By Viktor Ha | February 2026 | AML-CAMS Blog
When APRA and AUSTRAC jointly announced enforcement action against Bendigo and Adelaide Bank on 17 December 2025, the headline number was AUD 50 million — an operational risk capital add-on that landed effective 1 January 2026.
But the number is not the story. The story is how a single branch-level money laundering concern unravelled into findings of systemic, enterprise-wide AML/CTF deficiencies spanning six years. And the story is what the coordinated regulatory response signals for every financial crime team working in an Australian ADI right now.
If you work in financial crime at a bank, this case should be on your radar. Here is what happened, what it means, and what you should be asking about your own institution.

The Timeline: From One Branch to Enterprise-Wide Failures
The Bendigo Bank case did not emerge overnight. It followed a clear sequence that every FC analyst should understand.
In August 2025, Bendigo and Adelaide Bank identified suspicious activity indicative of money laundering at one of its branches. To its credit, the bank self-reported to AUSTRAC and law enforcement and engaged Deloitte to conduct an independent investigation.
Deloitte’s review examined activity at that branch from 1 August 2019 to 1 August 2025 — a six-year window. But the scope was deliberately broad: the bank asked Deloitte to look beyond the branch and assess any related systemic AML/CTF issues.
What Deloitte found was not confined to one location.
On 25 November 2025, Bendigo Bank disclosed Deloitte’s findings to the ASX. The independent review had concluded that deficiencies existed throughout the relevant period in the bank’s approach to identifying, mitigating and managing ML/TF risk. Critically, these weaknesses extended beyond the branch into key aspects of the bank’s broader risk management framework — including ML/TF risk assessment, enhanced customer due diligence, oversight of ML/TF risks, transaction monitoring, and customer risk rating.
Shares dropped 8 per cent on the day. Macquarie estimated remediation costs between AUD 30 million and AUD 70 million — between 4 and 10 per cent of the bank’s annual cash profit.
On 17 December 2025, APRA and AUSTRAC announced a coordinated enforcement response with three key measures:
- APRA required Bendigo Bank to undertake a root cause analysis to understand the full extent of non-financial risk management issues — explicitly going beyond AML/CTF.
- APRA imposed an operational risk capital add-on of AUD 50 million, effective 1 January 2026, to remain in place until remedial measures are completed to APRA’s satisfaction.
- AUSTRAC commenced a formal enforcement investigation into whether Bendigo Bank complied with its obligations under the AML/CTF Act.
Both regulators made clear: these actions do not preclude further enforcement in the future.
Why This Case Is Different: The APRA-AUSTRAC Joint Approach
Australian FC professionals are accustomed to AUSTRAC-led enforcement. The CBA penalty (AUD 700 million, 2018) and the Westpac penalty (AUD 1.3 billion, 2020) were both AUSTRAC actions under the AML/CTF Act.
What makes the Bendigo Bank case notable is the coordinated APRA involvement. This is not just an AML compliance matter — APRA has framed it as a prudential risk management concern.
APRA Chair John Lonsdale stated that while the bank is financially sound, APRA was concerned about “significant gaps in its risk management framework” that needed to be “addressed urgently.” APRA’s concern extended beyond AML/CTF into broader non-financial risk management practices and risk culture.
This is an important shift. When the prudential regulator starts treating AML control failures as threats to institutional soundness — not just regulatory non-compliance — it changes the calculus for every board and executive team.
AML failures are now capital risks.
The AUD 50 million capital add-on is not a fine. It is a prudential tool that directly impacts the bank’s balance sheet, reducing Bendigo’s Level 2 CET1 ratio by approximately 17 basis points. It stays in place until APRA is satisfied that remediation is complete. That is a sustained cost, not a one-off payment.
And Bendigo Bank is not alone in receiving this treatment. APRA imposed the same AUD 50 million capital add-on on Bank of Queensland in 2023 for similar non-financial risk weaknesses. ANZ has faced a progressively increasing capital add-on — from AUD 500 million in 2019, to AUD 750 million in 2023, to AUD 1 billion in 2025 — for persistent non-financial risk management and risk culture concerns.
The pattern is unmistakable: APRA is using capital add-ons as a scalable tool to force remediation, and the amounts go up when issues persist.

The Five Deficiency Areas That Should Worry Every FC Team
Deloitte’s findings identified weaknesses across five key aspects of Bendigo Bank’s ML/TF risk management. If you are working in financial crime at an ADI, these are the areas to stress-test in your own institution.
1. ML/TF Risk Assessment
The foundation of any AML/CTF program. If your enterprise-wide ML/TF risk assessment is outdated, does not reflect your current products, channels, customer base and jurisdictional exposure, or has not been meaningfully updated in response to emerging typologies, you have a problem. AUSTRAC has consistently criticised major banks for insufficient ML/TF risk assessments — it was a central theme in both the CBA and Westpac enforcement actions.
2. Enhanced Customer Due Diligence
Risk-based CDD is not optional — it is a core obligation under the AML/CTF Act. Deficiencies here typically mean that high-risk customers are not being identified or subjected to appropriate enhanced due diligence measures. Are your EDD triggers calibrated? Are they actually being applied in practice, not just documented in policy?
3. Oversight of ML/TF Risks
This goes to governance. Who is accountable for ML/TF risk at your institution? Is there effective escalation from first-line operations to second-line risk and compliance? Are the board and senior management receiving meaningful MI on financial crime risks, not just activity metrics? APRA’s joint announcement with AUSTRAC specifically called out risk culture as a concern — that is a governance failure signal.
4. Transaction Monitoring
Your TM program is only as good as its rules, its tuning, and the quality of investigations downstream. In the CBA case, the bank failed to monitor transactions on over 778,000 accounts for three years. At Bendigo, the deficiency was systemic. If you have not reviewed your TM scenarios against current typologies, tested for coverage gaps, or assessed whether alert volumes are generating meaningful outcomes, this is your wake-up call.
5. Customer Risk Rating
Customer risk rating drives the intensity of your ongoing CDD and monitoring. If your risk rating methodology is static, based on incomplete data, or disconnected from your TM and CDD processes, high-risk customers can sit undetected in your portfolio for years. That appears to be what happened at Bendigo.
The Bigger Picture: Why This Matters Right Now
The Bendigo Bank enforcement does not exist in isolation. It sits within a regulatory environment that is tightening rapidly.
Australia’s AML/CTF reforms commence from 1 July 2026, bringing Tranche 2 entities — real estate agents, lawyers, accountants, trust and company service providers — into the AML/CTF regime for the first time. AUSTRAC has publicly stated its regulatory expectations for implementation, and its 2025-26 priorities explicitly focus on preparing for these changes while continuing to target gaps in high-risk sectors.
Australia’s FATF mutual evaluation begins in 2026. The FATF Plenary, which concluded just days ago in Mexico City (11–13 February 2026), adopted mutual evaluation reports for Austria, Italy and Singapore under its new, more risk-based assessment methodology. Australia knows it is next. Regulators are under pressure to demonstrate enforcement credibility before international assessors arrive.
The trajectory is clear: CBA (AUD 700 million, 2018), Westpac (AUD 1.3 billion, 2020), Crown, SkyCity, Entain, BoQ, and now Bendigo Bank. Each enforcement action reveals the same underlying themes — insufficient risk assessments, inadequate systems, poor governance, reactive rather than proactive risk culture.
APRA’s new Prudential Standard CPS 230 (Operational Risk Management), effective from July 2025, now explicitly requires institutions to identify critical operations, assess their operational risk profile and maintain effective controls. AML/CTF transaction monitoring, suspicious matter reporting and sanctions screening are all critical operational functions under this framework. Root cause analysis is expected when material weaknesses are detected, and senior management and boards are directly accountable.
Key Takeaways
- The Bendigo Bank case demonstrates that AML control failures are now treated as prudential capital risks, not just compliance issues. When APRA and AUSTRAC act together, it signals systemic concern.
- Six years of unresolved deficiencies across risk assessment, CDD, transaction monitoring, oversight and customer risk rating turned a branch-level incident into an enterprise-wide enforcement action.
- APRA’s AUD 50 million capital add-on is a balance sheet impact that stays until remediation is verified — and history shows these amounts escalate when progress stalls.
- With Australia’s AML/CTF reforms commencing July 2026 and a FATF mutual evaluation on the horizon, the enforcement environment will only intensify.
- Every FC team at an ADI should be conducting an honest self-assessment of their AML/CTF framework now — before a regulator or an independent reviewer does it for them.
Viktor Ha is a Senior Financial Crime Analyst based in Melbourne and the author of the AML-CAMS Blog. Follow him on LinkedIn for weekly insights on financial crime, AML enforcement, and FC career development.