Specialising in advising the gambling, finance and bullion sectors on government regulation, including Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) and AUSTRAC compliance.

  • Legal advice on AUSTRAC government regulation for Pubs and Clubs, Casinos, Banks, Credit Unions, Building Societies, super funds, stockbrokers, custodians, bullion traders and crypto-currency exchanges.

  • Drafting a new compliance program for your business, including a tailored risk assessment.

  • Independent Review of your business' AML/CTF compliance.

  • Staff and Management training and Board/Committee strategy for AML/CTF compliance. Options include an on-demand smartphone app, webinars and on-site training for your business.

  • Engagement with regulators on behalf of your business, including regarding compliance issues or to seek an exemption.

  • Legal advice on the annual compliance report to AUSTRAC.



TM provides innovative legal and compliance advice and training to businesses on government and regulatory requirements.

We have specialist experience in Commonwealth government regulation for the gambling (including casinos and clubs and pubs), financial (including fintech) and bullion industries for anti-money laundering and counter-terrorism financing (AML/CTF) laws. We can assess and report on the compliance of your business units with AML/CTF legislative requirements.

We are passionate about communicating in plain language about what can often be complex regulatory environments.

What to do if AUSTRAC asks your Pub or Club to appoint an external auditor...

Earlier this year AUSTRAC changed the procedures around External Auditors who can be appointed to regulated gambling businesses, such as Clubs or Pubs with gaming machines or ‘pokies’.

Where AUSTRAC finds that a Pub or Club’s compliance with the anti-money laundering and counter-terrorism financing requirements, or its risk management, is not sufficient, it may require the Pub or Club to appoint an ‘External Auditor’.

In the past, AUSTRAC kept a list of approved auditors on its website. This has changed, and Pubs and Clubs can now nominate an external auditor for consideration by AUSTRAC. This process involves the potential auditor providing information on their relevant expertise to AUSTRAC.

When could this be relevant for my Pub or Club?

Clubs or Pubs regulated by AUSTRAC (which offer gambling to patrons) will be aware of the headline civil penalties for non-compliance of up to $21 million under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).

However, there are many other enforcement steps AUSTRAC can take before an issue escalates to that level. Examples include:

  • infringement notices (for less serious contraventions with lower fines)

  • remedial directions (to take action to repair a contravention)

  • court ‘enforceable undertakings’ (these have been issued against Hotels in NSW and Queensland) and

  • the Club or Pub being required to appoint an ‘external auditor’.

Despite the title, an ‘external auditor’ does not need to be an ‘auditor’ in the accounting sense, but rather a professional, external to the Pub or Club with relevant expertise.

Where a Club or Pub receives enforcement related correspondence from AUSTRAC, this is a serious matter and professional advice is recommended.


Note: As originally published in the Spring Hub Magazine, Victoria, 2019, page 42.

Andrew Fernbach


© GOVLAW 2019

21 August 2020

Privacy and Patron Data Protection for Clubs and Pubs

At GOVLAW, we know these are challenging and difficult times for Clubs, their members, staff and patrons. However, the lockdown does provide an opportunity for Clubs to review their privacy compliance to safeguard their patrons’ personal data.


Even during the pandemic, Australians have reported a staggering 24,000 instances of stolen personal information, an increase of 55% on the prior year.[1] Australians lost more than $22 million to scammers who also stole their personal information. Awareness of these issues among members and patrons is likely to increase given the regular media coverage.


Clubs collect patron data, including personal information on application forms for rewards or membership and following large wins on gaming machines (‘pokies’). This information may include details such as date of birth, residential address and driver licence or passport numbers.


These details are sought by scammers for identity take-over, which can be used to take out loans fraudulently in your patron’s name, or to seek access to their pandemic-related government payments or early-release superannuation. A data breach may also escalate a family or domestic violence situation where, for example, a victim wishes to keep their address private.


The Privacy Act 1988 (‘Privacy Act’) covers how Clubs must handle, use and manage the personal data for members, patrons and volunteers.

Is my Club covered by the Privacy Act?

The Privacy Act covers Clubs with an annual turnover of more than $3 million and all Clubs with Electronic Gaming Machines (‘pokies’) regulated by AUSTRAC, regardless of turnover.


What are the Privacy Act requirements?

The Privacy Act contains the Australian Privacy Principles (‘APPs’) that set out the Club’s obligations for:

  • the collection, use and disclosure of members’ and patrons’ personal information

  • Committee privacy governance and management accountability and

  • the rights of patrons to access and correct their personal information.

The APPs include requirements for Clubs to have a Privacy Policy, so personal information is managed in an open and transparent way and to include Privacy Notices when collecting information from patrons.


Beware of templates: the Privacy Policy and Privacy Notices need to be tailored to your Club’s circumstances. The Privacy Act sets out what must be included, or your Club can seek assistance from a professional advisor.


Sensitive information

Sporting Clubs, including those with Football, Netball, Cricket, Golf, Bowls or gym facilities may ask health related questions on new member forms to ensure the safety and wellbeing of patrons using sporting facilities.


Under the Privacy Act this sort of personal information is regarded as ‘sensitive information’. Clubs must ensure they have the customer’s consent and follow the tougher restrictions on how this type of information can be used and disclosed.


Notifiable Data Breaches

Clubs must also notify individuals and the Office of the Australian Information Commissioner (‘OAIC’) about data breaches which may cause serious harm to members or customers. This is intended to assist Club members and patrons in taking the opportunity to change passwords to compromised online accounts, and be alert to identity fraud or scams.


Examples of data breaches include:

  • the loss or theft of laptops, flash drives or paper files that contain personal information (such as copies of driver licences for gaming machine jackpot wins)

  • unauthorised access to patron records by an employee

  • the disclosure of personal information due to ‘human error’, for example an email sent to the wrong person or by ‘reply all’

  • the disclosure of personal information to a scammer, such as by ‘social engineering’ to obtain staff passwords and

  • the hacking of the Club IT network (also, consider a report to the Australian Cyber Security Centre at ReportCyber).


Does your Club have a Data Breach Response Plan?

This can help your Club management respond quickly and with confidence to a data breach.


The plan should outline your Club’s strategy for containing, assessing and managing the incident and set out the roles and responsibilities for Club staff in managing the incident.


What are the penalties for privacy breaches?

A serious breach of an Australian Privacy Principle is an ‘interference with the privacy of an individual’ and can lead to a civil penalty of up to $420,000.


It would be prudent to anticipate that legislated penalties for privacy breaches will increase over time, and that the option to seek a civil penalty expressed as a percentage of Club turnover may be added. This model for penalties is now included in the Australian corporations legislation and European privacy legislation.[2]


The OAIC may also award compensation to the patron affected, or seek an Enforceable Undertaking from a Club to improve its compliance, which can be enforced in the Federal Court.



Data privacy for your members and patrons is now a key responsibility for Clubs.


According to the Australian Community Attitudes to Privacy Survey 2017, 58% of Australians would decide not to deal with a business if they were concerned about a lack of security for their information.


A data breach can negatively impact a Club’s reputation and the bottom line. Privacy protection and compliance contributes to trust by Club members and visitors and a sustainable business model into the future.


Andrew Fernbach


© GOVLAW 2020


[1] Statistics published by ‘Scamwatch’, a division of the Australian Competition and Consumer Commission (ACCC), 2020.

[2] European Union, General Data Protection Regulation (GDPR).

Note: As originally published in the Hub Magazine, Victoria, 2020, Online Edition.

P.O. Box 390

Collins Street West

Melbourne VIC 8007

M: 0411 897 943

Liability limited by a scheme approved under Professional Standards Legislation.
