Fintech & Payments Regulation & Licensing in Australia

Australia's fintech and payments sector is regulated by one of the most structured licensing frameworks in the Asia-Pacific region. Any business offering financial services or payment facilities to Australian customers must hold the correct authorisation before commencing operations - failure to do so exposes the operator to civil penalties, criminal liability and forced wind-down. The Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) share primary regulatory responsibility, with the Reserve Bank of Australia (RBA) overseeing payment system policy. This article covers the principal licence types, their conditions, procedural timelines, cost levels, and the strategic choices that determine whether a fintech enters the market efficiently or stalls at the gate.

Understanding the regulatory architecture for fintech & payments in Australia

Australia's financial services regulation rests on the Corporations Act 2001 (Cth), which establishes the Australian Financial Services Licence (AFSL) as the central authorisation for most fintech activities. The Payment Systems (Regulation) Act 1998 (Cth) gives the RBA authority to designate payment systems and impose access and conduct rules. The Banking Act 1959 (Cth) governs deposit-taking and is the foundation for the Authorised Deposit-taking Institution (ADI) framework administered by APRA. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) requires registration with AUSTRAC for businesses providing designated services, including remittance and digital currency exchange. The National Consumer Credit Protection Act 2009 (Cth) applies to credit-related fintech products.

These statutes do not operate in isolation. A single fintech product - say, a digital wallet that holds funds, facilitates transfers and offers a credit line - may simultaneously engage the AFSL regime, the stored value provisions under the Corporations Act, AUSTRAC registration requirements and APRA's ADI rules. International operators frequently underestimate this layering. They arrive with a single-jurisdiction mindset, assume one licence covers all activities, and discover mid-launch that a second or third authorisation is required.

ASIC is the conduct and disclosure regulator. APRA is the prudential regulator. The RBA sets payment system rules but does not license individual firms. AUSTRAC is the financial intelligence and AML/CTF regulator. Each authority has distinct enforcement powers, and a breach of one regime does not preclude parallel action by another.

The practical starting point for any market entry analysis is to map every product feature against each statutory definition. A feature that looks like a payment function may legally constitute a financial product under section 763A of the Corporations Act, triggering AFSL obligations. A feature that looks like a stored value facility may constitute a deposit under the Banking Act, requiring ADI status or an exemption.

The Australian Financial Services Licence: scope, conditions and fintech pathways

The AFSL is the primary licence for fintech businesses dealing in financial products. Under section 911A of the Corporations Act, a person must hold an AFSL to carry on a financial services business in Australia. Financial services include dealing in, advising on, making a market in, or operating a registered scheme for financial products.

Financial products relevant to fintech include: interests in managed investment schemes, derivatives, foreign exchange contracts, securities, and - critically for payments - non-cash payment facilities. A non-cash payment facility (NCPF) is a facility through which a person makes payments other than by physical delivery of Australian or foreign currency. This definition captures digital wallets, prepaid cards, payment apps and many BNPL (buy now, pay later) products.

Applying for an AFSL requires demonstrating to ASIC that the applicant has adequate financial resources, competent responsible managers, appropriate risk management systems, dispute resolution arrangements (including membership of the Australian Financial Complaints Authority, AFCA), and compliance frameworks. ASIC's processing time for a standard AFSL application is typically 150 to 240 days from lodgement of a complete application. Applications lodged with missing information reset the clock.

The AFSL is not a single-size authorisation. Each licence specifies the exact financial services and financial products the holder is authorised to provide. A fintech must identify precisely which authorisations it needs. Holding an AFSL authorised for NCPFs does not automatically permit the holder to deal in derivatives or provide personal advice.

Three practical pathways exist for fintech businesses that are not yet ready for a full AFSL:

  • Becoming an authorised representative of an existing AFSL holder (the "AR model"), which allows the fintech to operate under the licensee's authorisation while building its own compliance infrastructure.
  • Using ASIC's regulatory sandbox (the ASIC Corporations (Concept Validation Licensing Exemption) Instrument), which permits eligible fintechs to test certain services for up to 24 months without a licence, subject to strict caps on client numbers and exposure amounts.
  • Relying on a specific exemption, such as the intermediary authorisation exemption for certain payment service providers operating within a licensed payment system.

The AR model is the most commonly used entry pathway. In practice, the key consideration is that the AFSL holder bears legal responsibility for the authorised representative's conduct. This creates negotiation complexity: established licensees are selective about which fintechs they onboard, and the commercial terms - including indemnities and revenue sharing - can be onerous.

A common mistake is treating the regulatory sandbox as a soft entry point with no real obligations. The sandbox instrument imposes client caps (typically 100 retail clients), exposure limits, and mandatory disclosure requirements. Exceeding these limits without a licence constitutes a breach of section 911A.

To receive a checklist on AFSL application requirements for fintech businesses in Australia, send a request to info@vlolawfirm.com

ADI licensing, stored value and the BNPL regulatory shift

The ADI framework under the Banking Act 1959 (Cth) is the most demanding regulatory pathway in Australian fintech. An ADI is authorised by APRA to accept deposits from the public. The definition of "deposit" is broad: it includes any amount paid on terms under which it will be repaid. A fintech that holds customer funds in a pooled account and promises to return them on demand may be taking deposits, even if it calls the product a "wallet" or "stored value."

APRA has published guidance distinguishing between deposit-taking and payment facilitation. The key factor is whether the customer has a legal claim against the fintech for the return of funds. If yes, and if the arrangement meets the statutory definition, the fintech requires ADI status or must rely on an exemption.

Obtaining an ADI licence is a multi-year process. APRA introduced a restricted ADI (RADI) pathway to allow smaller entrants to build towards full ADI status over a two-year restricted period. During the RADI phase, the entity may only accept deposits up to a prescribed cap (currently in the low millions of AUD in aggregate) and must operate under a business plan approved by APRA. The RADI pathway reduces the upfront capital requirement compared to a full ADI, but the prudential obligations - including capital adequacy, liquidity and governance standards - remain substantial.

The BNPL sector has undergone significant regulatory change. Previously, BNPL products were structured to avoid the credit licence requirements under the National Consumer Credit Protection Act 2009 (Cth) by charging fees rather than interest. Amendments to the Corporations Act and the Credit Act, effective from mid-2025, brought BNPL products within the regulated credit framework. BNPL providers must now hold an Australian Credit Licence (ACL), conduct responsible lending assessments, and comply with hardship provisions. International BNPL operators who entered the Australian market under the pre-amendment framework must have restructured their authorisations or face enforcement exposure.

Three scenarios illustrate the ADI and stored value analysis:

  • A European e-money institution seeks to offer a digital wallet to Australian consumers. It holds an EU e-money licence but has no Australian authorisation. The EU licence has no extraterritorial effect in Australia. The entity must either obtain an AFSL with NCPF authorisation, structure the product so that funds are held by an Australian ADI on trust, or apply for ADI status itself.
  • A domestic startup launches a prepaid card product where funds are held in a trust account at a major bank. ASIC has accepted that certain trust-based structures avoid the deposit-taking characterisation, but the structure must be correctly documented and the AFSL must cover the NCPF.
  • A BNPL operator with AUD 50 million in receivables discovers post-amendment that its product is now regulated credit. The cost of ACL compliance - including responsible lending systems, dispute resolution membership and staff training - runs into the mid-six figures annually.

Crypto assets, digital currency exchange and AUSTRAC obligations

Australia does not yet have a comprehensive crypto asset licensing regime equivalent to the EU's Markets in Crypto-Assets Regulation (MiCA). Regulation of crypto assets in Australia currently operates through a combination of existing frameworks applied by analogy, AUSTRAC registration requirements, and ASIC's evolving guidance on when a crypto asset constitutes a financial product.

AUSTRAC registration is mandatory for any business providing digital currency exchange (DCE) services in Australia, under the AML/CTF Act. A DCE provider is a person who exchanges digital currency for money (or vice versa) as a business. Registration with AUSTRAC does not constitute a financial services licence; it is an AML/CTF compliance obligation. Registered DCE providers must implement an AML/CTF program, conduct customer due diligence, report suspicious matters and threshold transactions, and keep records for seven years.

ASIC's position is that some crypto assets are financial products under the Corporations Act - specifically, those that constitute derivatives, managed investment scheme interests, or securities. A token that gives the holder a right to a share of profits, or that is structured as a debt instrument, is likely a financial product. A pure utility token or a stablecoin used solely as a payment medium occupies a greyer space. ASIC has issued information sheets (INFO 225 and INFO 230) setting out its analytical framework, but these are guidance documents, not binding rules.

The Treasury has consulted extensively on a crypto asset licensing framework that would require exchanges and custodians holding above threshold asset values to obtain an AFSL with specific crypto authorisations. Draft legislation has been in development, and operators should monitor the legislative pipeline closely. A non-obvious risk is that a business structures its product as a utility token to avoid financial product characterisation, only to find that ASIC takes a different view and commences an investigation. Enforcement action by ASIC can include injunctions, civil penalties and - for individuals - criminal referrals.

Practical steps for crypto operators entering Australia:

  • Register with AUSTRAC before commencing DCE services. Operating without registration carries civil penalties under the AML/CTF Act.
  • Obtain a legal opinion on whether each token or product constitutes a financial product under the Corporations Act.
  • Monitor the Treasury's crypto licensing consultation and engage in the submission process to shape the framework.
  • Build AML/CTF systems to the standard required by AUSTRAC's compliance guides, not merely to a minimum threshold.

A common mistake among international crypto operators is to register with AUSTRAC and assume that satisfies all Australian regulatory obligations. AUSTRAC registration addresses AML/CTF obligations only. If the product is a financial product, an AFSL is also required. Operating a financial services business without an AFSL while relying solely on AUSTRAC registration exposes the operator to section 911A liability.

To receive a checklist on crypto asset compliance requirements for Australian market entry, send a request to info@vlolawfirm.com

Payment system access, RBA oversight and open banking

The RBA's role in payments regulation is structural rather than firm-specific. Under the Payment Systems (Regulation) Act 1998 (Cth), the RBA's Payments System Board can designate a payment system and impose access regimes and standards. The New Payments Platform (NPP), which underpins real-time payments in Australia, is subject to RBA oversight. The RBA has used its powers to require the major banks to provide access to the NPP on reasonable commercial terms, a measure that directly benefits fintech operators seeking to offer real-time payment services.

Fintechs seeking to access the NPP directly must become NPP participants, which requires meeting technical and operational standards set by NPP Australia Limited. Indirect access - connecting through an existing participant - is the more common route for smaller fintechs. The commercial terms of indirect access arrangements vary significantly, and the RBA has noted concerns about access barriers in its payment system reviews.

The Consumer Data Right (CDR), established under the Competition and Consumer Act 2010 (Cth) and implemented through the Banking (Open Banking) rules, gives consumers the right to share their financial data with accredited data recipients. For fintechs, CDR accreditation opens access to bank account and transaction data, enabling account aggregation, personal financial management and credit assessment products. There are two tiers of CDR accreditation: unrestricted accreditation (requiring full compliance with OAIC privacy standards and ACCC data security requirements) and sponsored participation (where an accredited data holder sponsors a fintech to access data on a more limited basis).

The CDR framework is expanding beyond banking to energy and telecommunications. Fintechs building multi-sector data products should track the CDR expansion schedule and consider whether early accreditation in adjacent sectors creates a competitive advantage.

A non-obvious risk in the CDR context is data liability. An accredited data recipient that suffers a data breach faces regulatory action by both the ACCC (as CDR regulator) and the OAIC (as privacy regulator). The overlap creates dual exposure. Fintechs must implement data security standards that satisfy both regulators, which in practice means ISO 27001-aligned controls and documented incident response procedures.

The RBA's Strategic Plan for the Australian Payments System has flagged ongoing work on a licensing framework for payment service providers (PSPs) that would sit alongside the AFSL regime. This proposed PSP framework would create a dedicated licence category for businesses whose primary activity is payment facilitation, potentially simplifying the current situation where payment fintechs must navigate AFSL authorisations designed primarily for investment and advice businesses.

Enforcement, penalties and strategic risk management

ASIC, APRA and AUSTRAC each have substantial enforcement powers, and Australian regulators have demonstrated willingness to use them against fintech operators, not only against traditional financial institutions.

ASIC can seek civil penalties of up to AUD 1.565 million per contravention for corporations (indexed periodically) under the Corporations Act, and criminal penalties for serious contraventions. ASIC can also seek injunctions to restrain unlicensed conduct, which can effectively shut down a business within days of an application to the Federal Court. ASIC's enforcement approach has shifted toward earlier intervention: it now issues stop orders and interim injunctions at an earlier stage than it did previously, rather than waiting for a full investigation to conclude.

APRA's enforcement powers under the Banking Act include issuing directions to ADIs and non-ADI entities, removing directors and senior managers, and applying to the Federal Court for orders including winding up. APRA has used its directions power against smaller deposit-taking entities and has signalled that it will apply the same scrutiny to RADI holders that fail to meet their business plan milestones.

AUSTRAC's penalties for AML/CTF breaches are among the largest in Australian regulatory history. Civil penalty proceedings can result in penalties calculated by reference to the number of contraventions multiplied by the maximum penalty per contravention, producing aggregate amounts in the hundreds of millions of AUD for systemic failures. AUSTRAC has also entered into enforceable undertakings with major financial institutions, requiring remediation programs costing hundreds of millions of AUD. For a fintech, even a modest AUSTRAC enforcement action - a formal warning or an infringement notice - can damage relationships with banking partners and investors.

Three enforcement scenarios illustrate the risk profile:

  • A payments startup operates a remittance service for 18 months without registering with AUSTRAC, believing that its small transaction volumes place it below the regulatory threshold. There is no volume threshold for AUSTRAC registration: any business providing designated services must register before commencing. The startup faces civil penalties and a mandatory remediation program.
  • An AFSL holder authorised for NCPFs begins offering a margin lending product to retail clients without varying its licence. ASIC commences an investigation following a client complaint. The licensee faces both civil penalty proceedings and potential suspension of its AFSL pending the outcome.
  • A BNPL operator continues to originate credit under its pre-amendment product structure after the regulatory change takes effect, on the basis that existing contracts are grandfathered. ASIC takes the position that new drawdowns under existing facilities constitute new credit and require ACL compliance. The operator faces enforcement action and must remediate affected customers.

The cost of non-specialist legal advice in this environment is high. A fintech that receives incorrect advice on whether its product requires an AFSL, and launches without one, faces not only regulatory penalties but also the cost of unwinding customer relationships, refunding fees and rebuilding systems to comply. These costs routinely exceed the cost of correct legal advice at the outset by an order of magnitude.

We can help build a strategy for regulatory compliance and market entry in Australia. Contact info@vlolawfirm.com to discuss your specific product and licensing pathway.

To receive a checklist on enforcement risk management and AML/CTF compliance for fintech operators in Australia, send a request to info@vlolawfirm.com

FAQ

What is the biggest practical risk for an international fintech entering the Australian market without local legal advice?

The most significant risk is product mischaracterisation: assuming that a product which is unregulated or lightly regulated in the home jurisdiction falls outside Australian financial services law. Australia's definitions of "financial product" and "financial service" are broad and have been interpreted expansively by courts and ASIC. A digital wallet, a BNPL product or a crypto token that requires no licence in the home jurisdiction may require an AFSL, an ACL or AUSTRAC registration in Australia. Operating without the correct authorisation exposes the operator to civil penalties, injunctions and reputational damage that can permanently close the Australian market to the business.

How long does it take to obtain an AFSL, and what does it cost?

A complete AFSL application takes between 150 and 240 days to process, assuming ASIC does not request further information. If ASIC raises requisitions - requests for additional documentation or clarification - the timeline extends. Legal fees for preparing and lodging an AFSL application typically start from the low tens of thousands of AUD for straightforward applications and rise significantly for complex multi-authorisation applications. Ongoing compliance costs - responsible manager training, AFCA membership, audit, legal review - add further annual expenditure in the mid-to-high tens of thousands of AUD. Businesses that underestimate these costs and timelines frequently run out of runway before receiving their licence.

When should a fintech use the authorised representative model instead of applying for its own AFSL?

The AR model is appropriate when the fintech needs to commence operations quickly, does not yet have the compliance infrastructure to satisfy ASIC's organisational competence requirements, or is testing a product before committing to the full cost of an AFSL. The trade-off is that the fintech operates under the licensee's authorisation and is subject to the licensee's oversight, which limits operational independence. The licensee can terminate the AR arrangement, which would require the fintech to cease regulated activities immediately. A fintech with a validated product, stable revenue and a clear compliance roadmap should apply for its own AFSL rather than remain indefinitely as an AR. The transition from AR to own-licence status is a planned step, not an emergency measure.

Conclusion

Australia's fintech and payments regulatory framework is comprehensive, multi-layered and actively enforced. The AFSL, ADI, ACL and AUSTRAC registration requirements each address distinct aspects of financial services activity, and most fintech products engage more than one regime simultaneously. International operators who approach the market with a single-licence mindset, or who rely on home-jurisdiction authorisations, face material enforcement risk. The regulatory environment is also evolving: BNPL is now regulated credit, crypto licensing legislation is in development, and the RBA's PSP framework will reshape the payments landscape further. Early and accurate legal mapping of product features against Australian statutory definitions is the most effective risk mitigation available.

Our law firm VLO Law Firms has experience supporting clients in Australia on fintech regulation, payments licensing and financial services compliance matters. We can assist with AFSL applications, AUSTRAC registration, product characterisation analysis, authorised representative arrangements and regulatory strategy for market entry. To receive a consultation, contact: info@vlolawfirm.com