Specialising in advising the gambling, finance and bullion sectors on government regulation, including Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) and AUSTRAC compliance.
Legal advice on government regulation for Pubs and Clubs, Casinos, Banks, Credit Unions, Building Societies, super funds and bullion, crypto-currency and finance services. AUSTRAC, ASIC, APRA and sanctions (DFAT) compliance.


For Clubs which are incorporated associations or companies limited by guarantee - updating your Rules or Constitution.



Independent Reviews and AML/CTF programs.



Staff, Management and Board or Committee training for AML/CTF compliance - webinars and on-site.



Engagement with regulators on behalf of business, including regarding compliance issues.



Legislative counsel services for principal and subordinate legislation of all types in plain language.



TM provides innovative legal and compliance advice and training to businesses on government and regulatory requirements. We can liaise with regulators on your behalf, for example assisting with applications for exemptions.

We have specialist experience in Commonwealth government regulation for the gambling (including casinos and clubs and pubs), financial (including fintech) and bullion industries for anti-money laundering and counter-terrorism financing (AML/CTF) laws. We can assess and report on the compliance of your business units with AML/CTF legislative requirements. We also advise on privacy law.

We are passionate about communicating in plain language about what can often be complex regulatory environments.




What to do if AUSTRAC asks your Pub or Club to appoint an external auditor...

Earlier this year AUSTRAC changed the procedures around External Auditors, who can be appointed to regulated businesses with gambling, such as Clubs or Pubs with gaming machines or ‘pokies’.

Where AUSTRAC finds that a Pub or Club’s compliance with the anti-money laundering and counter-terrorism financing requirements, or its risk management, is not sufficient, AUSTRAC may require the Pub or Club to appoint an ‘External Auditor’.

In the past, AUSTRAC kept a list of approved auditors on its website. This has changed: Pubs and Clubs can now nominate an external auditor for consideration by AUSTRAC. The nominated auditor must provide AUSTRAC with information about their relevant expertise.

When could this be relevant for my Pub or Club?

Clubs or Pubs regulated by AUSTRAC (those which offer gambling to patrons) will be aware of the headline civil penalties for non-compliance of up to $21 million under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

However, there are many other compliance steps which AUSTRAC can take before an issue escalates to that level. Examples include:

  • infringement notices (for less serious contraventions with lower fines)

  • remedial directions (to take action to repair a contravention)

  • ‘enforceable undertakings’ (an undertaking accepted by AUSTRAC which it can enforce in court; these have been accepted from Hotels in NSW and Queensland) and

  • the Club or Pub being required to appoint an ‘external auditor’.

Despite the title, an ‘external auditor’ does not need to be an ‘auditor’ in the accounting sense, but rather a professional, external to the Pub or Club with relevant expertise.

Where a Club or Pub receives enforcement related correspondence from AUSTRAC, this is a serious matter and professional advice is recommended.


Note: As originally published in the Spring Hub Magazine, Victoria, 2019, page 42.

Andrew Fernbach


© GOVLAW 2019

21 August 2020

Privacy and Patron Data Protection for Clubs and Pubs

At GOVLAW, we know these are challenging and difficult times for Clubs, their members, staff and patrons. However, the lockdown does provide an opportunity for Clubs to review their privacy compliance to safeguard their patrons’ personal data.


Even during the pandemic, Australians have reported a staggering 24,000 instances of stolen personal information, an increase of 55% on the prior year.[1] Australians lost more than $22 million to scammers who also stole their personal information. Awareness of these issues among members and patrons is likely to increase given the regular media coverage.


Clubs collect patron data, including personal information on application forms for rewards or membership and following large wins on gaming machines (‘pokies’). This information may include details such as date of birth, residential address and driver licence or passport numbers.


These details are sought by scammers for identity takeover, which can be used to take out loans fraudulently in your patron’s name, or to seek access to their pandemic-related government payments or early-release superannuation. A data breach may also escalate a family or domestic violence situation where, for example, a victim wished to keep their address private.


The Privacy Act 1988 (‘Privacy Act’) covers how Clubs must handle, use and manage the personal data of members, patrons and volunteers.

Is my Club covered by the Privacy Act?

The Privacy Act covers Clubs with an annual turnover of more than $3 million and all Clubs with Electronic Gaming Machines (‘pokies’) regulated by AUSTRAC, regardless of turnover.


What are the Privacy Act requirements?

The Privacy Act contains the Australian Privacy Principles (‘APPs’) that set out the Club’s obligations for:

  • the collection, use and disclosure of members’ and patrons’ personal information

  • Committee privacy governance and management accountability and

  • the rights of patrons to access and correct their personal information.

The APPs require Clubs to have a Privacy Policy (APP 1), so that personal information is managed in an open and transparent way, and to provide Privacy Notices (APP 5) when collecting information from patrons.


Beware of templates: the Privacy Policy and Privacy Notices need to be tailored to your Club’s circumstances. The Privacy Act sets out what must be included, or your Club can seek assistance from a professional advisor.


Sensitive information

Sporting Clubs, including those with Football, Netball, Cricket, Golf, Bowls or gym facilities may ask health related questions on new member forms to ensure the safety and wellbeing of patrons using sporting facilities.


Under the Privacy Act, health information of this kind is ‘sensitive information’. Clubs must obtain the member’s consent to collect it and follow the tougher restrictions on how this type of information can be used and disclosed.


Notifiable Data Breaches

Clubs must also notify affected individuals and the Office of the Australian Information Commissioner (‘OAIC’) about ‘eligible data breaches’: breaches of personal information which are likely to result in serious harm to members or customers. Notification is intended to give Club members and patrons the opportunity to change passwords on compromised online accounts and to be alert to identity fraud or scams.


Examples of data breaches include:

  • the loss or theft of laptops, flash drives or paper files that contain personal information (such as copies of driver licences for gaming machine jackpot wins)

  • unauthorised access to patron records by an employee

  • the disclosure of personal information due to ‘human error’, for example an email sent to the wrong person or by ‘reply all’

  • the disclosure of personal information to a scammer, such as by ‘social engineering’ to obtain staff passwords and

  • the hacking of the Club IT network (also, consider a report to the Australian Cyber Security Centre at ReportCyber).


Does your Club have a Data Breach Response Plan?

This can help your Club management respond quickly and with confidence to a data breach.


The plan should outline your Club’s strategy for containing the breach, assessing whether it is likely to result in serious harm (the Privacy Act requires this assessment to be completed within 30 days of becoming aware of a suspected breach), notifying affected individuals and the OAIC where required, and reviewing what went wrong. It should also set out the roles and responsibilities of Club staff in managing the incident, including who can authorise notifications and who is responsible for preserving the relevant records and system logs for any later investigation.


What are the penalties for privacy breaches?

A serious breach of an Australian Privacy Principle is an ‘interference with the privacy of an individual’ and can lead to a civil penalty of up to $420,000 for an individual, and up to five times that amount for a body corporate such as a Club.


It would be prudent to anticipate that legislated penalties for privacy breaches will increase over time, and that the option of a civil penalty expressed as a percentage of the Club’s turnover may be added. This model for penalties is already used in Australian corporations legislation and in European privacy legislation, where fines can reach 4% of worldwide annual turnover.[2]


The OAIC may also award compensation to affected patrons, or accept an Enforceable Undertaking from a Club to improve its compliance, which can be enforced in the Federal Court.



Data privacy for your members and patrons is now a key responsibility for Clubs.


According to the Australian Community Attitudes to Privacy Survey 2017, 58% of Australians would decide not to deal with a business if they were concerned about a lack of security for their information.


A data breach can negatively impact a Club’s reputation and the bottom line. Privacy protection and compliance contributes to trust by Club members and visitors and a sustainable business model into the future.


Andrew Fernbach


© GOVLAW 2020


[1] Statistics published by ‘Scamwatch’, a division of the Australian Competition and Consumer Commission (ACCC), 2020.

[2] European Union, General Data Protection Regulation (GDPR).

Note: As originally published in the Hub Magazine, Victoria, 2020, Online Edition.
GOVLAW (by appointment only)


696 Bourke St

Melbourne VIC 3000

M: 0411 897 943

Liability limited by a scheme approved under Professional Standards Legislation.
