07 July 2026
With the passage of new corporate licensing and anti-money laundering and counter terrorism financing (AML/CTF) laws, cryptocurrency exchanges are facing increasing regulatory scrutiny in Australia. In April 2026, the Corporations Amendment (Digital Assets Framework) Bill 2025 (Bill) received royal assent, amending the Corporations Act 2001 (Cth) to regulate digital asset platforms and cryptocurrency exchanges, and introducing two new categories of financial product that will capture digital assets. AML/CTF reforms have also expanded regulation of the cryptocurrency sector.
This Insight discusses the current Australian regulatory framework in which cryptocurrency exchanges operate, and the enforcement risks that exchanges need to be aware of going forward.
Following the Corporations Act reforms, the Government has introduced two new categories of financial product:
The operators of these platforms will be subject to the general obligations of financial services law (AFSL and consumer protection requirements) and be required to hold an AFSL. DAP and TCP operators will also face additional specific obligations, including minimum standards for asset holding and disclosure obligations tailored to reflect their structure and risk profile. These obligations do not apply to digital asset issuers or to businesses that create or use digital assets for non-financial purposes.
Businesses will have 18 months to comply with the new licensing and operational standards, with the new framework set to commence on 9 April 2027.
The above changes are separate to the current AFSL regime, which requires a person that carries on a business of providing ‘financial services’ in Australia to hold an AFSL with appropriate authorisations. A number of activities in relation to cryptocurrency assets can be deemed ‘financial services’, and the categorisation of cryptocurrency assets and services under the AFSL regime is developing and has recently been subject to judicial consideration.
Notably in June 2026, the High Court unanimously found that Block Earner's fixed-yield digital asset ‘Earner’ product was a financial product that required the business to hold an AFSL. To use the Earner product, customers transferred AUD from their bank accounts into a Block Earner bank accounts and selected a cryptocurrency and amount of AUD to invest. Block Earner converted the AUD amount nominated by the customer into the nominated cryptocurrency, and offered a 7% fixed return, paid in the relevant cryptocurrency. The Court held the Earner product allowed a customer to make a financial investment within the meaning of section 763B of the Corporations Act, thus requiring Block Earner to hold an AFSL.
ASIC has also been actively enforcing the existing AFSLregime as it applies to cryptocurrency assets and cryptocurrency service providers. In recent years, ASIC has taken action against two companies in the cryptocurrency sector for providing financial services without an AFS licence.
In addition, a person that engages in a credit activity in Australia is required to hold an Australian credit licence with appropriate authorisations. Services provided in relation to some cryptocurrency assets can be considered a ‘credit activity’ to which the National Credit Code and the National Consumer Credit Protection Act 2009 (Cth) applies.
Cryptocurrency exchanges that provide specified ‘designated services’ are required to implement policies, systems and controls to appropriately manage and mitigate the risks of money-laundering and terrorist financing when conducting business in Australia. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 (Cth) (Amended AML/CTF Act), which is supported by an updated set of AML/CTF Rules, recently introduced significant changes to Australia’s AML/CTFframework, including introducing new requirements for cryptocurrency exchanges. Changes took effect on 31 March 2026.
Businesses are subject to the AML/CTF regime if they provide a ‘designated service’. Since 2018, exchanging digital currency for money has been a designated service.1 From March 2026, the definition of “digital currency” is amended to “virtual asset” to align with international standards and captures a broader range of assets, including NFTs and governance tokens.
Along with the definitional change, new services relating to digital assets will also become designated, namely:
Regulated cryptocurrency exchanges must have, and comply, with an AML/CTF program. This is comprised of an ML/TF risk assessment (which assesses the risks of money laundering, financing of terrorism and proliferation financing that the exchange may reasonably face in providing its services), and AML/CTF policies, which must manage and mitigate those risks and ensure the exchange complies with its AML/CTF obligations.
Key obligations include:
Cryptocurrency exchanges must also apply to join the Virtual Asset Service Provider Register. Registration can be refused or made subject to conditions if AUSTRAC considers the money laundering, terrorist financing, or serious crime risk of the company is too high.6 Providing a designated service that relates to virtual assets while not on the register is a criminal offence.
Cryptocurrency exchanges that provide certain services relating to transfers of value are also required to collect, verify and provide certain payment information, such as the details of the payer and tracing information to others in a transfer chain.7 Where a transfer is made involving an unverified self-hosted virtual asset wallet (as opposed to a wallet hosted by a virtual asset service provider), this must also reported to AUSTRAC.8
Cryptocurrency exchanges that fail to comply with their AML/CTF obligations can face enforcement action from AUSTRAC including financial penalties of up to $33 million.
AUSTRAC’s recent Regulatory Expectations for Implementation and Priorities for 2025-26 reiterated its focus on the money laundering risks of cryptocurrency and observed that the maturity of cryptocurrency exchanges’ ML/TF/PF risk management practices is highly variable.
In early 2025, AUSTRAC issued ‘please explain’ letters to 50 Australian crypto and digital currency exchanges, outlining its concern that these exchanges were being used to launder proceeds of crime. AUSTRAC has also brought enforcement actions against 13 cryptocurrency exchanges in 2025 so far. These were issued, among other reasons, for failures to disclose criminal histories of key employees. It has also cancelled some cryptocurrency exchanges’ registrations for failures to satisfy AML/CTF obligations, and has imposed conditions on other exchanges’ operating licences.
In the wider cryptocurrency sector, AUSTRAC has taken action against a number of crypto ATM providers. It refused to renew the registration of one ATM operator that demonstrated ongoing compliance risks, and imposed minimum standards on other crypto ATM providers, including a $5,000 limit on cash deposits and withdrawals and requiring improvements to customer due diligence.
In mid-March 2026, legislation was introduced into Parliament proposing to expand AUSTRAC’s powers to prohibit high-risk products, services or delivery channels. The new power would enable the AUSTRAC CEO to restrict or prohibit high-risk products, services or delivery channels in an entire sector if these present an unacceptable risk of money laundering or terrorist financing. At present, AUSTRAC can only cancel, suspend, or impose conditions on specific reporting entities if they present such risks.9 The explanatory memorandum suggests that the power could be used to prevent the exchange of money for virtual assets via a cryptocurrency ATM. AUSTRAC has repeatedly said that it considers crypto ATMs as one of the highest risks for money laundering in Australia.
To exercise this proposed new power, the AUSTRAC CEO would be required to rely on material that demonstrated the high-risk nature of the product, service or delivery channel (deemed a ‘high risk mechanism’), as well as the impact of any restriction or prohibition. Any exercise of this power would be preceded by a mandatory consultation with affected persons.
Australian sanctions laws apply to Australian citizens, Australian registered bodies corporate overseas, and companies conducting activities in Australia. Cryptocurrency exchanges that satisfy these criteria must ensure that they do not make assets (which includes cryptocurrency) available to or for the benefit of a person or entity that is sanctioned. They must also take reasonable steps to ensure that they are not facilitating such payments, which may include screening all customers and parties to transactions against the DFAT Consolidated List. To do this, cryptocurrency exchanges will need to collect details about their customers, which go hand in hand with customer due diligence obligations under the AML/CTF regime.
The Australian Sanctions Office has released guidance for cryptocurrency exchanges in relation to the specific sanctions risks that they face.
While crypto exchanges are not currently regulated by the Scams Prevention Framework (SPF), the Australian government has noted that it may expand the SPF to cryptocurrency exchanges in future. Given the scrutiny of scams in Australia and recent public commentary about the use of cryptocurrency businesses in common scams10, the possibility of future expansion of the SPF to cryptocurrency exchanges should not be ignored.
With the plethora of legislative reforms passed in 2026, businesses operating in the Australian cryptocurrency sector should revisit their regulatory controls and put in place procedures to ensure they meet new legislative requirements.
[1] AML/CTF Act, s 6, Table 1, 50A.
[2] Ibid, s 6, Table 1, 50B.
[3] Ibid, s 6, Table 1, 46A.
[4] Ibid, s 6, Table 1, 50C.
[5] Ibid, s 6, Table 6, 3.
[6] Ibid, s 76E.
[7] Ibid, s 63-66.
[8] Ibid, s46A.
[9] Ibid, s 75G-H, s 76J-K.
[10] https://www.austrac.gov.au/general-public/cryptocurrency-atm-scams; https://www.asic.gov.au/about-asic/news-centre/news-items/scam-alert-scammers-luring-investors-onto-fake-crypto-asset-trading-platforms/
Authors
Partner
Partner
Senior Associate (Admitted in England & Wales, not admitted in Australia)
Tags
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.