TL;DR: Australia has made its VASP register public and, from July 1, Travel Rule obligations apply to newly regulated virtual asset services, requiring sender and recipient information plus seven-year retention, according to SumSub. The shift makes registration status, transfer-chain data, and offboarding discipline central to virtual asset governance rather than back-office compliance.
NHIMG editorial — based on content published by SumSub: Australia launches public VASP register as Travel Rule to take effect
By the numbers:
- A separate reporting requirement for transfers involving unverified self-hosted wallets remains deferred until March 31, 2029.
Questions worth separating out
Q: How should organisations govern virtual asset providers under the Travel Rule?
A: Treat provider legitimacy as an access control problem, not only a compliance check.
Q: Why does the Travel Rule matter for identity governance?
A: Because it extends identity control from account creation into transaction execution.
Q: What breaks when transfer records are not retained long enough?
A: Audits, investigations, and registration reviews lose the evidence needed to reconstruct who was involved and what controls were applied.
Practitioner guidance
- Build provider-status checks into onboarding Verify AUSTRAC registration before enabling exchange, custody, or transfer relationships, and re-check status on a scheduled basis.
- Map Travel Rule fields to transfer workflows Define where payer and recipient details are collected, validated, transformed, and passed through intermediaries so the required information survives each handoff without manual re-entry.
- Align record retention with regulated evidence needs Preserve registration evidence, transfer metadata, and verification artefacts for the full seven-year period, with access controls that support audit, investigation, and legal hold requirements.
What's in the full analysis
SumSub's full news post covers the operational detail this post intentionally leaves for the source:
- The precise categories of virtual asset services that now need registration before offering covered services.
- The transfer-chain information collection and verification steps that providers must complete under the Travel Rule.
- The deferred reporting requirement for unverified self-hosted wallets and the March 31, 2029 date.
- The licensing changes affecting digital asset and tokenized custody platforms in Australia.
👉 Read SumSub's coverage of Australia's public VASP register and Travel Rule changes →
Australia’s public VASP register and Travel Rule: what changes now?
Explore further
Public VASP registration is a counterparty-governance control, not a publicity exercise. Making provider status visible changes how organisations decide who can sit in a regulated transfer chain. The control value lies in pre-transfer verification, ongoing legitimacy checks, and faster identification of providers that should be offboarded or blocked. Practitioners should treat the register as part of access governance for value movement, not as a static compliance directory.
A few things that frame the scale:
- Compliance records generally need to be retained for seven years, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when a virtual asset provider is no longer registered?
A: The organisation relying on that provider remains accountable for checking status, stopping new exposure, and preserving evidence of its governance decisions. Public registration reduces ambiguity, but it does not remove responsibility for counterparty diligence, offboarding, or transfer oversight. The burden shifts from discovery to action.
👉 Read our full editorial: Australia’s public VASP register changes crypto compliance governance