AML/CTF · VASP

DCE → VASP: What Changes in Your AML/CTF Program on 1 July 2026 | VASP Australia 2026

Published 5 May 2026Last reviewed July 20266 min readBy Paul Wise

It would be easy to read the DCE-to-VASP shift as a rebrand — same business, new acronym. It is not. From 1 July 2026, the substance of what a crypto business has to do changes, and the obligations land harder than the old digital-currency-exchange regime ever did. This is a plain-English explainer of what actually shifts. It is general information, not legal advice.

This is only the AUSTRAC side

Before we get into the detail: the AML/CTF changes below are significant, but they are only the AUSTRAC side of what is coming. The Digital Assets Framework Act 2026, which received Royal Assent in April 2026, will bring crypto exchanges and custodians under ASIC's financial services licensing regime from April 2027. VASPs will need to hold an AFSL — making them the only Tranche 2 sector facing dual regulatory obligations under both AUSTRAC and ASIC simultaneously.

The AML/CTF program you build now for AUSTRAC needs to be designed with AFSL obligations in mind. Governance structures, board reporting frameworks, risk management methodology, and compliance officer responsibilities should all be scoped from day one to serve both regulators — because rebuilding them in 2027 under time pressure is significantly more expensive than designing them right the first time. More on this in our separate article on the dual-regime future for Australian VASPs.

The program structure itself changed

The biggest under-the-hood change applies to every reporting entity, VASPs included: the old Part A / Part B program structure is gone. Your AML/CTF Program is now built from two parts — a ML/TF Risk Assessment and your AML/CTF Policies.

  • The ML/TF Risk Assessment identifies and assesses the money-laundering, terrorism-financing and proliferation-financing risks your business faces — across your virtual asset services, your customers, your channels (including self-hosted wallets and cross-chain activity), and the jurisdictions you touch.
  • Your AML/CTF Policies are the controls that flow from the risk assessment. A senior manager must approve both in writing before you provide designated services, and the program must be kept current as risks change.

For a crypto business this is more than a documentation exercise. Proliferation-financing risk, counterparty risk across decentralised protocols, and self-hosted-wallet risk are exactly the areas a generic, recycled program will not address. AUSTRAC can distinguish a tailored risk assessment from a template with a name change.

Proliferation-financing risk is now explicitly required in the ML/TF Risk Assessment. This is new compared to the old Part A framework — ensure your program addresses sanctions-evasion and weapons-proliferation risk as distinct categories, not just money laundering and terrorism financing.

The Travel Rule arrives — the operational headline

The change with the most operational weight is the Travel Rule, which applies to virtual asset transfers from 1 July 2026 with no exemption for VASPs. In broad terms, when value moves you must:

  • Collect and verify originator and beneficiary information before or at the time of the transfer.
  • Transmit that information to the receiving VASP — it must travel with the transfer.
  • Conduct due diligence on counterparty VASPs before transacting with them, including assessing whether they hold the required registrations and have adequate AML/CTF controls.
  • Apply risk-based policies to transfers involving self-hosted (unhosted) wallets — these do not sit outside the framework.

This is the single largest operational change for most VASPs. Building Travel Rule capability requires vendor selection, technical integration, a counterparty-VASP due-diligence process, and staff training — none of which happens in a week. The businesses that waited until June to start are already behind.

One misconception to clear up early: the Travel Rule is not the same as lodging an IFTI (international funds transfer instruction) report for virtual assets. Those are separate obligations on different timetables. The Travel Rule governs what information you collect and transmit operationally; AUSTRAC reporting obligations for value transfers are being phased in separately.

CDD becomes risk-based — and the runway differs for existing vs new VASPs

The reformed customer due diligence framework is risk-based and outcomes-focused, split into initial CDD (before you act) and ongoing CDD (monitoring over time), with enhanced CDD for higher-risk customers and specified circumstances — for example, a politically exposed person (PEP) or where a suspicious-matter-reporting obligation arises. Beneficial ownership and PEP screening are squarely in scope.

The runway is not the same for everyone:

  • Existing DCEs generally have a transitional period (to 30 March 2029) to move their existing customers from the old identification procedures to the new initial CDD framework. But the new standards apply to new customers from 31 March 2026.
  • Newly captured VASPs get no transitional relief at all. Full reformed CDD — including beneficial ownership tracing and PEP screening — applies from the moment your obligations commence.
If you are a newly captured VASP onboarding customers from 1 July 2026, your CDD procedures must meet the reformed standard from day one. There is no phase-in.

Where Veriqua fits

The shift from "we have a DCE program" to "we run a VASP program" is where a manual setup quietly falls behind. Veriqua's Program Documents module auto-generates both required parts — your ML/TF Risk Assessment and your AML/CTF Policies — from your own business data, structured the way the reformed regime expects, with proliferation-financing risk, counterparty-VASP exposure, and self-hosted-wallet risk built into the VASP risk template.

Its Transaction Monitoring engine runs rules tuned to virtual-asset risk — structuring, rapid movement across wallets, velocity patterns, and sanctions-evasion signals. KYC includes beneficial ownership capture, PEP screening, and enhanced-CDD flags. Every action sits on a tamper-evident audit log. When AUSTRAC asks how you identified a customer, approved a risk assessment, or escalated a suspicious transaction, the evidence is already assembled.

Because Veriqua manages both AUSTRAC and ASIC/AFSL obligations in one system, the program structure you build now for your AML/CTF compliance extends naturally into your AFSL framework when the Digital Assets Framework Act commences in April 2027 — without rebuilding from scratch. See the program and monitoring tools in two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

Do I need to rebuild my AML/CTF Program from scratch for the VASP reforms?
You need to uplift it — which may or may not mean starting over depending on what you built under the old DCE regime. The new ML/TF Risk Assessment must address proliferation-financing risk, counterparty-VASP risk, and self-hosted-wallet risk as distinct categories. If your existing Part A does not cover those, the uplift is substantial. The AML/CTF Policies must reflect the Travel Rule, reformed CDD, and the new governance requirements.
What is the Travel Rule and when does it apply?
The Travel Rule requires VASPs to collect, verify and transmit originator and beneficiary information with virtual asset transfers, and to conduct due diligence on counterparty VASPs before transacting. It applies to Australian VASPs from 1 July 2026 with no transition period or exemption. Transfers involving self-hosted wallets do not sit outside the framework — you must apply risk-based policies to them.
Does an existing DCE have to re-do customer KYC under the new CDD framework?
Generally no — for existing customers, existing DCEs have a transitional period until 30 March 2029 to migrate to the reformed CDD standard. But new customers onboarded from 31 March 2026 must meet the new standard immediately. Newly captured VASPs get no transitional relief — reformed CDD applies from commencement.
Will crypto businesses need an AFSL as well as AUSTRAC registration?
Many will. The Digital Assets Framework Act 2026 requires VASPs operating as Digital Asset Platforms or Token Capital Platforms to hold an AFSL from April 2027. The AML/CTF program you build now should be designed to accommodate AFSL obligations — unified governance, a single compliance officer, and board reporting that covers both regimes — to avoid rebuilding from scratch in 2027.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF Act 2006, the AML/CTF Amendment Act 2024, the Digital Assets Framework Act 2026, and AUSTRAC and ASIC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. Travel Rule scope, CDD timing and self-hosted-wallet obligations carry transitional and fact-specific nuances. Please confirm your position against current AUSTRAC and ASIC guidance and the AML/CTF Act and Rules, and seek advice for your specific circumstances.