This is the working version of the brief we share with digital-asset teams who are getting ready for the Digital Assets Framework Act. If you own the affiliate programme, the compliance file, or the marketing P&L, it's written for you. We've kept the substance and cut the legalese.
First, a quick mental model
Picture three circles. One is AML, run by AUSTRAC, and it asks the question, "who is this customer?". The second is market conduct, run by ASIC, and it asks, "is this platform behaving like a proper financial venue?". The third is token integrity, also run by ASIC, and it asks, "does the token actually represent what you say it does?".
Those three circles map to three labels: VASP, DAP and TCP. Most exchanges sit in all three. That is the single most important thing to take from the DAF Act. It is not a new category on top of the old one. It is three overlapping categories that you have to comply with at the same time.
There is also a fourth circle: the Privacy Act, run by the OAIC. It covers every organisation that handles personal information. Affiliate sign-up pages are full of personal information, so the fourth circle is always on.
Why affiliate content is now a licensing question
Here is the shift in plain terms. Before the DAF Act, if an affiliate wrote something misleading about a crypto product, it was a brand and consumer-law problem. You had to take it down. You might get a fine. Your reputation took a hit.
After the DAF Act, if that same affiliate writes something misleading about a DAP or TCP product, it sits inside the AFSL perimeter. The regulator can look at the affiliate, look at the platform, and ask a much harder question: did the platform take reasonable steps to supervise the content being produced in its name? If the answer is no, the licence itself is in play.
That is the pivot. The affiliate programme goes from being a growth channel with compliance overheads to being part of the licensing story the platform tells ASIC.
Six affiliate risks we see in AFSL readiness reviews
These are the things that keep coming up when we audit APAC crypto affiliate programmes. None of them are exotic. Most programmes have at least three of them.
1. Legacy "no KYC" promotional copy
Old review sites and YouTube descriptions still say things like "sign up in 30 seconds, no ID required". That was always a marketing stretch. Now it cuts directly against the updated customer-due-diligence rules that kicked in on 31 March 2026.
The fix: run a search across every partner domain for the words "no KYC", "no ID", "fast sign-up" and similar phrases. Retire the creative. Keep evidence of removal dates in the AFSL file.
2. Sub-affiliates you've never seen
You onboarded a network partner. That network runs its own second-tier and third-tier affiliates. They post in Telegram groups, run Discord servers, and buy paid search, often under handles that never appear in your tracker. Your compliance exposure travels with that traffic.
The fix: Trackback Discovery surfaces the tail that your tracker does not see, so you know who is actually driving sign-ups. You cannot supervise what you cannot see.
3. Performance claims on yield and stablecoin products
"Earn 9% APY on USDC." You have seen the copy. Under the DAF Act, that reads as a general financial promotion. It needs a risk warning. It needs something to substantiate the number. On most affiliate pages today, it has neither.
The fix: treat every yield claim the way a fund manager treats a past-performance statement. Evidence, warning, balance. If the partner can't show their workings, the claim comes down.
4. NFT drops that are really investment products
Some of the most popular crypto-adjacent affiliate campaigns in 2025 were for fractional-ownership NFTs. Strip the wrapper off and the underlying asset is a share of a villa, a vintage car, a bond portfolio. That's a financial product under the DAF Act, not a collectible.
The fix: map every partner campaign to one of the three labels. Anything that turns out to be a DAP or TCP offer needs proper disclosure, not NFT drop copy.
5. Paid search on regulator and competitor terms
Affiliates bidding on "ASIC crypto licence" or "AUSTRAC registered exchange" is unfortunately common. So is ad copy that implies regulatory endorsement ("fully licensed and approved"). The ACCC already takes a dim view. Under the new regime, ASIC is going to as well.
The fix: a standing paid-search scan on regulator terms, competitor names and your own brand. Brand protection and PPC monitoring does this across Google, Bing and paid social, and the trail is evidentially strong.
6. Generic disclaimers that aren't Australian
Affiliate pages often use the same footer disclaimer on every page, written for a US audience, referring to the SEC or FINRA. In Australia that helps nobody. It needs to reference Australian risk warnings, point to MoneySmart, and, where relevant, name the Financial Services Guide.
The fix: a localised boilerplate for Australian traffic, reviewed by the platform's compliance function and audited quarterly.
A 12-month plan that mirrors ASIC's roadmap
ASIC has published its own 18-month implementation roadmap. Our plan maps to it, and assumes you start in Q1 2027. That's the earliest realistic start point for a dedicated readiness programme, because licence applications open in Q4 2026 and the standards package publishes across the middle of the roadmap.
Phase 1, Q1 to Q2 2027. Baseline and purge
The first job is to see what you have. A full inventory of partners, sub-affiliates, influencers, paid-search bidders and review sites that still link to you. The second job is to retire anything that will not survive the new rules. Legacy no-KYC copy, pre-Tranche-2 customer-due-diligence wording, anything that leans on an INFO 225 carve-out.
The third job is to refresh every privacy notice on every partner landing page. OAIC alignment, no full ID-copy retention, purpose-limited language. Dry but essential.
Phase 2, Q2 to Q3 2027. Programme build
Now you build the machinery. An AML/CTF programme that covers affiliate onboarding, not just direct customers. Pre-approval workflow for every creative that touches an Australian audience. Automated monitoring through Rightlander Compliance to catch drift once assets are in market, because the creative always drifts.
Travel Rule goes live for any value transfer, including cashback and referral mechanics. Design it in at the programme level so partners inherit it, rather than bolting it on for each campaign.
Phase 3, Q3 to Q4 2027. Licence application and standards
You file the AFSL application with DAP or TCP authorisation, or both. Your standards package is mapped to your internal control library. Every partner onboarding pack references the asset-holding, transactional and financial requirements.
The affiliate programme gets a pre-launch gate. No new partner goes live without a creative review, a jurisdictional fit check, and a privacy-impact assessment. Quality monitoring runs against the live partner base, with exception reporting to the compliance-manager dashboard every week.
Phase 4, 2027 onwards. Operate under supervision
You are now a supervised entity. The monitoring keeps running, because ASIC expects ongoing reporting and will watch for market-conduct issues in real time. Partners from outside Australia get a quarterly review: is the offer genuinely local, or is it being held out to Australian retail clients? Annual re-papering is tied to the AFSL renewal and any authorisation changes.
What evidence looks like
One of the most common questions we get is, "what does good evidence look like?" Here is a simple test. If a regulator asked you tomorrow to produce 12 months of proof that every piece of affiliate creative touching Australia carried a proper risk warning, could you, within 72 hours?
If yes, you are probably in the right place. If not, the readiness work starts with closing that gap. Evidence-grade monitoring is dated, tamper-resistant, and tied to a specific URL or social post. It lives somewhere the audit team can reach without going through marketing.
Five questions for your next compliance sync
- Do we know every landing page, review site and social account driving traffic into our Australian product surface, including partners we never directly onboarded?
- Which of our current partners will themselves apply for DAP or TCP authorisation, and which will exit the Australian market when the regime commences?
- If INFO 225 relief expires in June 2026, which of our current marketing claims need to be retired or re-evidenced before then?
- Do our affiliate contracts reference AFSL authorisation, AML/CTF obligations, Travel Rule and Privacy Act compliance, or are they still mirroring a pre-DAF template?
- If ASIC asked us to show 12 months of evidence that our affiliate creative carried appropriate risk warnings, could we produce it within 72 hours?
Where Rightlander fits
Rightlander is the affiliate compliance platform regulated brands use to see every partner, in every market, every day. For DAF Act readiness, that means three things.
First, affiliate publisher compliance. Every landing page, review site and article a partner runs gets scanned. Missing risk warnings, unsubstantiated claims and mis-categorised offers get surfaced. Evidence is captured in a form you can file.
Second, brand protection and PPC monitoring. Unauthorised bidding on your brand, on regulator terms, and on competitor names, across Google, Bing and paid social, in Australia and in the source markets that drive traffic in.
Third, sub-affiliate transparency. Tier-2 and tier-3 activity that your network does not surface: Telegram, Discord, YouTube, influencer posts. Most residual risk sits here.
Rightlander integrates with the networks and trackers APAC crypto operators already use. The readiness programme is compliance and editorial work, not engineering.