TL;DR: Australia has made its VASP register public and, from July 1, Travel Rule obligations apply to newly regulated virtual asset services, requiring sender and recipient information plus seven-year retention, according to SumSub. The shift makes registration status, transfer-chain data, and offboarding discipline central to virtual asset governance rather than back-office compliance.
At a glance
What this is: Australia has publicised its VASP register and tied it to Travel Rule enforcement for newly regulated virtual asset services.
Why it matters: IAM, compliance, and platform teams now need stronger identity, transfer, and lifecycle controls for virtual asset providers and their access chains.
By the numbers:
- A separate reporting requirement for transfers involving unverified self-hosted wallets remains deferred until March 31, 2029.
👉 Read SumSub's coverage of Australia's public VASP register and Travel Rule changes
Context
Australia’s public VASP register is a governance change, not just a registry update. For the first time, consumers and businesses can check whether a provider is registered with AUSTRAC before using it, which raises the bar for legitimacy, accountability, and ongoing supervision in virtual asset services.
The Travel Rule adds a second control layer: providers involved in transfers must collect and verify payer and recipient information, then pass required details through the transfer chain. That shifts compliance from point-in-time registration to identity-linked transaction governance across the service lifecycle.
Key questions
Q: How should organisations govern virtual asset providers under the Travel Rule?
A: Treat provider legitimacy as an access control problem, not only a compliance check. Verify registration before onboarding, monitor status changes, and require transfer workflows to carry payer and recipient details end to end. If the provider is unregistered, suspended, or offboarded, the organisation should stop relying on that relationship until governance evidence is restored.
Q: Why does the Travel Rule matter for identity governance?
A: Because it extends identity control from account creation into transaction execution. The rule requires identity information to follow the transfer, which means governance teams must care about data quality, validation, retention, and handoff integrity. Without that, organisations can know who opened the account but still lose accountability when value moves.
Q: What breaks when transfer records are not retained long enough?
A: Audits, investigations, and registration reviews lose the evidence needed to reconstruct who was involved and what controls were applied. In virtual asset services, that means organisations may be unable to prove compliance, defend a decision, or trace suspicious activity across the transfer chain. Retention gaps quickly become accountability gaps.
Q: Who is accountable when a virtual asset provider is no longer registered?
A: The organisation relying on that provider remains accountable for checking status, stopping new exposure, and preserving evidence of its governance decisions. Public registration reduces ambiguity, but it does not remove responsibility for counterparty diligence, offboarding, or transfer oversight. The burden shifts from discovery to action.
Technical breakdown
Public VASP registers and trust verification
A public VASP register changes the trust model from assumed legitimacy to verifiable status. For regulated virtual asset services, registration becomes a discoverable control that can be checked before onboarding, transfer initiation, or counterparty acceptance. That is important because fraud, laundering, and sanctions exposure often begin with weak provider identification rather than transaction volume alone. Public visibility also supports third-party due diligence and offboarding decisions when a provider is no longer active or fails to meet regulatory expectations.
Practical implication: verify provider status before enabling exchange, custody, or transfer integrations.
Travel Rule data collection across the transfer chain
The Travel Rule requires identity information to travel with the value transfer. In practice, that means collecting payer and recipient details, validating them, and passing the required records through intermediaries without breaking the chain of accountability. This is not the same as simple KYC at account creation. It is a transaction-level identity control that depends on data quality, interoperability, and retention discipline across systems that may not share the same workflow or trust boundary.
Practical implication: design transfer workflows so required identity fields are captured and preserved end to end.
Seven-year retention and lifecycle governance
Retention obligations turn compliance into a lifecycle problem. If transfer records, verification artefacts, and registration evidence are not retained for the required period, organisations cannot prove who transacted, under what status, or with what supporting controls. That matters for audits, investigations, and registration renewal decisions. It also means offboarding is not just deactivation of access, but controlled preservation or disposal of regulated records tied to the provider lifecycle.
Practical implication: align record retention, access review, and offboarding processes to the seven-year rule.
Threat narrative
Attacker objective: Move value through a poorly governed service path while reducing traceability and regulatory visibility.
- Entry occurs when a consumer or business interacts with an unregistered or no-longer-authorised virtual asset provider that appears legitimate but lacks regulatory standing.
- Credentialed escalation follows when incomplete payer, recipient, or platform information allows a transfer to proceed without full accountability across the chain.
- Impact is increased exposure to money laundering, terrorism financing, and serious crime, with weaker investigative traceability and poorer enforcement outcomes.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Public VASP registration is a counterparty-governance control, not a publicity exercise. Making provider status visible changes how organisations decide who can sit in a regulated transfer chain. The control value lies in pre-transfer verification, ongoing legitimacy checks, and faster identification of providers that should be offboarded or blocked. Practitioners should treat the register as part of access governance for value movement, not as a static compliance directory.
Travel Rule enforcement exposes the gap between account identity and transaction identity. Many programmes can identify a customer at signup but still fail to govern the identity data that must move with each transfer. That is where regulatory accountability breaks down: the transaction may be valid at origin but unverifiable in transit. The implication is that identity governance must extend into payment and transfer workflows, not stop at onboarding.
Seven-year retention creates a record-lifecycle obligation that most organisations underestimate. Retention is not just storage, because the organisation must preserve enough evidence to reconstruct who was involved, what was verified, and whether the provider remained registered. The specific failure mode the new rule surfaces is transfer-chain accountability debt: records exist in fragments but not as a defensible compliance trail. Practitioners should recognise that fragmented evidence weakens both audit readiness and incident response.
Australia’s digital asset reforms are moving virtual asset services into mainstream financial controls. That signals a broader convergence between crypto governance and traditional identity, compliance, and licensing disciplines. Providers that still treat registration, KYC, transfer messaging, and recordkeeping as separate operational chores will find the model increasingly untenable. Security and compliance teams should prepare for more evidence-based supervision, not lighter-touch oversight.
The public register also shifts the burden from consumer caution to institutional assurance. Businesses can no longer justify weak counterparty diligence by pointing to market opacity. The registry becomes part of vendor risk management, platform onboarding, and ongoing relationship governance. Practitioners should use it to reduce exposure to unregistered or suspended providers before those relationships become an audit or incident problem.
From our research:
- Compliance records generally need to be retained for seven years, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For a broader governance lens, read the Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs for lifecycle controls that support regulated recordkeeping.
What this signals
Transfer-chain governance is becoming the new baseline for regulated digital assets. Teams that already manage service accounts, secrets, and privileged workflows will recognise the pattern immediately: the control surface is no longer a single login, but a chain of identities, validations, and retained evidence. If your programme cannot prove who moved what, through which provider, and under which status, the governance model is already too weak.
The most practical next step is to fold public provider status into vendor risk and access decisions, then align transfer records with identity lifecycle controls. That is where the public register, Travel Rule workflow, and retained evidence become one operating model rather than three disconnected tasks. For a parallel framework lens, anchor the review in the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs - Regulatory and Audit Perspectives.
For practitioners
- Build provider-status checks into onboarding: Verify AUSTRAC registration before enabling exchange, custody, or transfer relationships, and re-check status on a scheduled basis. Treat loss of registration as a trigger for review, suspension, or offboarding.
- Map Travel Rule fields to transfer workflows: Define where payer and recipient details are collected, validated, transformed, and passed through intermediaries so the required information survives each handoff without manual re-entry.
- Align record retention with regulated evidence needs: Preserve registration evidence, transfer metadata, and verification artefacts for the full seven-year period, with access controls that support audit, investigation, and legal hold requirements.
- Use the register in third-party risk reviews: Fold public VASP status into counterparty due diligence for platforms, custodians, and exchange partners, especially where transfers, custody, or customer transfers depend on that relationship.
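A pre-transfer gate that ties the first three practitioner steps together, added here as an illustration (it is not SumSub's, NHIMG's or AUSTRAC's code, and the register snapshot, provider identifiers, status values and minimal party-field set are all assumptions): it checks both providers against a constructed register snapshot, confirms the payer and recipient details are complete, flags an unverified self-hosted wallet for the deferred reporting track instead of blocking it, and computes the seven-year retention date that the record must carry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed register snapshot (provider id -> status); a real gate would
# query AUSTRAC's public register. Identifiers and statuses are assumed.
REGISTER = {"VASP-AU-0001": "registered", "VASP-AU-0002": "suspended"}
# Assumed minimal Travel Rule party fields; the rule defines the full set.
REQUIRED_PARTY_FIELDS = ("name", "account")
RETENTION_YEARS = 7
SELF_HOSTED_REPORTING_DEFERRED_UNTIL = date(2029, 3, 31)

@dataclass
class Transfer:
    transfer_id: str
    transfer_date: date
    originator_vasp: str          # provider handling the payer side
    beneficiary_vasp: str | None  # None: unverified self-hosted wallet
    payer: dict
    recipient: dict

def retention_until(transfer_date: date) -> date:
    # Earliest disposal date: seven years from the transfer date.
    year = transfer_date.year + RETENTION_YEARS
    try:
        return transfer_date.replace(year=year)
    except ValueError:  # 29 Feb when the target year has no leap day
        return date(year, 2, 28)

def gate_transfer(t: Transfer, register: dict = REGISTER) -> dict:
    findings, notes = [], []
    # 1. Provider status: every VASP in the chain must be registered.
    for role, vasp in (("originator", t.originator_vasp),
                       ("beneficiary", t.beneficiary_vasp)):
        status = register.get(vasp, "unregistered") if vasp else "registered"
        if status != "registered":
            findings.append(f"{role} {vasp} is {status}")
    # 2. Travel Rule data: payer and recipient details complete end to end.
    for role, party in (("payer", t.payer), ("recipient", t.recipient)):
        missing = [f for f in REQUIRED_PARTY_FIELDS if not party.get(f)]
        if missing:
            findings.append(f"{role} missing {', '.join(missing)}")
    # 3. Self-hosted wallet: its reporting is deferred, so note, don't block.
    if t.beneficiary_vasp is None:
        notes.append("self-hosted wallet: reporting deferred until "
                     f"{SELF_HOSTED_REPORTING_DEFERRED_UNTIL.isoformat()}")
    return {"transfer_id": t.transfer_id, "allow": not findings,
            "findings": findings, "notes": notes,
            "retain_until": retention_until(t.transfer_date)}
```

The returned dict is the record to retain: the decision, the findings behind it, and the date before which it may not be disposed of.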
Key takeaways
- Australia’s public VASP register turns provider legitimacy into a verifiable control, not an assumption.
- The Travel Rule extends identity governance into the transfer chain, where payer and recipient data must remain accountable in motion.
- Retention, offboarding, and third-party risk management now sit on the same compliance path for virtual asset services.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Transfer governance depends on verifying and limiting authorised provider access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Public registration and lifecycle offboarding mirror NHI credential governance and revocation. |
| NIST SP 800-63 | Identity verification and federation concepts inform payer and recipient validation in transfer chains. | Use digital identity assurance principles to validate transfer participants and preserve evidence of verification. |
Key terms
- Virtual Asset Service Provider: A virtual asset service provider is a business that offers exchange, custody, transfer, or related services for digital assets. In governance terms, it is a counterparty whose registration status, operational scope, and recordkeeping obligations affect whether transfers can be trusted and legally supported.
- Travel Rule: The Travel Rule is a compliance requirement that identity information must accompany certain virtual asset transfers. It turns a transaction into an identity-aware workflow, requiring payer and recipient data to be collected, verified, and retained so accountability survives the transfer chain.
- Transfer-Chain Accountability: Transfer-chain accountability is the ability to prove who participated in a value transfer, what identity data was verified, and which provider handled each step. It matters because regulatory supervision fails when records stop at the first hop or become fragmented across intermediaries.
- Regulated Record Retention: Regulated record retention is the practice of preserving compliance evidence for a required period with enough integrity to support audits, investigations, and legal review. For virtual asset services, the issue is not storage alone, but whether the retained records remain complete, accessible, and defensible.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by SumSub: Australia launches public VASP register as Travel Rule to take effect. Read the original.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org