The Australian Transaction Reports Analysis Centre (AUSTRAC) has officially tabled the new Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (AML/CTF Rules) in Parliament, following a two-stage public consultation process. AUSTRAC received 229 submissions and considered this feedback in finalising the AML/CTF Rules.
The AML/CTF Rules are now contained in two instruments:
- The AML/CTF Rules detailing the finer requirements for reporting entities under the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); and
- The Anti‑Money Laundering and Counter‑Terrorism Financing (Class Exemptions and Other Matters) Rules 2007.
AUSTRAC has also published a comparison table between the second exposure draft (ED2) and the final rules. Below, we summarise the key sections we identified in a previous article relating to virtual asset service providers (VASPs) and note whether they have been amended or are unchanged, as well as any new rules:
Provision | Outline | Status |
1-6 Enrolment details | Section 1-6 specifies that the ‘enrolment details’ defined in section 5 of the AML/CTF Act are those listed in sections 3.2, 3.3 and 3.4 of the AML/CTF Rules. The details apply to all applications and must be provided when enrolling as a reporting entity. ED2 introduced additional requirements, such as the number of employees and whether the entity is a member of any industry or professional associations, which are reflected in the new rules. | Unchanged |
1-7 Registrable details | Under the ED2 rules, remittance service providers (RSPs) and VASPs must apply for registration with AUSTRAC before offering registrable services in addition to enrolling as reporting entities. Registration is different from enrolment because AUSTRAC must review and approve the application before granting registration. According to the Explanatory Memorandum, an important aspect of the definition of ‘registrable details’ is that it determines what information AUSTRAC will publish on the Remittance Sector Register and the Virtual Asset Service Provider Register. This information can be accessed by foreign regulators and law enforcement agencies to allow them to verify that a person is appropriately regulated for AML/CTF to provide remittance or virtual asset services. The published details include the person’s name, ABN, the address of their principal place of business and the domain names of any websites through which services are provided. | Amended |
3-2 Information about applicant’s designated services | This section prescribes the information required in an enrolment application. Section 3-2(2) requires the applicant to advise whether it is registered, has applied or intends to apply for registration on the VASP register. | Unchanged (previously section 2-2) |
4-2 Publication of register information | Subsection 4.2(1) requires the AUSTRAC CEO to publish the person’s name, the registrable details outlined above and an indication if the person’s registration is suspended on the VASP register. | Amended (previously section 3-2) |
4-4 Application – general information | The rule specifies the general identifying, ownership and operating structure information the candidate must include in their application such as identities of beneficial owners and the size, nature and complexity of the business. | Amended (previously section 3-4) |
4-5 Information relating to ML/TF risks | This section requires the applicant to identify the ML/TF risks they might face in providing their services, in five broad categories: 1. the types of customers they service; 2. foreign countries they operate in; 3. the specific products and services offered; 4. the delivery channels used to provide services; and 5. the types of transactions undertaken. | Unchanged (previously section 3-5) |
4-6 Information relating to AML/CTF policies | This section sets out the information required to be provided in a registration application about the candidate’s AML/CTF policies such as whether training is in place, whether policies are regularly reviewed and updated and undertaking due diligence on employees. | Amended (previously section 3-6) |
4-14 Additional requirements for VASP registration | Section 4-14 sets out the additional requirements for VASP registration such as the types of virtual assets offered, the delivery channels used to provide them, whether transaction or time limits apply and the expected average monthly number of designated services provided. Wallet address information must also be provided. | Unchanged (previously 3-14) |
5-3 Policies related to targeted financial sanctions | Under a new requirement introduced in ED2, all reporting entities must develop and maintain AML/CTF policies to ensure compliance with targeted financial sanctions when providing designated services. | Amended (previously 5-3). The amendment replaces the ED2 terminology of ‘money, property or virtual assets’ with simply ‘assets’. |
6-21 Establishing source of wealth | This is a new section that requires a reporting entity, when undertaking both initial and ongoing CDD where enhanced CDD obligations arise, to establish the source of wealth or funds of a customer. | New |
6-22 Enhanced CDD requirements for certain virtual asset services | This is a new section that requires a reporting entity to apply enhanced CDD measures on a customer where the customer has deposited or received physical currency in the course of exchanging virtual money or assets under item 50A of table 1 of the AML/CTF Act (s 6). Enhanced CDD includes: 1. collecting and verifying KYC information on the customer’s source of wealth (noting the additional trigger in 6-21); and 2. collecting and verifying KYC information on the customer’s source of funds for every transaction involving the exchange of physical currency for virtual assets or vice versa. According to the Explanatory Memorandum, ‘[t]his section responds to the inherently very high ML/TF risks presented by crypto-ATM and other physical currency based virtual asset exchange services’ (at [401]). | New |
Unless disallowed by Parliament, the new AML/CTF rules will come into effect on:
- 31 March 2026 for current reporting entities and VASPs, excluding threshold transaction and suspicious matter reporting which will remain the same until 2029;
- Enrolment for newly regulated sectors (tranche 2) will begin on 31 March 2026; and
- AML/CTF obligations for tranche 2 entities will begin on 1 July 2026.
In July of this year, AUSTRAC CEO Brendan Thomas released a media statement outlining AUSTRAC’s regulatory expectations for the implementation of the AML/CTF reforms. While perfection is not expected from day one, AUSTRAC emphasised that reporting entities must remain focused on identifying, mitigating and managing their money laundering risks.
However, AUSTRAC has yet to formally confirm that it will automatically transition all digital currency exchanges (DCEs) to VASP registration on the basis that they will apply the enhanced compliance obligations required by the reforms, nor has it confirmed the process for varying a registration to include new designated services. To date, AUSTRAC has only confirmed that transitional relief will apply while a VASP application is awaiting processing. With the deadline for the regime counting down, it is hoped that AUSTRAC will provide further guidance on these matters in short order.
With the tabling of the new AML/CTF Rules, both existing and newly regulated reporting entities now have the additional clarity and detail needed to begin updating their AML/CTF programs, ensuring they are effective and compliant ahead of the new reforms. While the Parliament has 15 sitting days (until late November) to review the rules, it is anticipated that the rules will come into effect in their current form beginning in March next year.