Arrow Icon
X Icon

Left arrow icon
Blog

Australia Crypto Regulation 2026: AML Reforms, ASIC Deadlines, and the New Licensing Framework

Solidus Labs

Key takeaways:

Australia's crypto regulation is changing on three separate tracks.As of 1 July 2026, the expanded AML/CTF regime is in force: newly regulated virtual asset service providers (VASPs), including crypto-to-crypto exchange and custody providers, must register with AUSTRAC by 29 July 2026, while already-registered providers face strengthened obligations and the FATF Travel Rule. Separately, firms providing financial services involving digital assets that are financial products under existing law must lodge an AFSL application by 30 September 2026, when ASIC's no-action position expires; unlicensed conduct carries penalties of up to 10% of annual turnover. Third, the Digital Assets Framework commences on 9 April 2027, introducing a new licensing regime for Digital Asset Platforms and Tokenised Custody Platforms. Across all three, regulators expect risk-based AML transaction monitoring and market surveillance. Solidus Labs provides both through its crypto-native HALO trade surveillance and transaction monitoring platform, used by exchanges, broker-dealers, trading firms and regulators globally.

Australia's crypto regulatory overhaul is no longer coming. It is here, and the clock is running on two fronts.

As of 1 July 2026, Australia's anti-money laundering and counter-terrorism financing (AML/CTF) reform is fully in force. It expands the range of virtual asset service providers subject to supervision by AUSTRAC, the Australian Transaction Reports and Analysis Centre, raises compliance obligations across the sector, and implements the Financial Action Task Force (FATF) Travel Rule with no exemptions for virtual asset transfers.

On the licensing front, for firms providing financial services involving digital assets that are financial products, the original 30 June deadline set by the Australian Securities and Investments Commission (ASIC) has passed. On 25 June, the regulator extended its no-action position to 30 September 2026. This is a 90-day reprieve, not an amnesty.

At the same time, the Corporations Amendment (Digital Assets Framework) Act 2026, which received Royal Assent on 8 April 2026, establishes Australia's first dedicated licensing framework for Digital Asset Platforms (DAPs) and Tokenised Custody Platforms (TCPs). The Australian Securities and Investments Commission (ASIC) is responsible for implementing the new regime through an 18-month transition period ahead of its commencement in April 2027

Taken together, this is Australia's most significant overhaul of crypto regulation since digital currency exchanges came under the AML/CTF regime in 2018.

AML/CTF reforms (live 1 July 2026) ASIC licensing framework (from 9 April 2027)
Expands the range of regulated VASPs Dedicated licensing regime for DAPs and TCPs
Strengthens AML/CTF obligations Greater legal certainty for digital asset activities
Implements the FATF Travel Rule Tailored conduct and operational requirements
Principles- and risk-based AML framework Market integrity and surveillance expectations
Supervised by AUSTRAC Supervised by ASIC

Australia's two regulatory pillars at a glance.


What are the key deadlines for Australia's new crypto regulations?

FOUR DATES. THREE REGIMES.

1 Jul 2026

AML/CTF regime and Travel Rule in force

29 Jul 2026

AUSTRAC registration closes for newly regulated VASPs

30 Sep 2026

ASIC's no-action position expires — AFSL application lodged

9 Apr 2027

DAF Act commences, DAP and TCP licensing opens

  • 1 July 2026: AML/CTF obligations commence for newly regulated virtual asset services. The Travel Rule applies to all virtual asset transfers. No small-transfer carve-out. No exemption.
  • 29 July 2026: Final deadline for newly regulated VASPs to enrol and register with AUSTRAC, and to notify AUSTRAC of their AML/CTF compliance officer.
  • 30 September 2026: ASIC's extended no-action position expires. Firms providing financial services involving digital assets that are financial products under existing law must lodge an AFSL application or variation by this date, or enter an authorised representative or intermediary authorisation arrangement with a licensee.
  • 9 April 2027: The DAF Act commences. ASIC begins accepting licence applications from DAP and TCP operators under the new framework, in line with its implementation roadmap.


Why did Australia reform its crypto regulatory framework?

Since April 2018, digital currency exchanges facilitating fiat-to-crypto transactions have been required to register with AUSTRAC and comply with Australia's AML/CTF regime. While this was an important first step, the framework applied to a relatively narrow category of businesses. At the same time, ASIC has consistently held that many crypto-assets and related services already constitute financial products under the Corporations Act 2001, a position the High Court reinforced in the Block Earner ruling. Businesses carrying on those activities may therefore already be required to hold an Australian Financial Services Licence (AFSL).

The result was a patchwork. Some firms answered to AUSTRAC, some to ASIC, some to both, and many to neither. The reforms close those gaps by expanding the regulatory perimeter, raising compliance obligations, and introducing a comprehensive licensing framework. They also land ahead of Australia's FATF mutual evaluation later this year, the first time the country's VASP framework will be assessed against international standards.

What do the new AML/CTF rules require from VASPs?

The AML/CTF reform replaces the much narrower concept of a digital currency exchange (DCE) with the broader concept of virtual asset service provider. This significantly expands the range of businesses captured by the AML/CTF regime, including crypto-to-crypto exchange providers, virtual asset custody providers and other designated virtual asset services.

The framework is also more demanding for firms that were already regulated. Australia has moved to a principles- and risk-based approach. Reporting entities must identify, assess, and mitigate the money laundering and terrorism financing risks associated with their products, services, customers, delivery channels, and jurisdictions, and demonstrate that their controls actually work. Firms should therefore review and update their AML/CTF programmes, enterprise-wide risk assessments and internal controls to ensure they remain proportionate to their risk profile.

The reforms also implement the FATF Travel Rule, further aligning Australia with international standards by requiring VASPs to collect and transmit originator and beneficiary information for qualifying virtual asset transfers. In short, the reform is both broader and deeper: it brings more businesses within scope while raising compliance expectations for firms that were already regulated.

How is AUSTRAC enforcing the new rules?

The reforms are accompanied by a more proactive supervisory approach. AUSTRAC is placing increasing emphasis on the effectiveness of firms' AML/CTF controls, governance and risk management frameworks. This supervisory approach is consistent with Australia's principles- and risk-based AML/CTF framework, under which firms are expected to demonstrate that their controls are proportionate to their specific money laundering and terrorism financing risks.

AUSTRAC has already announced targeted supervisory campaigns focusing on over-the-counter (OTC) crypto businesses and local crypto exchanges. These campaigns are designed to assess how effectively firms are managing money laundering risks, strengthening governance arrangements and preparing for the expanded AML/CTF framework.

Australia's supervisory philosophy is also reflected in its registration regime. Unlike many jurisdictions, AUSTRAC registration is not indefinite. Registration is valid for three years and must be renewed. Recent supervisory exercises to identify inactive or non-compliant firms further demonstrate AUSTRAC's increasingly proactive approach to overseeing the sector.

The practical consequence for chief compliance officers: compliance is now supervised by effectiveness, not documentation. Your transaction monitoring must detect, investigate, and report suspicious activity across fiat-to-crypto, crypto-to-crypto, custody, and transfer services. It must identify complex financial crime typologies. Static rules and manual reviews will not clear the bar, and the FATF mutual evaluation later this year will put both the framework and its enforcement under a microscope.

ASIC's licensing framework is next

What does ASIC's Digital Assets Framework mean for platform operators?

While Australia's AML/CTF reforms are now in force, the next phase of the country's crypto regulatory framework will be implemented through the Corporations Amendment (Digital Assets Framework) Act 2026 (Cth), which received Royal Assent on 8 April 2026. The Act establishes, for the first time, a dedicated licensing framework for Digital Asset Platforms (DAPs) and Tokenised Custody Platforms (TCPs), providing greater legal certainty for businesses operating in Australia's digital asset ecosystem. Rather than replacing Australia's existing financial services regime, the new framework builds on it by introducing licensing requirements specifically tailored to digital asset activities.

Recognising the need for an orderly transition, ASIC's has published an 18-month implementation roadmap which sets out consultations, and operational standards covering asset holding, transactional and settlement requirements, and financial requirements ahead of commencement on 9 April 2027.

Preparation should not wait until then.

Two things matter now.

First, the extended no-action position expires on 30 September 2026. Many crypto-asset activities already require an Australian Financial Services Licence under existing law. Firms relying on the relief must lodge an application, secure a variation, or enter an authorised representative arrangement by that date. After it, unlicensed operation exposes firms to penalties reaching 10% of annual turnover.

Second, DAP operators should expect ASIC's conduct standards to focus heavily on market integrity: conflicts of interest, fair and orderly markets, and systems capable of detecting and deterring market manipulation and other forms of market abuse. Firms that start building surveillance capability after ASIC publishes its standards will be procuring, integrating, and tuning systems while their licence application sits in the queue. That is the wrong order.

How does Solidus Labs help firms comply with Australia's new crypto regulations?

AUSTRAC and ASIC are converging on the same test: can you detect, investigate, and evidence financial crime in practice. That is what Solidus Labs was built for. Founded in 2018 by Goldman Sachs veterans, Solidus merges institutional rigor with crypto-native innovation and agentic AI. At its core is HALO, an AI-powered, risk-based platform trusted by financial institutions, crypto firms, and regulators globally.

Risk-based AML transaction monitoring, live from day one. HALO's AI-powered transaction monitoring covers 20+ AML typologies purpose-built for digital assets, from structuring and rapid movement of funds to high-risk jurisdiction exposure and know your customer (KYC) profile deviation. Detection goes beyond the static rules and manual reviews AUSTRAC has flagged as insufficient, with thresholds tuned to your firm's risk profile: exactly the risk-based, proportionate approach the new regime requires.

Market surveillance ahead of ASIC's standards. Solidus's crypto-native trade surveillance detects the full manipulation taxonomy, including wash trading, spoofing, layering, and pump-and-dump schemes, across crypto and traditional markets. It already supports firms regulated under the UK Financial Conduct Authority (FCA), the EU Markets in Crypto-Assets Regulation (MiCA), the Hong Kong Securities and Futures Commission (SFC), and the US Commodity Futures Trading Commission (CFTC). Deploying now means entering ASIC's licensing window with a battle-tested surveillance program and an audit trail, not a procurement plan.

Evidence, not assertions. The new supervisory posture measures whether controls operate effectively. HALO's AI-powered case management, full audit trail, and tuning documentation give compliance teams exactly what AUSTRAC examiners and ASIC licensing reviewers will ask for: proof.
Australian firms preparing for the transition can book a consultation with our team.

The bottom line

Australia's overhaul is not one reform. It is three parallel tracks, each with its own regulator, scope, and deadline:

Track What it covers Who regulates Key date
AML/CTF reform All VASPs, regardless of whether assets are financial products AUSTRAC Live 1 July 2026; new VASPs register by 29 July 2026
Existing financial services law (INFO 225) Digital assets that are already financial products under the Corporations Act ASIC AFSL application by 30 September 2026
DAF Act Digital asset platforms and tokenised custody, including crypto assets that are not financial products ASIC Commences 9 April 2027

The three tracks operate independently — complying with one does not satisfy the others.

These tracks operate independently. Complying with one does not satisfy the others, and many firms will sit in two or all three.

Frequently asked questions:

Does my business need to register with AUSTRAC as a VASP?

If you provide designated virtual asset services with a geographical link to Australia, including crypto-to-crypto exchange or custody, yes. Registration with the Australian Transaction Reports and Analysis Centre closes 29 July 2026.


Do I need both AUSTRAC registration and an ASIC licence?

Many firms will need both. AUSTRAC registration covers your anti-money laundering obligations as a virtual asset service provider. An Australian Financial Services Licence covers financial services relating to digital assets that are financial products. The two regimes run in parallel, and satisfying one does not mean you satisfy the other.


Do I need an AFSL now, or can I wait for the DAP regime in 2027?

They are different frameworks. If your digital assets are financial products under existing law, you need an AFSL now, and must apply by 30 September 2026 if relying on ASIC's no-action position. The DAF Act covers Digital Asset Platforms (DAPs) and Tokenised Custody Platforms (TCPs) and commences on 9 April 2027.

What happens if I miss the 30 September deadline?

The no-action relief falls away. Unlicensed firms face civil and criminal penalties of up to 10% of annual turnover.

What monitoring systems do AUSTRAC and ASIC expect crypto firms to have?

Risk-based transaction monitoring that detects complex AML typologies across all service lines, and for platform operators, market surveillance capable of detecting and deterring manipulation and abuse. Solidus Labs' HALO platform provides both capabilities for digital asset firms.

Solidus Sync
Get our latest insights and analysis
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Loader Animation