DCE → VASP: What Changes in Your AML/CTF Program on 1 July 2026 | VASP Australia 2026
It would be easy to read the DCE-to-VASP shift as a rebrand — same business, new acronym. It is not. From 1 July 2026, the substance of what a crypto business has to do changes, and the obligations land harder than the old digital-currency-exchange regime ever did. This is a plain-English explainer of what actually shifts. It is general information, not legal advice.
This is only the AUSTRAC side
Before we get into the detail: the AML/CTF changes below are significant, but they are only the AUSTRAC side of what is coming. The Digital Assets Framework Act 2026, which received Royal Assent in April 2026, will bring crypto exchanges and custodians under ASIC's financial services licensing regime from April 2027. VASPs will need to hold an AFSL — making them the only Tranche 2 sector facing dual regulatory obligations under both AUSTRAC and ASIC simultaneously.
The AML/CTF program you build now for AUSTRAC needs to be designed with AFSL obligations in mind. Governance structures, board reporting frameworks, risk management methodology, and compliance officer responsibilities should all be scoped from day one to serve both regulators — because rebuilding them in 2027 under time pressure is significantly more expensive than designing them right the first time. More on this in our separate article on the dual-regime future for Australian VASPs.
The program structure itself changed
The biggest under-the-hood change applies to every reporting entity, VASPs included: the old Part A / Part B program structure is gone. Your AML/CTF Program is now built from two parts — a ML/TF Risk Assessment and your AML/CTF Policies.
- The ML/TF Risk Assessment identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks your business faces — across your virtual asset services, your customers, your channels (including self-hosted wallets and cross-chain activity), and the jurisdictions you touch.
- Your AML/CTF Policies are the controls that flow from the risk assessment. A senior manager must approve both in writing before you provide designated services, and the program must be kept current as risks change.
For a crypto business this is more than a documentation exercise. Proliferation-financing risk, counterparty risk across decentralised protocols, and self-hosted-wallet risk are exactly the areas a generic, recycled program will not address. AUSTRAC can distinguish a tailored risk assessment from a template with a name change.
The Travel Rule arrives — the operational headline
The change with the most operational weight is the Travel Rule, which applies to virtual asset transfers from 1 July 2026 with no exemption for VASPs. In broad terms, when value moves you must:
- Collect and verify originator and beneficiary information before or at the time of the transfer.
- Transmit that information to the receiving VASP — it must travel with the transfer.
- Conduct due diligence on counterparty VASPs before transacting with them, including assessing whether they hold the required registrations and have adequate AML/CTF controls.
- Apply risk-based policies to transfers involving self-hosted (unhosted) wallets — these do not sit outside the framework.
This is the single largest operational change for most VASPs. Building Travel Rule capability requires vendor selection, technical integration, a counterparty-VASP due-diligence process, and staff training — none of which happens in a week. The businesses that waited until June to start are already behind.
One misconception to clear up early: the Travel Rule is not the same as lodging an IFTI (international funds transfer instruction) report for virtual assets. Those are separate obligations on different timetables. The Travel Rule governs what information you collect and transmit operationally; AUSTRAC reporting obligations for value transfers are being phased in separately.
CDD becomes risk-based — and the runway differs for existing vs new VASPs
The reformed customer due diligence framework is risk-based and outcomes-focused, split into initial CDD (before you act) and ongoing CDD (monitoring over time), with enhanced CDD for higher-risk customers and specified circumstances — for example, a politically exposed person (PEP) or where a suspicious-matter-reporting obligation arises. Beneficial ownership and PEP screening are squarely in scope.
The runway is not the same for everyone:
- Existing DCEs generally have a transitional period (to 30 March 2029) to move their existing customers from the old identification procedures to the new initial CDD framework. But the new standards apply to new customers from 31 March 2026.
- Newly captured VASPs get no transitional relief at all. Full reformed CDD — including beneficial ownership tracing and PEP screening — applies from the moment your obligations commence.
Where Veriqua fits
The shift from "we have a DCE program" to "we run a VASP program" is where a manual setup quietly falls behind. Veriqua's Program Documents module auto-generates both required parts — your ML/TF Risk Assessment and your AML/CTF Policies — from your own business data, structured the way the reformed regime expects, with proliferation-financing risk, counterparty-VASP exposure, and self-hosted-wallet risk built into the VASP risk template.
Its Transaction Monitoring engine runs rules tuned to virtual-asset risk — structuring, rapid movement across wallets, velocity patterns, and sanctions-evasion signals. KYC includes beneficial ownership capture, PEP screening, and enhanced-CDD flags. Every action sits on a tamper-evident audit log. When AUSTRAC asks how you identified a customer, approved a risk assessment, or escalated a suspicious transaction, the evidence is already assembled.
Because Veriqua manages both AUSTRAC and ASIC/AFSL obligations in one system, the program structure you build now for your AML/CTF compliance extends naturally into your AFSL framework when the Digital Assets Framework Act commences in April 2027 — without rebuilding from scratch. See the program and monitoring tools in two minutes, no login: demo.veriqua.com.au/start.
Frequently Asked Questions
Do I need to rebuild my AML/CTF Program from scratch for the VASP reforms?↓
What is the Travel Rule and when does it apply?↓
Does an existing DCE have to re-do customer KYC under the new CDD framework?↓
Will crypto businesses need an AFSL as well as AUSTRAC registration?↓
Related articles
29 July 2026: The AUSTRAC Deadline Every Digital Currency Exchange Cannot Miss
Automatic VASP rollover is a trap. The enrolment, compliance-officer and program deadlines crypto businesses cannot miss.
Is Your Crypto Business Ready? The VASP Compliance Checklist for July 2026
A scannable readiness checklist covering enrolment, CDD, Travel Rule, SMR/TTR, sanctions screening and AFSL readiness.
After the Deadline: Ongoing VASP Obligations That Define Your Audit Readiness
The ongoing compliance cadence — program review, SMR clocks, independent evaluation and board oversight.
The Dual-Regime Future: Why Australian VASPs Need to Prepare for AUSTRAC and ASIC Simultaneously
The Digital Assets Framework Act 2026 means VASPs will face both AUSTRAC and ASIC obligations from April 2027. How to build one unified compliance program.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF Act 2006, the AML/CTF Amendment Act 2024, the Digital Assets Framework Act 2026, and AUSTRAC and ASIC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. Travel Rule scope, CDD timing and self-hosted-wallet obligations carry transitional and fact-specific nuances. Please confirm your position against current AUSTRAC and ASIC guidance and the AML/CTF Act and Rules, and seek advice for your specific circumstances.