By Viktor Ha | June 2026 | AML-CAMS Blog
The Quote That Defines an AML Compliance Culture Failure
In March 2017, AUSTRAC CEO Paul Jevtovic addressed the media after the Federal Court ordered Tabcorp to pay a $45 million civil penalty for 108 contraventions of the AML/CTF Act over five years. His words were precise: “In our view, Tabcorp had a corporate culture indifferent to meaningful AML/CTF compliance and risk mitigation until we intervened.”
Not a technical failure. Not a resourcing gap. Not a systems problem. A culture problem.
That framing matters enormously — because AUSTRAC’s return in May 2026 with a fresh enforcement investigation must be understood through exactly that lens. An AML compliance culture failure is not fixed by a penalty. It is only fixed when the institution genuinely changes the way it thinks about compliance — and that change either holds or it doesn’t.
Act One: What AUSTRAC Found in 2017
The Failures Behind the $45 Million
The 2017 Tabcorp penalty was AUSTRAC’s first major civil enforcement action against any Australian reporting entity. It established the template for everything that followed — CBA’s $700 million, Crown’s $450 million, SkyCity’s $67 million.
The specific failures Tabcorp admitted tell a precise story:
105 suspicious matter reports not filed on time — or at all. The suspected activity included credit card fraud, match fixing, and credit betting. This was not a case where the institution lacked information. The suspicions existed and investigators identified them. Tabcorp simply did not report them to AUSTRAC as required. In several instances, it reported the suspicious matters to other law enforcement agencies — just not to the regulator with the statutory obligation to receive them. That distinction is not ignorance. That is a compliance governance failure.
Three years without a compliant AML/CTF program. The program existed on paper but did not function in practice. AUSTRAC found it failed to meet the requirements of the Act for more than three years — an extraordinary duration for a systematic deficiency to go unaddressed.
A customer who collected $100,000 in winnings without identity verification. A single transaction, but telling. It points to a CDD process that was absent, poorly designed, or consistently bypassed at the point of service.
The Governance Failure Behind All the Others
The finding that carries the most weight is this: senior management did not regularly receive AML/CTF compliance reporting. When the board and executives lack visibility over their compliance program, resource allocation suffers, tone-from-the-top weakens, and problems accumulate invisibly until a regulator surfaces them.
Jevtovic’s “culture indifferent to compliance” framing was not rhetoric. It described an institution where AML compliance was not a board-level priority until external pressure forced it to become one.
Act Two: Nine Years of Silence
What Remediation Is Supposed to Look Like
After 2017, Tabcorp committed to rebuilding its program. The company cooperated with AUSTRAC, settled the proceedings by consent, and made public commitments to reform. Jevtovic himself noted, shortly before leaving AUSTRAC in 2017, that he was “heartened by Tabcorp’s response.”
For nine years, AUSTRAC took no further public enforcement action against Tabcorp. In the AML world, that is not nothing. It suggests the remediation was substantive enough to avoid regulatory intervention during that period — or that AUSTRAC’s enforcement focus sat elsewhere.
What nine years of silence does not confirm is that the underlying AML compliance culture failure was definitively resolved.
Why Culture Is the Hardest Thing to Fix
Systems can be rebuilt. Policies can be rewritten. Staff can complete new training. All of those outputs are measurable. Culture — the institutional disposition toward compliance, the tone executives set, the weight commercial teams give compliance concerns when they conflict with revenue — cannot be measured in the same way. It reveals itself under pressure, particularly when the regulator is not watching.
The Bendigo Bank enforcement action demonstrated this clearly. Bendigo had an AML program that looked adequate on paper but had not kept pace with the actual evolution of its products and customer base. The gap between documented controls and operational reality only surfaced under regulatory scrutiny.
The CBA’s $700 million penalty added a further dimension: the compliance team’s concerns about intelligent deposit machines did not receive the commercial weight they deserved. That is a culture signal, not a technical one.
Both cases illustrate the same dynamic at the heart of every AML compliance culture failure: the institution prioritised commercial continuity over compliance integrity, until the regulator made that choice impossible to sustain.
Act Three: AUSTRAC Returns — May 2026
The Investigation and the Market Reaction
On 7 May 2026, Tabcorp disclosed to the ASX that AUSTRAC had commenced a formal enforcement investigation. AUSTRAC stated serious concerns about the company’s ability to effectively identify, mitigate, and manage its money laundering and terrorism financing risks.
The investigation’s initial focus covered three pillars: whether Tabcorp maintained a compliant AML/CTF program, whether it followed that program, and whether it appropriately monitored customers.
Those three pillars are almost word-for-word identical to the 2017 failures.
The market responded immediately. Tabcorp’s share price fell more than 28% on the announcement day, erasing over $700 million in market capitalisation in a single session — a figure larger than the original penalty that was supposed to prompt lasting reform. Fitch placed Tabcorp under review, noting that any enforcement action could become “rating relevant” and create financial and governance pressures.
What the Language Tells Us
AUSTRAC’s word choices matter. “Serious concerns” is not administrative language. The 2026 investigation announcement uses the same register as the 2017 penalty proceedings. When AUSTRAC uses that framing, it signals that the concerns are substantive, that evidence has already been collected, and that the range of possible outcomes includes significant enforcement action.
All potential outcomes remain open, including the possibility that no further enforcement action is taken. The investigation is at an early stage and evidence is still being assessed. But the framing leaves no ambiguity about the seriousness of what AUSTRAC has found so far.
Act Four: Hiring the Regulator Who Fined You
The Jevtovic Appointment
On 21 May 2026, two weeks after the investigation announcement, Tabcorp appointed Paul Jevtovic as its Chief Financial Crime Officer. He will lead the AUSTRAC investigation response, chair an internal oversight committee, and oversee Tabcorp’s broader financial crime framework including fraud prevention and internal investigations.
Jevtovic is the AUSTRAC CEO who imposed the 2017 penalty and publicly labelled Tabcorp’s culture as indifferent to compliance. Tabcorp now employs him to fix the problem he identified, in response to a new investigation by the agency he once led. The narrative arc is almost too neat to be real.
Remediation or Regulatory Relationship Management?
There is a genuine logic to the appointment. Jevtovic’s track record spans AUSTRAC, HSBC, and NAB — where he served as Chief of Financial Crime Risk while NAB navigated its own AUSTRAC scrutiny over customer identification and CDD failures. He understands how enforcement investigations proceed, what credible remediation looks like to the regulator, and what an AML program needs to demonstrate in order to satisfy AUSTRAC’s expectations. For this specific role, he is probably the most qualified person available in Australia.
But the appointment also surfaces the central question in every AML compliance culture failure remediation: is this genuine change, or is it regulatory relationship management?
Why the Distinction Matters
Genuine remediation requires diagnosing the root cause of the failure, rebuilding governance structures so the failure cannot recur, and embedding compliance accountability at a level that survives leadership changes. Regulatory relationship management — hiring someone with credibility and regulator relationships to manage the investigation response — can look identical from the outside while leaving the underlying culture unchanged.
The Mounties case illustrated this at a smaller scale. An entity outsourced its compliance function and believed outsourcing the work meant outsourcing the obligation. AUSTRAC’s consistent message across every enforcement action is that accountability cannot be delegated, cannot be outsourced, and cannot be hired in from outside. It must be built inside the institution.
Jevtovic’s appointment is a necessary step. Whether the culture has genuinely changed is what the investigation will determine.
The Wagering Sector Pattern
Tabcorp is not an isolated case. AUSTRAC has been running a systematic sector sweep of Australian wagering operators, and Tabcorp is the latest entity in the sequence — not the first.
Entain, which operates Ladbrokes and Neds in Australia, has faced civil penalty proceedings since December 2024. AUSTRAC alleges deficient customer verification, inadequate source-of-funds checks, and cash-deposit channels that obscured the origin of funds and exposed the wagering network to criminal exploitation. Entain accepted $181 million in wagers from 17 individuals with suspected criminal profiles whose identities were “deliberately obscured.” The Federal Court hearing is scheduled for 30 November 2026.
The pattern is unmistakable. AUSTRAC concluded that the Australian wagering sector has systemic AML compliance weaknesses and began working through the major operators — casinos first with Crown, Star, and SkyCity, then digital and retail wagering operators. Tabcorp is under investigation because AUSTRAC reached it in a deliberate sequence, not because its failures are unique.
For AML teams at banks, payment providers, and institutions with wagering-sector exposure, the sector sweep is directly relevant. What AUSTRAC finds in Tabcorp’s transaction monitoring and customer oversight will shape the regulator’s view of the entire sector’s risk profile — and will influence supervisory expectations for any institution processing transactions for wagering operators.
What This Means at the Desk
The Tabcorp story raises three questions worth asking about any institution’s AML program, not just wagering operators.
1. Does Your SMR Governance Have Real Accountability?
Tabcorp’s 2017 failures included 105 suspicious matter reports not filed on time or at all. In several instances, investigators reported the suspicious activity to other law enforcement agencies — which means the information existed and people acted on it, just not in the way the AML/CTF Act required. SMR governance is about more than the decision to file. It covers who makes that decision, what process governs it, what the escalation path looks like, and who is accountable when the filing does not happen. Ambiguity in any of those answers is the gap.
2. Is Your AML Program Current or Historical?
Tabcorp’s three-year non-compliant program did not fail overnight. It drifted as the business changed, products evolved, and customer volumes grew, while the program stayed static. Every AML program drifts if it is not actively maintained against the current risk profile. The governance question is whether your review cycle catches the drift before AUSTRAC does.
3. What Does Senior Management Actually Know?
Tabcorp’s 2017 finding included the explicit observation that senior management did not regularly receive AML compliance reporting. The fix is straightforward in principle — AML compliance as a standing agenda item at board and executive level, not a document that exists and is occasionally reviewed. As AUSTRAC CEO Brendan Thomas has stated: “AML/CTF is not a back-office function.” Tabcorp’s 2017 experience shows what happens when institutions treat it as one.
The Question the Industry Should Be Asking
The Jevtovic appointment will be watched across the Australian AML and financial crime community — not just for what it means for Tabcorp, but for what it signals about how institutions manage an AML compliance culture failure under active investigation.
If the appointment produces genuine program rebuilding, embedded governance accountability, and a measurable improvement in Tabcorp’s controls — and if AUSTRAC’s investigation outcome reflects that — it becomes a case study in effective remediation leadership.
If the investigation reveals the same structural weaknesses as 2017, and the Jevtovic hire reads primarily as a reputational response rather than a substantive compliance commitment, the question of what remediation actually requires will receive a very public answer in the Federal Court.
Either outcome is instructive for every practitioner in this space.
The regulator came back. Whether the culture that produced the original AML compliance culture failure has genuinely been replaced — or simply better managed in the years between — is the question that remains open.
Viktor Ha is a Senior Financial Crime Analyst with experience in AML/CTF compliance across the Australian banking sector. The views expressed here are his own.
Links referenced in this post:
External:
- AUSTRAC media release — 2017 Tabcorp penalty
- The Straight — Jevtovic appointment reporting
- Gaming Intelligence — May 2026 investigation announcement
Internal:
Leave a Reply