If you’re building a fintech startup in Australia, you’ve probably heard rumblings about anti-money laundering reform. The rumblings are now law, and the compliance deadlines are weeks away.
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) — which passed Parliament on 29 November 2024 — represents the most significant overhaul of Australia’s AML/CTF regime since the original Act was introduced in 2006. For fintech founders, the changes are substantial. New categories of virtual asset services are being brought into regulation, the definition of what counts as a “virtual asset” has been dramatically expanded, and the compliance framework itself has shifted from a prescriptive, box-ticking model to a risk-based, outcomes-focused approach.
Here’s what you need to know.
What’s Actually Changing?
The reforms have three main objectives: expand the regime to cover more services (the long-awaited “tranche 2”), modernise the regulation of virtual assets and payments technology, and simplify the overall framework to make it more flexible and less bureaucratic.
For fintech startups, the first two are where the action is.
The Expanded Virtual Asset Definition
The old AML/CTF Act used the term “digital currency” — a definition that was narrow and increasingly out of step with the market. The Amendment Act replaces it with a broader concept of “virtual asset” that captures:
- Stablecoins — including privately issued stablecoins used in tokenisation projects or blockchain-based financial transactions, even those not generally available to the public
- Non-fungible tokens (NFTs) — specifically those that function as a medium of exchange
- Governance tokens — such as those used for participating in decentralised autonomous organisations (DAOs)
Central bank digital currencies, customer loyalty points (like frequent flyer points), and tokens used exclusively within a video game are excluded. But the net is now cast far wider than it was. If your startup touches any form of tokenised value transfer, you should assume the definition catches you until you’ve confirmed otherwise.
New Designated Services for Virtual Assets
The Amendment Act introduces several new “designated services” that trigger AML/CTF obligations. On top of the existing obligation covering fiat-to-crypto exchanges, the following are now regulated:
- Virtual-asset-to-virtual-asset exchanges — including swaps between the same type of asset (yes, Bitcoin-to-Bitcoin “mixing” services are caught)
- Virtual asset transfers — acting as an ordering or beneficiary institution in a value transfer chain
- Virtual asset safekeeping — holding virtual assets or private keys on behalf of customers (think custody providers and staking services)
- Participation in virtual asset offers or sales — providing financial services connected to ICOs, token sales, or similar issuances
If your fintech platform facilitates any of these activities — whether you’re a crypto exchange, a custody provider, a DeFi aggregator, a staking-as-a-service platform, or a token launchpad — you’re almost certainly caught.
One important carve-out: a person who solely provides a software application for virtual asset safekeeping (a non-custodial wallet, for example) is excluded from the safekeeping designated service. But the line between providing software and providing a service can be thin, and AUSTRAC has the power to make rules clarifying or narrowing exclusions as the market evolves.
The Key Dates
There are two critical compliance deadlines:
31 March 2026 — Changes take effect for entities already regulated under the AML/CTF Act, plus newly regulated virtual asset services and intermediary transfer message services. If your fintech is already enrolled with AUSTRAC as a digital currency exchange provider, this is your date. Your existing AML/CTF program needs to comply with the new framework from this point.
1 July 2026 — The broader “tranche 2” obligations kick in for newly regulated industries (lawyers, accountants, real estate agents, dealers in precious metals). While these don’t directly affect most fintech startups, they signal the broader regulatory environment your business operates in.
For virtual asset service providers, enrolment opens on 31 March 2026, and you must enrol within 28 days of commencing a designated service. If you provide a registrable virtual asset service, you must not operate without registration. Criminal penalties apply.
What You’ll Need to Do
1. Enrol and Register with AUSTRAC
If you provide a registrable virtual asset service with a geographical link to Australia, you must both enrol and register with AUSTRAC. Enrolment involves providing basic information about your business — its structure, services, key personnel, and contact details. Registration is a separate, more rigorous step that applies specifically to virtual asset and remittance service providers.
The geographical link test is broad. It covers services provided in Australia, services provided to Australian customers, and services provided through a permanent establishment in Australia. If you have Australian users, assume the link exists.
2. Develop an AML/CTF Program
Under the reformed framework, your AML/CTF program must contain two core elements:
- A risk assessment — identifying and assessing the money laundering, terrorism financing, and proliferation financing risks your business faces
- AML/CTF policies — documented policies, procedures, systems, and controls that manage and mitigate those risks
The old Part A / Part B structure is gone. You can organise your program however you like, provided it meets the requirements. But it must be documented, approved by a senior manager, kept up to date, and independently evaluated at least once every three years.
Critically, there’s now an explicit requirement to appoint a fit and proper AML/CTF compliance officer responsible for implementing the program. For early-stage startups, this might be a founder. But as you scale, it needs to be someone with genuine compliance expertise — and AUSTRAC expects this person to be empowered to act.
3. Implement Customer Due Diligence
The reforms separate customer due diligence (CDD) into initial CDD and ongoing CDD:
- Initial CDD requires you to establish the identity of your customer, their representatives, any person they’re acting on behalf of, and any beneficial owner — before providing a designated service. You must also screen these persons against targeted financial sanctions lists and determine whether they’re a politically exposed person (PEP).
- Ongoing CDD requires you to keep customer information up to date and monitor transactions on a risk basis throughout the relationship.
The approach is risk-based. Higher-risk customers and transactions require enhanced due diligence; lower-risk scenarios allow simplified measures. But you need to document your reasoning and be able to demonstrate it to AUSTRAC.
4. Comply with the Travel Rule
If your platform acts as an ordering or beneficiary institution in a virtual asset value transfer, you’re now subject to the travel rule. This requires you to transmit certain payer and payee information along the value transfer chain — similar to what already applies to banks and remitters for traditional wire transfers.
This is a significant operational requirement. It means your systems need to be capable of collecting, verifying, and transmitting the required information with each transfer. For platforms that currently operate with minimal identity verification (particularly in the DeFi-adjacent space), this will require meaningful infrastructure changes.
5. Report to AUSTRAC
Reporting obligations include suspicious matter reports (SMRs) when you form a suspicion that a transaction or customer may be related to money laundering, terrorism financing, or other serious crime. Threshold transaction reports and the detailed reporting framework will continue under transitional rules until 2029, at which point the new reporting requirements will apply in full.
The Consequences of Getting It Wrong
AUSTRAC is not a paper tiger. The regulator has a range of enforcement tools and has shown increasing willingness to use them — including against fintechs. Consequences of non-compliance include:
- Civil penalty orders — up to 100,000 penalty units for a body corporate (currently $330 per unit, meaning a maximum of $33 million per contravention)
- Infringement notices — for specific breaches of KYC, reporting, enrolment, and record-keeping obligations
- Registration suspension or cancellation — AUSTRAC can refuse, suspend, or cancel your registration if your business poses an unacceptable ML/TF risk
- Enforceable undertakings — public commitments to remediate compliance failures
- Criminal penalties — for operating a registrable virtual asset service without registration
For a startup, any of these outcomes is potentially existential. A civil penalty proceeding alone — even if you ultimately prevail — will consume management attention and legal budget that an early-stage company can’t afford.
How to Prepare Now
If you’re a fintech founder, here’s a practical checklist:
- Determine whether you provide a designated service. Review the expanded list of virtual asset designated services against your product. If there’s any doubt, get legal advice now — not after AUSTRAC comes knocking.
- Map your compliance timeline. If you provide virtual asset services, 31 March 2026 is your date. Build backwards from there.
- Draft or update your AML/CTF program. Use AUSTRAC’s starter program templates if you’re starting from scratch, but tailor them to your specific risk profile. A generic program won’t satisfy the new risk-based framework.
- Appoint a compliance officer. This needs to be a real appointment with real authority, not a line on an org chart.
- Build your CDD infrastructure. If you don’t already have robust identity verification and screening processes, this is the single most important operational investment you can make before the deadline.
- Review your tech stack for travel rule compliance. If you facilitate virtual asset transfers, you need systems capable of transmitting and receiving the required originator and beneficiary information.
- Budget for compliance. AML/CTF compliance is not free. For an early-stage fintech, expect to spend meaningful time and money on program development, technology, legal advice, and ongoing monitoring. Factor this into your runway calculations and investor discussions.
The reforms are significant, but they’re not unreasonable. Australia’s AML/CTF regime was overdue for modernisation, and bringing the virtual asset sector into line with international standards — particularly the FATF Recommendations — was always a matter of when, not if. The startups that treat compliance as a competitive advantage rather than a cost centre will be the ones that earn investor and customer trust in the long run.
If you need help assessing whether your fintech triggers AML/CTF obligations or building a compliant program before the deadlines hit, get in touch.