AUSTRAC and crypto in Australia: why that exchange keeps asking questions

If you’ve ever tried to onboard with an Australian crypto exchange, you’ve probably had the same moment: “Why do they need all this?”

The short answer is AUSTRAC.

AUSTRAC is Australia’s AML/CTF regulator, and if your business provides certain “designated services” (including crypto exchange and remittance), you become a reporting entity. That status comes with real obligations: enrolment, registration (for some services), a written AML/CTF program, customer checks, and ongoing reporting.

This is a high-level overview of what AUSTRAC expects, how crypto businesses typically fit in, and what the compliance “minimum viable setup” looks like.

Who needs AUSTRAC registration in crypto

In Australia, any business providing digital currency exchange (DCE) services must be registered with AUSTRAC. AUSTRAC explicitly notes it can refuse an application.

If you provide remittance services or DCE services, you must enrol and register with AUSTRAC, and you must not start providing those services until AUSTRAC confirms your registration. AUSTRAC is clear that operating without being registered is against the law and penalties may apply.

There’s also a broader concept: if you provide any designated services, you must enrol with AUSTRAC within 28 days. austrac.gov.au

Enrolment vs registration (people mix these up)

Enrolment is basically “telling AUSTRAC who you are” as a reporting entity. Registration is an extra step required for specific higher-risk sectors like remittance and DCE.

AUSTRAC’s own guidance frames it simply:

• if you provide designated services → enrol within 28 days
• if you provide remittance or DCE → don’t operate until you’re registered and AUSTRAC confirms it

The compliance backbone: your AML/CTF program

This is the part that shapes everything else.

AUSTRAC requires reporting entities to have a written AML/CTF program that explains how you identify, mitigate, and manage money laundering and terrorism financing risks, and you must have it before you start providing designated services. austrac.gov.au

AUSTRAC also explains the program is risk-based (tailored to your customers, services, delivery channels, and jurisdictions), and it traditionally has two parts:

• Part A: your risk controls and systems
• Part B: how you identify customers and beneficial owners and verify identity

This is why exchanges ask for source of funds, occupation, expected activity, and sometimes additional verification. It’s not (only) paranoia — it’s the risk-based program working as designed.

The three reports that drive most day-to-day compliance

AUSTRAC compliance isn’t just “KYC at onboarding.” Reporting timelines are strict and operationally sensitive.

1. Suspicious Matter Reports (SMRs)If you form a suspicion (money laundering, other offences, etc.), you must submit an SMR:

• within 24 hours if it relates to terrorism financing
• within 3 business days for other suspicions

1. Threshold Transaction Reports (TTRs)If you provide a designated service that involves a cash transaction of A$10,000 or more (or foreign currency equivalent), you must submit a TTR within 10 business days. 
2. International Funds Transfer Instruction (IFTI) reportsIf you send an IFTI out of Australia or receive an IFTI into Australia, you must submit an IFTI report within 10 business days. 

The annual compliance report (the deadline that sneaks up)

On top of transaction reporting, AUSTRAC requires an annual compliance report. The standard submission window is between 1 January and 31 March each year, covering the previous calendar year.

This is one of those obligations that sounds administrative until it isn’t. It’s also the kind of thing that partners (banks, payment processors) may ask you to confirm you do consistently.

A quick “startup reality” checklist

If you’re building a crypto exchange, broker, on/off-ramp, or remittance-like product in Australia, a sensible high-level checklist looks like this:

• confirm your scope: are you a DCE provider, remittance provider, or both?
• enrol within 28 days of providing designated services
• register before you operate (for DCE/remittance)
• implement a written AML/CTF program before go-live
• be ready for reporting operations: SMR (fast), TTR and IFTI (within 10 business days)
• plan for the annual compliance report each Jan–Mar

Also worth knowing: AUSTRAC’s guidance flags reforms coming, with some changes commencing on 31 March 2026, and transitional guidance already published.

What this means for your product and UX

This is where good fintech teams differentiate.

A “compliance-first” onboarding doesn’t have to feel hostile. The best AUSTRAC-aligned products usually:

• ask for the minimum upfront, then progressively verify based on risk and activity
• explain questions in plain language (“We’re required to verify this under AUSTRAC rules”)
• design flows that capture data once and reuse it (instead of repeatedly asking users the same thing)
• log decisions cleanly, because audits don’t care about vibes, only evidence

In other words: treat AUSTRAC compliance like a product surface, not a back-office tax.