AUSTRAC's Regulatory Priorities for 2025-26: Cash-Intensive Businesses and Remittance Squarely in the Crosshairs

AUSTRAC is shifting from compliance tick-boxes to risk-based enforcement — and remittance operators who handle cash or digital currency are the primary targets.

Compliance Desk

When AUSTRAC published its regulatory expectations and priorities for 2025–26, it did something unusual. Rather than issuing a broad, sector-neutral compliance reminder, the regulator named its targets explicitly: cash-intensive businesses, digital currency exchanges, virtual asset service providers, and entities whose exposure to cash "creates particular vulnerabilities."

Remittance operators sit at the intersection of nearly every category AUSTRAC flagged. Operators who handle cash — and that's a significant proportion of the sector — are in the direct line of fire. So are those operating digital currency exchange services, offering crypto-based settlement, or running hybrid models that combine traditional remittance with digital asset services.

This isn't a warning shot. It's a firing schedule. Here's what operators need to know.

What AUSTRAC Actually Said

The 2025–26 priorities document, published in July 2025, represents a deliberate shift in AUSTRAC's regulatory posture. The regulator is moving from a model that primarily checked for compliance ("do you have an AML/CTF program?") to one focused on substantive risks and harms ("is your program actually working to prevent money laundering?").

AUSTRAC stated it will assess risk and behaviour at an industry and sector level rather than focusing solely on individual entities. This means the regulator is looking at patterns across the entire remittance sector — not just responding to individual tip-offs or isolated audit findings.

The key priority areas relevant to remittance operators include:

1. Cash-Intensive Businesses

AUSTRAC noted that while cash use in Australia is declining, more than $100 billion remains in circulation. Cash is "highly susceptible to money laundering because it is anonymous, accessible and widely accepted." Money laundering risks in cash-intensive businesses remain a top-tier concern.

For remittance operators, cash handling is often a core part of the business model. Customers walk into a shopfront, hand over cash, and funds are delivered to a recipient overseas. That model — which serves legitimate, often underbanked communities — also creates the exact vulnerability profile AUSTRAC is targeting.

2. Digital Currency Exchanges and VASPs

Digital currency exchanges (DCEs) and virtual asset service providers (VASPs) that "facilitate instantaneous global transfers" are explicitly called out. AUSTRAC's concern is that these services can move value across borders with speed and relative anonymity that traditional financial channels cannot match.

Remittance operators who also hold DCE registration — or who use crypto-based settlement without proper registration — are doubly exposed.

3. Entities with Mixed or Complex Service Models

Operators running hybrid models (cash collection combined with crypto settlement, or remittance bundled with foreign exchange services) face heightened scrutiny. AUSTRAC's sector-level analysis means the regulator is mapping how different service types interact and where gaps emerge.

The Enforcement Actions That Followed

AUSTRAC's priorities document wasn't just rhetoric. The enforcement activity that followed has been pointed and public.

Castra and Princeton Proceedings

In December 2025, AUSTRAC commenced civil penalty proceedings against Castra Licensee and Princeton Securities for failing to lodge compliance reports for the 2023 calendar year. Both entities had been issued infringement notices in September 2024 as part of a broader action against 16 businesses. Neither paid the infringement notice, prompting AUSTRAC to escalate to court action.

The message is straightforward: AUSTRAC is no longer willing to let compliance failures fade into the background. Non-payment of infringement notices — which might previously have been treated as an administrative matter — now triggers litigation.

The DCE Registration Blitz

AUSTRAC launched a "use it or lose it" campaign targeting inactive digital currency exchange registrations. Of the 427 registered DCEs at the time, AUSTRAC identified a significant proportion as inactive. Entities that could not demonstrate they were actively carrying on a DCE service, submitting compliance reports, and managing identified risks faced registration cancellation or non-renewal.

For remittance operators who also hold DCE registration, this is a direct warning: maintaining a registration you're not actively using — or not properly managing — is no longer tenable.

Broader Crypto Enforcement

By early 2025, AUSTRAC had already taken action against 13 crypto remittance and digital currency exchange providers, with more than 50 under active investigation. The enforcement pipeline is growing, not shrinking.

Proposed New Powers: The AUSTRAC CEO's Restrict-and-Prohibit Authority

Perhaps the most significant development beyond the priorities document itself is the proposed new power for the AUSTRAC CEO to restrict or prohibit high-risk products, services, or delivery channels.

Announced by the Minister for Home Affairs, this power would allow the AUSTRAC CEO to take action against specific service types — not just individual entities — that present unacceptable money laundering or terrorism financing risks.

Crypto ATMs as the Test Case

Crypto ATMs have emerged as the primary target. The number of crypto ATMs in Australia has grown from 1,200 (when AUSTRAC established its Crypto Taskforce in late 2024) to approximately 2,000. AUSTRAC estimates that nearly 150,000 transactions occur annually, moving roughly $275 million through these machines each year.

The statistics are stark: in a sample of 90 of the most prolific crypto ATM users across Australia, AUSTRAC and its law enforcement partners found 85 per cent were scam victims or money mules who had been tricked or coerced into moving money.

The proposed power would enable the AUSTRAC CEO to restrict or prohibit an entire product category — like crypto ATMs — if the risks cannot be adequately managed. The framework requires mandatory consultation with affected parties before exercising the power, except in urgent circumstances.

What This Means for Remittance Operators

While crypto ATMs are the immediate target, the proposed power is not limited to them. Any "high-risk product, service, or delivery channel" could be subject to restriction. For remittance operators, this means:

  • Cash-based remittance channels could theoretically be restricted if AUSTRAC determines the money laundering risks cannot be managed at a sector level
  • Specific corridor routes known for illicit finance risks could face restrictions
  • Crypto-based settlement methods used by remittance operators could be curtailed if the underlying platforms are deemed high-risk

The power hasn't been legislated yet, but the fact that it's been publicly proposed by the Minister signals the direction of regulatory travel.

The Shift to Risk-Based Regulation: What It Means in Practice

AUSTRAC's 2025–26 priorities mark a genuine philosophical shift. The regulator is no longer primarily interested in whether an operator has ticked compliance boxes. It wants to know whether the operator's AML/CTF program is actually effective at identifying and mitigating money laundering and terrorism financing risks.

In practical terms, this means:

  • Transaction monitoring that actually works. Having a monitoring system is not enough. AUSTRAC expects the system to be calibrated to the operator's specific risk profile, generating alerts that are investigated and resolved. Generic, off-the-shelf rules that produce thousands of unreviewed alerts will not satisfy the regulator.

  • Cash handling procedures that reflect real risks. If an operator handles cash, AUSTRAC expects documented procedures for identifying suspicious transactions, verifying the source of funds for large or unusual transactions, and escalating concerns. The procedures must be followed in practice — not just written into a manual.

  • Reporting that is current and accurate. Suspicious matter reports (SMRs), threshold transaction reports (TTRs), and international funds transfer instructions (IFTIs) must be filed on time and with accurate information. The Castra/Princeton proceedings demonstrate that even administrative reporting failures will be pursued.

  • A culture of compliance, not just a compliance function. AUSTRAC is increasingly looking at whether an entity's leadership takes AML/CTF obligations seriously. Board-level awareness, adequate resourcing of compliance functions, and genuine integration of AML/CTF considerations into business decisions are all on the radar.

What To Do Now

Remittance operators should treat the 2025–26 priorities as a compliance action plan. Here are the immediate steps:

  1. Stress-test your transaction monitoring. Run a review of your monitoring rules against your actual transaction data from the past 12 months. Are the rules generating meaningful alerts? Are alerts being investigated within your stated timeframes? Document the results.

  2. Review your cash handling procedures. If you accept cash, audit your processes against AUSTRAC's published indicators of suspicious activity for the remittance sector. Ensure frontline staff are trained and that training records are current.

  3. Confirm all reporting is up to date. Check that every required compliance report, SMR, TTR, and IFTI has been lodged. If there are gaps, rectify them immediately. The Castra/Princeton proceedings show that delinquent reporting will be prosecuted.

  4. Assess your DCE registration. If you hold a DCE registration, confirm you are actively providing DCE services and meeting all associated obligations. If the registration is dormant, consider whether voluntary deregistration is the appropriate course.

  5. Brief your leadership. Ensure your directors or business owners understand AUSTRAC's current priorities and the increased enforcement posture. Compliance is no longer a back-office function — it's a board-level responsibility.

Key Dates

Date | Event
July 2025 | AUSTRAC 2025–26 regulatory priorities published
September 2024 | Infringement notices issued to 16 entities (including Castra, Princeton)
December 2025 | Civil penalty proceedings commenced against Castra and Princeton
Late 2024 – ongoing | "Use it or lose it" DCE registration blitz
TBC (proposed) | AUSTRAC CEO restrict-and-prohibit power to be introduced to Parliament

AUSTRAC's message for 2025–26 is unambiguous: the regulator is watching the remittance sector more closely than ever, with sharper tools and a willingness to use them. Operators who treat compliance as a genuine risk management exercise — rather than a paperwork obligation — will be best positioned to navigate what comes next.
