What the new AML/CTF draft rules mean for virtual asset service providers
As part of ongoing reforms to the anti-money laundering and counter-terrorism financing (AML/CTF) framework, the Australian Transaction Reports and Analysis Centre (AUSTRAC) has published the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth) (Draft Rules). This was released alongside its consultation paper on the Draft Rules, which provides guidance on how amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) will affect virtual asset providers (VASPs).
This article focuses on changes specific to VASPs under the AML/CTF framework. For a general update on changes to the Draft Rules following the first consultation, read our article, New Draft Rules shake up AML/CTF regime.
In 2024, virtual asset services (VAS) were assessed by AUSTRAC as having medium-high vulnerability for money laundering and highly vulnerable to misuse for terrorism financing. This is partly due to VASPs being subject to less oversight and regulation compared to other financial sub-sectors. The Draft Rules intend to strengthen the registration process for VASPs, enabling AUSTRAC to more closely assess and mitigate the money laundering and terrorism financing risks associated with VAS.
In addition, the most recent consultation paper to the Draft Rules addresses further requirements or specific exceptions for VASPs when it comes to due diligence and the ‘travel rule’ requirements.
Summary
Notable changes in relation to VASPs include:
- registration application and administrative decision-making processes for VASPs;
- changes to the ‘travel rule’ and their application to VASPs; and
- increased requirements for VASPs to undertake counterparty due diligence and create policies to manage risks in virtual asset transfers.
Background
As discussed in our previous update, from 31 March 2026, new services and entities will be subject to AUSTRAC regulation. This follows reforms to anti-money laundering and counter-terrorism financing laws with the intent to better deter, detect and disrupt money laundering and terrorism financing, as well as meet international standards.
The new AML/CTF Rules framework comprises of two separate instruments:
- the Anti-Money Laundering and Counter Terrorism Financing Rules 2025 containing rules of general application, a subset of which are contained in the Draft Rules to reflect the new AML/CTF Rules as they are proposed to commence in 31 March 2026; and
- the AML/CTF (Class Exemptions and Other Matters) Rules 2007 (Class Exemption Rules), now released for public consultation for the first time.
These rules sit alongside the AML/CTF Act and its recent amendments, as detailed in the consultation paper on the Draft Rules.
Registration requirements for VASPs
Newly inserted Part 3 of the Draft Rules represents a more transparent entry process to registration by broadening the range of information AUSTRAC collects and considers when assessing an application for registration by VASPs. This increase in standards puts Australia in line with the approach taken in many other jurisdictions, including the United Kingdom, Singapore and Hong Kong, and is focused on preventing criminals or their associates from owning or being involved in crypto businesses and money services businesses.
Section 1-4 of the Draft Rules includes the new definition of ‘registrable services’, defined to include virtual asset service providers. This registration is required before providing registrable services to customers and is in addition to applying for enrolment on the Reporting Entities Role.
Key inclusions in the newly drafted Part 3 are as follows:
- Division 1 sets up the Virtual Asset Service Provider Register (VASP Register), with AUSTRAC responsible for maintaining the VASP Register and publishing information.
- Section 3-4 sets out a list of general information that must be included within a VASP’s application, including information on identity, place of business, ownership and operational information (including foreign operations).
- Section 3-5 requires VASPs to detail their money laundering and terrorism financing risks and their process for reviewing and updating risk assessments. Additionally, they must outline their AML/CTF policies per Section 3-6.
- Section 3-9 requires disclosure of whether the candidate or any of its key personnel have been charged or convicted of an offence in relation to money laundering, financing of terrorism and fraud (among other categories).
- Section 3-14 provides additional requirements for registration as a VASP, including the kinds of virtual assets provided, details of delivery channels and virtual asset wallet details.
The travel rule
The travel rule refers to the requirement that information about a payer and payee be transmitted (or ‘travel’) with transfers of value. Under the Draft Rules, beneficiary institutions for transfers of virtual assets must obtain complete and accurate travel rule information before making virtual assets available to the payee or a person acting on their behalf. However, the recent round of consultations expressed concerns about potential difficulties that may arise when counterparties in the value transfer chain, particularly in the case of VASPs, are unregulated.
In its consultation paper on the Draft Rules, AUSTRAC pointed to subsections 66A(9) and (10) of the amended AML/CTF Act, which provide exceptions for VASPs if an Australian entity reasonably determines a value transfer chain institution cannot securely comply with the travel rule. This must be documented and is based on objective capability, not unwillingness. This exception is unlikely to be relevant if the counterparty VASP or financial institution (engaged in virtual asset transfers) operates in a jurisdiction with its own travel rule legislation.
Subsection 66A(10) also allows exceptions if the ordering institution reasonably believes the beneficiary institution cannot safeguard the information's confidentiality. As above, this is an objective test and reasons for the belief must be documented.
Counterparty due diligence
The Draft Rules aim to address how VASPs can undertake counterparty due diligence to determine whether a third-party virtual asset wallet is controlled by a regulated VASP, an unregulated VASP, an illegally operating VASP or a self-hosted wallet. This was a commonly raised issue in the recent round of consultation.
Subsections 66A(2) and (5) of the amended AML/CTF Act set out the primary obligations for reporting entities transferring virtual assets to undertake counterparty due diligence. Although the current legislation does not prescribe how this should be done, given different levels of information available in different countries, further guidance is expected on how to undertake these due diligence requirements.
Section 4-13 of Draft Rules requires reporting entities involved in transferring virtual assets to develop AML/CTF policies that address counterparty due diligence. These polices must appropriately manage and mitigate the risks of providing designated services related to the transfer of virtual assets.
What’s next?
Consultation closes on 27 June 2025.
VASPs should consider their new registration requirements and whether they have appropriate policies in place to address relevant AML/CTF risks. VASPs should begin preparing their policies earlier rather than later.
At this stage, we expect the final version of the Draft Rules and Class Exemption Rules will be released in July.
Please contact John Bassilios to understand more about how the amendments to the Act and how the Draft Rules might impact your VASP business and what steps you should consider taking now.
We will keep you up to date with further developments.
This article was prepared with the assistance of Ruby Wensor, Law Graduate.
Contact
