On 2 April 2026 AUSTRAC issued payment platform Mobile Handset Internet Technology Solutions — better known as MHITS Limited — a notice under s.162(2) of the AML/CTF Act directing it to appoint an external auditor. The auditor must report back to AUSTRAC within 180 days. MHITS pays the bill. AUSTRAC sets the scope. (AUSTRAC media release)
This is the third payment-sector audit notice AUSTRAC has issued in roughly twelve months — WorldRemit and Airwallex were the first two, with letters of concern issued to four other providers in the same campaign.
For Tranche 2 firms reading this from May 2026: the MHITS notice is your enforcement preview. The specific allegations are about a remitter, but the regulatory mechanism — the audit order, the scoping power, the language AUSTRAC uses to describe the failure — is exactly what will land on accountants, law firms and real estate agencies once obligations start on 1 July 2026.
What AUSTRAC Actually Found
The headline language from AUSTRAC CEO Brendan Thomas is short and worth quoting directly:
"Strong risk management and compliance systems and timely reporting of suspicious matters are essential to disrupting criminal activities."
Stripped of diplomatic register, the regulator's finding is that MHITS's transaction monitoring system was failing to identify, manage or report high-risk payments — including payments with characteristics consistent with child sexual exploitation material (CSEM) financing. The platform allegedly did not file SMRs, did not exit the customers, and did not adapt its monitoring rules to the full risk profile of cross-border, low-value payments.
The regulator's phrasing is the part to memorise:
"The transaction monitoring program is not attuned to the full range of risks the platform faces."
That sentence is the test. It is going to be reproduced, almost verbatim, in dozens of audit notices to Tranche 2 firms over the next 24 months.
Why "Not Attuned" Is the Phrase Tranche 2 Firms Must Understand
"Not attuned" is doing a lot of work. It is not a finding that the firm had no transaction monitoring. It is a finding that the monitoring didn't match the firm's actual risk profile. That distinction matters because it kills the most common Tranche 2 defence — "we have a system, we run reports, we have a template".
Here is what AUSTRAC will mean by "attuned" when they apply the same test to your accounting practice or law firm:
| Generic | Attuned |
|---|---|
| Threshold alerts at $10,000 cash | Thresholds calibrated to your clients' typical transaction sizes, with rationale documented |
| One transaction-monitoring rule applied firm-wide | Rules differentiated by service type (trust account work vs. tax returns vs. M&A advisory) |
| Annual rule review | Rules reviewed when typologies change or AUSTRAC publishes new sector indicators |
| "We use a template" | The template has been adapted, signed off, and references this firm's risk assessment |
If you read your existing program right now and the transaction monitoring chapter could be lifted, unchanged, into a competitor's program — that is the definition of "not attuned". It is unlikely to survive a s.162(2) review.
The Audit Order Is the New Penalty Posture
For most of AUSTRAC's history, public enforcement meant either a civil penalty proceeding (CBA, Westpac, Crown, SkyCity) or no public action at all. The audit notice is a middle path AUSTRAC has been quietly building out:
- Civil penalty = years of litigation, hundreds of millions in fines, but rare and expensive to run.
- Audit notice under s.162(2) = fast, asymmetric, the firm pays the cost, and the report itself becomes the foundation for any later civil penalty.
In a year, AUSTRAC has now used the s.162(2) audit power against three payment platforms. The same statutory power applies to every Tranche 2 reporting entity from 1 July 2026. (Penalty landscape explained)
If you're a 6-partner accounting firm, your most realistic "worst case" in 2027 is not a $1 billion Westpac-style penalty. It is a s.162(2) notice arriving in your inbox, naming a forensic auditor your firm has to pay for, and demanding 180 days of records.
That is the case to plan against.
What the MHITS Notice Tells You About AUSTRAC's Reading Habits
Three signals worth reading carefully:
1. AUSTRAC is reading SMR data quantitatively. The agency cited a 264% increase in CSEM-related suspicious matter reports across the payment sector since its supervisory campaign began. Translation: AUSTRAC is not waiting for a complaint. It is data-mining its own SMR feed and identifying entities whose reporting profile looks inconsistent with the sector trend. If everyone in your sector is reporting and you aren't, that's a signal.
2. AUSTRAC will use the absence of SMRs as evidence of failure. The MHITS notice rests partly on the regulator's view that the platform should have been filing SMRs and was not. The same logic applies to a law firm that runs a busy conveyancing practice and files zero SMRs in its first 12 months. (How to write a defensible SMR)
3. AUSTRAC does not need a court before it acts. Civil penalty proceedings (Mounties, the historical CBA/Westpac/Crown cases) require Federal Court action. Audit notices do not. They are administrative. The firm can challenge them but compliance is the default response. (How the Mounties civil case differs)
What an "Attuned" Transaction Monitoring Program Looks Like for a Tranche 2 Firm
If you're building Part D of your AML/CTF Program now, the MHITS standard tells you what AUSTRAC will look for. (Walkthrough of Parts A-F)
A defensible Part D — at minimum — answers these six questions:
- What transactions are we monitoring? Not "all of them". A specific, written list keyed to your designated services.
- What red flags trigger a review? Listed by service line, with examples. The relevant AUSTRAC typology document referenced. (Industry indicators)
- Who reviews a flag and on what timeline? A named role, not "the team". A maximum review window, not "as soon as practicable".
- How is the review documented? Template, fields, retention period.
- What is the escalation path? Compliance Officer, then board / partnership? Named.
- How and when do we update the rules? Calendar trigger (annual minimum) plus event triggers (AUSTRAC guidance updates, new typologies, regulator findings against peers — Mounties, MHITS, etc.).
If you cannot point a finger at the document and answer each of those six questions inside 60 seconds, your Part D is not "attuned" yet.
The Five-Minute MHITS Self-Test
Before your next partner meeting, run this against your draft AML/CTF Program:
- Does your transaction monitoring section reference your risk assessment by paragraph number? (If no — generic.)
- Has anyone in your firm reviewed the AUSTRAC indicators for your specific industry in the last 90 days? (Where AUSTRAC publishes typology updates)
- If a $250,000 trust account deposit lands tomorrow from a new corporate client incorporated in a low-transparency jurisdiction, what does your program say happens in the next 24 hours?
- If AUSTRAC issued you a s.162(2) notice today, who in your firm would respond — and would they need to call the consultant who drafted the program?
- How many SMRs have peers in your sector filed in the last 12 months? (You can estimate from AUSTRAC's annual report.)
A "no" or a shrug at any of those is a gap that the MHITS notice tells you AUSTRAC is now actively looking for.
What to Do This Month
The window between now and 1 July 2026 is the cheapest compliance work you will ever do. After 1 July it costs more — because by then the regulator's data is live, the SMR feed is being mined, and the audit power applies.
Three concrete actions:
- Rewrite your Part D in your own words. If it was drafted by a consultant from a template, replace every generic clause with one that references your services, clients and geographies. (Risk assessment template)
- Name a Compliance Officer who can actually answer a s.162(2) notice. Not your external provider. (Compliance Officer responsibilities)
- Run one practice SMR file on a hypothetical fact pattern from your real client book. Save the file. That document is the single best evidence that your program operates, not just exists. (SMR walkthrough)
The One-Sentence Summary
If Mounties is AUSTRAC's case study in why outsourced AML doesn't work, MHITS is the case study in what AUSTRAC will do about it:
AUSTRAC will not wait for a civil penalty proceeding. It will issue an audit notice, name your auditor, set the scope, send the bill to you, and use the report as the foundation for whatever comes next.
That tool exists right now. It applies to every Tranche 2 firm from 1 July 2026.
Run a free compliance check — two minutes, no signup, see whether your transaction monitoring would survive the same test AUSTRAC applied to MHITS. Or start a 14-day free trial and have an "attuned" Part D drafted against your actual client base in an afternoon.
Sources: AUSTRAC media release (2 April 2026); s.162(2) Notice to MHITS Limited (PDF); Fincrime Central analysis; GRC Report — pressure on payment platforms. The audit notice is an administrative action; no court determination has been made.