top of page
Search

AUSTRAC issues VASP guidance

  • Contributors
  • 13 hours ago
  • 5 min read
ree

The Australian Transation Reports and Analysis Centre (AUSTRAC) has commenced its education efforts in the run-up to implementation of Australia's enhanced virtual asset service provider (VASP) regime which is currently scheduled to enter into force from 31 March next year. The guidance follows:


  1. Substantial amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) passed last year which include a number of new designated services for virtual assets and new compliance obligations of general application and specific to virtual assets, including new obligations to comply with the travel rule and conduct due diligence on self-hosted wallets.

  2. Tabling of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (AML/CTF Rules) in September which represent a re-write of existing rules and provide important further details on how the reforms will function.


As an existing DCE or previously unregulated entity providing one or more of the newly regulated designated services, it is time to start planning for the new regime. We have previously written on some of the key questions to ask as we approach implementation of the new regime. From 31 March 2026, businesses providing certain designated services involving virtual assets with a geographical link to Australia will be subject to AML/CTF obligations. Transitional rules may extend this deadline, pending further guidance from the Department of Home Affairs.


In anticipation of these changes, AUSTRAC has released further guidance of how it will interpret and apply key aspects of the changes. While for the most part the guidance reflects the Act and its explanatory memorandum, the guidance is written in an accessible format and provides additional colour in some areas.


  1. What is a virtual asset?


The terms ‘virtual asset’ and ‘virtual asset service provider’ (VASP) replace ‘digital currency’ and ‘digital currency exchange provider’ and cover a wider range of digital representations of value and related services.


Specifically, a virtual asset is a digital representation of value that:

  • can be transferred, stored, or traded electronically; and

  • is not issued by a government body.


Examples include:

  • cryptocurrencies (e.g. Bitcoin or Ether);

  • stablecoins (e.g. USDC or AUDD);

  • certain NFTs that function as a store of economic value, unit of account or medium of exchange (e.g. gold-pegged NFTs); and

  • utility or governance tokens used in DAOs.


Exclusions from the definition include:

  • fiat currencies and Central Bank Digital Currencies (defined as money for the purposes of the AML/CTF Act);

  • in-game currencies;

  • loyalty points

  • purely collectible NFTs; and

  • digital records of share ownership in a company.


  1. What are virtual asset designated services?


Under table 1 of section 6 of the amended AML/CTF Act, virtual asset designated services include:


  • Item 50A: Exchanging virtual assets for money (and vice versa) or making arrangements for this type of exchange;

  • Item 50B: Exchanging one virtual asset for another or making arrangements for this type of exchange;

  • Item 46A: Safekeeping virtual assets involving the control or management of private keys

  • Items 29-30: Transferring virtual assets on behalf of customers or making transferred virtual assets available to customers (Items 29–30); and

  • Item 50C: Financial services related to the offer or sale of virtual assets (Item 50C).


These amendments introduce the concept of ‘making arrangements’ for the exchange of virtual assets, meaning that a VASP does not need to execute every element of the exchange (under items 50A and 50B) to be captured. Captured activities may include acting as a principal, a central counterparty for clearing or settling transactions, an executing facility, or another intermediary facilitating the transaction where such services are provided by a VASP.


Safekeeping services include controlling or managing virtual assets or private keys, including having the ability to hold, trade, transfer or spend the virtual asset according to the owner’s instructions


Notwithstanding the additional guidance provided by AUSTRAC, there are likely to be important nuances in how these definitions apply in the context of virtual assets, particularly decentralised finance and software developers. As significant and continuing penalties may apply for failing to register where required, businesses are encouraged to seek legal advice and additional guidance where required.


Businesses must complete initial customer due diligence (KYC) before providing any designated service. Separate obligations also apply to transfers of value involving virtual assets.


  1. The meaning of ‘carrying on a business as a VASP’


An entity is only classified as a designated service if the service is provided:

  • in the course of carrying on a business as a VASP (items 46A, 50A and 50B);

  • in the capacity of an ordering institution or a beneficiary institution (items 29 and 30); or

  • in the course of carrying on a business participating in the sale or offer (generally) (item 50C).


In the latter case, services related to the offer or sale of virtual assets are regulated if provided by any business, even as a non-core activity, and the business need not be a VASP to be captured. A service is considered provided in the course of business if it furthers a commercial venture, even if offered for free or only once.


For example:

  • A lawyer storing a client’s virtual asset cold wallet is not a VASP unless they regularly provide such services.

  • A peer-to-peer platform operator enabling virtual asset exchange is likely to be considered a VASP.


AUSTRAC clarifies that the regulation does not intend to capture ancillary infrastructure, such as:

  • Cloud storage operators where such services are provided by an entity not carrying on a VASP;

  • Persons who solely provide a software application (such as a developer of self-hosted wallet software) but does not engage in safekeeping or administration of the virtual assets; and

  • Incidental financial services such as a bank processing payment for their customers to purchase virtual assets, if the bank is not otherwise involved in the offer or sale.


In addition, AUSTRAC has issued general guidance on the travel rule including specific guidance for the virtual asset sector.


  1. Indicators of suspicious activity for the cryptocurrency sector


AUSTRAC has outlined a comprehensive set of behavioural and transactional indicators to help crypto-asset businesses identify potential money laundering, terrorism financing, scams and other financial crimes.


With respect to crypto ATMs, these indicators include:

  • customers appearing confused or coached during transactions;

  • using flagged wallet addresses;

  • making multiple small payments or large transfers to high-risk jurisdictions; and

  • transacting at unusual hours or on machines without security cameras.


Older Australians are highlighted as especially vulnerable, and noted to be frequently targeted by scams involving crypto ATMs.


The guidance also covers indicators for cybercrime, scams and tax evasion, including examples of using of privacy coins inconsistent with a customer profile, rapidly converting with no economic rationale and having links to darknet marketplaces.


These changes are set to come into force on 31 March 2026 for current reporting entities and VASPs, excluding threshold transaction and suspicious matter reporting which will remain the same until 2029. With just five month to go until the reforms are set to take effect, and additional changes affecting all reporting entities, the sector is likely to face a busy few months as the industry navigates the transition from DCE to VASP.


Written by Steven Pettigrove and Tahlia Kelly

© Michael Bacina and Steven Pettigrove. All rights reserved

  • White LinkedIn Icon
bottom of page