A Guide to Fintech in Australia

Australia has one of the fastest growing financial technology (fintech) sectors in the world, built on Australia’s ~$10 trillion financial services industry. The growth of Australia’s fintech industry has been propelled by an ambitious and innovative fintech community, changing consumer expectations, and a technologically neutral regulatory framework.   


Definition of fintech

Fintech refers to the use of technology to provide financial services. Fintech can complement, improve, compete with or disrupt traditional financial methods, products and delivery models. Some examples of the impact of fintech on these methods, products and models include:

  • Payments - In an increasingly cashless world, transactions are completed in near real-time without any cash changing hands. Mobile banking, peer-to-peer transfer technology, distributed ledger technology and digital currencies have disrupted traditional payment methods. Payments now more closely reflect an exchange of goods and services for some agreed modicum of value, which may not resemble fiat or government backed currency. Our clients often want to commercialise fast, transparent and convenient payment systems, or create an ecosystem in which participants agree among themselves to exchange “X” for “Y”.
  • Markets and platforms - Peer-to-peer and disintermediated marketplaces and platforms now exist alongside traditional markets and platforms, offering customers alternative and convenient ways to interact with others and access products and services. This means that the typically “under-banked” and “under-invested” – groups of customers underrepresented as traditional consumers of financial services, such as young investors or first-time borrowers – are now able to access products and services that they have been previously locked out of. With this come new challenges in providing regulated products and services to a new and unique customer base, in a responsible and compliant way.
  • Infrastructure - Technology has changed the financial services regulatory infrastructure. The systems that facilitate the movement and regulation of transactions are increasingly global and digital. With this come opportunities for faster and more transparent transactions, but also risks to security and data protection. Our clients are leading the development of the infrastructure to service and support financial services innovations and disruptions. Our role is to work with clients to develop solutions that balance these opportunities and risks.

Who administers fintech regulation in Australia

There are many regulators and agencies that administer the laws applicable to fintech businesses. Each maintains oversight in relation to a particular industry or legal area.

Australian Securities and Investments Commission (ASIC) 

ASIC is Australia’s corporate, markets, financial services and consumer credit regulator. ASIC’s responsibilities include administering the Australian financial services, financial markets and consumer credit licensing regimes, supervising regulated entities and enforcement activities.

In the fintech context, ASIC supervises financial product advisers, issuers, secondary service providers, consumer credit lenders, intermediaries and market operators.

ASIC also enforces consumer protection laws under the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) in relation to financial products or services including credit activities.  It has also been delegated powers by the Australian Competition and Consumer Commission (ACCC) to take action under the Australian Consumer Law in relation to cryptoassets.

Australian Prudential Regulation Authority (APRA)

APRA is an independent statutory authority that supervises banking, insurance and superannuation institutions and promotes financial system stability in Australia. APRA is responsible for administering the banking, superannuation, insurance and prudential regimes including with respect to licensing, supervision and enforcement of authorised deposit-taking institutions (including banks, building societies and credit unions) and providers of purchased payment facilities, and the creation and administration of prudential standards in relation to financial soundness, risk management and governance within such institutions.

Australian Transaction Reports and Analysis Centre (AUSTRAC)

AUSTRAC is Australia’s financial intelligence agency, responsible for preventing, detecting and responding to criminal abuse of Australia’s financial system and for administering Australia’s anti-money laundering and counter-terrorism laws (the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth)). The AML/CTF Act regulates most financial services and lending businesses, including fintech ADIs, lenders, stored value providers, remittance providers, product issuers, foreign exchange dealers and digital currency exchanges.

Office of the Australian Information Commissioner (OAIC)

The OAIC is the independent national regulator for privacy and freedom of information. The OAIC administers the Privacy Act 1988 (Cth) which regulates the handling of personal information by large and Government agencies. The role of the OAIC includes investigating complaints relating to the handling of personal and sensitive information, overseeing the notifiable data breach scheme and, in conjunction with the Australian Competition and Consumer Commission, overseeing the consumer data right.

Australian Competition and Consumer Commission (ACCC) 

The ACCC is Australia’s national competition and consumer law regulator. Fintechs that are not otherwise subject to the consumer protection provisions in the ASIC Act are likely subject to the equivalent provisions in the Australian Consumer Law. The consumer protection provisions include prohibitions on misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms. The ACCC has delegated its power to ASIC to take action under the Australian Consumer Law in relation to crypto-assets.

Reserve Bank of Australia (RBA)

The RBA is Australia’s central bank and provides a range of banking services to the Government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

Australian Financial Complaints Authority (AFCA)

AFCA is Australia’s independent disputes resolution body that considers consumer complaints about financial products and services including credit, finance and loans, insurance, deposit and payments products, investments and financial advice and superannuation. AFCA primarily resolves consumer disputes; however, AFCA has discretion to hear complaints from wholesale clients about AFCA member firms.

Council of Financial Regulators (CFR) 

The CFR coordinates Australia’s key financial regulators: APRA, ASIC, the RBA and the Treasury. While the CFR has no formal regulatory or policy decision-making powers, it coordinates and facilitates cooperation among the regulators to promote stability in Australia’s financial system and support effective and efficient regulation, including through its consultations, policy statements and other reports.

The fintech landscape in Australia 

Marketplace lending 

Marketplace or peer-to-peer lending connects investors (lenders) with borrowers without a bank or traditional financial institution participating as an intermediary in the deal. The marketplace operator often provides additional services such as identity verification, loan servicing, suitability assessment and repayment management. Marketplace lending models may fall within the Australian financial services regime, consumer credit regime and the AML/CTF regime. ASIC has provided guidance in its information sheet 213 to assist providers of marketplace lending products and others providing financial services in connection with these products.

Buy now, pay later

Buy now, pay later (BNPL) has been a growth area in Australia with a few providers dominating the Australian fintech landscape. Currently, some BNPL providers operate outside the Australian consumer credit licensing regime, although they are regulated under the ASIC Act, the design and distribution obligations and the AML/CTF Act.  As a result of mass consumer adoption and concerns regarding consumer outcomes, the Treasury has recently proposed alternatives for increased regulation of BNPL service providers.


Australia has an evolving insurtech market that is pushing change in a sector that has historically been dominated by a small number of providers. Coming out of the Royal Commission, insureds have clear expectations regarding matters such as policy features, portfolio holdings and claims handling. There is an opportunity for insurtech to make inroads in this closely held, typically sticky, sector. However, the high barriers to entry continue to make it difficult for fintech to meaningfully disrupt incumbents.


Australia is one of the world’s major regulatory technology hubs and the Australian regulators consider that regtech has the potential to help businesses to build a culture of compliance, identify learning opportunities, save time and money on regulatory matters and lead to positive consumer outcomes.  Key areas of regtech include in relation to AML/CTF and sanctions, regulatory compliance for financial services, governance, fraud and cyber security.  A range of technologies are being used in the regtech space including artificial intelligence, natural language processing, machine learning, distributed ledger and blockchain technologies. Regulators such as ASIC and AUSTRAC are also exploring and utilising regtech solutions in their oversight of the financial services industry (suptech).


The Australian banking sector is highly regulated, with stringent licensing, conduct (including reporting) and regulatory capital requirements that act as significant hurdles for new businesses entering the market. Following the introduction of APRA’s ‘restricted’ ADI (ie, restricted bank) (RADI) licensing framework in 2018, there have been a number of new entrants in the Australian banking industry, including digital banks (neobanks). In Australia, neobanks have been characterised by targeting more digitally-oriented customers with a focus on delivering more convenient and cost-effective products and many are now owned by incumbent financial institutions.

Robo advice and wealth management

Robo advice refers to platforms that make use of algorithms to provide financial product advice. Australia is currently experiencing a downturn and consolidation of its advice industry, due in large part to the increased costs of obtaining advice coming out of the Royal Commission. It is expected that the recommendations to be made in the Quality of Advice Review at the end of 2022 will create opportunities for a re-commencement and diversification of advice providers, including opportunities for robo advisers to enter the market.

Equity Crowd-sourced funding 

In 2017 the equity crowd-sourced funding (CSF) regime was introduced creating a licensing regime for intermediaries to provide services to public companies seeking to raise funds from retail investors.  This regime has since been expanded and can now be used by proprietary companies to raise equity.

While reducing the regulatory barriers to investing in small and start-up businesses (including fintechs), the framework also created certain licensing and disclosure obligations for CSF intermediaries / platform operators (ie, persons listing CSF offers). While there are a range of reporting requirements imposed on companies engaging in crowdfunding, there are also a number of concessions made with respect to restrictions that would otherwise apply to their fundraising activities. Eligible companies can seek funding from a broader range of investors with an appropriate offer document (with requirements less onerous than listing on an exchange), whilst investor protection is maintained.

Cryptocurrencies and crypto assets

Cryptocurrency (also known as virtual assets, digital assets, crypto assets or digital currencies) refers to digital tokens created from code using blockchain that do not exist physically in the form of notes or coins. There are many types of cryptocurrencies that may be utilised by fintech businesses and projects. These include stablecoins, central bank digital currencies (CBDCs), non-fungible tokens (NFTs), soulbound tokens (SBTs) and governance tokens. See 'A guide to Web3 in Australia' for further information about their regulation in Australia.


Blockchain or distributed ledger technology (DLT) may be used by a range of businesses, including AFSL and ACL holders and start-ups, and its use has been increasing, particularly by operators of financial market infrastructure, financial institutions, financial services providers and other fintech businesses. One example of the use of blockchain technology is asset tokenisation. See 'A guide to Web3 in Australia' for further information about the regulation of blockchain in Australia.

Decentralised finance

Defi has become a popular alternative to the centralised banking and financial system.  See 'A guide to Web3 in Australia' for further information about the regulation of defi in Australia.    

Payments and digital wallets

Payments and digital wallets are an integral part of Australia’s fintech landscape. See 'A Guide to Payments in Australia' for further information about their regulation in Australia.    

How are fintech businesses regulated in Australia?

Depending on the products and services offered by a fintech business, one or more of the below laws may apply.

A business that carries on a financial services business in Australia must hold an Australian financial services licence (AFSL) and comply with conduct and disclosure requirements, unless exemptions apply.

Financial products include facilities for making a financial investment, facilities for managing a financial risk and facilities for making a non-cash payment. Financial products specifically include securities, interests in managed investment schemes, derivatives, deposit products, superannuation interests, life insurance, general insurance, foreign exchange contracts not settled immediately, Australian carbon credits, eligible international emissions units and margin lending facilities.

Financial services include providing financial product advice, dealing in financial products, making a market for a financial product, operating a registered scheme, and providing a crowd-funding service.

Retail product issuers and distributors must also comply with design and distribution obligations (DDO), including the requirement to develop and comply with appropriate target market determinations (TMD).

Please contact our Fintech + Web3 team should you wish to discuss.


Fintechs engaging in consumer credit activities must comply with credit laws under the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) (including the National Credit Code (Credit Code)), the ASIC Act and associated regulations as administered by ASIC. This includes the requirement to hold an Australian credit licence (ACL) unless an exemption applies.

The ACL requirement applies to credit (ie, contracts for deferred debt) regulated under the Credit Code, meaning credit that is provided:

  • to natural persons or strata corporations;
  • for predominantly personal, household or domestic purposes or residential property investment;
  • for a fee or charge; and
  • in the course of carrying on a business of providing credit in Australia.

If the Credit Code applies, the provider must hold an ACL unless an exemption applies. Credit activities include providing credit as a credit provider (issuer), providing a credit service, providing a consumer lease, mortgage or guarantee. Credit services include providing credit assistance (eg, suggesting or assisting a consumer to take a particular action in relation to a credit contract or consumer lease) and acting as an intermediary between a consumer and a credit provider or between a consumer and lessor.

There are various ACL exemptions that apply for credit products, which typically relate to low value and short term credit arrangements, certain referral arrangements or otherwise being supervised by an appropriately licensed entity (being a credit representative).

Credit providers should also be aware of the conduct and disclosure obligations that attach to dealing in consumer credit, primarily in relation to responsible lending and issuing credit guides. Credit issuers and distributors should also ensure compliance with DDO, including the requirement to develop and comply with appropriate TMDs. Providers of short term credit and continuing credit contracts must also comply with product intervention orders.


Fintechs that provide designated services with a geographical link to Australia (referred to as reporting entities) must comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules). This includes the requirement to enrol (and register, if providing remittance or digital currency exchange (DCE) designated services) with AUSTRAC as a reporting entity and comply with various obligations such as transaction monitoring and reporting. Reporting entities must have an AML/CTF Program in place that complies with the AML/CTF Rules, setting out how the reporting entity complies with its obligations.

A geographical link will be established if the designated service is provided through a permanent establishment in Australia or a permanent establishment in a foreign country if the provider is a resident of Australia or a subsidiary of a resident of Australia.

Designated services include a broad range of dealings in accounts with financial institutions, loans, foreign exchange, DCE, stored value cards, remittance services, issuances of financial products, depository and custodial services and AFSL holders arranging for customers to receive other designated services. In particular, the remit of the AML/CTF regime is broad such that businesses are often captured without otherwise being required to hold an ACL or AFSL (eg, the definitions of ‘loans’, ‘remittance service’, ‘foreign exchange’ and ‘stored value card’ are very broad). It is vital to understand whether your fintech business may be providing one or more of these designated services.

There are limited exemptions to the requirements under the AML/CTF Act. However, in some circumstances AUSTRAC may publish no action positions or grant application-based exemptions from these requirements where the money laundering and terrorism financing (ML/TF) risk profile of a particular business or service is low.


Fintech businesses should be aware of various consumer protections. These exist in the form of prohibitions on (among other things) misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms as set out in the ASIC Act (administered by ASIC) and the Australian Consumer Law, as set out in the Competition and Consumer Act 2010 (Cth) (administered by the ACCC).


Where a fintech business is a reporting entity under the AML/CTF Act, a credit reporting body or has revenue of at least $3 million, it will need to comply with the Privacy Act 1988 (Cth) (Privacy Act). Among other things, this means it must have a privacy policy that complies with the Australian Privacy Principles, which impose obligations on the collection, use, disclosure, retention and destruction of personal information.

The Privacy Act extends to acts undertaken outside Australia and its external territories where there is an “Australian link” (ie, where the organisation is an Australian citizen or organisation or carries on a business in Australia and collects personal information in Australia). It also includes a framework for cross-border disclosure of personal information.

Entities that must comply with the Privacy Act must also comply with the Notifiable Data Breaches (NDB) scheme, which requires them to notify any affected individuals and the OAIC in the event of a data breach (ie, unauthorised access to or disclosure of information) which is likely to result in serious harm to the individual to whom the information relates.

Please contact our Data + Privacy team should you wish to discuss.


The consumer data right (CDR) enables consumers to exercise greater access and control over their data and gives customers a right to require data holders to share their data with accredited data recipients (including banks, comparison services, fintechs or third parties). The CDR was initially implemented in the banking sector under the ‘Open Banking’ regime and has since been extended to other sectors. Under Open Banking, the CDR provides a secure and trusted method for ‘accredited data recipients’ to access consumers’ (both individual and business consumers) banking data. Having access to banking data can provide greater insights into a customer’s financial situation and allow financial service providers to provide their services more efficiently. The CDR’s impact on financial service providers is likely to increase over time with the roll out of the CDR economy wide. In particular, the Federal Government has announced that the CDR regime will be extended to “Open Finance” (that is, non-bank lending, insurance, superannuation and payments data). This will mean customers can exercise greater access and control over their data, and more fintechs will be able to provide services where customers can more easily swap service providers, enhancing customer experience and providing more personalised offerings.

Please contact our Competition + Regulation team should you wish to discuss.


ADIs and non-bank lenders that are corporations engaging in the provision of finance in the course of carrying on business in Australia have general financial reporting obligations under the Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA). FSCODA operates to facilitate the collection of statistical data on financial sector entities to assist APRA with performing its supervisory functions and for statistical purposes. There are exceptions from the definition of registrable corporation, including entities for which the sum of the values of the corporation’s assets in Australia that consist of debts due to the corporation resulting from transactions entered into in the course of the provision of finance by the corporation and the sum of the values of the principal amounts outstanding on loans or other financing does not exceed $50 million.


The regulation of foreign financial service providers (FFSPs) is in a state of flux. Currently FFSPs carrying on a financial services business in Australia require an AFSL or must rely on an exemption (such as being appointed an authorised representative of an AFSL holder or relying on limited connection relief), unless relief is granted.

Historically, FFSPs regulated in comparable jurisdictions had the benefit of limited licensing relief for financial services provided to wholesale clients.  In 2020, this was repealed and replaced with a foreign AFSL regime. In 2021, the Government proposed reverting back to the comparable jurisdiction regime (with some amendments).  Legislation to this effect was put to the Australian parliament in early 2022 but lapsed with the change of Government. Currently no intention has been announced regarding the future of FFSP regulation in Australia. 

Foreign fintechs providing consumer credit must hold an ACL unless an exemption applies.

Foreign companies carrying on a business in Australia may be required to establish a local presence (ie, register with ASIC and create a branch) or incorporate a subsidiary. The greater the level of system, repetition or continuity associated with business activities in Australia, the greater the likelihood that registration will be required.

Generally, a service provider from outside Australia may respond to requests for information and issue products to an Australian resident if the resident makes an unsolicited approach and there has been no conduct on the part of the issuer designed to induce the investor to make contact, or activities that could be misconstrued as the provider inducing the contact.


Future of fintech regulation in Australia

Royal Commission 

Australia’s financial services policy and regulatory context is largely informed by the findings of the 2017–2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). The Royal Commission made a series of recommendations for regulatory reform, focusing on matters such as prioritising the interests of consumers, overhauling conflicted remuneration structures and changing the way add-on products are distributed. A raft of legislative changes followed to implement these recommendations. Fintechs – particularly those that are motivated to provide financial services in a way that is more convenient, personalised and simplified for consumers – will be well placed to adapt to these changes, and seize the opportunity presented by the current public sentiment of dissatisfaction with traditional providers.

Simplification of the financial services laws 

As part of the Government’s response to the Royal Commission, the Australian Law Reform Commission (ALRC) conducted an inquiry into simplifying Australia’s financial services regulatory framework to make it “more adaptive, efficient and navigable for consumers and regulated entities”. The ALRC has provided interim reports in two areas, being the design and use of definitions in corporations and financial services legislation, and the regulatory design and hierarchy of laws. The ALRC is expected to release a third interim report on the potential to reframe or restructure Australia’s financial services laws by the end of August 2023.

Payments system regulation

The Australian Government has been undertaking various reviews into aspects of payment systems regulation, including:

Crypto assets

Several consultations have recently concluded on proposed regulation concerning the treatment of crypto assets and their related services. See 'A Guide to Web3 in Australia' for further information.

Buy now pay later

On 21 November 2022 Treasury released a consultation paper on a proposed regulatory framework for BNPL providers in Australia (see here: Treasury consults on options to regulate Buy Now, Pay Later in Australia). Three options, leveraging the existing regulatory framework, are proposed:

  • amending the NCCPA to impose specific obligations for BNPL providers to conduct an affordability test, strengthening the BNPL industry code and taking steps so the BNPL industry code is mandatory and enforceable by ASIC;
  • requiring BNPL providers to hold an ACL or be otherwise authorised whereby BNPL providers would need to comply with most general obligations of credit licensees; or
  • treating BNPL similarly to other credit products under the NCCPA and requiring BNPL providers to obtain an ACL and step fully into the regulatory regime for credit providers.

Regulatory assistance

Australian regulators are committed to helping fintech businesses with guidance to enhance regulatory understanding and programs to assist in offering products and services to Australian consumers.

Fintech Sandbox

ASIC operates a regulatory sandbox which allows fintechs to operate small scale financial services or credit activities as pilot projects without an AFSL or ACL. There are strict eligibility criteria for the type of businesses that can participate and the products and services that qualify, including that there must be a net benefit to the public and the product or service must be new and innovative.  

ASIC innovation hub

ASIC has established an innovation hub to assist startups and fintechs which:

  • have not commenced operating under an AFSL or ACL, are in the process of obtaining an AFSL or ACL or have been operating with an AFSL or ACL for less than 12 months;
  • involve potentially ground-breaking innovation (a new or significantly different product or service from those currently available); and
  • potentially provide a better outcome for investors and consumers.

Regulator engagement 

Both ASIC and AUSTRAC have published guidance to enhance regulatory understanding.

ASIC and AUSTRAC host meetups with industry and advisers to discuss the latest initiatives and news with financial innovation and technology. 

AUSTRAC recognises that regtech plays an important role in assisting reporting entities to meet their AML/CTF obligations and provides general guidance about AML/CTF regulation through its AUSTRAC RegTech Engagement program.

AUSTRAC Innovation hub

AUSTRAC’s Fintel Alliance has an Innovation Hub targeted at combatting ML/TF and improving the fintech sector’s relationship with Government and regulators. It also assesses the impact of emerging technologies such as blockchain and cryptocurrency.


AUSTRADE assists fintechs in exporting their services overseas.

International assistance 

Australia has memorandums of understanding (MOUs) with regulators around the world to assist fintechs in cross-border expansion including with Canada, Kenya, Singapore, the United Kingdom and United States.

The role of our advisors and how we can help with your fintech inquiries

The application of regulation to fintech businesses can be a complex landscape to navigate. It is vital your business has legal advisers that understand these regimes. Gilbert + Tobin’s Fintech + Web3 team has a strong track record and breadth of expertise in the industry, advising all types of fintech businesses (eg, lenders, BNPL providers, banks, financial institutions, robo advisers, wealth management platforms, acquirers, digital marketplaces, digital currency providers, digital wallet operators, equity crowd-sourced funding platforms and companies seeking funding and more). Our services include regulatory advice, product ideation and establishment, licensing, disclosure, conduct review, regulator engagement and more.

Whilst it is important to engage legal advisers early to ensure that your business is appropriately structured from the outset, our team provides end to end services. Please be in touch should you wish to discuss.