When the Audit Passes and the Problem Doesn’t: The Airwallex AUSTRAC Story

By Viktor Ha | April 2026 | AML-CAMS Blog


Airwallex had already been audited.

AUSTRAC looked at their program in 2024. An independent external reviewer followed up in 2025 and signed off — controls in place, systems adequate, no major concerns.

Then, on 22 January 2026, AUSTRAC ordered another external audit. This time under section 162 of the AML/CTF Act. This time with the word “serious” in the press release.

So what happened between a clean external review and a compulsory regulatory audit ordered by Australia’s financial intelligence agency? That’s the question worth asking — not just about Airwallex, but about what it tells us about fintech AML compliance more broadly.


Who Is Airwallex?

Airwallex isn’t a startup in the garage stage. Founded in Melbourne in 2015, it’s one of Australia’s few genuine unicorn companies — valued at $11.5 billion AUD following a $475 million Series G raise in late 2025. It processes transactions across more than 150 countries, serves over 150,000 businesses, and has built a proprietary cross-border payments network backed by investors including Tencent, DST Global, and several Australian superannuation funds.

It’s also a regulated entity under Australia’s AML/CTF Act. That matters, because the obligations that apply to Airwallex aren’t light-touch — they’re the same framework that governs major banks, with the same expectations around transaction monitoring, customer due diligence, and suspicious matter reporting.

Airwallex’s commercial growth story is genuinely impressive. The compliance story is a different picture.


A Pattern of Compliance Strain

The January 2026 AUSTRAC action didn’t emerge from nowhere. The compliance history at Airwallex has had visible stress points for years.

In 2021, an improperly configured sanctions screening system incorrectly flagged more than 11,000 customers — mostly due to issues with Chinese name formats — creating a substantial backlog that took over a year to resolve. That’s not a minor technical glitch. That’s a misconfigured control at the core of the KYC/CDD function.

In 2022, the legal, risk, and compliance departments saw 14% staff attrition in a single quarter. That level of turnover in precisely the teams responsible for maintaining the AML program is a red flag that doesn’t appear in a transaction monitoring alert — it appears in the institutional knowledge walking out the door.

Earlier audits in 2020 and 2022 had also flagged lapses in staff probity checks. Taken together, these aren’t isolated incidents. They’re a pattern of compliance infrastructure that struggled to keep pace with the business it was supposed to govern.


What AUSTRAC Actually Found

When AUSTRAC announced the section 162 audit in January 2026, the media release identified three specific areas of concern:

1. Transaction monitoring not calibrated to actual risk

AUSTRAC stated it was concerned that Airwallex’s transaction monitoring program had not been attuned to the full range of risks it faces as a global payment platform facilitating transfers across multiple jurisdictions. In plain terms: the monitoring wasn’t keeping up with what the business was actually doing.

This is a calibration problem, and it’s one of the most common failure modes in high-growth fintechs. Transaction monitoring systems are built at a point in time, for a risk profile that exists at that point in time. If the business doubles in volume, enters new corridors, or onboards new customer segments, the monitoring needs to be recalibrated — not set and forgotten.

2. Inadequate customer understanding

AUSTRAC’s concern extended to whether Airwallex had demonstrated an acceptable understanding of who its customers are and what reporting may be required. This goes directly to the ongoing CDD obligation — not just onboarding, but maintaining an accurate and current picture of the customer base as it evolves.

For a platform serving 150,000+ businesses across 150+ countries, that’s a genuinely complex problem. But complexity doesn’t create an exemption from the obligation.

3. Suspicious matter reporting oversight

The third concern related to how well Airwallex identifies and reports on suspicious matters, and whether senior management has exercised effective oversight of these obligations. The SMR obligation isn’t just about submitting reports — it requires a governance structure where suspicious activity is actually surfaced, reviewed, and escalated with appropriate accountability.

AUSTRAC also noted that its concerns covered potential conduct from January 2024 through to the audit order in January 2026 — a two-year window. The auditor, appointed at Airwallex’s expense, must report findings to AUSTRAC within 180 days, placing the deadline around late July 2026.

The background context to all of this, reported by Information Age, is that AUSTRAC CEO Brendan Thomas had become concerned approximately six months before the audit order that the platform was being used by money mules in connection with child sexual exploitation material payments. That typology — payment platforms as a node in CSAM financing — is not hypothetical. It was the same underlying concern that contributed to Westpac’s landmark $1.3 billion penalty in 2020. When AUSTRAC sees that pattern in a platform’s transaction data, the response is not a strongly worded letter.


The Audit Paradox

Here’s what makes the Airwallex case analytically interesting: they had already been reviewed.

An AUSTRAC audit in 2024 was followed by an independent external review in 2025, which, according to Airwallex’s own public statement, found that appropriate systems and controls had been implemented for the areas examined.

And then AUSTRAC ordered another compulsory audit in January 2026.

There are a few possible explanations. The 2025 external review may have had a limited scope — it examined specific areas, not the full AML/CTF program. AUSTRAC’s concerns may have emerged from intelligence or reporting data that post-dated the review. Or the business grew fast enough between 2025 and early 2026 that controls which were adequate in a smaller version of the company were no longer adequate in the current version.

Any of those explanations points to the same underlying problem: a compliance program that is static while the business is dynamic.

This is the fintech AML compliance failure pattern. It’s not unique to Airwallex. It’s the reason AUSTRAC’s earlier enforcement actions against PayPal and Afterpay in 2020 occurred — businesses that scaled rapidly without scaling their compliance infrastructure at the same pace.

We’ve seen a version of this before in Australia’s banking sector. Bendigo Bank’s $50 million capital add-on came after AUSTRAC and APRA identified that the bank’s AML/CTF program had not kept pace with the evolution of its products and services. The compliance failures weren’t a single dramatic event — they accumulated over time, in the gap between a program that existed on paper and one that functioned in practice. The CBA’s $700 million penalty tells a structurally similar story: a technology-driven product (the intelligent deposit machines) introduced without adequate AML risk assessment, monitored inadequately, and escalated too late.

The Airwallex situation is playing out at higher velocity, across a more complex risk landscape, with more jurisdictions and more customer types in the mix.


The Reputational Response

What Airwallex did after the AUSTRAC order is worth noting, not as criticism, but as a pattern of behaviour that AML practitioners should recognise.

The company’s public statement said it would cooperate fully with the audit and that it had zero tolerance for financial crime. That’s a standard response. Less standard was the parallel PR activity: reports emerged of Airwallex engaging influencers to promote CEO Jack Zhang’s “thought leadership,” and of the company using lawyers to have critical news articles removed from the internet.

Zhang also appeared on LinkedIn and X to push back on what he characterised as misinformation — particularly around the IPO question, clarifying that a public listing before 2028 was never planned, despite earlier public statements that the company was targeting IPO readiness by 2026.

This is not unusual corporate behaviour under regulatory pressure. But it’s worth naming: the response to a serious AML compliance concern was partly to manage narrative. The compliance problem and the reputational problem were being addressed in parallel, not sequentially.

From an AML practitioner’s perspective, that ordering matters. Narrative management doesn’t fix a transaction monitoring gap.


What This Means at the Desk Level

The Airwallex audit raises questions that are relevant beyond Airwallex itself.

For AML teams at fintechs — or at banks that provide correspondent or banking-as-a-service infrastructure to fintechs — the key questions are:

Does your transaction monitoring actually reflect your current risk profile? Not the risk profile when the system was last configured. Not the risk profile from the last ML/TF risk assessment. The risk profile right now, given the customer base you have today and the corridors you’re actually processing.

Is your customer understanding genuinely current? Ongoing CDD isn’t a once-a-year refresh cycle. For high-volume platforms with large business customer bases, understanding who customers are and what activity to expect from them is a continuous function, not a periodic one.

Does senior management have meaningful oversight of SMR decisions? AUSTRAC’s concern about Airwallex’s suspicious matter reporting oversight is a governance question as much as a compliance one. The obligation sits with the board and senior executives — not just with the compliance team submitting the reports.

As AUSTRAC CEO Brendan Thomas put it in the media release: “AML/CTF is not a back-office function. It requires clear accountability, properly authorised staff who can submit reports and sufficient resourcing to support timely and accurate reporting.”

That’s not a message aimed only at Airwallex.


What Comes Next

The 180-day audit clock means AUSTRAC will receive the auditor’s findings around late July 2026. The outcomes of that report will determine whether AUSTRAC pursues further regulatory action — which could include civil penalty proceedings, an enforceable undertaking, or remediation requirements.

Analysis from The Paypers notes that the audit’s scope covers potential conduct from January 2024 to January 2026 — giving the auditor two full years of operations to examine.

For context on what further action can look like, the Mounties enforcement case — AUSTRAC’s first civil penalty proceedings against a registered club — is a useful data point: it demonstrated that AUSTRAC is willing to pursue formal action against entities that couldn’t point to an adequate AML program, regardless of whether they were a traditional financial institution.

Airwallex has broader commercial stakes in the outcome. Adverse audit findings could create complications for its partnerships with McLaren F1 and Arsenal, its ongoing expansion into new markets including South Korea through the Paynuri acquisition, and its longer-term capital markets ambitions. The company’s investors — including multiple Australian superannuation funds — will be watching the July window closely.


The Pattern Behind the Case

Step back from the Airwallex specifics and the pattern is familiar: a high-growth platform, operating at scale across complex jurisdictions, with an AML program that was adequate at an earlier stage of the business but hadn’t been recalibrated fast enough as the business evolved.

The fintech AML compliance failure isn’t about bad intent. Most fintechs aren’t deliberately ignoring their obligations. The failure mode is structural: compliance investment consistently lags commercial growth, because the incentives in a growth-stage company point almost entirely toward scaling revenue, not scaling governance.

AUSTRAC is making clear that this is no longer an acceptable lag. The section 162 audit is a serious tool — it’s not a warning letter. And the auditor’s findings will inform whether much heavier consequences follow.

The 180-day clock is ticking.


Viktor Ha is a Senior Financial Crime Analyst with experience in AML/CTF compliance across the Australian banking sector. The views expressed here are his own.

