Australia is overhauling its AML/CTF framework to fully align with the FATF’s standards by introducing broader obligations for virtual asset service providers (VASPs) under the revised definition of “virtual assets.”
The regime expands regulated services (including wallet custody, virtual asset transfers, and exchange services) and enforces Travel Rule compliance via a new “value transfer chain” concept. Stronger registration, governance, and independent compliance evaluations are required.
Implementation starts from March 2026 for existing VASPs and July 2026 for newly covered entities. VASPs must prepare for increased reporting, interoperability, and cross-border data-sharing obligations.
What is the scope of the Travel Rule in Australia?
The Australian Travel Rule applies to all reporting entities providing “designated services”. In other words, all originator and beneficiary institutions involved in the services explained below must comply with the Travel Rule.
An originator institution is any person who, in the course of business, accepts an instruction for a transfer of value on behalf of a payer (originator). This includes when the person:
Receives value directly from the originator;
Holds the value in an account or virtual asset wallet;
Is authorised to transfer value from a third-party deposit-taker or credit provider;
Arranges a transfer under an offsetting arrangement with a beneficiary institution.
A beneficiary institution is any person who, in the course of business, makes the transferred value available to a payee (beneficiary). This can happen when the person:
Provides the value directly, or through an agent;
Deposits it into an account or virtual asset wallet;
Holds it on deposit;
Deposits it with a third-party deposit-taker or credit provider;
Arranges availability under an offsetting arrangement with the ordering institution.
[Part 8. Division 1. 8-1 & 8-2]
Who is the supervisory body for VASPs in Australia?
The Australian Transaction Reports and Analysis Centre (AUSTRAC)
What is the Travel Rule threshold in Australia?
AUD 1000 for VASP-to-VASP transactions*.
AUD 10,000 for transactions between self-hosted wallets and VASPs*.
*At the time of print, the above stipulated thresholds were accurate, but are subject to change.
Obligations of originator virtual asset service providers
For transactions between VASPs, equivalent to or over AUD 1000, originator VASPs must collect and submit the following data to the intermediary or counterparty VASP before or alongside each crypto transaction.
originator’s full name (if a legal entity, a unique identifier* must be provided),
originator’s date of birth,
originator’s full business or residential address (post box is not acceptable),
beneficiary's name,
beneficiary’s town and country of residence (if a legal entity, the town and country of business operations and any unique identifier* must be provided).
Moreover, the originator VASP must verify the originator’s data before submission and is responsible for sharing tracing information with its counterparty. Tracing information refers to details that enable the originator and the beneficiary to identify the accounts involved in the transaction.
Depending on the type of transfer, this could be a unique transaction reference number, a destination tag, or a wallet address in the case of self-hosted wallets.
[Part 8. Division 2. 8-6 (1)(2)]
*A unique identifier includes:
“(a) a unique identifier given to the person by an Australian government body (other than the person’s tax file number within the meaning of section 202A of the Income Tax Assessment Act 1936); or
(b) a unique identifier given to the person by a government body of a foreign country (together with information identifying the body); or
(c) a legal entity identifier given to the person by an organisation accredited by the Global Legal Entity Identifier Foundation (together with information identifying the organisation); or
(d) a connected business identifier code given to the person by the Society for Worldwide Interbank Financial Telecommunication.”
All data stated above must be collected and, when required, verified, in accordance with the AML/CTF Act and the VASP’s AML/CTF program.
Irrespective of transaction value, the originator VASP must:
identify the counterparty VASP,
conduct due diligence to ensure the counterparty VASP can safeguard and transmit information and is not a sanctioned entity,
complete these checks before the transaction is executed.
If the counterparty VASP cannot meet these requirements, the originator VASP must not proceed with the transfer.
Obligations of beneficiary virtual asset service providers
The beneficiary VASP must comply with AML/CTF Act requirements for verifying the beneficiary’s identity and must implement an AML/CTF program.
For inbound transfers, the beneficiary VASP must monitor that it has received the originator’s information, the beneficiary’s full name and tracing information.
The beneficiary VASP must also take reasonable measures, such as real-time or post-event monitoring, to detect transfers that lack the required information.
In addition, it must develop a risk-based policy, documented in its AML/CTF program, that determines when to execute, reject, or suspend a transfer that lacks the required information and the follow-up action to be taken in each such case.
Obligations of intermediary virtual asset service providers
Where an intermediary VASP is used, it must ensure that all required originator, beneficiary, and tracing information accompanies the transaction and pass it on to its counterparty.
Like beneficiary VASPs, intermediaries must develop a risk-based policy, documented in their AML/CTF program, which determines:
when to execute, reject, or suspend a cross-border crypto transfer that lacks the required information, and
what follow-up actions will be taken in each case.
Does Australia’s Travel Rule apply to self-hosted wallets?
The Australian Travel Rule applies to self-hosted wallet transactions if at least one regulated entity is involved.
Obligations of originator virtual asset service providers
In cases involving self-hosted wallets, the originator VASP’s policies must specify how it will identify the beneficiary and what steps will be taken to verify the person controlling the wallet.
These policies must set out how it will manage and mitigate ML/TF risks when transferring a virtual asset to a wallet controlled either by an unverified beneficiary or by a person not required to be licensed or registered under a law giving effect to the FATF Recommendations. [Part 5. Division 7. 5-17 (6)(c)(d)]
Additionally, originator VASPs must collect and verify the originator’s information and collect the beneficiary’s full names, but are not required to pass on any details to their counterparty. [Part 8. Division 2. 8.3]
Obligations of beneficiary virtual asset service providers
Beneficiary VASPs must implement policies that describe how it will identify the originator and any steps that will be taken to verify the person controlling the wallet.
Morover, the policies must specify how the beneficiary will manage and mitigate ML/TF risk where the wallet is controlled by an unverified originator, by a person not required to be licensed or registered under a law giving effect to the FATF Recommendations, or by a licensed or registered person in circumstances where the ordering or intermediary institution cannot securely pass on the required information. [Part 5. Division 7. 5-18 (3)(c)(d)]
Lastly, beneficiary VASPs must monitor the receipt of the originator’s information, the beneficiary’s full name, and tracing information [Part 8. Division 2. 8.4]
Obligations of intermediary virtual asset service providers
Intermediary institutions must take responsible steps to monitor the receipt of the originator’s information, the beneficiary’s full name, and tracing information. The intermediary is responsible for passing on this information to its counterparty. [Part 8. Division 2. 8.5]
How to comply with and meet Australia’s AML requirements
Obligations of originator virtual asset service providers
For paragraph 26F(3)(e) of the Act, a reporting (originator) VASP's AML/CTF policies must address specific requirements when the designated service relates to the transfer of a virtual asset.
These policies must outline how the originator will undertake due diligence to determine, in line with subsection 66A(2) of the Act, whether the destination wallet is custodial or self-hosted, and, if custodial, whether the controlling person is required to be licensed or registered under a law that gives effect to the FATF Recommendations and, if so, whether they hold such a licence or registration.
Where the wallet controller is licensed, registered, or otherwise not required to be, the policies must explain how the originator will assess whether the beneficiary institution is capable of securely receiving the information that must be passed on under subsection 64(3) of the Act and safeguarding its confidentiality.
Obligations of beneficiary virtual asset service providers
A reporting (beneficiary) entity's AML/CTF policies must also address specific requirements when the designated service involves the transfer of a virtual asset.
These policies must explain how the they will conduct due diligence, for subsection 66A(2) of the Act, to determine whether the wallet from which the virtual asset is being transferred is custodial or self-hosted and, if custodial, whether the person controlling the wallet is required to be licensed or registered under a law that gives effect to the FATF Recommendations and, if so, whether such licensing or registration is in place.
Where the wallet controller is licensed, registered, or not required to be, the policies must set out how the beneficiary will determine whether the originator and any intermediary institution are capable of securely passing on the information specified in section 8-4 of this instrument relating to the transfer of value.
Finally, the policies must specify how the beneficiary will manage and mitigate ML/TF risk where the originator or intermediary institution cannot securely pass on the required information.
Become Travel Rule Compliant with 21 Analytics
When do you need to comply with the Travel Rule in Australia?
Already regulated businesses must comply with the Act and Rules by 31 March 2026.
New reporting entities must comply by 1 July 2026, though they may begin enrolling with AUSTRAC on 31 March 2026.
Which regulations are applicable to the Travel Rule in Australia?
Anti‑Money Laundering and Counter‑Terrorism Financing Rules 2025
Anti-Money Laundering and Counter-Terrorism Financing Act 2006
