FATF Travel Rule for Crypto VASPs: Australia Compliance Guide 2026

Australia has regulated crypto-asset businesses under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) since April 2018, when digital currency exchanges (DCEs) became a designated service requiring registration with AUSTRAC (Australian Transaction Reports and Analysis Centre). The FATF Travel Rule applies to Australia as a member of both FATF and the FATF-Style Regional Body, the Asia/Pacific Group on Money Laundering (APG). Australia's Travel Rule threshold is AUD 1,000 — aligning with the FATF baseline but differing from the EU's zero-threshold approach. The Financial Services and Credit Panel review of Australia's AML/CTF regime, completed in 2024, has led to significant amendments to the AML/CTF Act that DCEs must prepare for. This guide details what Australian VASPs need to do to comply in 2026.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice specific to your situation.

Australia's Travel Rule: AML/CTF Act Framework

The Australian Travel Rule for digital currency is established under Part 5 of the AML/CTF Act (wire transfer requirements) as applied to DCEs through the AML/CTF Rules. When a DCE sends or receives a digital currency transfer at or above AUD 1,000, it must comply with the transfer record-keeping and transmission requirements under the AML/CTF Rules 2007.

AUSTRAC published updated guidance on digital currency transfers in 2023, clarifying that DCEs must collect originator and beneficiary information for qualifying transfers and that this obligation extends to transfers where another DCE acts as an intermediary. The guidance is available at austrac.gov.au.

Data Required Under the Australian Travel Rule

For digital currency transfers at or above AUD 1,000:

AUSTRAC Registration as a DCE

All businesses providing digital currency exchange services in Australia — whether buying/selling, exchanging, or transferring digital currency on behalf of customers — must register with AUSTRAC as a Reporting Entity providing a designated service. Operating as a DCE without AUSTRAC registration is a serious offence under the AML/CTF Act, and AUSTRAC has pursued enforcement action against unregistered exchanges, including the highly publicised enforcement proceedings against Binance in 2024.

Australian Regulatory Framework: AUSTRAC, ASIC, and ATO

AUSTRAC — Financial Intelligence Unit and Regulator

AUSTRAC is both Australia's financial intelligence unit and the regulator responsible for AML/CTF compliance by DCEs. It receives:

• Suspicious Matter Reports (SMRs) — equivalent to SARs in the US or STRs in Canada
• Threshold Transaction Reports (TTRs) — for cash transactions above AUD 10,000
• International Funds Transfer Instructions (IFTIs) — for cross-border transfers

AUSTRAC's enforcement actions have resulted in record penalties: the Westpac settlement in 2020 (AUD 1.3 billion) and subsequent actions against smaller entities demonstrate that AUSTRAC is one of the most active AML enforcement agencies in the Asia-Pacific region. DCEs found to have systematic AML/CTF deficiencies face similarly severe consequences.

ASIC — Australian Securities and Investments Commission

ASIC regulates crypto-assets that qualify as financial products under the Corporations Act 2001. Crypto businesses offering products or services that fall within ASIC's definition of a financial product — including certain stablecoins, crypto derivatives, and crypto managed investment schemes — must hold an Australian Financial Services Licence (AFSL) in addition to their AUSTRAC DCE registration. ASIC published its crypto-asset regulatory framework roadmap in late 2024, with draft legislation expected in 2026.

ATO — Australian Taxation Office

The ATO treats crypto-asset transactions as taxable events (capital gains tax for most individuals and business income for those trading commercially). DCEs must keep records of client transactions for tax purposes and respond to ATO data requests. The ATO has issued formal notices to crypto exchanges requiring bulk data disclosure about Australian account holders.

KYC Document Requirements in Australia

Documents for Individual Customers

Under the AML/CTF Act and Rules, DCEs must conduct customer identification using either document verification or electronic verification (KYC procedures under Chapter 4 of the AML/CTF Rules):

• Australian passport, driver's licence (state/territory issued), or Medicare card — acceptable identity documents
• For foreign nationals: foreign passport plus Australian visa entitlement (verifiable through VEVO — Visa Entitlement Verification Online)
• Tax File Number (TFN) — Australia's equivalent of the UK National Insurance number; not required at onboarding but relevant for tax reporting
• Proof of address (utility bill, bank statement) for enhanced due diligence cases

Documents for Business Customers

For corporate customers:

• ASIC company extract (the equivalent of a UK Companies House certificate) — downloadable at asic.gov.au
• ABN (Australian Business Number) — unique business identifier (equivalent to the UK's Company Registration Number)
• ACN (Australian Company Number) for incorporated entities
• Identity documents for all beneficial owners (25%+ ownership threshold)
• Trust deed and trustee identification for trust structures

CheckFile processes over 3,200 document types across 32 jurisdictions with 24-language OCR support, enabling Australian compliance teams to verify domestic documents (ASIC extracts, state driver licences) and international documents within a single KYC platform.

Privacy Act 1988 and the Australian Privacy Principles

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how DCEs must handle personal information collected for KYC and Travel Rule purposes. The Office of the Australian Information Commissioner (OAIC) oversees compliance.

Key obligations for DCEs:

• APP 3 (Collection): Collect personal information only for a legitimate purpose — AML/CTF compliance is an explicit legitimate purpose
• APP 11 (Security): Protect customer data with security safeguards appropriate to the sensitivity of the information
• APP 8 (Cross-border disclosure): When transmitting Travel Rule data to overseas VASPs, ensure the recipient has equivalent privacy protections (Australia-only transfers are lower-risk)
• Data breach notification: Mandatory notification to OAIC and affected individuals for eligible data breaches affecting personal information

The Privacy Act was significantly amended by the Privacy and Other Legislation Amendment Act 2024, which strengthened enforcement powers, increased penalties, and introduced a statutory tort for serious invasions of privacy — considerations DCEs must factor into their Travel Rule data-sharing workflows.

Unhosted Wallets: AUSTRAC's Risk-Based Approach

Australia has not implemented a specific unhosted wallet ownership verification requirement equivalent to the EU's Article 19 (Regulation (EU) 2023/1113). However, AUSTRAC's risk-based approach guidance requires DCEs to assess the risk associated with transfers to or from non-custodial wallets and to apply enhanced due diligence for higher-risk transfers.

AUSTRAC has flagged the following as indicators of higher risk for unhosted wallet transfers:

• Transfers immediately following account opening
• Transfers to or from wallets associated with mixing services (blockchain analytics)
• Large-value transfers with no apparent business purpose

Travel Rule Messaging in Australia

Compliance Checklist for Australian DCEs

• Register with AUSTRAC as a DCE (digital currency exchange) reporting entity
• Develop and implement an AML/CTF program meeting the Part II requirements of the AML/CTF Act
• Implement Travel Rule data collection for all digital currency transfers ≥ AUD 1,000
• Report suspicious matters (SMRs) within 3 business days of forming a suspicion
• Report threshold transactions (TTRs) for cash dealings ≥ AUD 10,000
• Screen customers against AUSTRAC's designated terrorist organisation list and UN sanctions
• Ensure Privacy Act 1988 / APP compliance for KYC data handling
• Verify ASIC AFSL requirement if offering financial products
• Retain records for seven years (AML/CTF Act record-keeping requirement)

For additional compliance context, see our articles on FATF high-risk countries and AML transaction monitoring.

Frequently Asked Questions

Is the Australian Travel Rule threshold AUD 1,000 or AUD 10,000?

The Travel Rule threshold for digital currency transfers under the AML/CTF Act is AUD 1,000 — the same as the FATF baseline and Canada's PCMLTFA threshold. The AUD 10,000 threshold applies to Threshold Transaction Reports (TTRs) for cash transactions, which is a separate obligation from the Travel Rule.

Does AUSTRAC's Travel Rule apply to peer-to-peer crypto transfers?

No. The Travel Rule applies only when a reporting entity (a registered DCE) is involved in the transfer as originator or beneficiary. Direct transfers between individuals using non-custodial wallets without any DCE involvement are not captured by the AML/CTF Act's Travel Rule provisions.

Do stablecoins fall within AUSTRAC's definition of digital currency?

Yes. AUSTRAC defines "digital currency" broadly to include any digital representation of value that can be transferred electronically. Stablecoins — whether pegged to fiat or collateralised by assets — fall within this definition. DCEs dealing in stablecoins must comply with the full suite of AML/CTF obligations.

How does the VEVO requirement work for KYC of foreign nationals?

VEVO (Visa Entitlement Verification Online) allows Australian organisations to verify a person's visa status and work entitlements. DCEs onboarding foreign nationals (non-Australian passport holders) should use VEVO to verify that the individual is lawfully present in Australia — this is part of the identity verification process under the AML/CTF Rules.

What are the record-keeping requirements for Travel Rule data in Australia?

Under Section 114 of the AML/CTF Act, DCEs must retain records related to designated services (including Travel Rule data) for seven years from the date of the transaction or the end of the customer relationship, whichever is later. This is stricter than the five-year retention period required in the EU, UK, and Canada.