VASPs should build AML/CFT controls as an end-to-end identity governance process, not a collection of isolated checks. That means connecting enrolment, customer due diligence, transaction monitoring, suspicious activity reporting, and retention into one operating model with clear ownership and evidence trails.
Why This Matters for Security Teams
AUSTRAC scrutiny is rarely about whether a VASP has a policy on paper. It is about whether the program can prove that customer identity, transaction risk, escalation, and recordkeeping work together under operational pressure. For VASPs, that means AML/CFT controls must be testable, repeatable, and tied to evidence, not left as disconnected onboarding, monitoring, and case-management steps. The control model should also reflect how digital assets move across wallets, intermediaries, and jurisdictions, which is why governance needs to align with the NIST Cybersecurity Framework 2.0 and AUSTRAC reporting expectations.
NHI Mgmt Group’s research shows only 5.7% of organisations have full visibility into their service accounts, which is a useful warning for any identity-heavy control environment: weak visibility undermines both prevention and defensibility. The same lesson appears in the Ultimate Guide to NHIs — Standards, where lifecycle control and evidence trails are treated as core security requirements, not nice-to-haves.
In practice, many security teams discover these gaps through an AUSTRAC review or a real suspicious activity case that has already exposed inconsistent records, rather than through deliberate control testing beforehand.
How It Works in Practice
Strong AML/CFT design for a VASP starts with a single operating model that links customer enrolment, due diligence, wallet attribution, sanctions screening, transaction monitoring, escalation, and retention. The question is not just whether each control exists, but whether the controls share the same identity record, risk rating, and case history. That is what allows the business to show who approved what, when the decision was made, and which evidence supported it.
A practical build usually includes:
- Risk-based onboarding with clear customer classification, beneficial ownership capture, and source-of-funds or source-of-wealth triggers where required.
- Transaction monitoring rules that are tuned to product, channel, geography, and blockchain typologies rather than copied from a generic banking model.
- Case management with immutable timestamps, reviewer attribution, and documented rationale for alerts, escalations, and closures.
- Retention controls that preserve KYC, communication, and alert evidence for the required period, with retrieval tests that prove records can be produced quickly.
- Periodic QA and scenario tuning so that thresholds, typologies, and risk indicators change as the business changes.
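The list above describes an evidence trail rather than a single tool. The following is an added example (not code from NHI Mgmt Group or this page) of the minimum mechanics behind three of those bullets: a monitoring rule tuned to a blockchain typology (rapid deposit-and-withdraw), case management with timestamps, reviewer attribution and rationale that cannot be quietly edited later, and a retrieval test for retention. The customer ids, wallet movements, rule thresholds, reviewer names and the seven-year retention parameter are all constructed assumptions for illustration, not values from the page.

```python
"""Added example, not NHI Mgmt Group's code: a hash-chained alert evidence
trail for a VASP. A constructed velocity rule raises an alert, each review
step is appended with timestamp, reviewer and rationale, and a retrieval
test proves the case history is complete, untampered and inside retention."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample transactions: a deposit moved back out within minutes,
# then a second deposit that is only partially withdrawn much later.
SAMPLE_TXNS = [
    {"customer": "C-1001", "type": "deposit",  "amount": 9800.0, "ts": "2026-01-05T10:00:00+00:00"},
    {"customer": "C-1001", "type": "withdraw", "amount": 9700.0, "ts": "2026-01-05T10:25:00+00:00"},
    {"customer": "C-1001", "type": "deposit",  "amount": 4000.0, "ts": "2026-01-06T09:00:00+00:00"},
    {"customer": "C-1001", "type": "withdraw", "amount": 1000.0, "ts": "2026-01-06T18:00:00+00:00"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def rapid_in_out_alerts(txns, window_minutes=60, min_ratio=0.9):
    """Hypothetical rule: flag a deposit when withdrawals inside the window
    return at least min_ratio of it. Thresholds are illustrative assumptions."""
    alerts = []
    by_cust = {}
    for t in txns:
        by_cust.setdefault(t["customer"], []).append(t)
    for cust, rows in by_cust.items():
        rows = sorted(rows, key=lambda r: parse_ts(r["ts"]))
        for i, dep in enumerate(rows):
            if dep["type"] != "deposit":
                continue
            limit = parse_ts(dep["ts"]) + timedelta(minutes=window_minutes)
            out = sum(r["amount"] for r in rows[i + 1:]
                      if r["type"] == "withdraw" and parse_ts(r["ts"]) <= limit)
            if dep["amount"] > 0 and out / dep["amount"] >= min_ratio:
                alerts.append({"customer": cust, "rule": "RAPID_IN_OUT",
                               "deposit_ts": dep["ts"], "deposit": dep["amount"],
                               "withdrawn": out})
    return alerts


class CaseLedger:
    """Append-only case log. Every entry commits to the previous entry's hash,
    so editing any earlier timestamp, reviewer or rationale breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, case_id, reviewer, action, rationale, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "case_id": case_id, "reviewer": reviewer,
                "action": action, "rationale": rationale, "ts": ts, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, case_id):
        return [e for e in self.entries if e["case_id"] == case_id]


def retention_check(ledger, case_id, as_of_iso, retention_years=7):
    """Retrieval test: the case history must exist, the chain must verify, and
    every entry must fall inside the retention window (period is an assumption)."""
    hist = ledger.history(case_id)
    if not hist or not ledger.verify():
        return False
    cutoff = parse_ts(as_of_iso) - timedelta(days=365 * retention_years)
    return all(parse_ts(e["ts"]) >= cutoff for e in hist)


def run_demo():
    """Raise the alert, then record review and escalation with attribution."""
    ledger = CaseLedger()
    alerts = rapid_in_out_alerts(SAMPLE_TXNS)
    for a in alerts:
        case = f"CASE-{a['customer']}-{a['deposit_ts'][:10]}"
        ledger.record(case, "system:tm-engine", "ALERT_RAISED", json.dumps(a), a["deposit_ts"])
        ledger.record(case, "analyst.a", "REVIEWED",
                      "Pattern matches rapid in/out typology; escalating to MLRO.",
                      "2026-01-05T14:00:00+00:00")
        ledger.record(case, "mlro.b", "ESCALATED",
                      "Supervisor concurs with analyst rationale.",
                      "2026-01-06T09:30:00+00:00")
    return ledger, alerts


if __name__ == "__main__":
    ledger, alerts = run_demo()
    print(len(alerts), "alert(s); chain valid:", ledger.verify())
    print("retrievable:", retention_check(ledger, "CASE-C-1001-2026-01-05",
                                          "2026-06-10T00:00:00+00:00"))
```

The point of the chained hash is not cryptographic sophistication; it is that a reviewer, a timestamp and a rationale can be shown to have been recorded together and unchanged since, which is what a defensibility question usually turns on. In a real deployment the ledger would live in a write-once store and the retrieval test would be run on a schedule, not only at the moment a regulator asks.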
AUSTRAC-facing defensibility improves when the organisation can show policy, procedure, and actual execution all line up. The Hugging Face Spaces breach is not an AML case, but it illustrates a broader governance lesson: exposed trust boundaries and weak control ownership create avoidable evidence gaps that investigations later have to reconstruct. For identity assurance and onboarding rigor, practitioners should also anchor their program in the identity principles reflected in NIST Cybersecurity Framework 2.0.
These controls tend to break down when a VASP operates across multiple vendors or jurisdictions because ownership, retention, and escalation paths become inconsistent across systems.
Common Variations and Edge Cases
Tighter AML/CFT controls often increase onboarding friction and investigation overhead, requiring organisations to balance customer experience against regulatory defensibility. That tradeoff becomes sharper for VASPs handling self-custody wallets, travel-rule dependencies, or cross-border customer bases, where the quality of identity data can vary widely.
Current guidance suggests that there is no universal standard for every VASP model yet, so risk-based tailoring matters. A retail exchange, an OTC desk, and a custody provider may all need different alert logic, evidence thresholds, and escalation routes. The important point is that the rationale for those differences should be documented and consistently applied.
Edge cases also include wallet clustering uncertainty, rapid deposit and withdrawal patterns, and customers whose activity is legitimate but operationally hard to distinguish from layering behaviour. In those cases, the control objective is not perfect detection. It is showing that alerts were reviewed with context, decisions were supervised, and records were retained in a way that can withstand challenge.
That is why NHI Mgmt Group treats governance, lifecycle discipline, and auditability as inseparable in the Ultimate Guide to NHIs — Standards. The same discipline is what separates a paper program from one that can survive regulator questioning.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk governance supports a defensible AML/CFT operating model. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity lifecycle control maps to onboarding, rotation, and revocation evidence. |
| NIST AI RMF | | AI RMF helps govern automated monitoring and case triage decisions. |
Track identity issuance, review, and offboarding so control evidence stays current and auditable.
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org