What crypto exchanges, wallet providers and digital asset businesses must do under Tranche 2 — registration, CDD, transaction monitoring and Travel Rule compliance.
Introduction
Australia’s Tranche 2 AML/CTF reforms extend compliance obligations to additional professional service sectors. For crypto and digital asset businesses, the key question is not whether AML regulation exists — but whether new obligations apply beyond existing AUSTRAC registration requirements, and which services trigger additional compliance responsibilities. This guide explains how Tranche 2 obligations may apply to crypto-related businesses, how KYC expectations interact with existing regulatory frameworks, and how directors can assess readiness without duplicating controls unnecessarily. Are Crypto Businesses Already Regulated?
Certain digital currency exchange providers are already regulated under Australia’s AML/CTF regime and must register with AUSTRAC. However, Tranche 2 reforms may capture additional service categories or clarify obligations for businesses involved in: Custodial wallet services Digital asset brokerage Token issuance and structuring services Acting as an intermediary in certain asset transactions The applicability depends on the specific services offered, not the label “crypto business.” Travel Rule Obligations in the Crypto Sector In addition to general AML/CTF obligations, certain digital asset businesses are subject to the Travel Rule, which requires the transmission of identifying information alongside digital asset transfers between regulated entities. In Australia, Travel Rule obligations apply to digital currency exchange providers registered with AUSTRAC and may extend depending on service structure and transaction thresholds. The Travel Rule is not separate from AML compliance — it is an operational expression of KYC and record-keeping requirements in the context of digital asset transfers.
For businesses already complying with the Travel Rule, the key question under Tranche 2 is whether existing controls are: Aligned with a documented AML risk assessment Applied consistently across service lines Adequately documented and reviewable When Do Tranche 2 Obligations Apply? Tranche 2 obligations apply where a business provides designated services under the AML/CTF framework. For digital asset businesses, this may include: Exchanging fiat and digital assets Providing custody or control over client assets Facilitating transactions involving beneficial ownership changes Structuring or administering digital asset entities or arrangements Where digital asset transfers occur between regulated providers, Travel Rule compliance may already address identity transmission requirements. However, Tranche 2 obligations extend beyond data transmission and require firms to demonstrate a coherent AML framework underpinning those processes.
Understanding whether your service falls within scope is the first step in assessing compliance requirements. What KYC Means for Digital Asset Businesses Know Your Customer (KYC) requirements in the crypto sector often already exist in some form — particularly for exchange platforms. Under Tranche 2, expectations focus on: Identifying and verifying individual and entity clients Understanding beneficial ownership Assessing transaction risk Documenting onboarding and monitoring decisions Where KYC systems already exist, the question becomes whether they are aligned with a documented AML risk assessment and proportionate to service risk. Interaction with Existing AML Programs Businesses already registered with AUSTRAC may have AML programs in place.
Tranche 2 does not necessarily duplicate these requirements — but it may require: Clarifying which services are designated Updating risk assessments to reflect expanded scope Ensuring documentation aligns with actual operational practices Controls should be coherent and defensible, not duplicated for form’s sake. For businesses already implementing Travel Rule technology solutions, it is important to ensure that technical integration is supported by: Clear policy documentation Defined escalation procedures Ongoing monitoring processes Risk assessment alignment Technology alone does not satisfy regulatory expectations without governance structure. The Role of a Risk-Based Approach Digital asset businesses operate in a rapidly evolving environment. A risk-based approach allows firms to: Scale enhanced due diligence where anonymity risk is higher Apply simplified procedures where risk is demonstrably lower Adjust monitoring in response to transaction patterns Regulatory expectations centre on proportionality and documentation — not blanket restrictions.
Common Pitfalls in the Crypto Sector Crypto and digital asset businesses most often encounter issues where they: Assume existing onboarding automatically satisfies all AML obligations Lack a documented firm-wide AML risk assessment Apply inconsistent controls across service lines Separate compliance policy from operational practice Assuming Travel Rule compliance alone satisfies broader AML obligations Regulators focus on whether risk assessments meaningfully inform KYC decisions. What the Regulator Is Looking For AUSTRAC expects digital asset businesses to demonstrate: Clear identification of designated services A documented AML risk assessment Consistent client due diligence procedures Evidence of ongoing monitoring where required The objective is coherent, proportionate controls — not technology-specific complexity.Tranche 2 Readiness Assessment If you are unsure whether your firm is in scope, a short readiness assessment can help. Request a 15-Minute Readiness Assessment.