The Dual-Regime Future: Why Australian VASPs Need to Prepare for AUSTRAC and ASIC Simultaneously | VASP Australia 2026
Australian crypto businesses are about to become the only sector in the country that must comply with both AUSTRAC and ASIC at the operating level, simultaneously, as a matter of course.
The AUSTRAC side is already live. From 31 March 2026, VASPs have AML/CTF obligations including risk assessment, customer due diligence, transaction monitoring, suspicious matter reporting, the Travel Rule, and governance oversight. The 29 July 2026 registration deadline for newly captured VASPs is imminent.
The ASIC side arrives in April 2027. The Digital Assets Framework Act 2026 (Royal Assent April 2026) amends the Corporations Act to recognise two new financial products: Digital Asset Platforms (DAPs) and Token Capital Products (TCPs). Operators of DAPs and TCPs will need to hold an Australian Financial Services Licence. This captures crypto exchanges, brokers, custodians, and wallet providers where the operator has custody or control of client tokens.
For the first time, a crypto business will sit under two regulatory regimes at once: AUSTRAC for financial crime prevention, and ASIC for financial services conduct, disclosure, and consumer protection. This is not theoretical. It is legislated and timetabled.
What the Digital Assets Framework Act requires
Digital Asset Platforms (DAPs)
A DAP is a facility where an operator holds digital tokens on behalf of another person. In practice, this captures exchanges, brokers, custodians, and wallet providers where the operator has custody or control of client tokens. If your business holds, trades, or manages customer crypto, you are likely operating a DAP.
Token Capital Products (TCPs)
TCPs capture token offerings that function as capital-raising instruments. If your business issues, promotes, or distributes tokens that look and behave like financial products (investment returns, governance rights, profit-sharing), the TCP framework may apply.
The AFSL requirement means crypto businesses operating as DAPs or TCPs must meet the same standards of transparency, integrity, and consumer protection that apply to all Australian financial services businesses — including requirements around organisational competence, adequate resources, risk management, compliance arrangements, dispute resolution, and conduct obligations.
The timeline is tighter than it looks
The Act commences in April 2027. That feels like nine months away. It is not enough.
AFSL applications typically take 6–12 months from lodgement to approval. ASIC assesses the applicant's organisational competence, compliance arrangements, financial resources, risk management framework, responsible managers, and dispute resolution membership. For a crypto business that has never held a licence, this is not a form-filling exercise. It requires building governance structures, appointing responsible managers, demonstrating adequate compliance resources, and documenting a compliance plan — before lodgement.
Where AUSTRAC and ASIC obligations overlap
The good news is that the two regimes are not entirely separate. There are significant areas of overlap where a well-designed compliance program can serve both regulators from a single governance structure.
Governance and board oversight
Both AUSTRAC and ASIC require senior management oversight of compliance. Under AUSTRAC, your governing body must oversee the AML/CTF program, receive compliance reports, and approve risk assessments. Under an AFSL, ASIC requires adequate compliance arrangements, a compliance plan, and board oversight of conduct obligations. These can be served by a single governance structure with a unified board reporting framework that covers both regimes.
Compliance officer
AUSTRAC requires an AML/CTF compliance officer. ASIC requires adequate compliance arrangements under an AFSL, which typically includes a compliance manager or officer. A single compliance officer can serve both functions if they have the knowledge, authority, and resources to cover both regimes. The role description and reporting lines should be designed to satisfy both sets of obligations from day one.
Risk management
AUSTRAC requires a documented ML/TF Risk Assessment. ASIC requires adequate risk management systems as a condition of holding an AFSL. These are different risk domains (financial crime vs. financial services conduct), but the assessment methodology, documentation standards, and review cadence can be aligned. A VASP that builds its AML/CTF risk assessment in a framework that can later incorporate AFSL risk categories avoids rebuilding from scratch in 2027.
Record-keeping and audit trail
Both regulators require records to be kept for extended periods — 7 years under AUSTRAC, 7 years for many AFSL records. Both expect records to be accurate, complete, and accessible on request. A single record-keeping system that serves both regimes is more efficient and more defensible than two parallel systems.
Breach and incident reporting
Under AUSTRAC, you must report suspicious matters within 24 hours (terrorism financing) or 3 business days (money laundering). Under ASIC and the Corporations Act, licensees must report significant breaches within 30 calendar days. The triggers are different but the investigation, documentation, and escalation processes are similar. A single incident management workflow can capture both reporting obligations.
Staff training
Both regimes require staff to understand their obligations. AML/CTF training covers suspicious activity recognition, CDD procedures, and tipping-off prohibitions. AFSL training covers conduct obligations, disclosure requirements, and complaints handling. These can be delivered through a single training program with modules covering both regimes.
Where the obligations diverge
Not everything overlaps. There are obligations under each regime that are distinct:
AUSTRAC-specific (no AFSL equivalent)
- Suspicious Matter Reports and Threshold Transaction Reports
- Travel Rule (originator/beneficiary information transmission)
- Sanctions screening (DFAT, UN, OFAC)
- Customer due diligence and beneficial ownership verification
- Transaction monitoring for financial crime patterns
- AUSTRAC annual compliance report
ASIC/AFSL-specific (no AUSTRAC equivalent)
- Financial Services Guide and Product Disclosure Statement
- Responsible Manager obligations (fit and proper, competence)
- Internal and external dispute resolution (AFCA membership)
- Breach reporting under the Corporations Act (s912DAA, 30-day timeframe)
- Conduct obligations (best interests, conflicts management, client money)
- Financial requirements (adequate resources, net tangible assets)
- ASIC regulatory returns and compliance audits
The divergent obligations mean a VASP cannot simply copy its AML/CTF program and call it an AFSL compliance plan. But the shared governance, risk management, and reporting infrastructure can serve as the foundation for both.
The mistake: building two separate programs
The most expensive approach a VASP can take is to build an AML/CTF compliance program now, then build a separate AFSL compliance framework in 2027, then try to integrate them after the fact. This is what most businesses will do, because most compliance vendors only cover one regime.
The result is two governance structures, two reporting frameworks, two sets of board papers, two compliance calendars, two audit trails, and two sets of staff training modules — for the same business, the same customers, and the same transactions. The cost, complexity, and risk of inconsistency are significant.
The smarter approach is to design a unified compliance framework from the start — one that accommodates both AUSTRAC and ASIC obligations in a single governance structure, a single board reporting cadence, and a single system of record. The AML/CTF program you build this month should be designed with AFSL expansion in mind, even if the AFSL application is months away.
What to do now
If you are a VASP building your AML/CTF program now, consider these steps to future-proof for the AFSL transition:
- Design your governance structure for dual-regime from day one. Appoint a compliance officer with the authority and knowledge to cover both AML/CTF and financial services obligations. Structure your board reporting to include both regimes. Document roles and responsibilities in a way that satisfies both AUSTRAC and ASIC expectations.
- Build your risk assessment framework to accommodate AFSL risk categories. Your ML/TF Risk Assessment is required now. When you build it, use a methodology that can later incorporate AFSL risk domains (conduct risk, conflicts risk, client money risk, operational risk). This avoids rebuilding the framework from scratch when your AFSL application requires a documented risk management system.
- Use a single system of record. Every compliance action — customer verification, transaction monitoring alert, suspicious matter report, breach notification, staff training record, board report — should land in one audit trail. When you face two regulators asking for evidence, having one complete record is far stronger than producing fragments from two disconnected systems.
- Assess your AFSL application timeline now. AFSL applications take 6–12 months. April 2027 is nine months away. If your business model falls under the DAP or TCP definitions, begin scoping the application requirements now: responsible manager qualifications, financial resource requirements, dispute resolution membership (AFCA), and compliance plan documentation. Waiting until 2027 is too late.
- Seek advice on whether you need an AFSL. Not every VASP will need one. The DAP and TCP definitions capture specific business models. If you are unsure whether your business falls within the definitions, seek legal advice now rather than discovering the answer under regulatory pressure in 2027.
The bigger picture
The dual-regime future for Australian VASPs is not an accident. It reflects a deliberate policy decision to treat digital assets like other financial products — subject to the same conduct standards, consumer protections, and crime prevention obligations that apply across the financial system. Australia is aligning with international standards (FATF, EU MiCA) that expect crypto businesses to operate as regulated financial entities.
For VASP operators, this creates both obligation and opportunity. The compliance burden is real. But VASPs that build robust, dual-regime compliance programs early will be positioned as credible, regulated participants in the Australian financial system — which unlocks partnerships, institutional capital, and consumer trust that unregulated operators cannot access.
The window to build that foundation is open now. The AUSTRAC program you construct this month is the base layer. The AFSL framework you add in the coming months is the second layer. Design them together, and you build once. Design them separately, and you build twice — at twice the cost, with half the coherence.
Where Veriqua fits
Veriqua is the only Australian compliance platform designed to manage both AUSTRAC AML/CTF and ASIC/AFSL obligations in a single system. For VASPs facing dual-regime obligations, a unified compliance platform eliminates the cost and complexity of operating two parallel compliance programs for the same customers and transactions.
The AML/CTF structure you build in Veriqua today — ML/TF Risk Assessment, customer due diligence, transaction monitoring, SMR/TTR workflows, board reporting — expands naturally into your AFSL framework: obligations registers, breach reporting (s912DAA, 30-day timeframe), complaints management (RG 271), CPD tracking, and AFSL board pack automation. One system, one audit trail, two regulators. See it in two minutes, no login: demo.veriqua.com.au/start.
Frequently Asked Questions
Does every Australian VASP need an AFSL from April 2027?↓
Can a single compliance officer cover both AUSTRAC and ASIC obligations?↓
What is the most common mistake VASPs make when preparing for the dual-regime?↓
What ASIC obligations are unique to the AFSL regime and have no AUSTRAC equivalent?↓
Related articles
29 July 2026: The AUSTRAC Deadline Every Digital Currency Exchange Cannot Miss
Automatic VASP rollover is a trap. The enrolment, compliance-officer and program deadlines crypto businesses cannot miss.
DCE → VASP: What Changes in Your AML/CTF Program on 1 July 2026
What actually shifts for crypto businesses on 1 July 2026 — and why this is only the first of two regulatory transitions.
Is Your Crypto Business Ready? The VASP Compliance Checklist for July 2026
A scannable readiness checklist covering AUSTRAC AML/CTF obligations and forward-looking AFSL readiness.
After the Deadline: Ongoing VASP Obligations That Define Your Audit Readiness
The ongoing compliance cadence — and why it needs to be designed for two regulators, not one.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at July 2026. It reflects our understanding of the Digital Assets Framework Act 2026, the AML/CTF Act 2006, and AUSTRAC and ASIC guidance as at that date, all of which may change. It is not legal, financial or compliance advice. The Digital Assets Framework Act 2026 and AFSL requirements carry significant technical and fact-specific nuances. Whether your business requires an AFSL depends on the specific services you provide and how they are classified under the Corporations Act. Please confirm your position against current ASIC and AUSTRAC guidance and the AML/CTF Act, Corporations Act and Rules, and seek advice for your specific circumstances.