
Inside AUSTRAC's Airwallex audit

The payments did not look unusual.

They moved through legitimate business accounts, routed across borders and processed at speed. Individually, each transaction sat comfortably within the volume and value expected of a global payments platform. No obvious red flags. Nothing demanded immediate attention.

What concerned AUSTRAC was not a single transfer, but the possibility that patterns like these, fragmented, repetitive, deliberately ordinary, could pass through the system without being properly identified or escalated. Patterns the regulator has warned are commonly associated with money mule activity and, in the most serious cases, the funding of online child sexual exploitation.

It was that concern that prompted AUSTRAC’s intervention.

A rare regulatory step

On 22 January 2026, AUSTRAC ordered Airwallex to appoint an independent external auditor under section 162 of the Anti-Money Laundering and Counter-Terrorism Financing Act. The regulator said it had reasonable grounds to suspect that Airwallex may have contravened several core obligations of the Act, including requirements relating to transaction monitoring, customer identification and suspicious matter reporting.

AUSTRAC did not allege that Airwallex had knowingly facilitated criminal activity. Instead, it raised a more fundamental issue about the adequacy of the company’s compliance systems, noting that: “As a global payment platform that facilitates the transfer of funds to multiple jurisdictions, AUSTRAC is concerned that Airwallex’s transaction monitoring program has not been attuned to the full range of risks it faces and that the company hasn’t demonstrated an acceptable understanding of who its customers are and what reporting may be required.”

For compliance professionals, this distinction is critical. AUSTRAC does not compel audits lightly. The power is typically used where the regulator believes potential non-compliance may be systemic, not incidental.

Why the risk matters at scale

Airwallex has grown rapidly. Founded in Melbourne in 2015, it now operates as a global payments platform facilitating cross-border transfers and foreign exchange transactions for businesses. It has reported strong revenue growth, significant transaction volumes and, until recently, was widely expected to pursue an IPO in 2026.

That growth places Airwallex squarely within a category AUSTRAC considers high-risk: global payment platforms moving funds across multiple jurisdictions at speed.

Scale creates complexity, and complexity introduces friction. Different regulatory regimes, onboarding expectations and commercial pressures can make consistent application of AML controls difficult across markets. Even where policy is centralised, execution often is not.

That risk is not theoretical. Earlier reporting raised questions about Airwallex’s approach to AML obligations in Hong Kong, following internal discussions about whether identification requirements for significant shareholders could be relaxed in that jurisdiction. Airwallex has said those messages were taken out of context and that it complies with all applicable AML laws in every country where it operates, including collecting identification for all ultimate beneficial owners.

For AML professionals, the relevance lies not in the outcome of those discussions, but in what they illustrate. Criminal networks do not need every jurisdiction to be weak. They need one inconsistency, one lighter-touch route, one place where controls behave differently.

What the audit will examine

The audit AUSTRAC has ordered is extensive and time-bound. It covers a two-year period, from January 2024 to January 2026, and is designed to answer a practical question: if illicit activity moved through the platform during that time, would the system have had a realistic chance of seeing it?

To do that, the appointed auditor has been asked to examine:

  • Whether transaction monitoring settings were appropriate for the risks posed by Airwallex’s products and customer base
  • How alerts were reviewed, escalated and resolved
  • Whether suspicious matter reports were generated proactively or only after external prompts
  • How customer identification and verification were conducted, including for higher-risk customers
  • How duplicate or linked accounts were identified and managed
  • Whether governance, resourcing and oversight arrangements were effective

AUSTRAC has given Airwallex 180 days from the engagement of the auditor to deliver the audit report, underscoring that this is an operational test, not a documentation review.

Why AUSTRAC reached for its sharpest tool

AUSTRAC’s decision to order an external audit, rather than immediately pursue civil penalties, reflects a deliberate enforcement strategy.

An audit under section 162 allows the regulator to test controls in motion. It provides independent insight into real transactions, real alerts and real decisions, rather than relying on internal assurances or retrospective explanations.

This approach is used when the regulator is concerned about effectiveness rather than intent, about whether systems reduce harm in practice, not just whether they comply on paper.

It also aligns with AUSTRAC’s broader posture as scrutiny expands and expectations harden. In recent years, the regulator has taken action across banks, global payment providers and buy-now-pay-later firms where systemic weaknesses were identified, particularly where rapid growth, complex products or technology-led models outpaced control frameworks. 

That posture is now extending into the Tranche 2 landscape. As AML/CTF obligations expand to professional service firms, AUSTRAC has been explicit that the standard applied to newly regulated entities will not be lower just because the obligations are new. At the same time, scrutiny across Tranche 1 firms, including payment providers, is intensifying rather than easing. The message is consistent: compliance maturity is judged by outcomes, not tenure in the regime.

AUSTRAC has also been clear that effective AML controls start at the top. Active oversight, sufficient resourcing and clear accountability are non-negotiable. AML, it has repeatedly stated, is not a back-office function to be delegated and forgotten, but a core operational discipline that must function under pressure.  

What this means for compliance teams

The Airwallex audit is not a finding of guilt. It is a test of effectiveness.

It highlights the risks that arise when payment systems are designed for speed, scale, and convenience, but controls struggle to keep pace. It underscores the importance of monitoring that reflects real-world typologies, customer identification that prevents fragmentation, and reporting frameworks that surface suspicion internally rather than reactively.

Most importantly, it is a reminder that financial crime does not require spectacular failure. It relies on ordinary systems working just well enough that illicit activity can hide in plain sight.

When that happens, the consequences are not limited to regulatory action or delayed IPOs. They are measured in real harm, enabled not by the absence of rules, but by controls that never quite see what is moving through them.

For AUSTRAC, the Airwallex audit is also a signal moment. It creates a narrow window for reporting entities to take stock. For Tranche 2 firms, it is an opportunity to build effective controls from the outset, before poor design hardens into practice. For Tranche 1 entities, many of whom have already benefited from extended timelines, it is a reminder that patience is not indefinite. 

The direction of travel is clear. As scrutiny intensifies, AUSTRAC is unlikely to be as forgiving of systems that look compliant on paper but fail under real-world conditions. The next test may not come with an audit first.


About First AML

First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face these days as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
