From the journal

AUSTRAC Launches VASP Supervisory Campaigns as AML/CTF Reforms Take Effect, 2026

The Australian Transaction Reports and Analysis Centre has launched two targeted supervisory campaigns into the virtual assets sector as Australia's revised anti-money laundering and counter-terrorism financing legislation reshapes obligations for virtual asset service providers. Obligations for most newly classified VASPs took effect from 31 March 2026, with travel rule requirements commencing 1 July 2026. New VASPs must register with AUSTRAC by 29 July 2026.

3 min read

The Australian Transaction Reports and Analysis Centre has launched two targeted supervisory campaigns into the virtual assets sector, timed to coincide with the commencement of expanded obligations for virtual asset service providers under Australia's revised anti-money laundering legislation. Obligations for most newly classified virtual asset designated services took effect from 31 March 2026. Travel rule requirements and obligations for a further class of virtual asset service providers commence on 1 July 2026. New VASPs must register with AUSTRAC by 29 July 2026.

The expanded obligations arise under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), as amended by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024. Under the amended Act, providers of virtual asset designated services must enrol and register with AUSTRAC, implement an AML/CTF program, conduct customer identification and verification, and report suspicious matters and threshold transaction reports. Australia's new regime adopts the Financial Action Task Force VASP definition, expanding the regulated population beyond the former definition of digital currency exchange businesses. Travel rule requirements appear in Division 6B of the AML/CTF Rules Instrument 2007, with commencement deferred to 1 July 2026.

Cryptocurrency exchanges, custodians, brokers, peer-to-peer platforms, and other virtual asset businesses with a geographical link to Australia must assess whether their services fall within the new VASP definition. Offshore platforms serving Australian customers may be caught where they have a requisite connection to Australia under the Act's geographical scope provisions. Existing digital currency exchange registrants are treated as registered VASPs under transitional provisions in the 2024 amending Act, but must update their AML/CTF programs to reflect the expanded obligations. Operating without registration after 29 July 2026 exposes entities to AUSTRAC enforcement action.

Existing DCE registrants benefit from a deemed registration transitional provision and are not required to re-register by the 29 July 2026 deadline. Some newly classified service types have obligations commencing 1 July 2026 rather than 31 March 2026, where the service fell outside the initial commencement class under the Act. AUSTRAC's registration action register, which lists cancelled and refused registrations, is relevant for counterparty due diligence assessments.

Licentium advises crypto exchanges, custodians, and fintech businesses on AUSTRAC registration, AML/CTF program design, and cross-border compliance for virtual asset service providers. Our partner network includes Australian AML specialists experienced in AUSTRAC supervisory processes and travel rule implementation. Work we undertake includes: VASP AML/CTF program documentation, AUSTRAC registration and re-registration, travel rule compliance design, AUSTRAC supervisory response, and cross-border AML regulatory mapping.

Source: AUSTRAC, AUSTRAC Steps Up Supervision of Virtual Assets Sector as Reforms Take Effect, 2026

Crypto Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.