Navigating customer exits: are new AML/CTF reporting entities required to ‘debank’ clients?
Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) laws are rapidly evolving, and many businesses are now navigating new obligations. Our experts explore what these changes mean for reporting entities and their clients, focusing on the growing reality of ‘debanking’ in the Australian context.
Essential takeaways
- Reporting entities (such as banks, lawyers and accountants) are not expected to police their clients. They do, however, need to understand their customers well enough to identify red flags, conduct additional due diligence, and either implement controls to manage increased risk or exit the relationship if it cannot be responsibly maintained.
- This does not mean every higher-risk customer has to be exited. Relationships can be maintained where concerns are addressed and appropriate controls are in place.
- Customers can reduce their chances of being ‘debanked’ by keeping good records, implementing basic controls to manage their own higher-risk activities, and being transparent when their bank or adviser asks questions.
- Reporting entities should review and update client engagement terms to ensure they are protected if a relationship needs to be exited at short notice.
Recent decision
The Supreme Court of Victoria’s decision in Sun Capital Investments Pty Ltd v Westpac [2026] VSC 216 provides a timely and practical insight into how reporting entities manage financial crime risk, just as tens of thousands of businesses are about to enter the AML/CTF regime.
In Sun Capital, the court considered whether Westpac had lawfully attempted to close a customer’s bank accounts based on perceived ML/TF risk, despite no actual incident occurring.
The practice, known as ‘debanking’, is growing in prevalence in Australia, as banks and other reporting entities face increasing scrutiny from AUSTRAC and awareness grows about non-financial risks posed by money-laundering and other criminal conduct.
In short, Sun Capital confirms a simple reality: under Australia’s AML/CTF regime, businesses are increasingly expected to choose their customers carefully.
What is debanking?
Debanking occurs when a reporting entity withdraws or refuses to provide services to an existing customer, typically by closing accounts or terminating the relationship altogether. It commonly arises where a customer presents heightened regulatory, compliance, reputational or financial crime risk, even in the absence of proven wrongdoing.
Debanking has become a significant problem for businesses operating in sectors with greater exposure to financial crime risk, including virtual assets and cryptocurrency, gold and precious goods, and cash-intensive businesses. This reflects the increasingly risk-based approach banks have adopted to their obligations under the AML/CTF Act.
As illustrated in Sun Capital, debanking often follows a familiar pattern:
- the reporting entity identifies customer red flags, such as suspicious transactions, adverse media reporting, exposure to political bodies, or links to high-risk products or jurisdictions;
- the customer is asked to provide further information about their business;
- the reporting entity conducts enhanced customer due diligence (ECDD) using third party resources and information gathered from the customer; and
- the reporting entity either (1) puts in place enhanced controls and monitoring, or (2) closes the customer’s accounts and exits the relationship.
The key lesson from Sun Capital is that reporting entities should ensure their engagement terms preserve the ability to exit a client relationship with minimal legal and operational risk. They should also have processes for closing accounts, handing over files and returning client assets where a customer falls outside their risk appetite.
Importantly, despite the name, this is not confined to banks. The gaming sector has increasingly exited high-value customers where exposure to, or actual, financial crime risk has emerged[1]. As new reporting entities are caught by the AML/CTF Act, businesses such as lawyers and accountants will now have to start considering whether they too need to ‘debank’ their clients, or if their risk can be safely managed.
Who do I have to debank, and when?
All reporting entities must monitor the risk of their customers and put in place appropriate controls or exit relationships that fall outside risk appetite. In Sun Capital, it was made clear that Australian banks are not required to wait for proven financial crime before deciding to end a relationship. Once a customer is outside a reporting entity’s risk appetite, the reporting entity can defensibly exit the relationship.
This does not mean that all customers who present risk factors must be exited. This approach is consistent with international regulatory expectations. For example, the New York State Department of Financial Services has emphasised, in its enforcement action against Deutsche Bank over failures to manage the high-risk accounts associated with disgraced financier and convicted sex offender Jeffrey Epstein:
If a financial institution decides to do business with a high-risk client, that institution is required to conduct due diligence commensurate with that risk and to tailor its transaction monitoring to detect suspicious or unlawful activity based on what the risk is[2].
In that case, Deutsche Bank obviously failed in its risk management. However, the broader point remains: where a reporting entity has effective controls, monitoring, and governance in place, it may be entirely appropriate to retain higher-risk customer relationships.
What if a reporting entity is considering debanking my business?
For customers, debanking rarely comes out of the blue. It is often preceded by a period of increased scrutiny, including more frequent information requests and tighter controls.
If you suspect your business might be about to be debanked, consider the following:
- Get support: seek professional assistance to respond to information requests, prepare financial records, and present your business clearly and accurately.
- Be transparent: failing to engage will not assist, as seen in Sun Capital. It is generally better to address concerns directly and work with the reporting entity to identify whether adjustments can be made to manage the risk.
- Prepare for the worst: in some cases, the decision to exit may be unavoidable, particularly where engagement terms allow for broad termination rights. In those circumstances, focus on understanding the underlying concerns, addressing any weaknesses in your business, and identifying alternative commercial partners.
What does this look like in practice?
Example 1 - Assisting in a transaction
An accounting firm is engaged to assist in the sale of a licensed regional hotel which operates a restaurant, sports bar and gaming room. The hotel is a legitimate, cash-intensive business and a long-term client of the firm.
In reviewing the hotel’s books, the accountant identifies multiple large cash deposits, with variations in volume and frequency over time.
If this activity falls outside the firm’s risk appetite, it could choose to end the retainer. Instead, the accountant seeks an explanation from the operator and is told that:
- deposits are higher on Mondays, reflecting weekend takings being banked while bank branches are closed; and
- deposits increase during summer months due to seasonal tourism.
The accountant tests these explanations against the books and implements monitoring to ensure future activity aligns with this pattern. On that basis, the firm updates its risk assessment and continues to act.
Example 2 - Setting up a new business
A commercial law firm is engaged by a bank from the Philippines seeking to establish a presence in Australia for its Australian-based customers. While the bank obtains local regulatory approvals, the firm provides registered office services, and a partner acts as an Australian-based director.
The firm observes multiple cross-border transactions from the Philippines to Australia. Given its understanding of the client’s business model, it assigns a risk rating, implements monitoring, and continues to act.
Media reports subsequently emerge alleging drug traffickers in the Philippines have used corrupt bank staff to deposit proceeds of crime into accounts at the bank. The law firm is unable to determine whether any such funds have been transferred to Australia.
The firm considers whether the risk can be managed through additional controls, including restricting international transfers and reporting suspicious matters to AUSTRAC. However, it ultimately concludes that these risks cannot be appropriately mitigated and continued involvement would expose the firm to unacceptable legal and reputational risk.
On that basis, the firm terminates its retainer and ceases to act.
What you should do next
If you are becoming a new AML/CTF reporting entity or the sector you are involved in is experiencing increased debanking, you should stress-test your customer onboarding, due diligence and exit process.
Our specialist AML/CTF team can help tailor your AML/CTF program or debanking response strategy. For general information about Australia’s new AML/CTF regime please visit our AML/CTF online guide.
This article was prepared with the assistance of Nikki Young, Law Graduate.
Contact
