AUSTRAC has cancelled an Enforceable Undertaking (EU) from PayPal Australia Pty Ltd (PayPal) after PayPal completed a two-year remediation plan to improve its systems and controls relating to international funds transfer instructions (IFTIs).
In 2020 AUSTRAC ordered an external audit of PayPal's AML/CTF program, after it identified significant concerns that PayPal's systems, controls and governance were not appropriate for the size and complexity of PayPal's business and the money laundering risks to which it was exposed.
Following the external audit, AUSTRAC accepted an EU from PayPal in March 2023 which sought to rectify compliance issues in the reporting of IFTIs that deprived our partners of timely financial intelligence.
In May 2025, PayPal advised AUSTRAC it had completed the remediation work required under the EU, and had carried out additional work on its controls outside of the EU, which were recommended following an external audit. Both the external auditor and AUSTRAC have agreed that PayPal has improved its practices in line with the requirements of the EU.
AUSTRAC CEO Brendan Thomas said PayPal completed the steps required and has put itself in a better position to effectively manage its risks.
"Any business, large or small, can work hard to turn things around, but it's better not to let issues emerge in the first place. When you slip up, it means a win for the criminals," he said.
"EUs are one of the tools AUSTRAC has to ensure we are satisfied a business has devoted the necessary time and resources to combat criminal misuse of their systems.
"The buck doesn't stop with the successful closure of an EU. Compliance is an ongoing process and so is risk awareness."
Payment platforms, like PayPal, were one of the key industries flagged for increased regulatory activity in AUSTRAC's 2024 Regulatory Priorities, due to the sector's rapid growth, intelligence concerns, money laundering risks and concerns about the variation in compliance levels between businesses.
All businesses regulated under the AML/CTF Act, including those who will come under the regime as part of upcoming reforms, must ensure they fully understand the ML/TF risks they are exposed to, and have appropriate controls in place to manage and mitigate these risks.
"The key principles for AUSTRAC reporting entities are to understand, mitigate and manage the risks of money laundering and terrorism financing: it is your responsibility to prevent criminals from exploiting your business.
"If, like PayPal, your systems and controls do not match the size and complexity of your business, and the risks you face, your business will be exposed to unmitigated risks. Simply put, you may be inadvertently moving the proceeds of crime for criminals.
"Then we will take action."