AUSTRAC Tranche 2 Reforms: AML/CFT Compliance Guide for VASPs

Australia is implementing the most significant transformation of its AML/CTF framework since it passed its original Anti-Money Laundering and Counter-Terrorism Financing Act in 2006. This act imposed AML/CTF compliance obligations—including identification, verification, reporting, and record-keeping—on “Tranche 1” companies, so named because they were affected by these new obligations first. These are companies operating in industries seen as vulnerable to money laundering and the financing of terrorism, with Tranche 1 entities including banks, casinos, and digital currency exchanges.

In 2015, however, the Financial Action Task Force (FATF) criticized AUSTRAC’s omission of so-called “Tranche 2” companies—those which may act as “gatekeepers” for money laundering or the financing of terrorism. To address this gap, Australia is now expanding AML/CFT coverage to additional “Tranche 2” designated services (for example, lawyers, accountants, real estate professionals and dealers in precious metals and stones), with estimates indicating approximately  90,000 more reporting entities will come into scope, while at the same time updating the regime for virtual asset service providers (VASPs). 

While digital currency exchanges have operated under Tranche 1 AUSTRAC oversight in Australia since 2018, the Tranche 2 AML reforms substantially broaden this scope to include crypto-to-crypto exchanges, custodial wallet services, virtual asset transfers, and related financial services. 

With Tranche 2 enrollment for AUSTRAC registration opening March 31, 2026, and obligations commencing July 1, 2026, VASPs must act now to ensure VASP compliance with the expanded regulatory framework. This guide examines the practical compliance requirements, key implementation dates, and strategic approaches VASPs need to successfully navigate Australia’s changing AML/CTF landscape.

What is AUSTRAC Tranche 2?

AUSTRAC Tranche 2 refers to the second phase of Australia’s AML/CTF reform program enacted through the AML/CTF Amendment Act 2024. The Tranche 2 AML reforms expand existing regulatory obligations in Australia by: 

• Extending AML/CTF obligations to certain designated services typically provided by non‑financial businesses and professions (“tranche 2 entities”), such as lawyers, conveyancers, accountants, real‑estate professionals, trust and company service providers, and dealers in precious metals and stones.
• Expanding and clarifying the scope of regulated virtual asset services, including by replacing the former “digital currency” concept with a broader “virtual asset” definition in the AML/CTF Act. Further aligning Australia’s framework with FATF standards and addressing long‑standing recommendations relating to designated non‑financial businesses and professions (DNFBPs).

The AML/CTF reforms address the gaps the FATF identified in Australia’s 2015 mutual evaluation, where FATF noted that the absence of AML/CTF obligations for many DNFBPs created material money‑laundering and terrorism‑financing risks. 

What exactly is AUSTRAC? Let’s discuss in the following section.

Regulators: AUSTRAC and ASIC roles

Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s national financial intelligence unit and primary AML/CTF regulator. It administers and enforces the AML/CTF Act and Rules, registers and supervises reporting entities (including tranche 2 entities from 1 July 2026), receives and analyses reports, and can take enforcement action for non‑compliance. It supervises compliance with the AML/CTF Act, registers reporting entities, receives reports and filings, and issues enforcement actions.

What is ASIC responsible for?

The Australian Securities and Investments Commission (ASIC) is the regulator responsible for financial services and markets, overseeing how firms conduct themselves and how markets operate. When virtual assets constitute financial products under the Corporations Act, ASIC requires an Australian Financial Services License (AFSL).

As a result, some virtual asset and fintech business models can be subject to both regimes at the same time: AUSTRAC oversight because they provide designated services under AML/CTF law, and ASIC oversight because they issue or deal in financial products that require an AFSL.

Tranche 1 vs Tranche 2: Explained

The original AML/CTF Act 2006 placed obligations on regulated banks, casinos, remitters, and gambling services. In 2018, digital currency exchanges were included through regulatory interpretation. These so-called “Tranche 1” entities are required to implement AML/CTF programs, conduct customer due diligence, and report suspicious activity.

The Anti‑Money Laundering and Counter‑Terrorism Financing Amendment Act 2024 expands the regime so that equivalent AML/CTF obligations apply to specified “Tranche 2” entities, including:

• Accountants
• Lawyers providing designated high-risk services
• Real estate agents
• Trust and company service providers
• Dealers in precious metals, stones, and products

Tranche 1 focuses on financial intermediaries like banks and cash-intensive businesses like casinos, while Tranche 2 recognizes that professional service providers can facilitate money laundering without directly handling fiat currency. By regulating these “gatekeeper” professions, Australia hopes to have more comprehensive defenses against money laundering.

For virtual asset service providers (VASPs), the reforms broaden the existing regime beyond fiat–crypto exchange to also capture services such as crypto-to-crypto exchanges, custodial wallet services, virtual asset transfer services, and participation in virtual asset issuance, ensuring regulatory coverage across a spectrum of digital asset activities.

Key dates and timeline

AUSTRAC’s Tranche 2 timeline for full implementation is as follows:

March 31, 2025: Tipping-off offenses come into effect, making it an offense to disclose certain types of information that may hinder an investigation. 

January 2026: Sector-specific guidance is released.

March 31, 2026: Enrollment opens for VASPs providing newly regulated virtual asset services. Existing reporting entities begin transitioning to updated CDD requirements under the AML/CTF reforms, with a three-year transition period to March 30, 2029. 

July 1, 2026: Full Tranche 2 compliance obligations commence for all Tranche 2 entities, including gatekeepers and VASPs providing newly regulated services; the travel rule for virtual asset transfers takes effect for newly regulated VASPs. 

July 29, 2026: Final enrollment and registration deadline for newly regulated entities (28 days after commencement of obligations). VASPs should complete AUSTRAC registration well before their intended service launch to avoid criminal penalties and operational disruptions.

These milestones mark the operationalization of the AML/CTF Amendment Act 2024 and define the Tranche 2 compliance roadmap for newly affected businesses.

Suggested read: AML/KYC Requirements in Australia (Complete Guide 2026)

Who is affected by the addition of Tranche 2?

The AUSTRAC Tranche 2 reforms impact two main groups: 

• Newly regulated Tranche 2 entities (i.e., “gatekeeper” professions). 
• Existing reporting entities with expanded obligations, including some VASPs.

Tranche 2 entities: Gatekeepers

From July 1, 2026, professional service providers facilitating high-risk financial transactions will become regulated as Tranche 2 entities in Australia.

According to AUSTRAC, these designated non-financial businesses and professions (DNFBPs), commonly referred to as “gatekeepers,” include:

• Lawyers
• Accountants 
• Real estate professionals, including real estate agents, buyer’s agents, and property developers
• Trust and company service providers 
• Conveyancers
• Dealers in precious metals, stones, and products

These DNFBP entities subject to AML compliance represent approximately 90,000 new reporting entities, making this expansion unprecedented in nearly two decades of Australian anti-money laundering regulatory practice.

Expanded VASP services under the reforms

What exactly is a VASP in Australia? 

Under the reformed act, a virtual asset service provider (VASP) is any business providing designated services involving virtual assets. AUSTRAC defines virtual assets as digital representations of value that may be transferred, stored, or traded electronically and that are not issued by or under the authority of a government body. 

This includes cryptocurrencies, stablecoins, non-fungible tokens, utility tokens, and governance tokens.

Previously, Australian AML obligations primarily applied to fiat-to-crypto exchanges. These reforms extend coverage to:

• Crypto-to-crypto exchanges
• Custodial wallet services
• Virtual asset transfer services
• Virtual asset issuance
• Certain virtual asset financial services

This broadens VASP compliance expectations and ensures that more digital asset activities fall under crypto AML compliance rules.

💡If your organization provides custody, facilitates token swaps, or transfers virtual assets between parties in Australia, you may now qualify as a regulated Tranche 2 entity.

Transitional rules for VASPs

For VASPs providing newly regulated virtual asset services, compliance obligations are deferred until July 1, 2026, aligning with AUSTRAC Tranche 2 commencement. Enrollment opens March 31, 2026, with a final deadline of July 29, 2026 (compliance obligations, however, must begin from July 1, 2026).

Existing Tranche 1 digital currency exchanges are subject to a three-year CDD transition period until March 30, 2029, allowing progressive updates to adapt to the new AML/CTF system without immediate reverification of entire customer bases. However, updated CDD standards apply immediately for all new customers from March 31, 2026.

❗The crypto Travel Rule implementation in Australia is expected to take effect on July 1, 2026. Earlier guidance and industry commentary referenced March 31, 2026, as the implementation date; however, that date actually marks the commencement of broader AML/CTF transitional requirements rather than the operational start of the Travel Rule itself. Under AUSTRAC’s transitional rules, the obligation for VASPs to collect, verify, and transmit originator and beneficiary information for virtual asset transfers has been deferred to July 1, 2026. This timing aligns with the broader commencement of Tranche 2 obligations under the AML/CTF reforms. While certain related requirements, such as aspects of ongoing customer due diligence, may begin from March 31, 2026, full Travel Rule compliance for VASPs becomes mandatory only from July 1, 2026.

Australia’s crypto landscape and reform drivers

Australia’s AML/CTF Tranche 2 reforms were not driven solely by cryptocurrency risks but by long-standing structural gaps in the country’s anti-money-laundering regime. Since the introduction of the Anti-Money Laundering and Counter-Terrorism Financing Act in 2006, designated non-financial businesses and professions (DNFBPs), including lawyers, accountants, and real estate gatekeepers, have remained largely outside the regulatory framework. Australia’s 2015 FATF Mutual Evaluation identified these omissions as major deficiencies and placed sustained pressure on the government to modernise the regime in alignment with international standards. The Attorney-General’s Department subsequently ran a multi-year reform program between 2021 and 2023 to address these weaknesses.

At the same time, high crypto adoption in Australia and several high-profile global exchange collapses—most notably the FTX fallout in 2022—reinforced concerns about consumer protection and market integrity, particularly for digital currency exchange providers. Debate over debanking crypto businesses also contributed to policy momentum, with the Treasury acknowledging that regulatory uncertainty contributed to banking access restrictions.

Accordingly, the reforms reflect a combination of FATF alignment pressure, long-standing DNFBP regulatory gaps, and emerging digital-asset risks rather than a response to any single event. High crypto adoption, FTX fallout, debanking issues, and FATF alignment pressure drove Australia to modernise its AML/CTF framework through the Amendment Act 2024, shaping the future of crypto regulation in Australia and anti-money laundering policy settings.

Suggested read: A Practical Guide to AML/CFT Compliance for VASPs under AUSTRAC

As a result, entities operating in or servicing the Australian virtual asset market must now transition from a largely registration-focused framework to a comprehensive AML/CTF compliance model, requiring formal risk assessments, customer due diligence procedures, reporting mechanisms, and Travel Rule readiness.

AML/CTF compliance for virtual asset services in Australia (AUSTRAC Tranche 2-aligned)

Under Australian law:
- The AML/CTF program is the mandatory regulatory document.
- The entity must then implement controls demonstrating the program operates effectively.

AUSTRAC supervises both the adequacy of the program and the effectiveness of its implementation.

Australia regulates virtual asset businesses primarily through the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), administered by AUSTRAC. From July 1, 2026, Tranche 2 reforms will expand the scope of regulated virtual asset services and modify reporting and monitoring obligations.

This section outlines how an entity prepares for compliance under the reformed regime.

1. Registration with AUSTRAC

Entities that provide designated virtual asset services must be enrolled and registered with AUSTRAC before offering those services in Australia.

Under the expanded regime, this requirement applies not only to existing digital currency exchanges but also to additional virtual-asset-related services captured by the amended designated services schedule.

Registration requires submission of core business information, including:

• services provided
• ownership and corporate structure
• key management personnel
• business contact details
• identifiers such as ABN or ACN (where applicable)
• jurisdiction of incorporation
• relevant criminal, civil, or regulatory history
  

Providing a designated service without registration may constitute a criminal offence. Existing registered digital currency exchanges must update their enrolment before commencing any newly regulated services.

2. Develop the AML/CTF program (the legal obligation)

Every reporting entity must maintain a documented AML/CTF program tailored to its business risks.

This is the central legal requirement of the Act.

The program must:

• identify money-laundering and terrorism-financing risks
• establish governance and accountability arrangements
• define customer identification procedures
• describe ongoing customer due diligence
• set out transaction monitoring processes
• establish reporting procedures
• provide staff training
• provide for independent review

The program must be risk-based and periodically reviewed as the business, products, and risk exposure change.

Governance and compliance oversight

The entity must appoint a designated compliance officer at a management level responsible for AML/CTF compliance and liaison with AUSTRAC. The officer must have sufficient authority, access to information, and organisational independence to perform this role effectively.

Enterprise-wide risk assessment

The AML/CTF program must be supported by a documented risk assessment considering:

• customer characteristics (including higher-risk customers)
• products and services offered
• delivery channels
• geographic exposure

For virtual asset businesses, this may include risks associated with rapid cross-border transfers, pseudonymous transactions, and exposure to high-risk counterparties.

The risk assessment determines when enhanced due diligence is required.

3. Implement the program (operational controls)

The AML/CTF program describes the controls; the entity must also implement operational processes to make those controls effective.

Entities must operate systems reasonably capable of:

• screening customers against sanctions lists
• monitoring transactions for unusual or suspicious activity
• identifying higher-risk relationships
• collecting and transmitting the required transfer information
• escalating and investigating alerts
  

AUSTRAC does not mandate specific technologies; systems may be automated or manual, provided they are proportionate to risk.

Many virtual asset providers use blockchain analysis tools to support monitoring obligations, but the legislation requires outcomes rather than particular software.

4. Customer Due Diligence

Before providing a designated service, the entity must carry out applicable customer identification procedures, or CDD. This generally includes verifying:

• Full name
• Date of birth
• Residential address (or registered office for companies)

For non-individual customers, beneficial ownership must also be established.

Ongoing due diligence must ensure customer activity is consistent with the entity’s knowledge of the customer.

Enhanced due diligence (EDD) is required in higher-risk situations, such as where:

• Customer is a politically exposed person
• Customer is linked to a high-risk jurisdiction
• Identity cannot be reliably verified
• Suspicious activity indicators arise

Enhanced measures may include obtaining additional identity information or source-of-funds information and senior management approval.

5. Reporting obligations

Reporting entities must submit reports to AUSTRAC within statutory timeframes.

Suspicious matter reports (SMR)

Submitted when the entity forms a suspicion relating to criminal activity or identity concerns:

• within 24 hours for terrorism-related matters
• within 3 business days for other suspicions

Suggested reads:
Suspicious Activity Reports (SARs): A Guide for Banking and AML Compliance
Suspicious Transaction Reports (STRs) in 2025: The Latest Guidance for Regulated Businesses

Threshold transaction reports (TTR)

Required for physical cash transactions of AUD 10,000 or more.

International value transfer reports (from 2026 reforms)

Tranche 2 replaces IFTI reporting with broader international value transfer service (IVTS) reporting covering transfers of money or virtual assets.

Compliance reporting

Entities must submit periodic compliance reports describing how they met their AML/CTF obligations.

6. Transfer information requirements (“travel rule”)

From the reformed framework, virtual asset service providers must collect and transmit originator and beneficiary information when transferring virtual assets to another regulated provider, consistent with FATF Recommendation 16, or the crypto Travel Rule.

Suggested read: Explore Travel Rule Implementation

7. Record-keeping

Records relating to customer identification, transactions, and the AML/CTF program must be retained for seven years and be retrievable for AUSTRAC inspection.

How to choose a verification partner for AUSTRAC Tranche 2 KYC compliance

For identity verification in crypto and other affected sectors, selecting the right partner is critical for AUSTRAC Tranche 2 KYC compliance. 

Look for partners with: 

• User-friendly KYC processes
• AI-driven transaction monitoring
• Regulatory experience in crypto know your customer (KYC) compliance
• Travel rule support
• Full-cycle verification platform capability covering the entire customer lifecycle from onboarding through ongoing monitoring and reporting 
• Established crypto client bases
• Demonstrated FATF guidance knowledge
• Familiarity with crypto-specific risks
  

The AUSTRAC Tranche 2 reforms represent a watershed moment for Australia’s virtual asset sector. With enrollment opening March 31, 2026, and obligations commencing July 1, 2026, VASPs must act to develop AML/CTF programs, implement compliance frameworks, integrate verification technologies, and train staff. 

Sumsub can help impacted VASPs meet the challenges of a changing virtual asset regulatory landscape as they contribute to building an ecosystem that positions the thriving Australian market as a hub for digital asset innovation.

Comply with the Crypto Travel Rule easily

Join 1,700+ VASPs in the Sumsub ecosystem.

Find out more

FAQ

• What is AUSTRAC Tranche 2?

  AUSTRAC Tranche 2 is the second phase of Australia’s AML/CTF reform, enacted through the AML/CTF Amendment Act 2024. It extends anti-money laundering obligations to approximately 90,000 new businesses, including lawyers, accountants, real estate agents, and dealers in precious metals. For VASPs, Tranche 2 AML reforms expand regulated services beyond fiat-to-crypto exchanges to include crypto-to-crypto platforms, custodial wallets, transfer services, and virtual asset issuance.

• What are Tranche 2 entities?

  Tranche 2 entities are businesses providing designated high-risk services subject to AML/CTF obligations from July 1, 2026, including legal professionals, accountants, real estate agents, trust and company service providers, and dealers in precious metals. VASPs providing newly regulated virtual asset services also fall within this category.

• What is AML/CTF compliance?

  AML/CTF compliance refers to the systems and controls businesses implement to detect and prevent money laundering and terrorism financing. In Australia, requirements include AUSTRAC enrollment, developing AML/CTF programs, conducting risk assessments, performing customer due diligence, implementing ongoing transaction monitoring, screening against sanctions and PEP lists, reporting suspicious matters, and retaining records for seven years.

• What is a VASP in crypto?

  A virtual asset service provider or VASP is any business providing designated services involving virtual assets, including exchanging virtual assets for fiat currency, exchanging between virtual assets, transferring virtual assets on behalf of customers, providing safekeeping or administration of virtual assets, providing custodial wallets, or participating in virtual asset issuance.

• When does the travel rule apply to crypto in Australia?

  The crypto travel rule applies on July 1, 2026, for all VASPs facilitating virtual asset transfers. VASPs must collect and transmit originator and beneficiary information for domestic and international virtual asset transfers regardless of transaction value, aligning with FATF Recommendation 16.