Fintech & Payments Company Setup & Structuring in Australia

Australia is one of the Asia-Pacific region';s most active fintech jurisdictions, combining a mature regulatory framework with a government-backed innovation agenda. A company entering the Australian payments or fintech market must obtain the correct licence before operating, structure its corporate vehicle to satisfy both regulatory and investor requirements, and embed compliance systems from day one. Failure to do so exposes founders and directors to civil penalties, licence refusal and personal liability. This article covers the regulatory landscape, available corporate structures, licensing pathways, AML/CTF obligations, capital and governance requirements, and the most common structuring mistakes made by international entrants.

Australia';s fintech and payments sector sits at the intersection of three primary regulators. Understanding which regulator governs which activity is the first structural decision a founder must make.

The Australian Securities and Investments Commission (ASIC) supervises financial services and markets. It administers the Corporations Act 2001 (Cth), which under Chapter 7 requires any entity carrying on a financial services business to hold an Australian Financial Services Licence (AFSL). Payments and fintech products that involve financial products - including non-cash payment facilities, managed investment schemes or derivatives - fall within ASIC';s remit.

The Australian Prudential Regulation Authority (APRA) regulates deposit-taking, insurance and superannuation. A company wishing to accept deposits from the public must obtain an Authorised Deposit-taking Institution (ADI) licence under the Banking Act 1959 (Cth). APRA also administers the Restricted ADI (RADI) framework, which allows new entrants to operate under a restricted licence for up to two years before graduating to a full ADI.

The Australian Transaction Reports and Analysis Centre (AUSTRAC) administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). Any entity providing a designated service - including remittance, digital currency exchange or issuing or managing payment instruments - must enrol with AUSTRAC and implement a compliant AML/CTF programme.

The Reserve Bank of Australia (RBA) oversees payment system regulation under the Payment Systems (Regulation) Act 1998 (Cth) and can designate payment systems and impose access regimes. The New Payments Platform (NPP) and the card schemes operate under RBA oversight, which affects any company seeking direct settlement access.

A non-obvious risk is that many international founders assume a single licence covers all activities. In practice, a company offering digital wallets, currency conversion and investment products may need an AFSL, AUSTRAC enrolment and potentially an ADI or RADI licence simultaneously.

The corporate structure determines tax efficiency, investor access, regulatory eligibility and the ability to scale. Australia offers several vehicles, and the choice depends on the business model, funding stage and cross-border considerations.

A proprietary limited company (Pty Ltd) is the standard vehicle for early-stage fintechs. It is incorporated under the Corporations Act 2001 (Cth) and can have between one and fifty non-employee shareholders. A Pty Ltd cannot raise capital from the public without triggering disclosure obligations, which makes it suitable for seed and Series A rounds with sophisticated or professional investors. Incorporation typically takes one to two business days through the Australian Securities and Investments Commission';s online portal, with a modest government fee.

A public company limited by shares (Ltd) is required if the company intends to list on the Australian Securities Exchange (ASX) or raise capital from retail investors through a prospectus. The compliance burden is substantially higher: continuous disclosure obligations under the Corporations Act 2001 (Cth) s 674, annual general meeting requirements and enhanced auditing standards apply. Most fintechs incorporate as a Pty Ltd and convert to a public company at a later funding stage.

A foreign company branch registration is available under the Corporations Act 2001 (Cth) Part 5B.2. It allows an overseas entity to operate in Australia without incorporating a separate local entity. However, ASIC and APRA generally require a locally incorporated entity to hold an AFSL or ADI licence, making branch registration unsuitable as the primary regulatory vehicle for licensed fintech activities.

A holding company structure - where an Australian Pty Ltd or Ltd sits beneath an offshore holding company in Singapore, the Cayman Islands or the British Virgin Islands - is common among venture-backed fintechs. This structure facilitates offshore fundraising, employee option pools governed by familiar law and eventual exit flexibility. The key compliance consideration is that the Australian operating entity must independently satisfy all local licensing and capital requirements, regardless of the offshore parent';s structure.

A common mistake is to incorporate the Australian entity as a wholly owned subsidiary of an offshore holding company without ensuring the Australian board has sufficient local directors and genuine decision-making authority. ASIC and APRA assess the substance of the Australian entity, not merely its legal form.

To receive a checklist for fintech corporate structuring in Australia, send a request to info@vlolawfirm.com

The Australian Financial Services Licence is the central regulatory instrument for most fintech and payments businesses. Understanding its scope, application process and ongoing obligations is essential before committing to a business model.

An AFSL is required under the Corporations Act 2001 (Cth) s 911A for any entity that carries on a financial services business in Australia. The definition of "financial service" includes dealing in, advising on or making a market in financial products. A non-cash payment facility - such as a stored-value wallet, a prepaid card or a buy-now-pay-later product - is a financial product under s 763D of the Corporations Act 2001 (Cth), and issuing or dealing in such a facility requires an AFSL unless an exemption applies.

Key exemptions that international entrants frequently rely on include the "authorised representative" model, where the applicant operates under the AFSL of an existing licensee, and the "sandbox" regime under ASIC';s regulatory sandbox, which allows limited testing of financial services without a licence for up to 24 months under the Treasury Laws Amendment (2018 Measures No. 2) Act 2019 (Cth). The sandbox has a cap on the number of retail clients and a maximum exposure limit, making it unsuitable for scaling.

The AFSL application process involves submitting a detailed application through ASIC';s online portal, including a business description, proof of organisational competence, financial resources evidence, compliance arrangements and a risk management framework. ASIC';s published service standard for processing applications is approximately 150 days from receipt of a complete application, though complex applications routinely take longer.

ASIC assesses whether the applicant has adequate financial resources under the Corporations Act 2001 (Cth) s 912A(1)(d). For a non-cash payment facility issuer, this typically means holding net tangible assets or a cash equivalent above a prescribed threshold. The threshold varies by licence type and the nature of the financial products covered.

Ongoing AFSL obligations include maintaining a dispute resolution scheme membership (the Australian Financial Complaints Authority, AFCA), holding professional indemnity insurance, lodging annual compliance certificates and notifying ASIC of significant breaches within ten business days under s 912D of the Corporations Act 2001 (Cth).

A non-obvious risk is that AFSL conditions are tailored to each licensee. An applicant that describes its business broadly to obtain wide licence conditions may face ASIC scrutiny if its actual operations do not match the licence scope. Conversely, narrow conditions can restrict future product expansion without a licence variation, which itself takes several months.

AUSTRAC enrolment is mandatory for any entity providing a designated service under Schedule 1 of the AML/CTF Act. For fintech and payments companies, the most relevant designated services are remittance dealing, digital currency exchange, issuing or managing payment instruments, and providing accounts.

Enrolment must occur before the entity commences providing the designated service. The process is administrative and completed online, but it triggers immediate substantive obligations. The entity must adopt and maintain an AML/CTF programme under Part 7 of the AML/CTF Act, which must include a Part A programme (covering governance, risk assessment, customer due diligence and transaction monitoring) and a Part B programme (covering employee due diligence).

Customer due diligence (CDD) obligations require the entity to verify the identity of customers before providing a designated service. For individual customers, this means collecting and verifying name, date of birth and residential address against reliable and independent sources. For corporate customers, the entity must identify and verify the beneficial owners - defined as individuals holding 25% or more of the entity - under the AML/CTF Rules.

Ongoing transaction monitoring must be calibrated to the entity';s risk profile. AUSTRAC expects fintechs to use automated monitoring systems capable of detecting structuring, unusual transaction patterns and high-risk jurisdictions. Threshold transaction reports (TTRs) must be submitted to AUSTRAC for cash transactions of AUD 10,000 or more, and suspicious matter reports (SMRs) must be submitted as soon as practicable after the entity forms a suspicion.

AUSTRAC has demonstrated a willingness to impose very substantial civil penalties for systemic AML/CTF failures. The risk of inaction is acute: operating a designated service without enrolment, or with a deficient AML/CTF programme, exposes the entity and its responsible officers to penalties under s 175 of the AML/CTF Act. Penalties can reach tens of millions of dollars for serious or systemic contraventions.

In practice, it is important to consider that AUSTRAC';s risk-based approach means a remittance business serving high-risk corridors will face significantly more intensive scrutiny than a domestic payment facilitator. The AML/CTF programme must be tailored to the actual customer base and transaction flows, not copied from a generic template.

Many underappreciate the obligation to conduct an independent review of the AML/CTF programme at least every three years under the AML/CTF Rules. International entrants often implement a programme at launch and then fail to update it as the business scales, creating a compliance gap that AUSTRAC identifies during supervision.

To receive a checklist for AUSTRAC enrolment and AML/CTF programme setup in Australia, send a request to info@vlolawfirm.com

A fintech that wishes to accept deposits from the public - including holding customer funds in a way that constitutes a "banking business" - must engage with APRA';s licensing framework under the Banking Act 1959 (Cth).

The Banking Act 1959 (Cth) s 7 prohibits any entity from carrying on a banking business without APRA';s authorisation. "Banking business" is defined to include accepting deposits from the public and using those funds to make loans or investments. A stored-value wallet that holds customer funds may or may not constitute deposit-taking depending on its legal structure: if funds are held on trust and not commingled with the company';s own funds, the arrangement may fall outside the Banking Act definition, but this requires careful legal analysis.

APRA introduced the Restricted ADI (RADI) framework to lower the barrier for new entrants. Under the Banking Act 1959 (Cth) and APRA';s Prudential Standard APS 001, a RADI may operate for up to two years with a simplified capital requirement - generally a minimum of AUD 3 million in Common Equity Tier 1 capital - and with restrictions on the volume of deposits it can accept. The RADI must demonstrate a credible path to full ADI status within the two-year window.

The full ADI application process is substantially more demanding. APRA assesses the applicant';s governance framework, risk management systems, capital adequacy under Prudential Standard APS 110, liquidity management under APS 210, and the fitness and propriety of directors and senior managers under Prudential Standard CPS 520. The process typically takes 12 to 18 months from lodgement of a complete application.

A practical scenario illustrates the choice: a fintech offering a digital transaction account with interest-bearing deposits must obtain an ADI or RADI licence. A fintech offering a prepaid card where funds are held in a trust account at an existing ADI can potentially operate under an AFSL as a non-cash payment facility issuer, avoiding the ADI licensing burden entirely. The second model is significantly faster and cheaper to implement, but it creates a dependency on the partner ADI and limits the fintech';s control over the customer relationship.

Another scenario involves a buy-now-pay-later (BNPL) provider. BNPL products were historically outside the National Credit Code (NCC) under the National Consumer Credit Protection Act 2009 (Cth), but legislative amendments have progressively brought certain BNPL products within the credit licensing regime. A BNPL provider must now assess whether it requires an Australian Credit Licence (ACL) from ASIC in addition to, or instead of, an AFSL.

The cost of pursuing a full ADI licence is substantial. Legal and advisory fees for the application process typically start from the low hundreds of thousands of AUD, and the capital requirement alone represents a significant commitment. The RADI pathway reduces upfront capital but requires a credible business plan and a realistic timeline to full ADI status.

Once the corporate structure and licences are in place, the fintech must maintain ongoing compliance across multiple regulatory dimensions. Governance failures are the most common cause of licence suspension or conditions being imposed by ASIC or APRA.

The Corporations Act 2001 (Cth) imposes director duties that apply regardless of licence type. Directors must act in good faith in the best interests of the company (s 181), exercise care and diligence (s 180), avoid conflicts of interest (s 182) and not improperly use their position or information (s 183). For AFSL holders, ASIC';s Regulatory Guide 104 sets out the organisational competence requirements, including the need for responsible managers with relevant knowledge and skills.

APRA-regulated entities face additional governance requirements under Prudential Standard CPS 510, which requires a board with a majority of independent non-executive directors, a board audit committee, a board risk committee and a board remuneration committee. These requirements apply to full ADIs and, in modified form, to RADIs.

Capital adequacy is a continuing obligation. AFSL holders must maintain adequate financial resources at all times, and ASIC can require an AFSL holder to provide evidence of its financial position at any time under s 912C of the Corporations Act 2001 (Cth). ADIs must maintain capital ratios in accordance with APRA';s Prudential Standards on an ongoing basis, with quarterly reporting to APRA.

Cybersecurity and operational resilience have become central compliance obligations. APRA';s Prudential Standard CPS 234 requires APRA-regulated entities to maintain information security capabilities commensurate with the size and extent of threats to their information assets. ASIC has signalled that it expects AFSL holders to have equivalent standards, and has taken enforcement action against licensees with inadequate cybersecurity frameworks.

Data privacy obligations under the Privacy Act 1988 (Cth) apply to any entity with an annual turnover above AUD 3 million, and to all entities handling sensitive financial information regardless of turnover. The Australian Privacy Principles (APPs) govern the collection, use, disclosure and storage of personal information. A fintech processing payment data must implement a privacy policy, a data breach response plan and data minimisation practices.

A third practical scenario: an international fintech group acquires an Australian AFSL holder to accelerate market entry. The acquirer must notify ASIC of the change of control and obtain ASIC';s approval before completing the transaction, as a change of control of an AFSL holder requires ASIC to be satisfied that the new controller meets the fit and proper requirements. Failure to obtain pre-approval can result in the licence being suspended.

The loss caused by incorrect strategy at the governance stage is often disproportionate to the cost of getting it right. A fintech that appoints directors without relevant financial services experience, or that fails to establish a proper compliance function before launch, faces the prospect of ASIC imposing licence conditions that restrict its ability to onboard new customers - a commercially damaging outcome that can take months to resolve.

We can help build a strategy for your fintech';s governance and compliance framework in Australia. Contact info@vlolawfirm.com to discuss your specific situation.

What is the most significant practical risk for a foreign fintech entering Australia without local legal advice?

The most significant risk is misclassifying the financial products or services being offered and therefore applying for the wrong licence - or failing to identify that a licence is required at all. Australia';s financial services law uses precise statutory definitions, and a product that appears straightforward (such as a digital wallet or a currency conversion service) may simultaneously engage AFSL obligations, AUSTRAC enrolment requirements and, depending on the fund-holding structure, ADI licensing. Operating without the correct authorisation exposes the entity and its directors to civil penalties and potential criminal liability under the Corporations Act 2001 (Cth) and the AML/CTF Act. Rectifying a misclassification after launch is significantly more expensive and disruptive than addressing it at the design stage.

How long does it realistically take to become fully operational as a licensed fintech in Australia, and what does it cost?

The timeline depends on the licence type. AUSTRAC enrolment can be completed within days of incorporation, but the AML/CTF programme must be in place before the first designated service is provided. An AFSL application takes approximately five to seven months for a straightforward non-cash payment facility, and longer for complex or novel products. A RADI application typically takes nine to twelve months. A full ADI licence takes twelve to eighteen months or more. Legal and advisory costs for an AFSL application typically start from the low tens of thousands of AUD for a simple application, rising significantly for complex structures. RADI and ADI applications involve substantially higher costs, including capital commitments. Founders should budget for ongoing compliance costs - compliance officer salaries, technology systems, insurance and audit fees - which often exceed the initial licensing costs on an annual basis.

When should a fintech consider the RADI pathway rather than partnering with an existing ADI?

The RADI pathway makes sense when the fintech';s business model requires direct control over deposit-taking and the customer relationship, and when the founders have a credible plan to build the systems and capital base required for full ADI status within two years. Partnering with an existing ADI - sometimes called a "banking-as-a-service" or BaaS model - is faster, cheaper and lower-risk for a fintech at an early stage, but it creates dependency on the partner';s systems, pricing and risk appetite. The BaaS model is appropriate when the fintech';s competitive advantage lies in the customer experience or distribution rather than in the banking infrastructure itself. The RADI pathway is appropriate when the fintech intends to compete on the banking product itself, requires full control over interest rates and credit decisions, or is building toward a full banking licence as a strategic objective.

Setting up a fintech and payments company in Australia is a structured process with clear regulatory milestones. The key decisions - corporate vehicle, licence type, AML/CTF programme design and governance framework - must be made in the correct sequence and with full awareness of the regulatory obligations that attach to each choice. International entrants who treat Australian licensing as an administrative formality rather than a substantive compliance exercise consistently encounter delays, conditions and costs that could have been avoided with proper upfront structuring.

To receive a checklist for fintech & payments company setup and structuring in Australia, send a request to info@vlolawfirm.com

Our law firm VLO Law Firms has experience supporting clients in Australia on fintech, payments and financial services regulatory matters. We can assist with corporate structuring, AFSL and AUSTRAC applications, AML/CTF programme design, ADI and RADI licensing strategy, and ongoing compliance governance. To receive a consultation, contact: info@vlolawfirm.com