crime in regard to money laundering.
In the case of O’Brien v Supercheap Security, 13 Australian victims collectively lost $1.36 million to a fake AMP term deposit scam. The funds were transferred into a NAB mule account under the name “Supercheap Security.” Public evidence tendered to the Supreme Court of NSW and ABC-TV later revealed that this NAB business account had been compromised before any deposits were made, with login credentials sold to overseas-based scammers.
Victims believed they were transferring money into secure term deposit accounts opened in their own names. In reality, the funds were funneled into a fraudulent NAB Supercheap Security account, then rapidly moved offshore to British-controlled shell companies. While the victims secured a court judgment against the mule account holder, Hassan Mehdi, bankruptcy proceedings have made actual recovery of funds impossible.
Despite these facts, the Supercheap victims have been unable to successfully resolve complaints through AFCA because NAB, the receiving bank, has no direct relationship to the victims and therefore no obligation to disclose how and where the funds were transferred after arriving in the Supercheap Security account. NAB cited privacy and confidentiality rules, effectively shielding itself from scrutiny. The victims, lacking access to the full transaction trail, are unable to establish liability or hold NAB accountable for its failure to detect and prevent criminal money laundering activity on its own platforms.
SVA believes AUSTRAC is integral to the public maintaining trust in the financial system
Implementing the above recommendations will align Australia’s AML system with international best practices, improve compliance, and restore public confidence in the financial system’s integrity.
SVA’s detailed response continues over the page. We welcome the opportunity for ongoing open dialogue and look forward to constructive changes to reduce the harm Australian scam victims currently experience.
Yours faithfully,
Harriet Spring
President
Scam Victim Alliance’s detailed response to proposed AML/CTF changes
1. Reimbursement for Victims where AML/CTF Obligations were breached
Proposed Inclusion:
Introduce rules requiring that when a reporting entity breaches AML/CTF obligations and that breach contributes to customer harm from financial crime, the institution must reimburse the victim.
Justification:
Victims should not bear the cost of scams or money laundering enabled by institutional failure.
In ASIC v RI Advice Group Pty Ltd (2022), the Federal Court found that poor cyber-risk controls breached financial obligations.
The UK Contingent Reimbursement Model Code (CRM) requires reimbursement for victims of APP scams when banks fall short of expected due diligence.
The EU PSD2 and EBA Guidelines mandate redress for fraud resulting from institutional non-compliance.
Aligns with ASIC’s broader shift toward a "fairness to customer" standard under DDO and the Financial Accountability Regime.
SVA recommendation:
Amend the AML/CTF Rules to require mandatory reimbursement where a financial institution’s breach of AML obligations materially enabled the commission of a financial crime.
2. Public and Tiered Penalties for Non-Compliant Institutions
Proposed Inclusion:
Require that AML/CTF breaches result in tiered penalties based on severity, harm, and institutional size — and that these penalties are published publicly by AUSTRAC.
Justification:
Public penalties serve as a deterrent and increase trust in regulatory oversight.
AUSTRAC has previously issued large fines, including:
Westpac – $1.3 billion (2020)
CBA – $700 million (2018)
FinCEN (USA) fined Capital One $390 million for AML failings tied to a check-cashing business.
The UK FCA fined NatWest £264 million and published ongoing AML actions in a searchable registry.
SVA Recommendation:
Introduce a structured penalty regime and require AUSTRAC to publicly list all enforcement actions with plain-English summaries of the breach and penalties issued.
3. Public Transparency of AML/CTF Enforcement and Reporting
Proposed Inclusion:
Require AUSTRAC to publish a Quarterly Enforcement and Intelligence Report detailing the AML/CTF enforcement landscape.
Justification:
Agencies such as FinCEN and the UK National Crime Agency publish detailed reports to inform law enforcement, regulators, and the public.
AUSTRAC currently publishes limited summary stats, but no transparent listing of SMR outcomes, breaches, or fines.
Transparency would aid industry benchmarking and support public trust in AML regulation.
SVA Recommendation:
Legislate a requirement for AUSTRAC to release quarterly data on suspicious reports, breaches, investigations, and penalties. Include sectoral risk trends and redacted breach summaries to support public oversight.
4. Enforce Penalties for Unregistered Entities Operating Financial Services
Proposed Inclusion:
AUSTRAC should be empowered and obligated to penalise unregistered financial service providers who operate in breach of the AML/CTF Act by failing to enrol or register.
Justification:
Operating without registration violates the AML/CTF Act and undermines systemic oversight.
AUSTRAC has taken some action — e.g., deregistering iSignthis Ltd — but such enforcement is infrequent and delayed.
UK FCA and US FinCEN maintain real-time public registries and penalise unregistered actors.
Lack of enforcement enables grey-market operators and risks regulatory arbitrage.
SVA Recommendation:
Amend the AML/CTF Rules to clearly empower AUSTRAC to:
Investigate and fine entities offering designated services without registration;
Publish enforcement outcomes;
Proactively monitor for compliance breaches by non-registered operators.
5. Tighten Registration Standards for Remittance and Virtual Asset Service Providers
Proposed Inclusion:
Revise AUSTRAC’s registration process to:
Require independent vetting of business models, beneficial owners, and executive history;
Mandate ongoing monitoring, not just a one-off registration;
Publish a warning list of registered RSPs/VASPs under investigation or with compliance concerns.
Justification:
Registration ≠ credibility: Scammers often use AUSTRAC registration as a badge of legitimacy to convince victims they are regulated and safe. AUSTRAC’s current checks are mostly administrative.
Examples of abuse:
In 2023, several crypto Ponzi schemes and forex trading scams operating in Australia cited their AUSTRAC registration to build trust — despite having no legitimate operations.
Shell companies are frequently used to register remittance services, with nominee directors and no genuine compliance infrastructure.
Weak vetting process: Currently, registration does not require full background checks, prior business conduct scrutiny, or robust business model review. This creates a low barrier for entry that scammers exploit.
Comparative international approaches:
The UK FCA has refused dozens of crypto-related applicants due to AML failings — and regularly publishes registrations revoked or denied.
MAS (Singapore) requires crypto businesses to pass AML audits before being licensed.
FinCEN (US) shares alerts with the public about scam-linked registrants and shell exchanges.
SVA Recommendation:
Amend the AML/CTF Rules and registration regime to:
Require a fit-and-proper test for beneficial owners, including checks against prior fraud, insolvency, or AML breaches;
Publish a compliance rating or risk flag beside RSPs/VASPs in AUSTRAC’s public registry;
Enable AUSTRAC to suspend promotion of “registered” status by an entity under investigation;
Introduce tiered scrutiny levels — e.g., stricter review for VASPs and international remitters.