AUSTRAC Orders External AML/CTF Audit of Airwallex Over Compliance Concerns

The Australian Transaction Reports and Analysis Centre (AUSTRAC) has mandated an external audit of global payments platform Airwallex following concerns over serious non-compliance with financial crime regulations. AUSTRAC Chief Executive Officer Brendan Thomas announced the regulatory action on January 22, 2026, citing potential failures in the company’s management of anti-money laundering and counter-terrorism financing (AML/CTF) obligations. The audit, conducted under section 162 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, is intended to protect the Australian financial system from exploitation by criminal activity, including fraud, drug trafficking, and child sexual exploitation. Airwallex is required to appoint an approved external auditor at its own expense to review its transaction monitoring and customer due diligence programs.

The regulator’s decision follows an assessment that Airwallex may not have maintained a robust AML/CTF program. AUSTRAC expressed concern that the platform’s transaction monitoring systems were not sufficiently calibrated to the high-volume, multi-jurisdictional risks inherent in global payment services. The official notice highlighted that the company had not demonstrated an acceptable understanding of its customer base or the reporting requirements for suspicious activity. By invoking section 162, the regulator signalled that the suspected breaches were significant enough to warrant a comprehensive, third-party forensic examination of the firm’s internal controls and governance structures.

The audit is designed to determine whether Airwallex has consistently identified, mitigated, and managed money laundering and terrorism financing risks. This includes examining how the business identifies suspicious matters and whether senior management has provided effective oversight of compliance obligations. Under the terms of the enforcement notice, the appointed auditor must report back to AUSTRAC within 180 days. The findings will be instrumental in determining whether further regulatory action, such as civil penalty proceedings or enforceable undertakings, will be pursued by the Commonwealth.

As financial technology companies expand globally, the complexity of monitoring cross-border fund transfers increases exponentially. AUSTRAC has emphasised that AML/CTF compliance is not merely a back-office administrative task but a core requirement for any entity operating in the Australian financial sector. The regulator’s focus on Airwallex stems from the platform’s role in facilitating transfers across multiple jurisdictions, which can be exploited by criminal networks for moving illicit proceeds. AUSTRAC noted that failure to properly calibrate monitoring tools to detect fraud, scams, or movements of funds linked to illicit tobacco and drug trafficking represents a systemic risk to financial integrity.

The current enforcement action underscores that rapid growth in fintech must be matched by equivalent investment in compliance resourcing. AUSTRAC expects boards and senior executives to be actively involved in overseeing risk assessments and has stated that reporting entities must have clearly authorised staff and sufficient resources to ensure reporting is timely and accurate. When a business cannot demonstrate knowledge of its customers or justify its transaction monitoring methodology, it leaves the door open for regulatory intervention.

The legal framework for this audit is provided by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which empowers AUSTRAC to compel a reporting entity to hire an external auditor when non-compliance is suspected. The auditor will specifically examine whether the Airwallex Designated Business Group has operated an ongoing customer due diligence program meeting statutory standards. This includes verifying customer identities and monitoring financial behavior over time, as well as ensuring the business meets its obligations for reporting suspicious matters, which are critical for intelligence provided to law enforcement agencies.

The 180-day timeline for the audit provides a structured period for Airwallex to address the regulator’s concerns. During this period, the auditor will have full access to the company’s records, systems, and personnel to verify the effectiveness of the compliance environment. The costs of this review are borne entirely by Airwallex, representing a substantial financial and operational burden. This mechanism is intended to ensure immediate improvements to the company’s systems while giving AUSTRAC an unfiltered view of the actual state of compliance within the organisation.

The intervention highlights a tightening regulatory environment in Australia, particularly for digital-first payment providers. The results of the external audit will provide a roadmap for the remediation necessary to bring the platform into full compliance with Australian law. This case illustrates the importance of moving beyond a checkbox approach to a genuine risk-based framework that reflects the nature of global operations. The outcome will affect not only Airwallex but also set a precedent for how other global fintech firms must manage exposure to financial crime.

Ultimately, AUSTRAC’s action aims to disrupt the flow of illicit funds through legitimate channels. By mandating an external audit, the regulator seeks to identify systemic weaknesses before they can be exploited by criminal networks. The emphasis on board-level accountability reinforces the principle that compliance is a fundamental component of corporate governance. For the wider industry, the message is clear: the ability to move money across borders carries a non-negotiable responsibility to protect the financial system from misuse.

By fLEXI tEAM