The fintech landscape has rapidly expanded worldwide, forcing traditional financial institutions to evolve in response to this more innovative manner of conducting business. The International Banking Association’s publication “Fintech: how is the world shaping the financial innovation industry? (2024)” provides an analysis of the most current Australian laws and regulations regarding fintech.

1. Fintech regulatory framework: a summary of the most relevant laws and regulations concerning fintech and financial innovation

In Australia, the regulatory regimes are technology agnostic, with the same regulatory concepts applying to fintech businesses and other types of financial service providers. The regulatory framework that applies to fintech businesses includes:

• financial services and consumer credit licensing; 
• registration and disclosure obligations; 
• consumer law requirements; 
• privacy; and 
• anti-money laundering and counter-terrorism financing (AML/CTF) requirements.

Financial services and consumer credit laws

The Corporations Act 2001 (Cth) (Corporations Act) is the principal legislation that regulates the provision of financial services.

Fintech businesses that carry on a financial services business in Australia must hold an Australian financial services licence (AFSL) or be exempt from the requirement to be licensed. Financial services are broadly defined under the Corporations Act to include the provision of financial product advice, dealing in financial products (as principal or agent), making a market for financial products, operating registered schemes and providing custodial or depository services. There are specific things that are listed as financial products (eg, securities, derivatives and managed investment schemes). Financial products are also defined generally as a facility through which, or through the acquisition of which, a person makes a financial investment, manages a financial risk or makes a non-cash payment. The definitions of financial service and financial product will generally capture any investment or wealth management business, payment service (ie, non-cash payment facility), advisory business (including robo-advice), trading platform, or crowdfunding platform.

Fintech businesses may also need to hold an Australian market licence where they operate a facility through which offers to buy and sell financial products are regularly made and accepted (eg, an exchange). In addition, if an entity operates a clearing and settlement mechanism (CS) which enables parties transacting in financial products to meet obligations to each other, the entity must hold a CS facility licence, or be exempt from the requirement to be licensed.

Similarly, the National Consumer Credit Protection Act 2009 (Cth) (Credit Act) imposes a licensing obligation on entities that engage in consumer credit activities. Fintech businesses that provide marketplace lending products and related services will generally constitute consumer credit activities that trigger the requirement to hold an Australian credit licence (ACL) or be exempt from the requirement to be licensed.

Adjacent to the Corporations Act and the Credit Act, the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) contains prohibitions on engaging in unconscionable conduct, and misleading and deceptive conduct, that will apply to fintech businesses that supply financial services or consumer credit.

The Australian Securities and Investments Commission (ASIC) is Australia’s financial markets conduct regulator and is responsible for regulating the financial services and consumer credit regimes. 

Australian consumer law

Fintech businesses may also be subject to prohibitions in the Australian Consumer Law under the Competition and Consumer Act 2010 (Cth) (Competition Act) which is enforced by the Australian Competition and Consumer Commission (ACCC).

The Australian Consumer Law applies to Australian businesses that engage or contract with consumers and small businesses. Obligations include a general prohibition on misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms in relation to the offer of services or products.

Notably, from 10 November 2023 changes to the prohibition on unfair contract terms came into effect. Previously the unfair contract term regime only captured small business contracts that employed fewer than 20 persons. The regime now captures small business contracts with businesses that employ fewer than 100 persons or generate less than A$10m (in the last income year). Other changes include expanding the powers of Australian courts to enforce contraventions, while a civil penalty regime now applies.

While the Australian Consumer Law does not apply to financial products or services, many of these protections are enforced by ASIC either through mirrored provisions in the ASIC Act or through delegated powers.

Anti-money laundering and counter-terrorism financing laws

The Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth) (AML/CTF Act) applies to entities that provide ‘designated services’ and have a geographical link to Australia. Generally, the AML/CTF Act applies to any entity that engages in financial services, credit (ie, consumer or business) and payment activities, and the operation of digital currency exchanges. Obligations include enrolment with the Australian Transaction Reports and Analysis Centre (AUSTRAC), reports and customer due diligence.

On 20 April 2023, the Attorney General released proposed reforms to the AML/CTF Act which would result in lawyers, accountants, trust and company service providers, real estate agents and dealers in precious metals and stones coming within the scope and operation of the AML/ CTF Act. The proposed reform also recommends expanding the current regulation of services provided by digital currency exchanges (being the exchange of crypto currency for fiat currency and vice versa) to include:

1. exchanges between one or more other forms of digital currency; 
2. transfers of digital currency on behalf of a customer; 
3. safekeeping or administration of digital currency; and 
4. the provision of financial services related to an issuer’s offer and/or sale of a digital currency (eg, initial coin offerings where companies sell investors a new digital token or cryptocurrency to raise money for projects).

The proposed reforms also recommend expanding the travel rule to remittance service providers and digital currency exchange providers in line with international standards (capturing information about the originator and beneficiary of a transfer).

On 2 May 2024 the Attorney General commenced a second consultation on the proposed reforms to the AML/CTF Act with the release of five consultation papers. The first four consultation papers contain further detail about the proposed reforms affecting real estate professionals, professional services providers, dealers in precious metals and stones, digital currency exchange providers, remittance services providers and financial institutions. The fifth consultation paper details broader reforms to simplify, clarify and modernise the AML/CTF regime.

Notably, the fourth consultation paper details reform relevant to payment service providers, digital currency exchange providers and financial institutions. If accepted, the changes would broaden the remit of designated service providers to include digital currency exchanges that ‘make arrangements’ for the exchange of digital assets, and remittance providers that provide ‘value transfer’ services. The fourth consultation paper also contains a proposal to introduce a suitability test for ‘fit and proper persons’ of registrable designated service providers (eg, remittance service providers and digital currency exchanges). The second stage of consultation closed on 13 June 2024. An update on the outcome of the consultation is expected in 2024.

From a regulatory guidance perspective, on 27 June 2023 AUSTRAC issued guidance that seeks to clarify the role of financial institutions and business sectors that are increasingly being ‘debanked’ 52 International Bar Association Banking & Financial Law Committee because they are considered high risk. Debanking refers to financial institutions restricting, rejecting or terminating banking services to customers from certain industries. AUSTRAC’s guidance is not enforceable but provides a risk-based approach for financial institutions to follow when evaluating the legitimacy of customers from ‘high risk’ industries to minimise debanking.  

Banking laws and prudential regulation

The Banking Act 1959 (Cth) requires those engaged in the business of banking to be authorised by the Australian Prudential Regulatory Authority (APRA) (ie, be an ‘authorised deposit-taking institution’ or ADI) before engaging in such business. It also contains the Financial Accountability Regime (FAR) which replaced the Banking Executive Accountability Regime (BEAR) on 14 September 2023.

BEAR is administered by APRA and establishes, among other things, accountability obligations for ADIs and their senior executives and directors, deferred remuneration, key personnel and notification obligations for ADIs. FAR will be administered jointly by APRA and ASIC and has a wider remit than BEAR to include general insurers, life insurers, private health insurers, registrable superannuation entity licensees, and significant related entities. FAR is now applicable to the banking industry after a six-month transition period. The insurance and superannuation industries have an 18-month transition period, after which they must comply with FAR.

The Financial Sector Collection of Data Act 2001 (Cth) (FSCODA) is designed to assist APRA in the collection of information relevant to financial sector entities. FSCODA generally applies to any corporation engaging in the provision of finance in the course of carrying on business in Australia. APRA collects data from registered financial corporations under FSCODA. Generally, registered financial corporations with assets greater than AU$50m need to regularly report statements of financial position to APRA.

The Financial Sector (Shareholdings) Act 1998 (Cth) imposes an ownership limit of 20 per cent in a financial sector company without approval from the Treasurer. A financial sector company includes authorised deposit taking institutions, certain types of insurance companies and a holding company of either of those things. 

Privacy laws

The Privacy Act 1988 (Cth) (Privacy Act) regulates the handling of personal information by government agencies and private sector organisations that have an aggregate group revenue of at least AU$3m. In some instances, the Privacy Act will apply to businesses (ie, credit providers and credit reporting bodies) regardless of turnover. The Privacy Act includes 13 Australian Privacy Principles which impose obligations on the collection, use, disclosure, retention and destruction of personal information.

On 16 February 2023 the Attorney General released a report detailing 116 proposals at a principles level on how the Privacy Act can be uplifted to best fit consumer privacy needs (Privacy Report). The principles are aimed at strengthening the protection of individual personal information and enhancing individuals’ control over their data. The government published its response to the Privacy Report on 28 September 2023 and accepted (either in whole, or in principle) all but ten of the proposals. Draft legislation is expected in 2024.

In addition, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) contains the Notifiable Data Breaches (NDB) scheme which requires entities that are regulated under the Privacy Act to notify any affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of a data breach (ie, unauthorised access to or disclosure of information), which is likely to result in serious harm to those individuals.

The OAIC is Australia’s privacy and freedom of information regulator and is responsible for administering the Privacy Act and the NDB scheme. 

Payment system laws

Fintech businesses that provide payment services must operate in accordance with various laws that regulate the infrastructure of Australia’s payments system and may be subject to direct regulation for certain activities. See Question 3 for further information regarding the regulation of payment service providers.

The Reserve Bank of Australia (RBA) is Australia’s central bank and provides a range of banking services to the government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

In 2021 the RBA completed a framework review of the regulatory regime supporting various payment methods. A key outcome of the review was the creation of a policy framework designed to encourage the deployment of least-cost routing, also known as merchant-choice routing, which is functionality that allows contactless (tap-and-go) dual-network debit card transactions at the point-of-sale to be processed through whichever network on the card is less costly for the merchant.

On 7 June 2023 the government released its Strategic Plan for Australia’s Payment System (Strategic Plan) outlining the policy objectives and priorities to reform the payments system. The Strategic Plan follows several reviews in recent years and a government consultation on proposed priorities and reform objectives, focusing its agenda on:

1. Promoting a safe and resilient system: through reducing the prevalence of scams and frauds, supervising systematically important payment systems and strengthening defences against cyber attacks. 
2. Updating the payments regulatory framework: by establishing a new payments licensing framework, enabling greater collaboration between payment system regulators, reducing small business transaction costs, implementing changes to the Payments Systems Act and promoting competition by facilitating transparent access to payment systems. 
3. Modernising payments infrastructure: by upgrading the electronic funds transfer system that facilitates processing of direct entry payments (eg, direct debits and credits between individual accounts at different financial institutions), maintaining adequate access to cash and phasing out cheques. 
4. Uplifting competition, productivity and innovation across the economy: through aligning payment system objectives and the Consumer Data Right framework, supporting the broader use of the government’s Digital ID solution, uplifting digital and technological skills and building public trust and confidence in artificial intelligence. 
5. Keeping Australia as the leader in the global payments landscape: through creating an environment that attracts and enables innovation, exploring the policy rationale for a central bank digital currency in Australia and supporting international efforts to facilitate cross-border payments. 

The focus areas are underpinned by the government’s key principles relating to the payments system: trustworthiness, accessibility, innovation and efficiency. The Strategic Plan was released alongside two consultations, the first on reforming the Payment Systems (Regulation) Act 1998 (Cth) (Payment Systems Act) and the second on modernising the licensing framework for payment services providers (PSPs). 

2. Regulations on crypto assets: a summary of the legal framework regarding crypto assets and how they are regulated

At the time of writing, there are no laws in Australia that have been implemented to specifically regulate crypto assets. Generally, the predominant focus on the regulation of crypto assets has revolved around applying the established financial services regulatory framework. The only formal monitoring of crypto asset activity in Australia is in relation to AML/CTF. Digital currency exchange providers have obligations under the AML/CTF Act: they must register with AUSTRAC and are required to keep certain records relating to customer identification and transactions for up to seven years.

There have been numerous government reviews that are either ongoing or have recently been completed in connection with how crypto asset and crypto asset-adjacent services should be regulated. In particular, on 3 February 2023 the government released a consultation paper into token mapping, which seeks to identify the key activities and functions of crypto assets and map them against existing regulatory frameworks. The consultation closed on 3 March 2023. As at the time of writing, the government has not released its findings from the consultation. 

The government has also indicated that it will release a licensing and custody paper for crypto asset service providers. It is expected that the recommendations from these reviews will have significant effects on the current regulatory regimes relevant to cryptocurrency.

On 29 March 2023 a private members bill was introduced to the Australian Parliament which proposes to regulate digital assets, including by introducing licensing requirements for digital asset exchanges, digital asset custody service providers and stablecoin issuers (Digital Assets Bill). The Digital Assets Bill also proposes to introduce disclosure requirements for facilitators of central bank digital currencies in Australia. The proposed licensing framework draws on familiar processes and requirements that already exist for AFSL and ACL holders. The Digital Assets Bill was introduced by a member of the opposing party to the current government and has not progressed through the Australian Parliament.

On 16 October 2023, the Treasury commenced a consultation on a proposed reform to regulate digital asset platforms under the existing financial services regime. The proposed reform includes introducing a requirement for ‘digital asset facilities’ (ie, multi-function platforms that hold client assets and allow clients to transact in platform entitlements) to be regulated as a financial product, and for certain providers of related services to be required to hold an AFSL. Enhanced conduct obligations and consumer protections are also expected to be imposed in respect of digital asset facilities. The proposed reform also includes a proposal to introduce minimum standards for facility contracts and entities that provide ‘financialised functions’ for non-financial product tokens (ie, entities that conduct token trading, staking, asset tokenisation and funding tokenisation). The consultation closed on 1 December 2023 and draft legislation is expected in 2024.

From a regulatory guidance perspective, ASIC has released Information Sheet 255 Crypto- ssets (INFO 225) to assist businesses involved with cryptocurrency or providing cryptocurrency- djacent services. INFO 225 covers regulatory considerations for cryptocurrency offerings, misleading and deceptive conduct, trading platforms and cryptocurrency offered via a regulated investment vehicle. 

3. Payment service providers and digital wallets: a summary of regulations applying to payment service providers and/or digital wallets

The provision of payment services is regulated by ASIC, APRA, the RBA and AUSTRAC under certain regulatory regimes as set out in Question 1.

Financial services

Under the financial services regulatory regime, a facility through which (or through the acquisition of which) a person makes a non-cash payment (ie, other than through the delivery of physical currency) (NCP) is a financial product (NCP facility). When delivering payment services, the provider will generally be dealing in the NCP facility and providing advice in respect of the same. Both activities constitute the provision of financial services and require the provider to hold an AFSL or rely on an exemption.

ASIC has outlined numerous AFSL exemptions from this requirement, including NCP-specific exemptions related to gift vouchers and loyalty schemes. Payment services providers often provide these financial services under licensing exemptions which apply when the services are provided on behalf of an AFSL holder.

Whether a digital wallet comprises an NCP facility will largely depend on the functionality of the wallet. A digital wallet may be a part of an NCP facility if it allows users to make payments to a number of payees or enables a payment to be initiated in a digital asset which is converted into fiat to enable completion of the payment.

Banking laws and prudential regulation 

Generally, service providers that operate as holders of stored value in relation to purchased payment facilities under the Payment Systems Act are required to be an ADI unless an exemption applies. 

A holder of stored value must also apply to the RBA for an authority under the Payments System Act, unless a declaration which exempts the holder applies.

A purchased payment facility is a facility (other than cash) where the same is purchased and can be used to make payments up to the amount available for use under the facility, and the payments are made by the provider or a person acting under an arrangement with the provider, rather than the user of the facility.

A digital wallet may constitute a purchased payment facility. This is possible where the digital wallet also allows deposits of fiat currency and the provider of the facility is the holder of stored value.

AML/CTF 

Many payment service providers also provide a designated service under the AML/CTF Act through a designated remittance arrangement. A designated remittance arrangement is where an instruction is accepted for the transfer of money or property, or where money or property is made available or arranged to be made available. Property includes digital assets (but not digital currency). Payment providers that provide designated services and have a geographical link to Australia must enrol and register with AUSTRAC before providing those services and comply with various AML/CTF obligations. AML/CTF obligations include adopting and implementing a risk-based AML/CTF program, undertaking ‘know your client’ due diligence on their customers and complying with various reporting requirements.

Upcoming reform

In parallel with the release of the Strategic Plan noted in Question 1, the Government released a consultation that proposes a tiered, risk-based licensing framework to be incorporated in the existing financial services regime. Regulation will be based on the relevant payment function provided, with corresponding regulatory obligations balanced against the level of risk posed to end customers. The consultation proposes to regulate two main payments categories: stored value facilities (SVF) and payment facilitation services (PFS), which are further broken down into seven defined payment functions.

On 8 December 2023, the Treasury released a second consultation paper proposing AFSL requirement and corresponding obligations for PSPs. The consultation paper proposes to replace the financial product definition of a ‘non cash payment facility’ with a new ‘payment product’ definition and inserts a new type of financial service, being a ‘payment service’, to be regulated under the financial services regime. The consultation paper also proposes introducing a range of exemptions from the requirement to hold an AFSL for certain types of products and PSPs. The consultation closed on 2 February 2024, with draft legislation expected to follow. The requirement for captured PSPs to hold an AFSL are expected to be enforced 18 months after the passage of legislation.

At the time of writing, buy-now pay later (BNPL) service providers are (only) required to comply with the product design and distribution obligations (DDO) under the Corporations Act. The DDO impose disclosure, reporting and product governance obligations on product issuers and distributors. BNPL providers are also able to voluntarily subscribe to the Australian Financial Industry Association’s BNPL Code of Practice which was developed in conjunction with the BNPL industry. The BNPL Code of Practice is not law and is not enforceable by regulators.

Following public consultation, on 22 May 2023 the government announced its plan to regulate the BNPL industry. BNPL providers will be required to obtain an ACL and comply with a reduced set of obligations under the Credit Act, including in relation to responsible lending, dispute resolution and hardship. On 12 March 2024, the Treasury commenced a further consultation with the release of draft legislation containing proposals to regulate certain BNPL arrangements as ‘low cost credit contracts’ under the existing regulatory regime for consumer credit products. The consultation closed on 9 April 2024 and draft legislation is expected by the end of 2024.

4. Special support to fintechs: a description of special programmes supporting the fintech ecosystem, fintech startups (eg, regulatory sandboxes and accelerator programmes) and regulations regarding special support

ASIC and AUSTRAC have established ‘innovation hubs’ designed to assist fintech businesses in understanding their obligations under Australian law.

The ASIC innovation hub is designed to foster innovation that could benefit consumers by helping Australian fintech startups navigate the Australian regulatory system. The Innovation Hub provides tailored information and access to informal assistance intended to streamline the AFSL application process for innovative fintech startups.

AUSTRAC’s Fintel Alliance has an innovation hub targeted at combatting money laundering and terrorism financing, and improving the fintech sector’s relationship with the government and regulators. The innovation hub also assesses the impact of emerging technologies such as blockchain and crypto assets.

Since 2016, ASIC has made certain legislative instruments establishing a fintech licensing exemption which allows fintech businesses to test certain financial services, financial products and credit activities without holding an AFSL or ACL by relying on the legislative instrument (referred to as the regulatory sandbox). Since September 2020, this has been further developed into an enhanced regulatory sandbox, which allows testing for a broader range of financial services and credit activities for up to two years. There are strict eligibility requirements for both the type of businesses that can enter the regulatory sandbox and the products and services that qualify for the licensing exemption. There are restrictions on how many people can be provided with a financial product or service, and caps on the value of the financial products or services which can be provided.

Regulators in Australia have been generally receptive to the entrance of fintechs and technology focused businesses. The financial services regulatory regime adopts a technology-neutral approach, whereby services will be regulated equally, irrespective of the method of delivery. However, further concessions have been made by regulators in order to support technology-focused startups entering the market.

ASIC has also entered into a number of cooperation agreements with overseas regulators under which there is a cross-sharing of information on fintech market trends, encouraging referrals of fintech companies and sharing insights from proofs of concepts and innovation competitions. It is also the intention of a number of these agreements to further understand the approach to regulation of fintech businesses in other jurisdictions, in an attempt to better align the treatment of these businesses across jurisdictions.

5. Open banking: a summary of regulations regarding open banking and direct or indirect regulations that affect open banking

On 12 August 2019, the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) (CDR Act) amended the Competition Act, the Privacy Act and the Australian Information Commissioner Act 2010 (Cth) (AIC Act) to establish the Consumer Data Right (CDR).

The CDR gives customers a right to require banks and other data holders to share their data with accredited service providers (including banks, comparison services, fintechs or third parties), encouraging the flow of information in the economy and competition within the market. The CDR also contemplates the introduction of action initiation which would allow accredited data recipients to transact and transfer accounts on the customer’s behalf. Accredited data recipients are accredited by the ACCC to receive consumer data to provide a product or service.

The CDR framework is being rolled out across a number of economic sectors as determined by the Minister. Each designated sector will be subject to the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (CDR Rules) and technical data standards for that sector as made by the ACCC and Data Standards Chair respectively. Consumers will be able to exercise greater access and control over their data. These data sharing arrangements are intended to facilitate easier swapping of service providers, enhancement of customer experience based on personal and aggregated data, and more personalised offerings.

The banking sector was the first sector to be designated under the open banking regime. The CDR rules for data sharing in the banking sector came into force on 6 February 2020, and consumers were able to consent to their bank sharing data with accredited data recipients from July 2020.

The open banking regime has been implemented in a phased approach, having regard to both the types of banking entities and the products they offer. From 1 July 2022, individual Australian bank customers can allow accredited third parties to access data across a full suite of banking products. The major ADIs must also facilitate data shared by business consumers, partnerships, and secondary users and joint accounts, with non-major ADIs required to deliver the same from 1 November 2022. The intention to implement action initiation in open banking has been confirmed by the Inquiry into Future Directions for the CDR. However, there has not been a designation or legislative change to require banks or other data holders to allow accredited data recipients action initiation.

On 25 August 2023, the government commenced two consultations which propose changes to the CDR Rules, including in relation to consent requirements and operational improvements. The proposals include expanding the CDR to the non-bank lenders sector. Both consultations closed on 6 October 2023.