TL;DR: Australia’s crypto market is projected to reach 11.38 million users by 2025, while regulatory uncertainty and tighter AUSTRAC scrutiny are pushing VASPs toward stronger AML/CFT controls, structured enrolment, and better records, according to SumSub. For IAM and compliance teams, the lesson is that identity proofing, monitoring, and evidence retention now sit inside the same governance problem.
At a glance
What this is: This practical guide focuses on AML/CFT compliance for Australian VASPs and argues that regulatory readiness depends on structured onboarding, monitoring, and recordkeeping.
Why it matters: It matters because crypto programmes now sit at the intersection of human identity verification, NHI-style system access, and governance controls that must satisfy both fraud and compliance expectations.
By the numbers:
- Australia’s crypto market is set to reach 11.38 million users by 2025.
👉 Read SumSub's practical guide to AML/CFT compliance for Australian VASPs
Context
Australia’s crypto market is expanding quickly, but that growth is being matched by heavier regulatory scrutiny and more pressure on virtual asset service providers to prove compliance. In practice, this is an identity and governance problem as much as a legal one, because enrolment, customer due diligence, transaction reporting, and record retention all depend on reliable identity controls.
For VASPs, the challenge is not simply meeting AUSTRAC obligations in theory. It is building a repeatable compliance model that can survive scale, onboarding pressure, fraud attempts, and audit expectations without turning verification into a bottleneck.
Key questions
Q: How should VASPs build AML/CFT controls that hold up under AUSTRAC scrutiny?
A: VASPs should build AML/CFT controls as an end-to-end identity governance process, not a collection of isolated checks. That means connecting enrolment, customer due diligence, transaction monitoring, suspicious activity reporting, and retention into one operating model with clear ownership and evidence trails.
Q: Why do crypto onboarding and compliance often drift apart in regulated environments?
A: They drift apart when onboarding is designed for speed while compliance is designed for proof. If verification outputs do not feed monitoring, escalation, and audit records, the business may onboard customers quickly but still fail to demonstrate control effectiveness later.
Q: What breaks when VASPs treat verification as a one-time check?
A: A one-time check breaks the link between identity assurance and ongoing risk management. In practice, that creates blind spots when customer behaviour changes, when suspicious transaction patterns emerge, or when regulators ask for evidence that controls worked over time.
Q: Who is accountable when a crypto firm cannot prove AML/CFT compliance?
A: Accountability sits with the organisation’s control owners, not the verification tool. Regulated firms need named responsibility for program design, evidence retention, and review escalation so that compliance can be defended during audit, investigation, or enforcement review.
Technical breakdown
AUSTRAC enrolment and AML/CTF program design
AUSTRAC enrolment is the starting point, but it is only the first control layer. A usable AML/CTF program has to define who owns compliance decisions, how customer risk is assessed, which evidence is retained, and how exceptions are escalated. In crypto environments, this is rarely a one-team task because onboarding, fraud review, monitoring, and reporting often sit in different operational functions. The governance failure is not a missing policy document. It is a weak operating model that cannot connect identity verification to ongoing compliance duties.
Practical implication: Map enrolment, risk ownership, and reporting responsibilities to named control owners before scale creates inconsistent compliance decisions.
Customer due diligence and transaction monitoring in crypto
Customer due diligence in VASPs is not a one-time KYC step. It is an ongoing risk process that combines identity proofing, behavioural checks, transaction pattern review, and escalation paths for suspicious activity. Because crypto activity can move quickly across wallets, exchanges, and jurisdictions, detection has to be tied to identity context rather than isolated event review. That means teams need a defensible way to correlate customer identity, account behaviour, and transaction anomalies without creating blind spots between onboarding and monitoring.
Practical implication: Link CDD outputs to transaction monitoring rules so that risk signals update as customer behaviour changes.
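As an added example (not code from SumSub, AUSTRAC or this page) of what linking CDD outputs to monitoring rules can look like in practice: a small Python model in which rule thresholds are parameterised by the customer's current CDD risk rating and proofing method, activity from a customer with no CDD record is escalated rather than scored, and every alert is written to a hash-chained evidence log that an auditor can verify later. It also illustrates the durable evidence trail the practitioner recommendations below ask for. The risk tiers, rule names, thresholds, the "just under" band, and all sample customers and transactions are constructed assumptions, not AUSTRAC rules or SumSub logic.

```python
"""Added example (not SumSub's, AUSTRAC's or the page's code): tie CDD outcomes to
transaction-monitoring rules and keep a hash-chained evidence trail for each alert.
Risk tiers, rule names, thresholds and all sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json

@dataclass(frozen=True)
class CddOutcome:
    customer_id: str
    risk_rating: str      # "low" | "medium" | "high" (constructed tiers)
    proofing_method: str  # e.g. "document+liveness" or "manual_override"

@dataclass(frozen=True)
class Transaction:
    tx_id: str
    customer_id: str
    at: datetime
    amount_aud: float
    counterparty: str     # opaque wallet/account label in this example

# Rule parameters keyed by the customer's current CDD risk rating, so a rating
# change at re-review changes the monitoring thresholds (assumed values).
LARGE_VALUE_AUD = {"low": 10_000, "medium": 10_000, "high": 5_000}
VELOCITY_LIMIT = {"low": 8, "medium": 5, "high": 3}  # distinct counterparties per window
STRUCTURING_BAND = (8_500, 9_999)                    # "just under" amounts, constructed band
WINDOW = timedelta(hours=24)

class EvidenceLog:
    """Append-only alert records, hash-chained so that editing or dropping one later makes verify() fail."""
    GENESIS = "0" * 64
    def __init__(self):
        self.records, self._prev = [], self.GENESIS
    @staticmethod
    def digest(prev, record):
        body = json.dumps(record, sort_keys=True, default=str)  # canonical serialisation
        return hashlib.sha256((prev + body).encode()).hexdigest()
    def append(self, record):
        entry = {"prev": self._prev, "hash": self.digest(self._prev, record), **record}
        self.records.append(entry)
        self._prev = entry["hash"]
        return entry
    def verify(self):
        prev = self.GENESIS
        for e in self.records:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self.digest(prev, body):
                return False
            prev = e["hash"]
        return True

def monitor(cdd, txs, log):
    """Score each transaction with rules parameterised by the customer's CDD outcome;
    every finding is logged together with the inputs that produced it."""
    alerts, history = [], {}
    for tx in sorted(txs, key=lambda t: t.at):
        history.setdefault(tx.customer_id, []).append(tx)
    def alert(rule, cid, tx, evidence):
        action = "reporting_review" if rule in ("POSSIBLE_STRUCTURING", "MISSING_CDD") else "analyst_review"
        alerts.append(log.append({"customer_id": cid, "rule": rule, "action": action,
                                  "tx_id": tx.tx_id if tx else None, "evidence": evidence}))
    for cid, seq in history.items():
        outcome = cdd.get(cid)
        if outcome is None:  # activity with no CDD record: onboarding and monitoring have drifted apart
            alert("MISSING_CDD", cid, None, {"tx_ids": [t.tx_id for t in seq]})
            continue
        rating = outcome.risk_rating
        for i, tx in enumerate(seq):
            window = [t for t in seq[: i + 1] if tx.at - t.at <= WINDOW]
            near = [t for t in window if STRUCTURING_BAND[0] <= t.amount_aud <= STRUCTURING_BAND[1]]
            findings = []
            if tx.amount_aud >= LARGE_VALUE_AUD[rating]:
                findings.append("LARGE_VALUE")
            if tx in near and len(near) >= 3:
                findings.append("POSSIBLE_STRUCTURING")
            if len({t.counterparty for t in window}) > VELOCITY_LIMIT[rating]:
                findings.append("COUNTERPARTY_VELOCITY")
            if findings and outcome.proofing_method == "manual_override":
                findings.append("WEAK_PROOFING_CONTEXT")  # reviewer sees the weaker identity context
            for rule in findings:
                alert(rule, cid, tx, {"amount_aud": tx.amount_aud, "risk_rating": rating,
                                      "proofing_method": outcome.proofing_method,
                                      "window_tx_ids": [t.tx_id for t in window]})
    return alerts

def run_demo():
    """Constructed data: the same amounts under different CDD context give different results."""
    t0 = datetime(2025, 1, 6, 9, 0)
    cdd = {"c-001": CddOutcome("c-001", "low", "document+liveness"),
           "c-002": CddOutcome("c-002", "high", "manual_override")}
    txs = [Transaction("t1", "c-001", t0, 9_500, "w-a"),
           Transaction("t2", "c-001", t0 + timedelta(minutes=30), 12_000, "w-b"),
           Transaction("t3", "c-002", t0 + timedelta(hours=1), 9_500, "w-x"),
           Transaction("t4", "c-002", t0 + timedelta(hours=2), 9_200, "w-y"),
           Transaction("t5", "c-002", t0 + timedelta(hours=3), 9_800, "w-z"),
           Transaction("t6", "c-002", t0 + timedelta(hours=4), 100, "w-q"),
           Transaction("t7", "c-003", t0 + timedelta(minutes=15), 500, "w-m")]  # c-003 has no CDD record
    log = EvidenceLog()
    return monitor(cdd, txs, log), log
```

Calling `run_demo()` returns the alerts and the evidence log. The 9,500 AUD transaction raises nothing for the low-risk, fully proofed customer but a LARGE_VALUE alert (plus a weak-proofing flag) for the high-risk, manually overridden one; the customer with no CDD record is routed to reporting review instead of being scored; and editing any logged record afterwards makes `log.verify()` return False, which is the property an auditor wants from a retained evidence trail.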
Verification partner selection and fraud prevention controls
A verification partner should be judged on control fit, not marketing language. The practical questions are whether the solution supports strong onboarding, fraud resistance, audit evidence, and operational scale across different customer journeys. In regulated crypto, the wrong partner choice creates downstream problems: inconsistent identity proofing, weak evidence trails, and manual review overload. The guide’s value is that it frames verification as a compliance dependency rather than a convenience feature.
Practical implication: Evaluate providers against auditability, onboarding performance, and fraud resistance before embedding them into regulated workflows.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Hugging Face Spaces breach — Hugging Face Spaces breach exposed API keys and authentication tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance pressure in crypto is really an identity governance problem. AUSTRAC obligations do not fail because firms lack policy language. They fail when enrolment, due diligence, suspicious transaction reporting, and recordkeeping are not governed as one lifecycle. For VASPs, the control question is whether identity evidence can be traced from first contact through audit review. Practitioners should treat AML/CFT as an identity control plane, not a legal afterthought.
Crypto onboarding creates a high-friction identity boundary that many programmes still under-control. The practical risk is not just fraud, but inconsistent evidence quality across automated and manual verification paths. That makes downstream monitoring harder, because transaction review cannot outperform the identity data it receives. The governance lesson is to align verification depth, escalation thresholds, and exception handling before volume grows.
Platform choice now shapes compliance posture as much as policy does. If a verification stack cannot produce durable evidence, support repeatable checks, and scale with audit demands, it becomes part of the compliance risk surface. This is why VASPs need to evaluate tooling through lifecycle governance, not just onboarding speed. The practitioner implication is that vendor selection and control design are inseparable.
Named concept: compliance-to-onboarding drift. This is the gap between what an AML/CTF program requires and what the onboarding flow actually captures under production pressure. It emerges when growth, fraud prevention, and regulatory evidence collection are handled as separate objectives. Practitioners should assume that any mismatch here will show up first in exceptions, audits, or enforcement inquiries.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- That reinforces why governance programmes should pair identity verification with the lifecycle processes for managing NHIs described in the Ultimate Guide to NHIs when credentials and service access are part of the workflow.
What this signals
Compliance-to-onboarding drift: when identity proofing, monitoring, and retention are managed separately, regulatory evidence becomes fragmented and operationally expensive. For crypto teams, that means the next audit problem is often seeded in the onboarding design, not in the control review.
With 71% of NHIs not rotated within recommended time frames, according to the Ultimate Guide to NHIs, regulated programmes should assume that any system handling credentials, approvals, or API access can accumulate hidden compliance risk fast.
The practical response is to treat verification, lifecycle governance, and records retention as one control chain. Teams that can evidence who was approved, how they were checked, and what changed afterwards will be better placed to defend both fraud and compliance decisions.
For practitioners
- Separate compliance ownership from operational execution: Assign clear owners for AUSTRAC enrolment, AML/CTF program maintenance, suspicious transaction review, and record retention. The goal is to avoid shared accountability that leaves gaps between onboarding, monitoring, and audit response.
- Tie customer due diligence to ongoing transaction monitoring: Make sure identity proofing outcomes feed into monitoring rules and escalation logic. Static onboarding checks are not enough when customer behaviour, wallet patterns, or risk signals change after account creation.
- Require durable evidence trails from verification workflows: Choose verification processes that preserve reviewable records for decisions, exceptions, and rechecks. Auditability should be a selection criterion, not a later integration concern.
- Test onboarding flows against fraud and compliance edge cases: Run scenarios that include document mismatch, repeated failed verification, high-risk transaction patterns, and manual override paths. This exposes where controls break under real workload conditions.
Key takeaways
- Australia’s crypto compliance challenge is an identity governance problem as much as a regulatory one.
- The scale of the market increases the cost of weak onboarding, poor evidence retention, and disconnected monitoring.
- VASPs should align verification, lifecycle governance, and transaction review before regulatory pressure exposes gaps.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access governance underpin regulated onboarding. |
| NIST CSF 2.0 | PR.DS-1 | Record retention depends on protecting compliance evidence at rest. |
| NIST Zero Trust | SP 800-207 | Zero Trust helps structure ongoing verification and continuous assurance. |

Apply continuous verification to customer and system interactions instead of trusting a single onboarding event.
Key terms
- AML/CFT Program: A formal control framework for preventing money laundering and terrorist financing. In regulated crypto environments it defines who approves customers, how risk is assessed, what gets monitored, and how evidence is retained for audit and regulator review.
- Customer Due Diligence: The process of verifying a customer’s identity and risk profile before and during the relationship. In practice it combines document checks, behavioural review, and escalation logic so that onboarding does not become a one-time compliance event.
- Verification Partner: A third-party provider that helps a business validate identity evidence, automate review steps, or reduce fraud at onboarding. The right partner is judged by auditability, control fit, and the quality of evidence it can preserve for regulated operations.
- Compliance-to-Onboarding Drift: The gap that appears when regulatory obligations and real onboarding workflows move in different directions. It is often visible when speed, fraud prevention, and evidence collection are managed separately, leaving the organisation unable to prove control effectiveness later.
Deepen your knowledge
AML/CFT compliance for VASPs and identity-driven onboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building regulated access and evidence controls in a crypto environment, it is worth exploring.
This post draws on content published by SumSub: Practical Guide to AML/CFT Compliance for VASPs under AUSTRAC. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org