.webp)
AUSTRAC (the Australian Transaction Reports and Analysis Centre) is Australia’s financial intelligence unit and AML/CTF regulator. It has two jobs: supervising businesses for compliance under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and channeling financial intelligence to law enforcement so they can identify, pursue, and prosecute financially-enabled crime.
AUSTRAC oversees more than 17,000 businesses across banking, fintech, payments, and digital assets. It operates within the FATF framework, the global benchmark for AML/CTF regulation. Australia is scheduled for a FATF mutual evaluation in 2026. That evaluation explains why AUSTRAC pushed through its most consequential legislative overhaul in two decades: the AML/CTF Amendment Act 2024, followed by the AML/CTF Rules 2025, tabled in Parliament on August 29, 2025.
That legal overhaul raised the bar for every business operating in Australia’s financial system. AUSTRAC is not a passive regulator. They pursued multi-billion dollar penalties against Westpac, the Commonwealth Bank, and Tabcorp for AML/CTF failures.
For crypto founders, this enforcement record is a clear signal: get your AUSTRAC registration right from day one.
Any business providing a designated service with a geographical link to Australia must enroll with AUSTRAC. If you provide virtual asset or remittance services specifically, you must also register.
The March 31, 2026 regulatory expansion significantly broadened who needs an AUSTRAC license. Before that date, only Digital Currency Exchange (DCE) operators, meaning businesses exchanging crypto for fiat or vice versa, were required to register. After it, the following activities triggered mandatory AUSTRAC registration as a Virtual Asset Service Provider (VASP):
From July 1, 2026, the regime expands further. Lawyers, accountants, conveyancers, real estate agents, and dealers in precious metals providing designated services also come under AUSTRAC’s oversight. For crypto and fintech founders, the critical registration deadlines are March 31 and July 29, 2026.
If you think your platform sits in a grey zone, such as crypto-to-crypto only or using an intermediary structure, review your obligations against the expanded framework. Assuming you do not need AUSTRAC registration is a mistake that can end your business.
Running a virtual asset business without AUSTRAC registration is a criminal offence under the AML/CTF Act. Civil penalties for corporations can reach AUD $22.2 million per contravention. This is not a fine you absorb and continue operating.
The consequences go beyond fines. Australian banks will not process payments for unregistered crypto businesses. Without a bank account, you cannot support fiat deposits or withdrawals. For most exchanges, that makes the core product inoperable.
In 2025, AUSTRAC moved beyond warnings. It named operators publicly, cancelled registrations, and pursued civil proceedings against crypto businesses with inadequate AML/CTF programs or that had never registered. With Australia’s FATF mutual evaluation scheduled for 2026, AUSTRAC has every incentive to maintain pressure on crypto operators.
Beyond compliance, AUSTRAC registration is a commercial signal. Australia is the 13th largest economy globally, with 26 million consumers and high cryptocurrency adoption. Banking partners, institutional liquidity providers, and Asia-Pacific investors expect a valid AUSTRAC license before engaging. Without it, you are locked out of partnerships that make a crypto exchange viable.
AUSTRAC registration is not a form-filling exercise. You must demonstrate that your compliance infrastructure is genuine, operational, and tailored to your business model. Here is what you need before submitting your application.
Your business must be structured as an Australian Pty Ltd or registered as a foreign company branch with ASIC. At least one Australian-based director with real governance responsibilities is mandatory. A nominee without actual oversight responsibilities does not qualify.
Appointing a qualified AML/CTF Compliance Officer (AMLCO) became a legal requirement from March 31, 2026 under the AML/CTF Rules 2025. This person designs, implements, and maintains your compliance program. They do not have to be an Australian resident, but they must have verifiable AML/CTF expertise.
This is the core document in your application. It must cover your ML/TF risk assessment, Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures, transaction monitoring framework, employee training, Suspicious Matter Reporting (SMR) procedures, and Threshold Transaction Reporting (TTR) for transactions over AUD $10,000. Boilerplate won’t pass AUSTRAC’s review. What the regulator looks for is whether your program genuinely describes how your specific operation identifies and manages ML/TF risk, not whether the document hits the right topic headings.
A registered Australian address is required. A serviced or virtual office works if there is real physical access available. A forwarding address or mail-only setup without any workspace access does not satisfy the requirement.
National Police Certificates must be provided for all directors, your AMLCO, and ultimate beneficial owners (UBOs) controlling at least 25% of the business. Certificates must be issued within six months of your application date and must cover all relevant countries of residency and citizenship.
AUSTRAC requires a detailed business plan covering your services, target market, technology infrastructure, KYC and AML technology providers, and three-year financial projections, plus financial statements from your most recent financial year.
Your legal entity name, trading names, Australian Business Number (ABN), Australian Company Number (ACN), and any relevant foreign registration details are all required fields in the enrollment form.
AUSTRAC KYC requirements are set out in Parts 2 and 4 of the AML/CTF Act and operationalized through the AML/CTF Rules 2025. Every registered VASP must verify customer identity before providing a designated service and maintain ongoing due diligence throughout the business relationship.
At onboarding, you must collect the full name, date of birth, residential address, and government-issued identity documents. For individual customers, that typically means a passport or driver’s license. For corporate customers, you need to trace ownership all the way to the ultimate beneficial individuals, including complex trust and nominee structures. Trust and nominee arrangements deserve extra attention here. They are a documented weak point in Australian AML compliance, and AUSTRAC’s published guidance flags them as structures where beneficial ownership is regularly under-identified.
AUSTRAC KYC requirements are not uniform across your customer base. You calibrate the depth of verification to each customer’s risk profile. Low-risk customers go through a lighter process. High-risk customers such as politically exposed persons (PEPs), those from sanctioned jurisdictions, or customers with unusual transaction patterns require Enhanced Due Diligence (EDD), including source of wealth documentation and adverse media screening.
Your obligations do not end at onboarding. Under Part 7 of the AML/CTF Rules 2025, you must continuously monitor your customer base and update KYC information when behavior changes materially. A customer who stated they remit $5,000 monthly and suddenly cycles through $500,000 in a week triggers a review, and potentially a Suspicious Matter Report.
From July 1, 2026, VASPs must comply with Australia’s implementation of the FATF Travel Rule. This requires collecting and transmitting originator and beneficiary information for domestic and international virtual asset transfers, regardless of transaction value. Think of it as the crypto equivalent of SWIFT messaging requirements: the compliance data travels alongside the transaction.
Any cash or digital currency transaction over AUD $10,000 requires a Threshold Transaction Report (TTR) filed with AUSTRAC. And if you identify a transaction potentially connected to money laundering, terrorism financing, or serious crime, you must file a Suspicious Matter Report (SMR) within the required timeframe. These are ongoing operational obligations, not boxes you tick at registration and forget.
AUSTRAC operates on hard deadlines, and the 2026 window is tighter than most founders expect. Key milestones from AUSTRAC are:
AUSTRAC’s assessment window runs up to 90 days from when it receives a complete application. Factor in time to incorporate your entity, appoint personnel, build your AML/CTF program, and collect police certificates. The realistic door-to-approval timeline for a new applicant is about six months.
Existing DCE operators have an automatic path: AUSTRAC confirmed they are recognized as VASPs from March 31, 2026, without needing to re-register. They still need to update enrollment details in AUSTRAC Online between March 31 and May 30, 2026.
AUSTRAC processes all enrollment and registration through AUSTRAC Online. Here is how to get an AUSTRAC license, step by step.
Register your Pty Ltd or foreign company branch with ASIC. Appoint your Australian-based director and AML/CTF Compliance Officer. Obtain your ABN and ACN. This typically takes one to two weeks.
This is the longest step and where most applications fail. AUSTRAC assesses the substance of your AML/CTF program against your actual operations. Off-the-shelf documentation consistently fails that test. Engage a compliance consultant or legal adviser with AUSTRAC experience before you start writing.
Go to AUSTRAC Online and create a business account for your entity. Once active, you gain access to the AUSTRAC Business Profile Form (ABPF).
The ABPF builds your entity’s regulatory profile. It covers your registered business name and trading names, ABN/ACN, designated services you operate, Australian address, and details of your AMLCO and senior compliance personnel. The form allows you to save progress and return to it. Once submitted, AUSTRAC assigns your AUSTRAC Account Number (AAN), the business identifier you will use in every interaction with the regulator.
For VASPs and Remittance Service Providers, enrollment alone is not enough. After enrollment, AUSTRAC sends you a registration form. Complete it with your business structure, ownership details, financial statements, and the enforcement and criminal history of key personnel.
Provide National Police Certificates for all directors, your AMLCO, and UBOs. Certificates must be issued within the past six months and must cover all relevant countries of residency and citizenship.
AUSTRAC has up to 90 days to assess your application and may request additional information during this time. Do not launch your VASP or remittance service before receiving written approval. Launching early is the same criminal offense as never applying.
Yes, and for many founders, acquiring a ready-made AUSTRAC license is the faster path into the Australian market.
DCE registration has been active in Australia since 2018. A pool of already-registered entities exists today, some operational with active users and revenue and some dormant shells with clean compliance records. Acquiring one gives you immediate regulatory standing without the six-month wait for a fresh registration assessment.
A dormant DCE entity with no outstanding regulatory issues generally changes hands between AUD/USD $150,000 and $250,000. The exact figure depends on how long the registration has been held, the compliance record, and whether corporate infrastructure comes with it. Operational entities with active banking relationships, user bases, and revenue trade higher based on financial profile, compliance history, and infrastructure.
As a current example, Acquire.Fi’s Licensed Organization Marketplace lists an operational AUSTRAC-registered crypto exchange paired with a Panama derivatives license. The business generates $377,000 USD in annual revenue, carries zero liabilities, holds a Top 50 CoinGecko ranking, and is listed at $300,000 USD. For a buyer wanting Australian market access now rather than six months from now, that is a realistic entry point.
Any acquisition of a registered AUSTRAC entity requires notifying AUSTRAC of the change in beneficial ownership. The regulator conducts a fit-and-proper review of incoming directors and UBOs before finalizing the change of control. You cannot assume operational control without AUSTRAC’s written approval of the new ownership structure, so build that timeline into your acquisition planning.
A new AUSTRAC application has many advantages over buying a ready-made AUSTRAC license. Refer to the table below for more information.
If you decide to acquire a business with a ready-made AUSTRAC license, make sure to review the license scope and conditions, inspect the AML/CTF program, and any open regulatory findings. Don’t forget to verify if banking relationships are intact and confirm no enforcement correspondence is outstanding. A clean compliance record is worth a premium. Regulatory problems follow the new owner, not the seller.
With deep roots in traditional finance and the digital asset industry, Acquire.Fi operates as a specialist M&A advisory firm. Coverage spans M&A, secondaries, OTC, and capital markets advisory across digital assets and frontier tech. Decades of combined experience across every stage of the deal lifecycle.
.webp)