Are you VASP-ready? Understanding your new AML/CTF obligations

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (the Act) passed on 29 November 2024, will usher in a major overhaul of AML/CTF laws for digital currency exchanges in Australia. We break down the major changes below and the questions every provider should be asking.

1.     From DCE to VASP

A key feature of the reforms is a shift in terminology from ‘digital currency’ to ‘virtual assets’, bringing Australia in line with the international standards set by the Financial Action Task Force (FATF). The new definition captures stablecoins, utility tokens, governance tokens and most NFTs, but excludes money, digital representations of value used exclusively within electronic gaming environments and customer loyalty or reward points. Digital currency exchanges are also getting a rebrand as Virtual Asset Service Providers (VASPs).

2.     New Designated Services

In alignment with FATF Recommendation 15, the Act introduces five new categories of designated services involving virtual assets. VASPs will now be regulated if they engage in any of the following activities:

1. exchanges between virtual assets and fiat currencies;

2. exchanges between different forms of virtual assets;

3. transfers of virtual assets on behalf of a customer;

4. safekeeping of virtual assets; and

5. provision of designated services related to the offer or sale of virtual assets.

   
   

These new laws commence on 31 March 2026. While AUSTRAC is yet to release full details of the transition process, AUSTRAC expects that applicants will seek enrolment and registration prior to the deadline with some temporary relief likely to be offered to those with a pending application awaiting determination.

3.     Travel Rule Obligations

The amendments extend the “travel rule” to VASPs via new section 66A. Under this rule, VASPs must collect, verify and transmit identifying information about both the payer and payee in a virtual asset transfer. Ordering and beneficiary institutions must conduct counterparty due diligence to determine whether the recipient virtual asset wallet is custodial or self-hosted, and whether it is controlled by a regulated VASP, an unregulated VASP, an illegally operating VASP or is a self-hosted wallet.

There are limited exceptions under s 66A(9) and (10), which allow omission of this information if the Australian entity has reasonable grounds to believe the counterparty:

1. cannot securely comply with the travel rule; or

2. cannot safeguard the confidentiality of the data.

   
   

Travel rule compliance begins from 31 March 2026. Transitional arrangements are expected as AUSTRAC phase out IFTIs in favour of International Value Transfer Reports (IVTRs).

4.     Reporting Requirements for Unverified Self-Hosted Wallets

Additional due diligence and reporting obligations will apply to VASPs who facilitate transfers to unverified self-hosted wallets. These wallets are seen as higher risk from a money laundering/terrorism financing perspective. Where such a service is provided, the VASP must submit a report to AUSTRAC within 10 business days. Further guidance is expected from AUSTRAC in the coming months.

5.     Targeted Financial Sanctions

Although not specific to VASPs, the second exposure draft of the AML/CTF Rules introduces a new requirement for all reporting entities to develop and maintain AML/CTF policies that ensure compliance with targeted financial sanctions, including asset freezing, when providing designated services. The rules will also place increased onus on VASPs to target proliferation financing risks.

6.     New Reporting Details for SMRs and TTRs

There are new details on the required contents of suspicious matter (SMR) and threshold transaction (TTR) reports. Where the matter involves virtual assets, reports must now include:

1. the type of virtual assets, including details of the backing asset (if any);

2. the quantity of virtual asset units;

3. the value in AUD;

4. the applicable exchange rate in determining the value;

5. the unique transaction reference number, including a transaction hash; and

6. the wallet address, including destination tag or memo details.

   
   

AUSTRAC will be releasing new online forms for these SMRs and TTRs.

7.     Registration Details for VASPs

Under the new exposure draft AML/CTF Rules, VASPs will now face a more robust registration process by expanding the information AUSTRAC considers. AUSTRAC will maintain a public VASP Register and publish key registration details (whereas the existing DCE register is not currently made public).

The new registration process includes the following requirements, among others:

1. Identifying and assessing the money laundering, terrorism financing and proliferation financing risks associated with the VASP’s operations. This includes evaluating risks arising from customer types, countries of operation and the products and services offered, as well as outlining the process for reviewing and updating these risk assessments.

2. Outlining AML/CTF policies, including evidence of the knowledge, training and experience of key personnel in meeting AML/CTF obligations, and conducting due diligence on those individuals.

3. Providing additional registration details, such as the types of virtual assets offered, how services are delivered and how customer funds or virtual assets will be used in exchanges.

Are you reform-ready?

Given the above reforms, VASPs should actively assess their compliance posture by asking:

1. Do you currently provide a service that will become a newly regulated designated service?

2. Have you reviewed whether you need to register (or re-register) as a VASP with AUSTRAC and update your enrolment as a reporting entity?

3. Are you prepared to submit a robust application that explains how you manage ML/TF and proliferation financing risks across customers, products, jurisdictions, delivery channels and transaction types?

4. Have you updated your AML/CTF risk assessment (which will be a mandatory requirement) to include proliferation financing and targeted financial sanctions obligations?

5. Have you reviewed and upgraded your AML/CTF program and policies, including in relation to counterparty wallet due diligence and travel rule compliance?

6. Do you meet organisational requirements, including appointing a ‘fit and proper’ AML/CTF compliance officer?

7. Have you implemented appropriate staff training and due diligence?

8. Do you have the internal processes to meet the new SMR and TTR reporting obligations?

   
   

   The AML/CTF reforms include sweeping changes which touch both existing reporting entities and a range of new designated services. This article provides only a high level overview of key changes which specifically apply for VASPs. With final AML/CTF Rules yet to be finalised, and more consultations and guidance expected in the coming months, VASPs should also continue to actively monitor updates and developments from AUSTRAC.

   
   

   In the meantime, AUSTRAC has launched a dedicated webpage with helpful resources which can be found here: https://www.austrac.gov.au/about-us/amlctf-reform

By Steven Pettigrove, Luke Misthos and Emma Assaf