Compliance for fintech + payments + crypto in Australia
AFSL, ACL, AML/CTF, CDR, Payment Service Provider licensing reform, BNPL captured 10 June 2025, crypto asset platform regime in scoping, ePayments Code, RBA payments reforms.
Australia's fintech regulatory perimeter is undergoing the most significant rewrite since the post-GFC reforms. Treasury's payments licensing reform package, ASIC's BNPL capture (10 June 2025), the Crypto Asset Platform regime in scoping, CDR Action Initiation 2026, RBA payments architecture review — all stack on the existing AFSL + ACL framework.
Fintechs typically straddle multiple licensing perimeters. A neobank needs an ADI licence (or 'Restricted ADI'); a payments-only provider needs an AFSL with non-cash payment services authorisation (and likely a PSP licence under the reforms); a crypto exchange needs an AFSL + likely the new CASP authorisation when finalised; a BNPL provider needs an ACL from 10 June 2025.
This page captures the practical compliance picture for an AU-domiciled fintech serving retail customers.
1. The licensing perimeter — what authorisation do you actually need?
AFSL: financial products + dealing/advising. ACL: consumer credit. ADI: banking. PSP (in scope): payment services. CASP (in scope): crypto asset platforms. Fintechs often need two or more of these. Pre-licensing engagement with ASIC + APRA (where ADI) is recommended.
2. AML/CTF
Most fintechs are designated services providers under the AML/CTF Act 2006 — payment services, digital currency exchange (current designated service), remittance, account services. AML/CTF program (Part A + Part B), customer due diligence, AUSTRAC reporting (TTR/SMR/IFTI), AML/CTF officer.
3. CDR + Open Banking
Consumer Data Right designations expanding. ADIs are data holders. Accredited recipients face Privacy Safeguards. Action Initiation commences 2026 — enables write functions on customer authorisation.
4. BNPL capture (10 June 2025)
BNPL captured by NCCP as Low Cost Credit Contracts from 10 June 2025. Providers need ACL + modified responsible lending + AFCA membership. Industry consolidation expected.
5. PSP licensing reform
Treasury's PSP regime introduces tiered payments licensing (Major Payment Institution, Standard Payment Institution, etc. — final names TBC). Final regulations + transition arrangements expected 2025-2026.
6. Crypto Asset Platform licensing (CASP)
Treasury October 2023 proposal paper + 2024-2025 consultation. CASP regime aims to regulate digital asset platforms via AFSL + custody requirements. Draft legislation expected late 2025 / 2026.
7. ePayments Code
Voluntary but widely subscribed — sets liability allocation rules for unauthorised transactions. Reform in 2024-2025 to address scams + mistaken payments.
8. RBA payments architecture review
RBA leading payments system architecture review — outcomes affect interchange, surcharging, BECS retirement, NPP modernisation.
9. Privacy + cyber
APP entities — Privacy Act 1988 + 2024 amendments (statutory tort, OAIC penalties, Children's Code). Many fintechs are subject to SOCI if the payment service is a critical infrastructure asset.
10. ASIC IDR (RG 271) + AFCA
AFSL + ACL holders bound by RG 271 IDR standards. AFCA membership mandatory. IDR data reporting twice-yearly to ASIC.
FAQ
Do I need an AFSL for a payment-only product?
Yes, if the product is a 'financial product' under Corporations Act ch 7 — non-cash payment facilities almost always qualify. Limited carve-outs exist; pre-licensing advice is essential.
Is BNPL still unregulated?
No — from 10 June 2025, BNPL is a Low Cost Credit Contract under NCCP. Providers must hold ACL.
When does the crypto regime finalise?
Treasury consulting through 2024-2025; draft legislation expected late 2025 to 2026; commencement likely 2026-2027 with transition.
Published obligations that apply to fintech (non-bank) (17)
- [critical] [CWLTH] BNPL providers — credit licensing from 10 June 2025
BNPL captured by the NCCP Act as a regulated credit product from 10 June 2025.
- [critical] [CWLTH] Comply with Design and Distribution Obligations (DDO)
Issuers and distributors of retail financial products must have a Target Market Determination (TMD) and distribute consistently with it.
- [critical] [CWLTH] Enrol with AUSTRAC as a reporting entity
Tranche 2 entities must enrol with AUSTRAC by 29 July 2026.
- [critical] [CWLTH] Hold AFSL with derivative authorisations (margin lending + CFD + binary)
Issuers of OTC derivatives to retail clients face product intervention orders + tightened conditions.
- [critical] [CWLTH] Maintain a written AML/CTF program
Every reporting entity needs a documented AML/CTF program — Part A risk + Part B systems.
- [critical] [CWLTH] Major banks must provide CDR Banking + Action Initiation (2026)
CDR Action Initiation lets accredited recipients initiate payments + actions on consumer behalf.
- [critical] [CWLTH] Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- [high] [CWLTH] Comply with CDR Banking (Open Banking) — major + non-major ADIs
Banking data holders must share consumer data with accredited recipients on consumer consent.
- [high] [CWLTH] Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
- [high] [CWLTH] Comply with Stored Value Facility rules (banking exception)
SVF providers must operate within APRA + Treasury rules on purchased payment facility regulation.
- [high] [CWLTH] Consumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
- [high] [CWLTH] Crypto Asset Secondary Service Provider (CASSPr) licensing reforms
Treasury consultation 2024 on bespoke crypto licensing — separate from AFSL.
- [high] [CWLTH] Crypto-Asset Reporting Framework (CARF) — implementation 2026-2027
AU adopts the OECD CARF for crypto reporting from 2026; ATO reporting starts 2027.
- [high] [CWLTH] Payment Service Provider (PSP) licensing reform — implementation pending
Treasury reform of payments licensing to capture digital wallets + Buy Now Pay Later + stored value.
- [medium] [CWLTH] Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.
- [medium] [CWLTH] Comply with the ePayments Code
Voluntary but industry-standard code covering electronic transaction terms, mistaken internet payments, and unauthorised transactions.
- [medium] [CWLTH] Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.