AML/CTF · VASP

After the Deadline: Ongoing VASP Obligations That Will Define Your Audit Readiness | VASP Australia 2026

Published 14 April 2026Last reviewed July 20265 min readBy Paul Wise

Getting enrolled, registered and live by July 2026 feels like the finish line. It is the start line. The thing that actually determines whether a VASP holds up under AUSTRAC scrutiny is what happens after the deadline — the ongoing rhythm of running the program. This is a plain-English explainer of that cadence. It is general information, not legal advice.

Keep the program alive — the review rhythm

The fastest way to fail an inspection is to treat your AML/CTF Program as a document you finished in July. The regime expects it to stay current, with a real cadence rather than a single annual tick:

  • Keep the ML/TF Risk Assessment up to date as risks change — reviewed at appropriate intervals, at least once every three years, and whenever there is a significant change: new services, new customer types, new jurisdictions, new AUSTRAC guidance. A senior manager approves updates; the governing body is notified of risk-assessment changes in writing.
  • Your Compliance Officer reports to the governing body at least once every 12 months on how the program is performing — not just that it exists.
  • You lodge an annual AUSTRAC compliance report each year, covering the prior calendar year.
The compliance report, the governing-body report, and the program review are three separate recurring obligations. Missing any of them is the kind of gap that surfaces in a compliance assessment — and "we were focused on getting registered" does not close it.

Suspicious Matter Reports — know the two clocks

Once you are operating, SMRs are a live obligation. When you form a suspicion on reasonable grounds, the deadline depends on what you suspect:

  • 24 hours — if the suspicion relates to terrorism financing or a person's physical safety.
  • 3 business days — for money laundering or any other offence. Note: these are business days, not 72 calendar hours.

The trigger is forming a suspicion on reasonable grounds — you do not need proof, and the obligation can arise even where you decline the transaction. For a crypto business, the patterns that commonly trigger suspicion — rapid movement across wallets, structuring below thresholds, high-risk jurisdictions, mismatched source of funds — need to be surfaced operationally, not spotted by manual review after the fact.

Cross-border transfers — the Travel Rule, not "IFTI for crypto"

For virtual asset transfers, your cross-border obligation is the Travel Rule (from 1 July 2026): originator and beneficiary information must travel with the transfer, and you must conduct counterparty-VASP due diligence. This is an operational requirement on every transfer — not a reporting obligation to AUSTRAC.

Separate international-value-transfer reporting (the framework replacing the old IFTI reports) is being phased in on a later transitional timetable, and a pure virtual-asset transfer is handled differently from a fiat-denominated international transfer instruction. These are distinct obligations and should not be conflated in your procedures.

Independent evaluation — at least every three years

The reforms replaced the old "independent review of Part A" with an independent evaluation of your entire program — your ML/TF Risk Assessment, your AML/CTF Policies, and how they work in practice. The key requirements:

  • Conducted at regular intervals, at least once every three years. (The first evaluation for newly regulated entities is phased in over the next few years — confirm your specific timing against AUSTRAC guidance.)
  • Conducted by someone genuinely independent of the program's design and operation — not the Compliance Officer who built it, and not a team member whose work is being evaluated.
  • The written report goes to the governing body and senior management, and must address whether the program is adequate and effective.
"Independent" means genuinely outside the program's design and operation. An internal review by a different team member is unlikely to satisfy the requirement. Plan for the cost and lead time of an external evaluation from the start, not when the three-year clock has nearly run.

Governance and board oversight

The program has to be governed. The governing body holds ongoing oversight, receives the compliance reports and independent evaluation, and is expected to question adverse findings — not just receive them. Your records need to show that oversight is real and engaged, not symbolic.

In practice this means: board or governing-body minutes that record the receipt and discussion of compliance reports; evidence that material risks were escalated and addressed; and a paper trail showing that senior management acted on the evaluation findings. "We did the work" needs to be evidenceable as "we can prove we did the work."

Governance designed for two regulators

This governance cadence will intensify when the Digital Assets Framework Act 2026 takes effect in April 2027. VASPs holding an AFSL will face parallel governance obligations under both AUSTRAC and ASIC — including separate compliance reporting, breach notification requirements (30 calendar days under the Corporations Act), responsible manager obligations, and conduct monitoring.

The board oversight structure you build now for your AML/CTF program should be designed to accommodate AFSL obligations from day one. Specifically:

  • Your compliance officer should be scoped to cover both AML/CTF and AFSL functions, with the authority and resources for both.
  • Your board reporting framework should include both AML/CTF performance (SMRs, alerts, risk assessment updates) and AFSL performance (breaches, complaints, conduct monitoring) in a single reporting cadence.
  • Your risk management methodology should be expandable to incorporate AFSL risk domains (conduct risk, conflicts risk, client money risk) alongside ML/TF risk.
  • Your audit trail should capture all compliance actions across both regimes in a single system of record.

Building two separate governance frameworks — one for AUSTRAC now and one for ASIC later — and merging them after the fact is significantly more expensive and disruptive than designing a unified structure from the start.

Where Veriqua fits

Ongoing cadence is exactly where things slip through the cracks when compliance is run manually. Veriqua is built to hold the rhythm. Statutory SMR and TTR timers run the clocks automatically from the moment a suspicion is recorded — so the 3-business-day and 24-hour windows are tracked, not calculated retroactively. Transaction Monitoring surfaces Travel-Rule-relevant and suspicious activity without manual triage. The independent evaluation schedule is tracked with reviewer sign-off and deadline alerts. A board-pack generator compiles your compliance reporting from live register data in one click — not assembled by hand the week before the board meeting.

Because Veriqua manages both AUSTRAC and ASIC/AFSL obligations in one system, your ongoing compliance cadence — board reports, breach registers, complaints tracking, obligations monitoring — runs from a single platform. When you hold both an AUSTRAC compliance program and an AFSL, you produce one board pack covering both regimes, not two disconnected reports from two disconnected systems. See the ongoing-compliance tools in two minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

How often does a VASP need to review its AML/CTF Program?
The program must be kept up to date as risks change — there is no fixed annual cycle, but a substantive review at least every three years is the minimum. In practice you should review it whenever there is a material change: new services, new customer segments, new jurisdictions, significant AUSTRAC guidance, or a change in the business's risk profile. The ML/TF Risk Assessment and AML/CTF Policies must both be kept current, with senior-manager approval of material updates.
What does the annual AUSTRAC compliance report require?
Each year you must lodge a compliance report with AUSTRAC covering the prior calendar year, addressing how your AML/CTF Program operated and your compliance with your obligations. The report is submitted via AUSTRAC Online, and failing to lodge is itself a compliance breach. AUSTRAC uses the reports to identify trends and prioritise compliance assessments.
Who can conduct the independent evaluation of a VASP's AML/CTF Program?
The evaluator must be genuinely independent of the design and operation of the program — which means independent of the Compliance Officer and the team that built the procedures. In practice this is typically an external adviser or auditor with AML/CTF expertise, though the Act does not restrict it to a particular professional category. The written report must go to the governing body and address the adequacy and effectiveness of the program.
How should VASPs prepare their governance for the Digital Assets Framework Act 2026?
VASPs should design their governance structure for dual-regime from day one: appoint a compliance officer with authority to cover both AML/CTF and AFSL functions, build a board reporting framework that covers both AUSTRAC and ASIC obligations, and use a single system of record for all compliance actions. Building two separate governance frameworks — one for AUSTRAC now and one for ASIC later — and merging them after the fact is significantly more expensive than designing a unified structure now.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the AML/CTF Act 2006, the AML/CTF Amendment Act 2024, the Digital Assets Framework Act 2026, and AUSTRAC and ASIC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. Reporting obligations (including Travel Rule and value-transfer reporting), evaluation timing and governance duties are technical and carry transitional nuances. Please confirm your position against current AUSTRAC and ASIC guidance and the AML/CTF Act, Corporations Act and Rules, and seek advice for your specific circumstances.