Is Your Crypto Business Ready? The VASP Compliance Checklist for July 2026 | VASP Australia 2026
Australia's virtual asset rules go live on 1 July 2026, with enrolment and registration for newly captured businesses due by 29 July 2026. Use this checklist to find your gaps, then confirm each item against AUSTRAC guidance and your own risk assessment. It is general information, not legal advice.
Enrolment and registration
AML/CTF Compliance Officer
A fit-and-proper person at management level must be appointed as your AML/CTF Compliance Officer — with the authority and resources to run the program day-to-day. Existing entities were required to notify AUSTRAC by 30 May 2026; newly regulated businesses have until 29 July 2026. The appointment must be documented and notified to AUSTRAC in the required form.
AML/CTF Program
- ML/TF Risk Assessment in place — your written assessment of money-laundering, terrorism-financing and proliferation-financing risk across your services, customers, channels (including self-hosted wallets and cross-chain activity), and jurisdictions. A senior manager must approve it in writing before you provide designated services.
- AML/CTF Policies in place — the controls that flow from the risk assessment, the second half of your program. Also requires senior-manager approval.
- Both documents current, version-controlled, and reviewed whenever risks change — not filed away after sign-off.
Customer due diligence
- Risk-based initial and ongoing CDD procedures in place — identifying and verifying customers and beneficial owners before or as close as practicable to commencing each transaction.
- PEP screening active for all customers, with enhanced CDD applied to hits.
- Enhanced CDD process ready for higher-risk customers and the specified circumstances (PEPs, suspicious-matter-reporting triggers, certain jurisdictions).
- Wallet verification procedures — for self-hosted wallet transfers, you need a risk-based approach to establishing who controls the wallet.
- Newly captured VASPs: no transitional relief — full reformed CDD applies from commencement, including beneficial ownership for business customers.
Travel Rule capability
This is the single biggest operational lift for most VASPs. From 1 July 2026 you must:
- Collect, verify and transmit originator and beneficiary information with every virtual asset transfer.
- Conduct due diligence on counterparty VASPs before transacting — confirming they hold the required registration, have adequate AML/CTF controls, and are not on a sanctions list.
- Apply risk-based policies to self-hosted wallet transfers — these are not exempt.
Suspicious Matter Reports and Threshold Transaction Reports
- A documented process to recognise a reportable suspicion and escalate it through the compliance officer to AUSTRAC.
- SMR timers in place: 24 hours for terrorism-financing suspicions, 3 business days for money laundering and other offences. Note: these are 3 business days, not 72 calendar hours.
- Threshold Transaction Reports for physical-currency transactions of $10,000 or more.
- Staff who can distinguish a TTR trigger from an SMR trigger — they are different obligations with different timeframes.
Sanctions screening
Customers and counterparties — including counterparty VASPs — must be screened against the relevant sanctions lists, with a documented process to handle matches before transacting. For a crypto business, sanctions screening of wallet addresses is also part of the operational picture.
Staff training and records
- Personnel trained on the obligations relevant to their role — what a designated service is, when CDD is required, how to escalate a suspicion.
- Training records kept with dates and completion status — evidenceable to AUSTRAC on request.
- All compliance records retained for seven years.
Looking ahead: AFSL readiness (April 2027)
The checklist above covers your AUSTRAC AML/CTF obligations. But if your business operates as a Digital Asset Platform (exchange, broker, custodian) or Token Capital Platform, the Digital Assets Framework Act 2026 will require you to hold an Australian Financial Services Licence from April 2027. AFSL applications typically take 6–12 months, which means preparation should begin now.
- Have you assessed whether your business model falls under the DAP or TCP definitions? Not every VASP will need an AFSL. The DAP and TCP definitions capture specific business models — principally where the operator holds, controls, or manages customer tokens. If you are unsure, seek legal advice now rather than discovering the answer under regulatory pressure in 2027.
- Have you considered the AFSL application timeline? ASIC assesses organisational competence, compliance arrangements, financial resources, risk management, responsible managers, and dispute resolution membership. This is not a form-filling exercise. 6–12 months from lodgement to approval is typical. April 2027 is nine months away.
- Are your governance structures designed for dual-regime? Your compliance officer, board reporting framework, and risk management structure should be designed to satisfy both AUSTRAC and ASIC requirements from day one. Building two separate governance frameworks and merging them later is significantly more expensive than designing a unified structure now.
- Is your compliance reporting framework capable of dual-regime board packs? When you hold both AUSTRAC obligations and an AFSL, your board will need to oversee both regimes. A single board reporting framework that covers AML/CTF compliance performance and AFSL conduct obligations is more efficient and more defensible than two parallel reporting streams.
How Veriqua maps to this checklist
Each line above corresponds to a part of Veriqua, the Australian compliance operating system for AUSTRAC reporting entities. The AUSTRAC Reporting Wizard keeps your enrolment data current. The Program Documents module holds your ML/TF Risk Assessment and AML/CTF Policies, version-controlled with senior-manager sign-off captured on the record. KYC and the Customer Risk register handle CDD, beneficial ownership, PEP screening and enhanced-CDD flags. Transaction Monitoring surfaces Travel-Rule-relevant and suspicious transfers. The SMR and TTR modules run the statutory timers from the moment a suspicion is recorded. Sanctions screening is built into the customer and counterparty onboarding flow. Staff training records and certificates sit in the Training register. And every action sits on a tamper-evident audit log.
Veriqua is also the only Australian platform that extends into AFSL compliance — covering obligations registers, breach reporting (s912DAA, 30-day timeframe), complaints management (RG 271), CPD tracking, and board pack automation. The AML/CTF compliance structure you build in Veriqua today expands naturally into your AFSL framework when the Digital Assets Framework Act commences. Run a free readiness assessment in ten minutes, no login: demo.veriqua.com.au/start.
Frequently Asked Questions
Do existing DCEs need to do anything before 29 July 2026 if they were automatically converted to VASP?↓
Is the Travel Rule the same as lodging an IFTI report?↓
Do newly captured VASPs get any transition period for CDD?↓
Do all Australian VASPs need an AFSL from April 2027?↓
Related articles
29 July 2026: The AUSTRAC Deadline Every Digital Currency Exchange Cannot Miss
Automatic VASP rollover is a trap. The enrolment, compliance-officer and program deadlines crypto businesses cannot miss.
DCE → VASP: What Changes in Your AML/CTF Program on 1 July 2026
What actually shifts for crypto businesses on 1 July 2026 — the program structure, the Travel Rule, and risk-based CDD.
After the Deadline: Ongoing VASP Obligations That Define Your Audit Readiness
The ongoing compliance cadence — program review, SMR clocks, independent evaluation and board oversight.
The Dual-Regime Future: Why Australian VASPs Need to Prepare for AUSTRAC and ASIC Simultaneously
The Digital Assets Framework Act 2026 means VASPs will face both AUSTRAC and ASIC obligations from April 2027. How to build one unified compliance program.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It is not legal, financial or compliance advice, and it is not exhaustive — your obligations depend on the virtual asset services you provide, your risk assessment, and transitional timing. Please confirm each item against current AUSTRAC and ASIC guidance and the AML/CTF Act, Corporations Act and Rules, and seek advice for your specific circumstances.