AML Infringement Penalties: Federal Court Ruling Signal for Enforcement

ByOfficer

Last updated: May 2026

On 27 May 2026, AUSTRAC announced that the Federal Court of Australia had imposed civil penalties against two businesses that failed to pay AML infringement notices. The original notices carried a penalty of AUD 18,780 each. The court-ordered penalties came in at AUD 50,000 and AUD 45,000 respectively, plus legal costs. That is roughly 2.4 to 2.7 times the original administrative fine before costs, and 2.7 to 3.5 times once costs are included.

The enforcement pattern here is straightforward: warning, then infringement notice, then court. What makes this worth tracking from a European perspective is not the dollar amounts. It is the escalation mechanism itself. As AMLA begins standing up its direct supervisory and enforcement powers under Regulation (EU) 2024/1620, and as national supervisors prepare to apply the harmonised sanctions framework under Directive (EU) 2024/1640 (AMLD6), the Australian case shows what happens when administrative AML penalties meet judicial enforcement. EU compliance teams, boards, and MLROs should pay attention to the operational pattern, not the jurisdiction.

Related reading: AMLR: What Changes for Luxembourg

What Happened: The AUSTRAC Federal Court Orders

In September 2024, AUSTRAC issued infringement notices to Castra Licensee Pty Ltd and Princeton Securities (NSW) Pty Ltd for alleged breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Both notices related to failures to meet mandatory reporting obligations under the Act. Specifically, neither business had submitted its annual compliance report for the 2023 calendar year.

Neither business paid the infringement amount of AUD 18,780. AUSTRAC commenced civil penalty proceedings in the Federal Court. On 26 May 2026, the Federal Court handed down separate judgments. Castra was ordered to pay AUD 50,000 plus AUD 15,000 in costs. Princeton was ordered to pay AUD 45,000 plus AUD 5,000 in costs. Both businesses admitted liability. Princeton and AUSTRAC made joint submissions on the appropriate penalty, and that cooperation was reflected in the lower overall amount.

AUSTRAC said the businesses had been warned before infringement notices were issued, and that firms which leave a notice unpaid risk spending more time, effort, and ultimately money resolving the matter through the court.

The total exposure for each firm moved from AUD 18,780 to between AUD 50,000 and AUD 65,000 once court-imposed penalties and costs were factored in. That is the cost of non-response, not the cost of the original breach.

The Escalation Sequence: Administrative to Judicial

The enforcement pathway AUSTRAC followed is worth mapping in detail because it mirrors a pattern that EU regulators are now building into their own frameworks.

Step one: AUSTRAC identified non-compliance. Both firms, along with 14 others, failed to submit mandatory annual compliance reports. Step two: AUSTRAC issued warnings. Step three: when warnings produced no response, AUSTRAC issued infringement notices in September 2024, each carrying a fixed penalty of AUD 18,780. Step four: when neither firm paid within the statutory deadline, AUSTRAC escalated to Federal Court civil penalty proceedings. Step five: the court imposed penalties substantially exceeding the original infringement amount.

This is not a complex enforcement action involving multi-year investigations or systemic compliance failures. It is the simplest kind of AML obligation: filing an annual report. The breach was binary. Either the report was submitted or it was not. The escalation was mechanical. And the financial outcome for both firms was materially worse than paying the original notice.

Where teams commonly get this wrong is in assuming that low-value administrative notices carry low consequences. The original AUD 18,780 notice looks manageable. The AUD 65,000 total for Castra, including costs, does not. The escalation multiplier is the risk, not the base penalty.

AML Infringement Notice Penalties in the EU Context

The EU does not currently have a single federal AML regulator with court-enforceable penalty powers equivalent to AUSTRAC’s model. That is changing. The EU’s AML reform package, adopted in May 2024, introduces three instruments that collectively build an enforcement escalation architecture for the first time at EU level.

Regulation (EU) 2024/1620 establishes AMLA as the EU-level AML/CFT authority with direct supervisory powers over selected high-risk obliged entities. For entities under its direct supervision, AMLA can impose administrative pecuniary sanctions and periodic penalty payments. The amounts are significantly larger than the Australian example: AMLA’s maximum fine for directly supervised entities can reach up to EUR 10 million or 10% of annual turnover, whichever is higher, depending on the breach category.

Regulation (EU) 2024/1624 (AMLR) creates the single AML/CFT rulebook, including uniform obligations on customer due diligence, beneficial ownership, suspicious transaction reporting, and compliance governance. This is the substantive law that defines what constitutes a breach.

Directive (EU) 2024/1640 (AMLD6) harmonises the sanctions toolkit available to national supervisors. Article 53(10) mandates the development of regulatory technical standards on pecuniary sanctions, administrative measures, and periodic penalty payments to promote convergence in how national authorities classify breach severity and calibrate penalties. AMLA is developing this RTS, which includes a four-category breach severity classification system and criteria for determining the appropriate sanction level. The EBA carried out the preparatory work through its response to the European Commission’s Call for Advice before its AML/CFT functions transferred to AMLA on 31 December 2025.

Enforcement culture and sanction levels currently differ across Member States, which is the divergence the harmonised AMLD6 framework and its RTS are designed to narrow. They do not eliminate it.

What the Australian Pattern Signals for EU Enforcement

The AUSTRAC case is not directly transferable to the EU. Australian AML legislation and its enforcement mechanisms operate under a different legal system, a different constitutional framework, and a different supervisory model. I use the Australian case as a signal, not a precedent.

The signal is this: administrative AML enforcement is moving toward judicial backstops globally. AUSTRAC demonstrated that when administrative fines go unpaid, the regulator will escalate to court proceedings, and courts will impose penalties that exceed the original administrative amount. The mechanism creates a financial disincentive for non-response that goes beyond the original sanction.

For EU firms, the relevant question is whether AMLA and national supervisors will develop a similar escalation posture. Three indicators suggest they will.

First, AMLA’s enforcement powers under Regulation (EU) 2024/1620 include periodic penalty payments, which by design escalate over time if the underlying breach is not remedied. This is an automatic escalation mechanism built into the regulation itself.

Second, the AMLD6 breach severity classification system is designed to ensure that repeated or unresolved breaches are classified at higher severity levels, triggering higher penalty ranges. Cooperation, or its absence, is an explicit calibration factor.

Third, national supervisors already have the power to refer unpaid administrative fines to national courts for enforcement in most Member States. The Australian case is simply a public illustration of what that referral produces.

Where EU-focused teams often misread this pattern is in treating AMLA as a future problem. AMLA became operational in 2025, and its direct supervisory mandate begins in 2028 for the first cohort of selected entities. The entity selection process is underway. Member States, meanwhile, must transpose AMLD6 by 10 July 2027, and national supervisors must apply its sanctions framework from that date. The enforcement architecture is not hypothetical. It is on a published timeline.

Operational Implications for AML Compliance Teams

The operational lesson from the Castra and Princeton cases is not about Australia. It is about AML reporting governance and the cost of treating administrative notices as low-priority items.

Annual compliance reports, suspicious transaction reports, customer due diligence records, and beneficial ownership filings are all mandatory under both Australian and EU AML frameworks. The specific obligations differ, but the enforcement logic does not: non-filing is a binary breach that regulators can detect mechanically, escalate predictably, and prove easily in court.

For EU compliance teams, the following operational points deserve attention.

Infringement notice response protocols need a defined internal escalation path. In the AUSTRAC case, the statutory payment deadline ran and both firms simply did not respond. In an EU context, when a national supervisor issues a formal administrative measure, the response window is typically defined by national law. Missing that window creates a documented record of non-cooperation, which under the AMLD6 severity classification directly increases the penalty range.

Payment and remediation governance must sit with a named owner, not the general compliance inbox. If a supervisory fine or administrative measure arrives and no one owns the response workflow, the clock runs without anyone tracking it. The Castra and Princeton outcomes suggest that both firms may have failed to respond to their notices for operational rather than strategic reasons. The breach was a missing annual report, not a deliberate programme of non-compliance.

Evidence of remediation matters at the penalty stage. Princeton’s cooperation with AUSTRAC in making joint submissions on the penalty amount resulted in a lower total (AUD 50,000 versus AUD 65,000 for Castra including costs). Under the EU framework, cooperation is an explicit mitigating factor in the AMLD6 breach severity classification. Documenting remediation steps, board awareness, and corrective actions from the moment a notice is received reduces exposure at every subsequent stage.

Board Oversight and Governance Response

Boards and senior management should not see the AUSTRAC case as a minor enforcement action in a distant jurisdiction. They should see it as a demonstration of how the simplest AML obligation, filing an annual report, can generate disproportionate cost when governance fails to respond.

The governance failure in the Castra and Princeton cases was not a failure of AML programme design. It was a failure to respond to a regulatory notice. That is a governance process issue, not a compliance content issue. It sits squarely within the board’s responsibility for regulatory engagement and supervisory relationship management.

For EU institutions, the CSSF’s AML/CFT data collection exercises and similar national supervisor requests create recurring obligations where non-response carries escalation risk. Board-level reporting should include a tracker of outstanding regulatory requests, administrative measures, and any infringement notices with their response deadlines and status.

One area where I see governance structures fall short is in distinguishing between the severity of the underlying breach and the severity of non-response. Boards may reasonably view a missed annual compliance report as a low-severity issue. The AUSTRAC case shows that the breach severity is almost irrelevant once the enforcement process is in motion. The court did not penalise the firms for failing to file a report. It penalised them for failing to pay the notice issued for failing to file a report. The escalation penalty attached to the process failure, not the substantive breach.

Tracking Enforcement Patterns Across Jurisdictions

EU compliance officers and MLROs working in firms with cross-border footprints should build enforcement pattern tracking into their regulatory monitoring. The AUSTRAC case is one data point, but it sits within a broader trend.

AUSTRAC has used infringement notices as an enforcement tool with increasing frequency. The September 2024 round covered 16 businesses, not just Castra and Princeton. The Federal Court proceedings against these two are the public consequence for the firms that did not pay. That ratio matters: 16 notices issued, two escalated to court. The regulator is signalling willingness to use judicial enforcement while giving the majority of recipients the opportunity to resolve matters administratively.

In the EU, AMLA is building its supervisory framework and will publish its first entity selection decisions ahead of the 2028 supervisory start date. National supervisors are already applying AML enforcement actions, but the public visibility and cross-border coordination of those actions is inconsistent. The EuReCA central AML/CFT database and the breach severity RTS consultation under AMLD6 Article 53(10) now sit with AMLA, which took over the EBA’s AML/CFT functions on 31 December 2025; that consultation aims to make national enforcement more comparable.

For firms operating across multiple EU jurisdictions, the operational risk is that enforcement culture varies between home and host supervisors. A notice from one national supervisor may carry different urgency signals than the same notice from another. The FATF’s focus on effective implementation reinforces the expectation that countries, and by extension their supervisors, demonstrate tangible enforcement outcomes, not just legislative transposition.

Tracking enforcement actions by jurisdiction, breach type, escalation pathway, and outcome gives compliance teams early warning when a supervisor moves from warnings to formal measures. The AUSTRAC case is a textbook example: warnings in 2024, notices in September 2024, court proceedings in late 2025, and court orders in May 2026. That is a 20-month timeline from first notice to judicial penalty. EU escalation timelines under AMLD6 are likely to follow similar patterns, though the specific procedural steps will vary by Member State.

Building an Infringement Response Playbook

Every AML compliance function should have a documented response protocol for regulatory infringement notices and administrative measures. The AUSTRAC case shows what happens when that protocol is missing or ignored.

The playbook should cover, at minimum: who receives and logs incoming regulatory correspondence, what the internal escalation path is once a notice is identified, who owns the decision on whether to pay or contest, what the documentation requirements are for remediation evidence, and what the reporting line to the board or senior management is.

A common mistake is routing infringement notices through the same workflow as routine regulatory correspondence. They are not routine. An infringement notice is a formal finding that carries a statutory deadline and escalation consequences. It should trigger an incident-level response, not a compliance-inbox-level response.

Another mistake is treating cooperation as optional after the notice is issued. In the AUSTRAC case, Princeton’s joint submissions with the regulator on penalty resulted in a lower total exposure. Under AMLD6, the breach severity RTS explicitly includes cooperation as a factor that can move the classification downward. Early engagement with the supervisor, documented evidence of remediation, and a clear timeline for corrective actions are not optional. They are penalty-reducing factors built into the framework.

For firms under or approaching EU sanctions and enforcement scrutiny, the response playbook should also address parallel proceedings: what happens if a notice arrives from one supervisor while another enforcement action is underway, and how the firm coordinates its response to avoid contradictory positions.

Frequently Asked Questions

What were the specific AML breaches in the AUSTRAC Federal Court case?

Both Castra Licensee Pty Ltd and Princeton Securities (NSW) Pty Ltd failed to submit their annual compliance reports for the 2023 calendar year, a mandatory reporting obligation under the Australian AML/CTF Act 2006. AUSTRAC issued infringement notices in September 2024 after initial warnings were not actioned. Neither firm paid the AUD 18,780 infringement amount within the statutory deadline.

How much did the Federal Court penalties exceed the original infringement notices?

The court ordered Castra to pay AUD 50,000 plus AUD 15,000 in costs (total AUD 65,000), and Princeton to pay AUD 45,000 plus AUD 5,000 in costs (total AUD 50,000). Compared to the original AUD 18,780 infringement amount, the total exposure increased by a factor of 2.7 to 3.5 once costs were included.

Does AMLA have similar enforcement powers to AUSTRAC?

AMLA, established under Regulation (EU) 2024/1620, has direct supervisory powers over selected high-risk obliged entities, including the ability to impose administrative pecuniary sanctions and periodic penalty payments. The maximum fines available to AMLA are significantly larger than those in the AUSTRAC case. However, AMLA’s direct supervisory mandate does not begin until 2028 for the first selected cohort. National supervisors retain enforcement responsibility for all other obliged entities under the AMLD6 harmonised sanctions framework.

Can EU national supervisors refer unpaid AML fines to courts?

In most EU Member States, national administrative law provides mechanisms for enforcing unpaid administrative fines through judicial proceedings. The specific procedures vary by jurisdiction. AMLD6 aims to harmonise the sanctions toolkit available to national supervisors, but the judicial enforcement step remains governed by national procedural law.

What is the AMLD6 breach severity classification?

Directive (EU) 2024/1640, Article 53(10), mandates regulatory technical standards establishing a four-category breach severity classification for AML/CFT violations. Following the transfer of the EBA’s AML/CFT functions to AMLA on 31 December 2025, AMLA is developing this RTS. The classification considers factors including the gravity of the breach, the conduct of the responsible person, cooperation with the supervisor, and whether the breach was concealed. Breaches classified at higher severity categories trigger higher penalty ranges. The RTS is under development.

How should EU compliance teams respond to an AML infringement notice?

Treat it as an incident, not routine correspondence. Log receipt immediately, identify the internal owner, assess the statutory deadline, engage legal counsel, document remediation steps, and escalate to the board or senior management. Cooperation with the supervisor and evidence of corrective actions are explicit mitigating factors under the AMLD6 breach severity framework.

Does this case affect firms not under AMLA direct supervision?

Yes. The enforcement escalation pattern applies at the national level regardless of whether a firm is selected for AMLA direct supervision. National supervisors issue administrative measures and fines under their own transposed AMLD6 frameworks. The Australian case illustrates the consequences of non-response to any AML regulator’s administrative notice, not only those issued by a supranational authority.

What is the timeline from AUSTRAC notice to Federal Court penalty?

Approximately 20 months. Infringement notices were issued in September 2024. AUSTRAC commenced civil penalty proceedings after the payment deadline passed. The Federal Court handed down its judgments on 26 May 2026. EU escalation timelines are likely to vary by Member State but will follow a broadly similar administrative-to-judicial sequence.

Related Articles

Key Takeaways

  • The Federal Court of Australia imposed civil penalties of AUD 50,000 and AUD 45,000 (plus costs) against two businesses that failed to pay AUD 18,780 AUSTRAC infringement notices, demonstrating a 2.7 to 3.5 times cost multiplier for non-response.
  • The underlying breach was a missed annual compliance report, the simplest category of mandatory AML reporting obligation. The court penalty attached to the process failure of not paying the notice, not to the severity of the substantive breach.
  • EU firms should track this enforcement escalation pattern as AMLA prepares to exercise direct supervisory powers under Regulation (EU) 2024/1620, including administrative pecuniary sanctions and periodic penalty payments for directly supervised entities from 2028.
  • AMLD6 (Directive (EU) 2024/1640) Article 53(10) mandates a four-category breach severity classification for national AML enforcement, with cooperation and remediation as explicit calibration factors. AMLA’s RTS is under development.
  • Infringement notice response protocols should be treated as incident-level processes with defined owners, statutory deadline tracking, remediation documentation, and board-level escalation, not as routine correspondence.
  • Cooperation with the regulator reduces penalties. Princeton’s joint submissions with AUSTRAC on the penalty amount resulted in materially lower total exposure compared to Castra, which did not make joint submissions.
  • National supervisors across the EU already have the ability to refer unpaid administrative fines to courts under national procedural law. The AUSTRAC case illustrates the judicial outcome that EU firms can expect if they ignore administrative measures.
  • Boards should distinguish between the severity of the underlying breach and the severity of non-response to regulatory enforcement. The process failure, not the substantive breach, drives the escalation multiplier.

Sources and References

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts