With the passing of the highly anticipated Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (Amending Act), many new virtual asset related services will soon be regulated by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).
Most changes in the Amending Act as they affect the digital assets industry will commence on 31 March 2026. In this article, we discuss the key changes that will impact virtual asset service providers (VASP) under the new regime and how the digital assets industry can plan for compliance.
Expansion of the types of assets to be regulated by the new AML/CTF Regime
Under the amended AML/CTF regime, a new and broader ‘virtual asset’ definition replaces the definition of ‘digital currency’.
The new definition expands to:
- Various types of Non-Fungible Tokens (NFTs) that function as a medium of exchange.
- Governance tokens such as those that are typically used for the purposes of participating in decentralised autonomous organisations (DAOs).
- Stablecoins minted on public blockchains but which are intended to be used by a smaller subset of the public (of the type not generally available to members of the public without any restriction on its use). Such stablecoins could include privately issued stablecoins in tokenisation projects or financial transactions utilising blockchain technology.
However, central bank digital currencies, customer loyalty or reward points (eg frequent flyer points) and tokens used exclusively within an electronic game are excluded from the definition of being a Virtual Asset.
The AUSTRAC CEO has also been given the power to make Rules under the AML/CTF Act to address any emerging virtual assets. AUSTRAC has released the first of its Exposure Draft AML/CTF Rules on 11 December 2024.
Expansion of the regulated types of digital assets services
Entities providing the digital assets related ‘designated services’ under Table 1 of section 6 of the AML/CTF Act (provided there is also a geographic link with Australia) will now need to comply with the new AML/CTF regime. These are set out in the table below.
Each of these services will also now be referred to as a ‘registrable virtual asset service‘. Businesses that provide any registrable virtual asset-related designated services are required to register with the Australian Transaction Reports and Analysis Centre (AUSTRAC) as ‘registered virtual asset service providers’ where the AML/CTF Act’s geographical link is satisfied (unless the entity is a financial institution such as an ADI or specified type of casino). Notably, AUSTRAC CEO has the power to make AML/CTF Rules to clarify and prescribe what is not a registrable virtual asset service to ensure flexibility in this important definition as the virtual asset sector continues to evolve.
Category | Service | Item |
---|---|---|
Transfer of value involving virtual assets | As the ordering institution, accepting instructions to transfer a virtual asset. | item 29 (amended) |
As the beneficiary institution, making a virtual asset available to a payee in relation to a transfer of value. | item 30 (amended) | |
Virtual asset safekeeping | Providing a virtual asset safekeeping service where the service is provided in the course of carrying on a business as a virtual asset service provider. This service is intended to cover circumstances such as where a VASP holds virtual assets or private keys to the virtual asset belonging to another person in the course of carrying on a business. It also includes circumstances when the VASP acts upon the instructions of the owner of the assets. Mainstream custody providers including staking services could fall into this category. A person who solely provides a software application for the purposes of virtual asset safekeeping service is excluded. |
item 46A (new) |
Exchange of virtual assets | Exchanging or making arrangements for the exchange of a virtual asset for money (whether Australian or not) or vice versa. This service is already regulated by the AML/CTF Act. However, it will now capture exchanges between fiat and any digital assets which fall within the broadened definition of ‘virtual asset’ (such as governance tokens). Mainstream exchange providers would likely fall into this category. |
item 50A (amended) |
Exchange between same or different type of virtual assets. This is a new service which captures exchanges of one type of virtual asset to another type of virtual asset. For example, when a customer exchanges Bitcoin with Ethereum, that exchange will now attract obligations (including customer due diligence procedures) under the AML/CTF Act. Notably, exchanges between the same type of virtual assets (eg, Bitcoin to Bitcoin) are also captured to address regulatory concerns in respect of ‘mixing’ or ‘tumbling’ of crypto to obscure traceability. The regulated activities would include acting as a principal, a central counterparty for clearing or settling transactions, an executing facility, or another intermediary facilitating the exchange transaction. Mainstream exchange providers including staking services could fall into this category. |
item 50B (new) | |
Offer or sale of virtual asset | Providing another designated service under Table 1 of section 6 of the AML/CTF Act in connection with the offer or sale of a virtual asset. This new designated service is intended to include businesses that provide financial services that are ancillary to initial coin offerings and or other situations in which an issuer offers or sells a virtual asset. Such activities could include accepting purchase orders and funds and buying virtual assets from an issuer to resell and distribute the funds or assets. Mainstream broking providers would likely fall into this category. |
item 50C (new) |
Obligations that apply
Travel Rule
A key aspect of the new obligations is that VASPs will become subject to the ‘travel rule’.
The ‘travel rule’ in its current form in the AML/CTF Act only applies to certain financial institutions and only requires information about the payer and not the payee to be passed on with transfer instructions along the value transfer chain.
However, the Financial Action Task Force (FATF) in recommendation 16, recommends that certain information about both the payer and payee is transmitted with telegraphic transfers, remittances, as well transfers of virtual assets and other similar transfers of value. This is intended to support transparency of value transfers which in turns supports business with managing their money laundering, terrorising financing and sanctions risks as well as provisions of appropriate information to law enforcement authorities.
VASPs that act as ordering institutions (ie the VASP initiating the transfer) or beneficiary institutions (ie the VASP making virtual asset available to the transferee) in the virtual asset value transfer chain will now be required to comply with the ‘travel rule’ modified for virtual asset transfers. This means that VASPs will need to ensure that they are either receiving or passing certain transaction information to other institutions as prescribed by the Exposure Draft AML/CTF Rules released on 11 December 2024.
Further, before a VASP acts as an ordering institution or a beneficial institution it must first conduct due diligence to determine on reasonable grounds whether the relevant wallet is:
- a custodial wallet in the control of a person who meet certain licensing requirements
- a self-hosted wallet
In the case of the ordering institution, this needs to be conducted in relation to the person making the value transfer, and in the case of the beneficiary institution, this needs to be conducted in relation to the person receiving the value transfer (eg virtual assets). Where the transfer involves transferring from or to an unverified self-hosted wallet, a report must be made to AUSTRAC within 10 business days after the transaction.
The travel rule will apply to VASPs in respect of both domestic and cross border transfers.
The Exposure Draft AML/CTF Rules set out the definitions of an ‘ordering institution’ and a ‘beneficiary institution’.
Reports of International Value Transfer Services
VASPs will be required to make reports to AUSTRAC where as a result of their value transfer service, the value will cross into Australia, or cross out of Australia. This reporting requirement replaces the current requirement to report ‘international funds transfer instructions’ and apply to virtual asset transfers.
These reports are required to be made to AUSTRAC within 10 business days after the provider passes on or receives the transfer message for the transfer of value. The required form of this report will be set out in the AML Rules.
Registration of Virtual Asset Service Providers
All reporting entities are required to enrol with AUSTRAC. Additionally, entities providing any of the ‘registrable virtual asset services’ will now be required to register as a registered virtual asset service provider.
Risk Assessments
All reporting entities, including VASPs are required to prepare a Risk Assessment under the AML/CTF Act.
Under the Exposure Draft AML/CTF Rules released by AUSTRAC, it is proposed that VASPs involved in virtual asset transfers are required to include certain details of their compliance arrangements in relation to virtual asset transfers within their Risk Assessment.
Planning for compliance
New VASPs
Any new VASPs that become a VASP as a result of the broader definition of ‘virtual asset’ or being a provider of a one of the new digital assets related designated service will need to enrol with AUSTRAC and implement a comprehensive AML/CTF compliance framework.
Such an AML/CTF compliance framework must include:
- Preparing a Risk Assessment, AML/CTF Program and associated AML/CTF policies and procedures
- Conducting initial and ongoing customer due diligence on customers of the designed service
- Value transfer chain information collection and reporting
- Transaction monitoring and making reports to AUSTRAC
- Annual AUSTRAC compliance reports
Existing reporting entities that are VASPs
Existing reporting entities (eg crypto exchanges) that operate in the virtual asset sector must first assess whether they are impacted by any changes such as the broad definition of ‘virtual asset’, new digital asset designated services or value transfer rules and reporting.
In addition to uplifting and expanding initial and ongoing customer due diligence to more services, it is expected that entities will also review their transaction monitoring systems to support compliance with AUSTRAC’s reporting obligations.
Increased importance of blockchain analysis for both new and existing reporting entities that are VASPs
Blockchain analysis will play a significant role in detecting and mitigating money-laundering, terrorism financing (ML/TF) and proliferation risks (if relevant) in the context of virtual asset related services.
Reporting entities are subject to the various reporting requirements under the AML/CTF Act, these include:
- Reporting of suspicious matters
- Reporting of threshold transaction
- Reporting of international value transfer services
- Reporting of transfers of value involving unverified self-hosted virtual asset wallets
There is no simple way to tell if the cryptocurrency belongs to a specific person. However, blockchain ledgers, such as for Bitcoin and Ethereum, are transparent, which gives crypto providers ways to track funds flow, monitor transactions, and detect and prevent illegal activity. For example, the FATF has been providing advice for some time in relation to managing cryptocurrency anti-money laundering risks (https://www.fatf-gafi.org/en/topics/virtual-assets.html).
Key elements of implementing a best practice blockchain analysis include:
- (A know your transaction process) implementing a ‘know your transaction’ process as part of a broader customer due diligence (KYC) process on the blockchain to monitor online transaction data to detect and prevent financial crimes, including money laundering and financing of sanctioned entities and organisations. A broader KYC process includes verifying a customer’s identity and carrying out due diligence throughout the customer lifecycle. Blockchains are auditable and permanent so crypto providers can track the flow of funds in a transaction, as well as the entire history of coins and funds.
- (High-risk transaction and exchange analysis) implementing blockchain analytics tools to automatically flag issues such as transactions and coins linked to high-risk exchanges, dark web markets, and gambling, and real-time transaction monitoring and outlier detection including use of analytics supported by machine learning models.
- (Centralised exchange analysis) catering for the fact that there is no simple way to tell if cryptocurrency belongs to a specific person. That said, most crypto payments are made from wallets on centralised exchanges, and most large exchanges require that customers complete some sort of KYC process. In addition to industry-specific solutions, many regulators worldwide also follow the guidance issued by FATF to help track transactions and counterparties, which can help crypto providers track transactions across jurisdictions.
- (Use of ‘closed loop payments’) forcing ‘closed loop payments’ where possible, which involves forcing transactions to be made from and to customers in a way that is already monitored by the crypto provider, such as by using a shared wallet managed by the crypto provider.
Next steps
- Start preparing: While there is some time before these changes takes effect in 2026, providers should start to consider their compliance arrangement as implementation may take some time.
- Participate in the consultations on the AML/CTF Rules: We note that many aspects of the new AML/CTF regime will need to be clarified by the rules. AUSTRAC has released the first of its Exposure Draft AML/CTF Rules on 11 December 2024, with submissions due on 14 February 2025. Key aspects of the details included in this exposure draft include:
- requirements in relation to AML/CTF policies;
- details of certain matters to be established in initial customer due diligence and exemptions from aspects of the requirement to conduct initial customer due diligence; and
- details on the information required to be passed on and monitored for the purpose of the ‘travel rule’.
AUSTRAC is expected to release a second exposure draft in 2025 which will include further details on the following:
- any amendments following the first consultation;
- details of the contents required for suspicious matter reports; and
- current rules-based exemptions subject to consequential amendments.
If you have any queries or need any assistance in relation to the AML/CTF Compliance or submissions to the AML/CTF rules consultation, please contact a member of our team.
This article was written by Mizu Ardra, Partner, Iain McLaren, Special Counsel, Chenjie Ma, Senior Associate and Jordan Donaldson, Solicitor.