Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
Contents
In June 2025, AUSTRAC issued $75,120 in infringement notices to Cointree Pty Ltd, a digital currency exchange provider, for allegedly failing to submit Suspicious Matter Reports (SMRs) within the statutory timeframes prescribed under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). While Cointree voluntarily disclosed the breaches and engaged cooperatively with the regulator, the enforcement action underscores a critical point: timely compliance is a legal obligation, and even proactive remediation does not shield entities from penalties.
Though this matter arose in the digital currency space, the regulatory implications extend far beyond financial services. For legal and compliance professionals across sectors - particularly in organisations operating under complex or evolving statutory frameworks - this case raises urgent questions: Are your internal systems capable of identifying, escalating, and reporting incidents within mandatory timeframes? Are your governance arrangements adequate to mitigate non-compliance risk?
The Cost of Delayed Reporting: What Went Wrong at Cointree
Cointree’s penalty stemmed from its failure to submit SMRs on time, as required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Under this law, businesses must:
- Submit SMRs within 3 business days for suspected money laundering
- Submit SMRs within 24 hours for suspected terrorism financing
These timelines are not advisory - they are legally enforceable duties under the AML/CTF Act. SMRs serve as a primary intelligence source for AUSTRAC and law enforcement agencies. Delays, even if inadvertent, impair enforcement capabilities and raise concerns about systemic compliance deficiencies.
AUSTRAC CEO Brendan Thomas stated that such reports form the “backbone” of their intelligence function and must be submitted without delay to be actionable. Notably, AUSTRAC acknowledged Cointree’s cooperation, but the regulator’s position was clear: voluntary disclosure is not a substitute for compliance.
Why This Matters Beyond Financial Services
Regulatory obligations don’t just affect banks and crypto platforms. Many industries are increasingly subject to sector-specific reporting and compliance rules - from notifiable data breaches in tech to incident reporting in health and critical infrastructure. In each case, time-bound compliance is becoming the norm.
Whether it’s reporting suspicious transactions, privacy breaches, safety incidents, or supply chain disruptions, the theme is consistent:
- Obligations have strict timeframes
- Failures are often visible in hindsight
- Voluntary disclosure may reduce penalties - but doesn’t remove them
What Makes Timely Compliance So Challenging?
Many businesses fall short not because of intent, but because their systems aren’t designed for operational compliance. Common issues include:
- Manual reporting processes prone to human error or delay
- Ambiguity around who owns the reporting obligation
- Lack of training or awareness among frontline teams
- Over-reliance on external compliance providers without internal escalation pathways
In rapidly growing or complex businesses, these gaps compound over time. As AUSTRAC noted in its 2024 National Risk Assessment, the speed, pseudonymity, and global reach of modern business models (especially in digital sectors) make timely compliance both harder and more critical.
Warning Signs Your Reporting Systems May Be at Risk
If you're unsure whether your business could meet a regulatory reporting deadline tomorrow, here are five warning signs to watch for:
- Your compliance program exists primarily on paper, not in workflows
- There's no single owner for incident escalation or regulatory reporting
- Frontline staff don't know what qualifies as a reportable matter
- Reporting relies on a single person or manual review
- You’ve never tested or audited your reporting timeframes
Even one of these can put your business at risk of non-compliance.
How to Build a Culture of Operational Compliance
To move from "policy" to "practice," businesses need to embed compliance into their operations. That means:
- Mapping obligations clearly across business units
- Establishing internal triggers and alerts for reportable events
- Training staff to recognise and escalate concerns
- Automating wherever possible to reduce delay and error
- Auditing and stress-testing systems periodically to confirm effectiveness
AUSTRAC's action against Cointree sends a clear signal: businesses must build the capability to comply before an incident occurs.
What Role Can Sprintlaw Play?
At Sprintlaw, we don’t advise on financial services, but we do support businesses dealing with obligations under:
- Privacy laws (including NDB schemes)
- Workplace health and safety regulations
- Environmental and supply chain reporting
- Sector-specific incident notification rules
In each case, the goal is the same: to build strong, proactive compliance systems that protect the business and demonstrate good governance.
Final Thoughts
AUSTRAC’s enforcement action against Cointree may seem specific to the digital currency sector, but the message resonates far more widely. Regulators across sectors are taking timeliness and operational readiness seriously. If your business is not structured to detect, escalate, and report in line with legal timeframes, you could be vulnerable.
Now is a good time to assess whether your compliance systems are up to the task.
Need support reviewing your regulatory obligations or internal reporting systems? We’d be happy to assist.
Key Takeaways
- AUSTRAC fined Cointree for failing to submit SMRs on time, despite voluntary disclosure.
- Timely reporting is critical across all regulated industries - not just financial services.
- Delayed compliance, even if unintentional, can result in substantial penalties.
- Operational compliance depends on real-time systems, clear ownership, and staff training.
- Manual or siloed reporting processes significantly increase compliance risk.
- A proactive approach - testing, automating, and training - minimises the chance of breach.
- Legal advisors can help design practical compliance systems that meet regulatory expectations.
If you would like a consultation on your regulatory obligations, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
Sapna Goundancontent writer
