AML/CTF · VASP

Is Your Crypto Business Ready? The VASP Compliance Checklist for July 2026 | VASP Australia 2026

Published 18 May 2026Last reviewed July 20265 min readBy Paul Wise

Australia's virtual asset rules go live on 1 July 2026, with enrolment and registration for newly captured businesses due by 29 July 2026. Use this checklist to find your gaps, then confirm each item against AUSTRAC guidance and your own risk assessment. It is general information, not legal advice.

Enrolment and registration

If you were a registered DCE: you were automatically moved to VASP registration from 31 March 2026 — but you still need your enrolment information updated on AUSTRAC Online by 29 July 2026. Automatic registration is not the same as a current, complete enrolment record.
If you are newly captured: you must enrol and apply to register with AUSTRAC by 29 July 2026. After that date, providing registrable virtual asset services without registration is a criminal offence.

AML/CTF Compliance Officer

A fit-and-proper person at management level must be appointed as your AML/CTF Compliance Officer — with the authority and resources to run the program day-to-day. Existing entities were required to notify AUSTRAC by 30 May 2026; newly regulated businesses have until 29 July 2026. The appointment must be documented and notified to AUSTRAC in the required form.

AML/CTF Program

  • ML/TF Risk Assessment in place — your written assessment of money-laundering, terrorism-financing and proliferation-financing risk across your services, customers, channels (including self-hosted wallets and cross-chain activity), and jurisdictions. A senior manager must approve it in writing before you provide designated services.
  • AML/CTF Policies in place — the controls that flow from the risk assessment, the second half of your program. Also requires senior-manager approval.
  • Both documents current, version-controlled, and reviewed whenever risks change — not filed away after sign-off.
A generic, recycled program that does not address VASP-specific risks — proliferation financing, counterparty-VASP exposure, self-hosted wallets, cross-chain activity — is not adequate. AUSTRAC reviewers will notice the mismatch between a program that reads like a bank template and a business that runs a crypto exchange.

Customer due diligence

  • Risk-based initial and ongoing CDD procedures in place — identifying and verifying customers and beneficial owners before or as close as practicable to commencing each transaction.
  • PEP screening active for all customers, with enhanced CDD applied to hits.
  • Enhanced CDD process ready for higher-risk customers and the specified circumstances (PEPs, suspicious-matter-reporting triggers, certain jurisdictions).
  • Wallet verification procedures — for self-hosted wallet transfers, you need a risk-based approach to establishing who controls the wallet.
  • Newly captured VASPs: no transitional relief — full reformed CDD applies from commencement, including beneficial ownership for business customers.

Travel Rule capability

This is the single biggest operational lift for most VASPs. From 1 July 2026 you must:

  • Collect, verify and transmit originator and beneficiary information with every virtual asset transfer.
  • Conduct due diligence on counterparty VASPs before transacting — confirming they hold the required registration, have adequate AML/CTF controls, and are not on a sanctions list.
  • Apply risk-based policies to self-hosted wallet transfers — these are not exempt.
If your Travel Rule vendor selection, technical integration or counterparty-VASP onboarding is not finished, this is your most urgent item. The rule applies from the first transfer on 1 July 2026 — not from when your system is ready.

Suspicious Matter Reports and Threshold Transaction Reports

  • A documented process to recognise a reportable suspicion and escalate it through the compliance officer to AUSTRAC.
  • SMR timers in place: 24 hours for terrorism-financing suspicions, 3 business days for money laundering and other offences. Note: these are 3 business days, not 72 calendar hours.
  • Threshold Transaction Reports for physical-currency transactions of $10,000 or more.
  • Staff who can distinguish a TTR trigger from an SMR trigger — they are different obligations with different timeframes.

Sanctions screening

Customers and counterparties — including counterparty VASPs — must be screened against the relevant sanctions lists, with a documented process to handle matches before transacting. For a crypto business, sanctions screening of wallet addresses is also part of the operational picture.

Staff training and records

  • Personnel trained on the obligations relevant to their role — what a designated service is, when CDD is required, how to escalate a suspicion.
  • Training records kept with dates and completion status — evidenceable to AUSTRAC on request.
  • All compliance records retained for seven years.

Looking ahead: AFSL readiness (April 2027)

The checklist above covers your AUSTRAC AML/CTF obligations. But if your business operates as a Digital Asset Platform (exchange, broker, custodian) or Token Capital Platform, the Digital Assets Framework Act 2026 will require you to hold an Australian Financial Services Licence from April 2027. AFSL applications typically take 6–12 months, which means preparation should begin now.

  • Have you assessed whether your business model falls under the DAP or TCP definitions? Not every VASP will need an AFSL. The DAP and TCP definitions capture specific business models — principally where the operator holds, controls, or manages customer tokens. If you are unsure, seek legal advice now rather than discovering the answer under regulatory pressure in 2027.
  • Have you considered the AFSL application timeline? ASIC assesses organisational competence, compliance arrangements, financial resources, risk management, responsible managers, and dispute resolution membership. This is not a form-filling exercise. 6–12 months from lodgement to approval is typical. April 2027 is nine months away.
  • Are your governance structures designed for dual-regime? Your compliance officer, board reporting framework, and risk management structure should be designed to satisfy both AUSTRAC and ASIC requirements from day one. Building two separate governance frameworks and merging them later is significantly more expensive than designing a unified structure now.
  • Is your compliance reporting framework capable of dual-regime board packs? When you hold both AUSTRAC obligations and an AFSL, your board will need to oversee both regimes. A single board reporting framework that covers AML/CTF compliance performance and AFSL conduct obligations is more efficient and more defensible than two parallel reporting streams.
VASPs that design their AML/CTF governance, risk management, and board reporting for dual-regime from day one will avoid the cost and disruption of rebuilding those structures when AFSL obligations commence in April 2027.

How Veriqua maps to this checklist

Each line above corresponds to a part of Veriqua, the Australian compliance operating system for AUSTRAC reporting entities. The AUSTRAC Reporting Wizard keeps your enrolment data current. The Program Documents module holds your ML/TF Risk Assessment and AML/CTF Policies, version-controlled with senior-manager sign-off captured on the record. KYC and the Customer Risk register handle CDD, beneficial ownership, PEP screening and enhanced-CDD flags. Transaction Monitoring surfaces Travel-Rule-relevant and suspicious transfers. The SMR and TTR modules run the statutory timers from the moment a suspicion is recorded. Sanctions screening is built into the customer and counterparty onboarding flow. Staff training records and certificates sit in the Training register. And every action sits on a tamper-evident audit log.

Veriqua is also the only Australian platform that extends into AFSL compliance — covering obligations registers, breach reporting (s912DAA, 30-day timeframe), complaints management (RG 271), CPD tracking, and board pack automation. The AML/CTF compliance structure you build in Veriqua today expands naturally into your AFSL framework when the Digital Assets Framework Act commences. Run a free readiness assessment in ten minutes, no login: demo.veriqua.com.au/start.

Frequently Asked Questions

Do existing DCEs need to do anything before 29 July 2026 if they were automatically converted to VASP?
Yes. Automatic VASP registration moves your label — it does not complete your enrolment record. Existing DCEs were required to update their enrolment information on AUSTRAC Online with the new VASP details by 29 July 2026, notify AUSTRAC of their Compliance Officer (by 30 May 2026 for existing entities), and uplift their AML/CTF Program to meet the reformed obligations including the Travel Rule from 1 July 2026.
Is the Travel Rule the same as lodging an IFTI report?
No. The Travel Rule is an operational obligation: when you conduct a virtual asset transfer, you must collect, verify and transmit originator and beneficiary information with it, and conduct due diligence on the counterparty VASP. IFTI-style reporting for virtual asset transfers is a separate AUSTRAC reporting obligation being phased in on a different timetable. The two are not interchangeable.
Do newly captured VASPs get any transition period for CDD?
No. Newly captured VASPs (businesses that were not registered DCEs before 31 March 2026) must meet the full reformed CDD standard — including beneficial ownership tracing, PEP screening and enhanced CDD — from the moment their obligations commence. There is no phase-in for new entrants.
Do all Australian VASPs need an AFSL from April 2027?
Not all. The Digital Assets Framework Act 2026 requires an AFSL for VASPs operating as Digital Asset Platforms or Token Capital Platforms — principally businesses that hold, trade, or manage customer tokens. Whether your specific business model falls under those definitions requires a legal assessment. What is clear is that AFSL applications take 6–12 months, so businesses that may be captured should begin scoping now.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at July 2026. It is not legal, financial or compliance advice, and it is not exhaustive — your obligations depend on the virtual asset services you provide, your risk assessment, and transitional timing. Please confirm each item against current AUSTRAC and ASIC guidance and the AML/CTF Act, Corporations Act and Rules, and seek advice for your specific circumstances.