VASP Compliance Under AUSTRAC Tranche 2: A 2026 Operator’s Guide to AML/CTF Obligations
- 01 What is AUSTRAC Tranche 2?
- 02 Which businesses are affected by Tranche 2 reforms?
- 03 When does AUSTRAC Tranche 2 come into effect?
- 04 What VASPs Must Do Under the AML/CTF Act 2024
- 05 The Compliance Gaps Most VASPs Discover Late
- 06 Building a Tranche-2-Ready VASP Compliance Stack with Shufti
- 07 Get Your VASP Compliance Stack Ready for Tranche 2
If you run a Virtual Asset Service Provider (VASP) in Australia, the regulatory ground has just shifted under your feet. The AUSTRAC Tranche 2 reforms expanded Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime to cover a wider universe of businesses, and the obligations on crypto-asset platforms were overhauled at the same time. The 31 March 2026 commencement date is now behind us, enrollment windows are open, and full enforcement is approaching.
This guide is written for compliance leads, founders, and operations heads at Australian-licensed digital currency exchanges and broader VASPs. We unpack what Tranche 2 actually changes, who is in scope, what the AML/CTF Act 2024 requires day to day, and where most VASPs are quietly underprepared for the standard of VASP AML compliance Australia is now expecting.
What is AUSTRAC Tranche 2?
AUSTRAC Tranche 2 is shorthand for the second phase of Australia’s AML/CTF reform program. The reforms extend the federal AML/CTF regime to a much wider population of businesses and modernise the obligations placed on existing reporting entities, including VASPs.
For context, Tranche 1 was the original 2006 framework that brought banks, financial services providers, and gambling operators into the AUSTRAC perimeter. Tranche 2 was always intended to follow, pulling in the higher-risk professions that FATF mutual evaluations had repeatedly flagged as gaps in Australia’s regime. After two decades of consultation papers and false starts, the legislation finally cleared parliament in 2024 and commenced in 2026.
The package was enacted through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which received Royal Assent in late 2024. The Act amends the original AML/CTF Act 2006 in three ways. It brings designated non-financial businesses and professions (DNFBPs) into scope for the first time. It overhauls the AML/CTF Program rules so they are outcomes-based rather than prescriptive. And it tightens the controls applied to virtual asset activity, harmonising Australian rules with Financial Action Task Force (FATF) Recommendation 15 on virtual assets.
For VASPs, the practical effect is that the digital currency exchange (DCE) registration regime that has existed since 2018 has been broadened. The definition of regulated activity now captures a wider set of crypto services, the AML/CTF Program structure has changed, and reporting and recordkeeping expectations have been updated to align with international standards.
The shift from prescriptive to outcomes-based programs is the single largest practical change. Under the previous regime, AUSTRAC published Rules that mapped to specific control activities. Under the new framework, the obligation is to achieve a defined outcome (for example, an AML/CTF Program that genuinely reflects current ML/TF risk), and the regulator assesses whether the controls in place actually deliver that outcome. For VASPs that have historically passed audits with binder-thick policies and thin controls, this is a different supervisory model.
Which businesses are affected by Tranche 2 reforms?
Tranche 2 affects two distinct populations. The first is the existing reporting entity base, which now operates under a refreshed rulebook. The second is the new DNFBP cohort, which has been pulled into the AML/CTF regime for the first time.
Existing reporting entities (re-scoped, not newly added)
These businesses were already regulated and remain so, but the obligations have changed.
- Banks, credit unions, and other deposit-taking institutions
- Remittance service providers
- Gambling and bookmaking operators
- Bullion dealers
- Digital currency exchange (DCE) providers and the broader VASP cohort
New entities pulled in under Tranche 2 (DNFBPs)
These professions are now in scope and must enroll with AUSTRAC.
- Lawyers, conveyancers, and legal services providers offering specified services
- Accountants and tax practitioners offering specified services
- Trust and company service providers (TCSPs)
- Real estate professionals involved in property transfers
- Dealers in precious metals and precious stones above defined thresholds
How VASPs are treated
VASPs are not new to AUSTRAC. Australia has registered DCEs since 2018. What Tranche 2 changes is the definitional perimeter and the operational expectations. The AML/CTF Act 2024 expands the definition of digital currency to capture a broader set of crypto-asset products, brings additional service categories into scope (for example, custody and transfer services that previously sat in a regulatory grey zone), and aligns recordkeeping with the FATF Travel Rule.
If your business holds, transfers, exchanges, or provides custody of crypto assets for Australian customers, assume you are in scope. AUSTRAC has been explicit in its reform guidance that activity-based scoping is the test, not corporate form. An offshore-registered exchange marketing to Australian residents may still trigger AUSTRAC’s jurisdictional reach, and a domestic platform that has launched custody or staking products since 2023 should not assume its 2018-era DCE registration still describes the regulated activity it is now performing.
When does AUSTRAC Tranche 2 come into effect?
Tranche 2 commenced on 31 March 2026. The implementation has been phased so that affected businesses can enrol, finalise their AML/CTF Programs, and stand up controls before full enforcement begins.
The headline dates compliance teams should track:
- 31 March 2026. Core Tranche 2 provisions commenced. New DNFBP enrollment window opened. Updated VASP obligations took effect.
- 1 July 2026. End of the soft-enforcement transition period for new DNFBPs. Full obligation set applies.
- Throughout 2026. Sector-specific guidance, rules instruments, and AUSTRAC operational updates continue to roll out.
For VASPs that were already registered as DCEs, there is no separate enrollment trigger. The expanded obligations apply directly under the new framework. However, if your business has expanded into custody, staking-as-a-service, or cross-border transfer activity since your original registration, you should reassess whether your registration scope still matches your current activity and update AUSTRAC accordingly.
AUSTRAC’s enforcement powers under the AML/CTF Act now include civil penalty proceedings, infringement notices, and enforceable undertakings, which means operational gaps surfaced after 1 July 2026 will not be treated as good-faith teething problems.
The regulator’s track record over the last five years (large-bank settlements running into hundreds of millions of dollars, gambling-sector enforceable undertakings, and a consistent willingness to litigate) is a relevant signal. The reform period is not a quiet enforcement window. It is a transition that hands the regulator new tools and an explicit timeline.
[Infographic: AUSTRAC Tranche 2 implementation timeline showing 31 March 2026 commencement, 1 July 2026 full enforcement, and key VASP and DNFBP milestones across 2026]
What VASPs Must Do Under the AML/CTF Act 2024
The expanded AUSTRAC CTF obligations on VASPs under Tranche 2 organise around six operational pillars. Each is enforceable, each is auditable, and each is now phrased as an outcome rather than a checkbox.
Enrol or update registration with AUSTRAC
If you operate as a DCE or any newly in-scope VASP activity, your AUSTRAC registration must reflect your current business model. The registration questionnaire was updated alongside the reforms, and existing registrants should review their answers against current operations rather than assume historical filings still cover them.
New entrants must enrol before commencing regulated activity, and AUSTRAC has flagged that operating prior to confirmation of registration is itself a contravention. Where corporate structure has changed since the original filing (group reorganisation, acquisition, or new licensed entity), a fresh registration is typically required rather than an amendment.
Maintain a current, board-approved AML/CTF Program
The AML/CTF Program is no longer a static document drafted at registration and refreshed annually. Under the AML/CTF Act 2024, your program must reflect a current money laundering / terrorism financing (ML/TF) risk assessment, identify the specific controls used to mitigate those risks, and demonstrate board oversight.
Programs are expected to be living artefacts that evolve with your product and customer base. The board oversight test is not symbolic. Minutes must show that the program has been reviewed at the directors’ level, that material risk changes have been escalated, and that the AML/CTF Compliance Officer has direct reporting access to the board. AUSTRAC has been clear that “rubber stamp” approval is not enough, and that supervisors will read board papers as part of any review.
Apply Customer Due Diligence and ongoing CDD
Customer identification at onboarding is the visible part of Customer Due Diligence (CDD), but the reform agenda has put more weight on ongoing CDD. That means continuous monitoring of customer risk indicators after the initial onboarding event, scheduled re-verification of higher-risk customers, and trigger-based reviews when customer behaviour changes materially.
For VASPs, “material change” includes large transaction volume shifts, exposure to high-risk jurisdictions, counterparty patterns that suggest layering, and any structural change to the customer’s business profile (a retail account that begins behaving like a corporate treasury, for example). Enhanced CDD is mandatory for higher-risk customer segments, and the reform places clearer emphasis on source-of-wealth and source-of-funds evidencing for crypto customers above defined thresholds.
Screen against sanctions, PEPs, and adverse media
Screening obligations now extend across the customer lifecycle. AUSTRAC has signalled that one-off sanctions checks at onboarding are not sufficient. Reporting entities are expected to screen against current sanctions lists at the point of transaction where risk warrants and to maintain ongoing monitoring for politically exposed persons (PEPs) and adverse media exposure throughout the relationship.
Adverse media is the least understood obligation in practice. The expectation is not a passive Google search performed at onboarding, but a structured, periodic check against curated news sources, calibrated to the customer’s risk profile. Hits must be reviewed, dispositioned, and recorded with reasoning. A “no result” outcome is itself an outcome that must be documented if the regulator later asks how a customer’s adverse media exposure was monitored over time.
Monitor transactions and report suspicious matters
VASPs must implement transaction monitoring scenarios calibrated to crypto-specific typologies, including mixer exposure, peel chains, structuring across wallets, and unhosted-wallet transfers above the Travel Rule threshold. The Travel Rule itself requires originator and beneficiary information to travel with virtual asset transfers above the AUD 1,000 threshold, including transfers to and from unhosted wallets where the VASP has visibility.
Suspicious Matter Reports (SMRs) are due within three business days where the matter relates to terrorism financing, and within 24 hours where it relates to physical currency transactions over the threshold. Threshold Transaction Reports (TTRs) for cash equivalents above AUD 10,000 remain in force, and the supervisor reads SMR filing volume as a proxy for monitoring effectiveness during reviews.
Keep records that survive a regulator review
Recordkeeping is the obligation that gets quietly under-scoped. Under the updated regime, transaction records, customer identification records, AML/CTF Program documents, and audit-trail data must be retained for seven years.
AUSTRAC has reinforced its position that records must be reproducible on request and presented in a format that supports forensic reconstruction. The practical bar is whether you could, within a regulator’s deadline, hand over a complete reconstruction of how a specific customer was onboarded, what screening hits were triggered, what risk decisions were made, who authorised them, and how the customer’s behaviour was monitored across the lifecycle.
If that workflow involves stitching together exports from multiple systems and emailing CSVs back and forth, the recordkeeping standard is not being met.
[Infographic: Six VASP compliance pillars under AUSTRAC Tranche 2: registration, AML/CTF Program, customer due diligence, sanctions screening, transaction monitoring, and recordkeeping]
The Compliance Gaps Most VASPs Discover Late
After a few audit cycles, the same handful of gaps tend to show up across VASP compliance reviews. None of them are exotic. All of them are addressable. They are worth flagging now, while remediation is cheaper than enforcement.
Business Scope Ambiguity
Scope drift comes up first. A VASP that registered in 2019 as a spot exchange may have added staking, custody, or fiat off-ramps since then without updating its AUSTRAC profile. Tranche 2 makes activity-based scoping explicit, and the regulator now expects registrants to own that mapping themselves rather than waiting for a supervisor to flag it.
Outdated Risk Assessment
Stale risk assessments follow close behind. The AML/CTF Program must reflect the actual risk surface, not the surface that existed when the company was Series A. New product lines, new geographic markets, new payment rails, and new customer segments should each trigger a risk reassessment, but most VASPs rely on annual reviews and miss the inter-cycle changes.
Lack of Ongoing Screening
A more common one is screening that stops at onboarding. Day-zero screening alone does not satisfy the ongoing CDD expectation. A customer who clears onboarding in March may appear on a sanctions list in October, and without continuous screening, the gap between event and detection is the regulator’s problem to find and yours to explain.
Outdated Transaction Monitoring
Transaction monitoring built for fiat shows up next. Generic AML transaction monitoring scenarios do not catch crypto-native typologies. If your monitoring rule library was inherited from a banking platform, it is almost certainly under-detecting on mixer exposure, peel chains, and high-risk counterparty wallets.
Fragmented Audit Trail
Then there is the audit trail that lives across different systems. When AUSTRAC requests evidence, the answer “we have it across three SaaS tools” is the wrong answer. A unified audit trail across identity, screening, monitoring, and case management is what good looks like. Anything less means a reconciliation exercise under deadline pressure, with the regulator watching.
Staff Training and Awareness Gap
Training and awareness is another quiet failure point. The AML/CTF Program rules require staff training that is current, role-relevant, and verifiable. Most VASPs train at induction and skip the lifecycle refresh, which surfaces during AUSTRAC reviews when the regulator asks for the most recent training records of named compliance staff and finds material from two years earlier.
Vendor & Partner Risk
The last gap worth flagging is fourth-party exposure. Many VASPs use embedded onboarding partners, white-label custody providers, or liquidity venues that perform CDD as a delegated service. Under Tranche 2, the regulated entity remains responsible for that CDD even when it is operationally outsourced. If your provider’s evidence pack does not let you reproduce the original verification on demand, the gap is yours, not theirs.
The same logic applies to data-residency choices. Australian customer data held in offshore systems is not automatically out of compliance, but the AML/CTF Program must explicitly address the data flow, the privacy implications under the Privacy Act, and the supervisor’s right to access records on request.
It is worth restating, because compliance teams sometimes miss this in the rush to enrol: Tranche 2 is not a single deadline. It is a continuous expectation that the program, the controls, the screening cascade, the monitoring scenarios, and the audit trail all stay current as the business evolves. The reform pushes Australian AML/CTF closer to the FATF model of “effective implementation,” and AUSTRAC will assess effectiveness rather than the existence of a policy document.
Building a Tranche-2-Ready VASP Compliance Stack with Shufti
Closing those gaps is operational work, and it is what Shufti’s compliance platform was built for. The product set was designed around the reality that VASPs need identity, screening, monitoring, and audit evidence to land in one place rather than across stitched-together vendors.
KYC verification handles the onboarding side. Document verification covering 230+ countries, biometric face matching with Level 3 iBeta-certified liveness, and configurable journeys mean Australian onboarding requirements can be met without rebuilding flows when AUSTRAC updates its expectations. For corporate customers and partner exchanges, Know Your Business handles ultimate beneficial owner mapping and corporate structure verification at the same standard.
AML Screening covers the ongoing-monitoring obligation. Customers are checked against 3,500+ global watchlists, 2.6 million PEP profiles, 215+ sanction regimes, and 50,000+ adverse media sources, with data refreshed every 15 minutes. Risk categories are configurable so the screening cascade can be tuned to crypto-specific typologies rather than forcing a generic banking template. Continuous monitoring runs after onboarding, surfacing watchlist changes, sanction list updates, and adverse media events for customers already in the book.
Transaction Screening sits next to the screening layer for the payment-flow side. It allows monitoring scenarios calibrated to crypto patterns and pairs with User Risk Assessment so that an SMR-worthy transaction can be traced back to its identity, screening history, and behavioural risk score in one audit trail. Workflows are configured through a no-code journey builder, which means the compliance team can adjust step ordering, evidence captures, and risk-rule branching without engineering effort each time AUSTRAC clarifies an expectation.
The platform is deployable as cloud, on-premises (for VASPs operating in zero-trust environments), or hybrid. It carries SOC 2, ISO 27001, GDPR, and PCI DSS certifications, processes 280M+ identity checks annually, and was named a DHS RIVR 2025 Top Performer for biometric accuracy. For Australian VASPs working through Tranche 2, that translates into a single platform that can stand up the controls AUSTRAC now expects, with the audit-trail evidence that makes a regulator review survivable.
Get Your VASP Compliance Stack Ready for Tranche 2
If you are stress-testing your AML/CTF Program against the updated AUSTRAC obligations, identity, screening, monitoring, and audit evidence are the four surfaces that need to be tight. Shufti can help you stand up that control set without stitching together five vendors. Request a demo to see how the platform handles VASP onboarding, ongoing screening, and transaction monitoring under one audit trail.
Frequently Asked Questions
Q: What does AUSTRAC Tranche 2 cover?
Tranche 2 extends Australia's AML/CTF regime to designated non-financial businesses and professions (lawyers, accountants, real estate professionals, TCSPs, precious metal dealers) and updates obligations on existing reporting entities, including VASPs. It commenced 31 March 2026.
Q: Do crypto platforms need to register under Tranche 2?
Yes. Crypto platforms that hold, exchange, transfer, or provide custody of crypto assets for Australian customers must be registered with AUSTRAC. Existing DCE registrants must confirm their registration scope still matches current activity under the broadened definitions.
Q: What specific AML/CFT obligations do VASPs face under AUSTRAC Tranche 2 reforms?
VASPs must maintain an AUSTRAC registration, run a board-approved AML/CTF Program, conduct ongoing CDD, screen against sanctions and PEP lists, monitor transactions for crypto-specific typologies, file Suspicious Matter Reports, and keep seven-year records reproducible on regulator request.
Q: How much time do VASPs have to comply with AUSTRAC Tranche 2 requirements before enforcement begins?
Core obligations took effect 31 March 2026. The soft-enforcement transition window for newly in-scope DNFBPs runs until 1 July 2026. VASPs already operating under DCE registration are expected to comply immediately under the updated framework.
