Australia’s financial intelligence agency AUSTRAC has cancelled an Enforceable Undertaking with PayPal Australia after the company completed a two-year remediation plan to strengthen systems and controls for reporting international funds transfer instructions (IFTIs).
The move follows an external audit ordered by AUSTRAC in 2020 after it identified significant concerns that PayPal’s systems, controls and governance were not appropriate for the size and complexity of the business and the money-laundering risks it faced. In March 2023, AUSTRAC accepted an Enforceable Undertaking aimed at fixing IFTI reporting shortcomings that had deprived partner agencies of timely financial intelligence.
In May 2025, PayPal told AUSTRAC it had finished the remediation required under the undertaking and had also implemented additional control enhancements recommended by the auditor. Both the auditor and AUSTRAC agreed PayPal had improved its practices in line with the undertaking, leading to its cancellation.
AUSTRAC chief executive Brendan Thomas said PayPal had completed the steps required and had put itself in a better position to manage its risks. “Any business, large or small, can work hard to turn things around, but it’s better not to let issues emerge in the first place. When you slip up, it means a win for the criminals,” he said.
“EUs are one of the tools AUSTRAC has to ensure we are satisfied a business has devoted the necessary time and resources to combat criminal misuse of their systems.
“The buck doesn’t stop with the successful closure of an EU. Compliance is an ongoing process and so is risk awareness.
Payment platforms were singled out for increased regulatory activity in AUSTRAC’s 2024 regulatory priorities due to rapid growth, intelligence concerns, money-laundering risks and uneven compliance across the sector. AUSTRAC also reminded all businesses regulated under the Anti‑Money Laundering and Counter‑Terrorism Financing Act — including those set to be captured by forthcoming reforms — that they must understand their exposure to money-laundering and terrorism-financing risks and have appropriate controls in place.
“The key principles for AUSTRAC reporting entities are to understand, mitigate and manage the risks of money laundering and terrorism financing: it is your responsibility to prevent criminals from exploiting your business.
“If, like PayPal, your systems and controls do not match the size and complexity of your business, and the risks you face, your business will be exposed to unmitigated risks. Simply put, you may be inadvertently moving the proceeds of crime for a criminals.
“Then we will take action.”
