Gambling regulation in Australia
1) The big picture
Australia combines a federal framework with state-territorial oversight.
The federation has rules on interactive (online) services, communications and consumer protection.
States/territories issue most licenses, collect taxes, and control land-based casinos and "pokies" (slot machines) in pubs/clubs (with certain exceptions).
Basic principle of the online sector: online bookmaking and lotteries are allowed; online casinos/poker for Australian residents are prohibited. Offshore sites are blocked/suppressed.
2) Federal framework: what sits "on top"
2.1 Interactive Gambling Act (IGA)
The IGA restricts the provision of "interactive" casino services to Australian consumers and sets out the foundations for clamping down on offshore operators (including blocking and notices). Online bookmaking is allowed under state/territory licenses, but there are a number of specific restrictions (for example, on in-play online betting).
2.2 ACMA
The Australian Communications and Media Authority oversees IGA compliance and advertising/communications, and coordinates blocking/suppression of illegal sites.
2.3 National Consumer Protection in Online Betting
There is a nationwide framework of measures for online bookmaking: mandatory risk notifications, activity statements, limits/self-exclusion, standards for transparency of offers, etc.
2.4 AML/CTF (AUSTRAC)
Online bookmakers, casinos and other providers fall under the AML/CTF regime: KYC/eKYC, transaction monitoring, suspicious/large transaction reporting, training and internal audit.
2.5 Privacy and incidents
The federal Privacy Act and data breach notification scheme set out responsibilities for PII protection, notification deadlines, and risk management.
3) States/territories: who is responsible for what
Below is a guide to the regulators and their focus areas (without exhaustive details):
4) What is allowed/prohibited online
Allowed: betting on sports/horse racing, fantasy sports, etc. under licenses (often from the NT Racing Commission); lotteries/syndicates within the relevant permits.
Restrictions: prohibition of online in-play bets (exceptions and details: via telephone/retail outlets, depending on the rules); strict requirements for advertising and offers.
Prohibited: online casinos, poker and similar "interactive" games for Australian residents.
Offshore: offshore sites targeting Australians without local authorization are subject to suppression (including blocking).
5) Responsible Gambling (RG)
National self-exclusion: a nationwide self-exclusion register for online betting; operators are required to check players' status against it online.
Player tools: deposit/loss limits, timeouts/cooling-off periods, reality checks, activity history.
Behavioral control: early signs of problem play, intervention matrix (soft/hard), log of contacts and outcomes.
Support/communication: prohibition of misleading language; special protection for minors and vulnerable groups.
6) Advertising and affiliates
Restrictions on channels/time (including around sports broadcasts), targeting and creative content.
Transparent promo T&Cs; a ban on "promises of easy winnings."
Affiliates: contractual responsibility for RG/AML/data, whitelisting of sites, audit of materials, stop procedures and traffic traceability.
Influencers/streams: labeling, audience and content requirements.
7) Payments and the "way to the wallet"
Methods: cards (with restrictions), bank transfers, local A2A rails, e-wallets - according to the rules of providers and regulators.
Compliance practices: idempotency, HMAC-signed webhooks, DLQ/event replay, Time-to-Wallet monitoring, refund/chargeback control.
Credit instruments/responsible payment: prohibitions/restrictions on the use of credit products for online betting; strict control of affordability and velocity.
Sanctions/PEP and AML triggers: filters on incoming/outgoing flows, manual case checks.
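The payment-webhook practices listed above (HMAC-signed webhooks, idempotency, DLQ/event replay) combined in one receiver, as an added example that is not part of the original article. The signing scheme (HMAC-SHA256 over `timestamp.body`), the 300-second window, the event fields and all names are assumptions, not any PSP's real API.

```python
import hashlib
import hmac
import json

TOLERANCE_S = 300  # assumption: accepted clock skew / replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over b"<timestamp>.<body>" (assumed scheme), hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes, apply_event):
        self.secret = secret
        self.apply_event = apply_event  # business handler, e.g. credit a wallet
        self.seen = set()               # processed event ids (a unique DB key in production)
        self.dlq = []                   # dead-letter queue: (raw body, failure reason)

    def handle(self, body: bytes, timestamp: int, signature: str, now: int) -> str:
        # Authenticate the raw bytes before parsing; constant-time comparison.
        expected = sign(self.secret, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected:bad_signature"
        # The timestamp is covered by the MAC, so a captured message cannot be re-dated.
        if abs(now - timestamp) > TOLERANCE_S:
            return "rejected:stale"
        return self._process(body)

    def _process(self, body: bytes) -> str:
        try:
            event = json.loads(body)
            event_id = str(event["id"])
            if event_id in self.seen:
                return "duplicate"      # PSP retry: acknowledge, do not apply twice
            self.apply_event(event)
        except Exception as exc:        # authentic but unprocessable: park for replay
            self.dlq.append((body, repr(exc)))
            return "dead_lettered"
        self.seen.add(event_id)
        return "processed"

    def replay_dlq(self) -> int:
        """Re-run parked events after a fix; returns how many were processed."""
        parked, self.dlq = self.dlq, []
        return sum(self._process(body) == "processed" for body, _ in parked)
```

An event id is recorded only after the handler succeeds, so a failed event can be replayed from the DLQ without being mistaken for a duplicate.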
8) Taxes and fees (high-level)
POCT (Point-of-Consumption Tax): the rate is set by the state/territory and applied to online bookmakers according to the player's location.
GST and other fees: depend on business model and jurisdiction.
Offline sector: there is a set of specific duties/licenses/fees for each state.
9) Licensing: how to get things right
9.1 Online bookmakers
Most often they obtain a license in the Northern Territory (NT Racing Commission), after which they operate throughout the country within the federal model, observing federal restrictions (IGA/ACMA), national consumer protection rules and state/territory requirements for advertising/RG.
9.2 Offline casinos and "pokies"
This is entirely a state/territory domain: separate licenses for casinos, gaming halls and terminals, plus operating standards, limits and RG controls. A number of jurisdictions have unique restrictions (for example, strict cash rules, time/bet limits, and in WA the absence of "pokies" outside the casino).
10) Technical standards: SDLC/observability/security/DR
SDLC/releases: change control, staging pipelines, artifact signatures + SBOM, "no humans in prod," release/rollback log.
Observability: structured logs (without PAN/extra PII), metrics and traces (OTel), SLO/SLI (latency, error rate), synthetic checks of the "deposit/KYC/withdrawal" flow.
Security: segmentation, mTLS, WAF/bot management, SSO/MFA/PAM, SAST/SCA/DAST in CI/CD, regular penetration tests, critical/high findings closed without delay.
DR/BCP: regular restore tests that validate RTO/RPO, graceful-degradation scenarios.
Anti-abuse: bonus anti-fraud, device signals, velocity rules, behavioral scoring, complaint monitoring.
11) Readiness checklists
11.1 Definition of Ready
- License jurisdiction selected (e.g. NT Racing Commission) along with the target perimeter (nation/states).
- Key Persons appointed: MLRO/AMLO, DPO, RG-Lead, Heads (Compliance/Platform/SRE/Security/Payments); beneficiaries' documents collected.
- AML/RG/Advertising/Data/Incidents/DR policies approved; employees trained; execution logs kept.
- SDLC: signatures and SBOM, "no humans in prod," release log.
- Observability: SLO/SLI dashboards, "deposit/KYC/withdrawal" in synthetics, log retention.
- Security: pentests/scans with no overdue critical/high findings; remediation plan.
- Payments/KYC: contracts with providers, HMAC-signed webhooks, idempotency, DLQ.
- Advertising/affiliates: whitelisted channels and creatives, stop procedures, broadcast guides.
- Tax model: POCT by state/territory, reporting and reconciliations.
11.2 Definition of Done
- Regulatory/tax/AML reporting enabled; KPI owners are assigned.
- Stable PSP/KYC integrations; Time-to-Wallet and success-rate monitoring.
- RG tools are active; intervention/self-exclusion telemetry; register checks run online.
- DR/BCP: restore tests performed; RTO/RPO within targets; exercise reports drawn up.
- Advertising/affiliates: content audit, violation and action log, correct labeling.
12) RACI (example for online bookmaker)
13) Typical risks and mitigation
14) 90-180 Day Roadmap (example)
Month 1-2: selection of licensing jurisdiction (e.g. NT), gap analysis, launch of SDLC/Observability/Security remediations, setup of AML/AUSTRAC processes.
Month 2-3: assembly of the license application package, penetration tests/scans, DR reports, contracts with PSP/KYC/anti-fraud providers, design of an advertising model within the restrictions.
Month 3-4: submission/approval, dry-run demo (dashboards, logs, RG/AML/payments/advertising), finalization of POCT tax logic.
Month 4-6: Q&A/variations, onboarding of payments/content, enabling of reporting, KPI control (SLO/SLI, TtW, RG metrics).
Summary
Australia combines a federal ban on online casinos with permitted online bookmaking and lotteries under state/territory (often NT) licenses, backed by strong ACMA/AUSTRAC oversight and strict advertising, payment and RG rules. A successful strategy is built evidence-first: SDLC/observability/security/DR, RG telemetry, AML processes, compliant advertising and accurate POCT accounting. This approach opens up sustainable access to the payment ecosystem and partners of one of the most mature markets in the Asia-Pacific region.