Entain BetStop Failures Push ACMA Into Action

Key Points

• More than 500 breaches surfaced after self-excluded users still managed to open or use betting accounts because identity matching and account linking systems failed.
• Regulators ordered an 18-month court-enforceable remediation programme instead of direct financial penalties, forcing compliance reviews and system upgrades.
• The case exposed wider weakness inside gambling compliance systems and raised concerns around how enforcement works across the industry.

What happens when a system built to stop gambling harm fails the people depending on it? Regulators uncovered exactly that problem. Customers who blocked themselves from betting still managed to gamble for months and, in one case, longer than a year. The fallout now forces one of the largest wagering operators into a major overhaul. Questions now centre on how safeguards designed to protect users collapsed so badly.

Hundreds of Breaches Expose System Failure

Investigators identified more than 500 breaches, and every case pointed toward the same breakdown. Customers who had already self-excluded still managed to open or continue using accounts. These incidents did not happen once or twice. The failures repeated because identity matching and account linking systems failed to operate correctly.

Instead of issuing direct financial penalties, regulators introduced an 18-month court-enforceable remediation programme. That decision changed the focus away from punishment and toward forcing repairs through reviews and compliance upgrades. The issue reaches beyond one operator. This case exposed wider weaknesses across gambling compliance systems and raised concerns around how dependable enforcement remains.

BetStop Failed to Deliver the Protection Expected

At the centre of the investigation sits BetStop, Australia’s national self-exclusion register. The purpose behind the system remains clear. Once users register, all licensed wagering providers must block access and close existing accounts immediately.

That process failed in practice.

Investigators discovered that self-excluded users still opened accounts and continued wagering activity. Some accounts remained active far beyond the timeframe required by law. One account stayed open for more than a year after the customer entered self-exclusion.

The figures reveal the scale of the issue. Regulators recorded more than 500 breaches, including four wagering accounts opened for users already registered through BetStop. Authorities also identified 59 separate days where wagering services reached self-excluded users. Three accounts stayed active over extended periods, which resulted in 449 breaches counted daily. This did not happen through one isolated error. The same pattern kept returning.

Identity Matching Became the Hidden Weakness

The investigation linked these failures to a deeper technical problem. Systems could not consistently identify and connect customer accounts across different platforms. Many affected users held multiple accounts across separate brands. Matching systems failed to recognise those accounts as belonging to the same person. Minor differences in names, email addresses, or other details became enough to bypass controls.

That weakness opened a direct loophole.

Users could self-exclude through one account and continue gambling through another account that stayed unlinked. One customer registered for self-exclusion during August 2023 and later opened two more accounts in May 2024 even after the system confirmed exclusion status. Another case followed the same pattern. One individual continued wagering for more than 10 months because only one linked account closed while another remained active. The conclusion becomes unavoidable. Self-exclusion protection depends entirely on identity accuracy. Without reliable matching systems, the safeguard stops functioning correctly.

Compliance Problems Extended into Marketing

The investigation reached beyond account management and uncovered marketing compliance failures as well. The operator sent 23 regulated promotional messages without mandatory BetStop information attached. At first glance, the issue may appear smaller than the account failures, though it exposed another weakness.

Compliance controls did not operate consistently across systems. When safeguards break unevenly, those gaps begin connecting together. A user who should not gamble may still receive promotional material that reinforces the same behaviour the system aimed to stop.

Regulators Chose Oversight Instead of Immediate Fines

Despite the number of breaches, regulators avoided direct financial penalties and introduced a court-enforceable undertaking lasting 18 months instead. The programme requires compliance reviews, governance oversight, reporting obligations, and implementation of every recommended improvement.

The operator already confirmed several corrective measures. These include a “single customer view” system designed to connect accounts across brands, hourly account checks, and updated promotional messaging carrying the required BetStop information.

The process remains active.

Failure to meet conditions under the undertaking may still result in court-ordered financial penalties later. Regulators will continue monitoring throughout the period.

Industry-Wide Patterns Continue Emerging

This case does not stand alone because other operators have already faced similar action. One operator reviewed marketing practices after sending hundreds of messages to self-excluded users. Another operator received fines after allowing wagering activity despite exclusions remaining active. Viewed together, these cases reveal a broader pattern across the sector. The problem appears connected less to unclear rules and more to failures in system implementation.

Expert Review: Regulatory Pressure Starts Changing the Industry

This development signals a wider change in regulatory strategy. Regulators now focus less on penalties alone and more on forcing structural correction inside gambling systems.

Operators now face immediate pressure because building accurate identity systems requires investment in verification technology, monitoring, and integrated data systems. Compliance no longer works as a simple checklist exercise. It now becomes part of system design itself.

Across the industry, expectations continue to change. Regulators now test how systems perform in real-world conditions rather than only checking whether written policies exist.

Opportunities also appear alongside the pressure. Operators investing early in unified identity systems and connected customer views may lower regulatory risk while strengthening trust. The balance inside the industry continues shifting.

Consumer protection frameworks and regulators gain credibility through visible enforcement. Vulnerable users may receive stronger protection if these repairs succeed. Operators still relying on fragmented systems now face rising costs and shrinking room for mistakes.

Looking ahead, regulators are expected to introduce tighter rules, stronger audit activity, and more pressure around real-time identity matching systems.