A Guide to Web3 in Australia

Developments in financial technology (A Guide to Fintech in Australia) are a feature of Australia’s financial services industry. Australia has seen an extensive array of mature product offerings leveraging innovative technology to improve (and disrupt) the design and delivery of financial services.

There is a continuing focus on the opportunities and potential for blockchain technology and smart contracts to enhance and augment financial products and services, and a corresponding interest in the use of cryptocurrency, tokens, coins and assets (crypto assets). The Australian Government and regulators are ostensibly receptive to innovation in financial services; however, there is considerable discussion around the risks and challenges for market participants and customers as web3 has evolved beyond recognisable digital representations of value to novel concepts like decentralised finance (DeFi), stablecoins, non fungible tokens (NFTs), digital markets, tokenised assets, identity, exchanges and decentralised autonomous organisations (DAOs).

What is web3?

Web3 has been heralded as the next generation of the internet using blockchain and digital assets, and the phasing in of an era of decentralised, permissionless and trustless digital economy.

Web1 is the version of the internet known as the information economy. It was dominated by the consumption of information uploaded online. Web1 is generally known as being read only because users could search and read information on static webpages, but there wasn’t any deeper engagement or creation of content. For example, users could access offline content like magazines and publications that had been uploaded online for distribution or see websites for companies, but they typically didn’t interact with other users.


Web2 enabled far greater participation for users, forming the read and write era. Web2 users generate network value on a single protocol where large volumes of users access various platforms and create accounts, write content and interact with each other. Web2 saw the rise of social media and other platforms to facilitate user interactions (eg, through the sharing of user generated content). However, users generally do not own the content (the platform does).


Web3 has a far greater focus on the protocol layer (as opposed to apps built on the protocol, ie Web2) and individual ownership of data and assets. Web3 leverages the open protocol attributes of web1 while using new technology like blockchain and digital assets to allow users to maintain, participate in and own the network.

Core elements of web3, crypto and blockchain

Following is an overview of the building blocks of web3 based strategies.

Blockchain in Australia

A blockchain is a ledger method for recording transactions, organised in blocks or groups of data across many computers (ie, nodes) that are linked and secured. This is different from traditional record keeping methods that store data in a central place. Each block can only hold a certain amount of information, so new blocks are continually added to the ledger, forming a chain. Each block has its own unique identifier, which is a cryptographic hash. The hash protects the information in the block from anyone without the required code and also protects the block’s place on the chain.

Blockchain is a core component of cryptocurrency networks and acts as the ledger on which a permanent record of all transactions is kept. Blockchain is touted for its benefits such as immutability (ie, it is very difficult to alter or amend records), trust, traceability, security and transparency. It also provides businesses with increased efficiency by automating processes and reducing the need for intermediaries.

In Australia, there have been several leading blockchain initiatives, including industry specific trials in financial services, energy, minerals, agriculture, food and beverage and the public sector. Blockchain has been used to manage validation, facilitate payment flows, manage supply chains, trade assets and operate marketplaces.

Smart contracts

A smart contract is a computer program or a transaction protocol stored on blockchain that automatically executes actions according to the terms of a contract or an agreement. For example, a smart contract can hold crypto assets and send them as directed based on certain conditions. Smart contracts allow developers to build apps on blockchain protocols to provide other services or functionality.

Cryptocurrency and crypto assets

Cryptocurrency (also known as virtual assets, digital assets, crypto assets or digital currencies) refers to digital tokens created from code using blockchain that do not exist physically in the form of notes or coins. Currently, Australian law does not equate cryptocurrency with fiat currency and does not treat cryptocurrency as “money” and there are currently no express prohibitions on the use or trading of cryptocurrency in Australia. Examples include Bitcoin (the native token of the bitcoin network) and Ether (the native token of the Ethereum network).

While cryptocurrency is generally used as a catch all term, there have been a variety of new assets that have emerged in web3. These include:

  • Stablecoins: Stablecoins are cryptocurrencies that peg their value to some external “stable” reserve asset, usually a fiat currency like the US dollar or commodity like gold. The combination of traditional-asset stability with digital-asset flexibility has had significant uptake and stablecoins have become a very popular way of storing and trading value in the crypto ecosystem. Because stablecoins are seen to bridge the worlds of crypto and fiat, stablecoins have become popular in the context of accessing DeFi. Stablecoins can be collateralised, which means each token is backed 1:1 with a real world asset (eg, US dollars) or they can be algorithmic. Algorithmic stablecoins are a series of smart contracts that attempt to balance the supply of tokens in circulation to maintain the value of the token.
  • Central bank digital currencies (CBDCs): CBDCs are a new form of digital payment instrument issued by a central bank (for example, the Reserve Bank of Australia (RBA)) that is representative of a national currency. CBDCs can be indirect (ie, wholesale only) meaning CBDCs are only accessible to wholesale market participants in the payments and settlement systems context, which would simplify the complex payment mechanisms currently in place between banks and the RBA. CBDCs can also be direct (ie, retail) meaning the RBA directly issues CBDCs to individuals as a payment mechanism and all transactions and payments between individuals will operate at the RBA level. In Australia, it has generally been the RBA’s position that a retail CBDC will not bring substantive benefits. As at August 2022, the RBA has been collaborating with the Digital Finance Cooperative Research Centre on a research project to explore use cases for and the potential economic benefits of a CBDC in Australia.
  • Non fungible tokens (NFTs): An NFT is a cryptographic token that represents a unique asset (ie, it is not interchangeable). NFTs can be tokenised versions of real world assets or they can represent digital collectibles. The key benefit of NFTs is that they represent verifiably scarce, portable, and programmable pieces of digital property. NFTs have to date largely been used in relation to digital art but they can also be used for things like video game items, a plot of land in the Metaverse, data and identity documentation, certificates and representations of real world assets like premium wine or luxury consumer goods. NFTs can be traded or sold in marketplaces like OpenSea and often represent the access point for digital projects like CryptoKitties and Axie Infinity.
  • Soulbound tokens (SBTs): SBTs are a type of NFT bound to a single wallet or individual, meaning they cannot be transferred to anyone else. SBTs can be used to store identification information in a secure way and can ensure that permissioned access to certain information is only provided on an as-needed basis. For example, a person could verify certain credentials associated with their identity such as their identity documentation, medical information, credit information or educational qualifications and for each item, hold a corresponding SBT in their wallet.
  • Tokenised financial assets: Tokenised assets can comprise a range of items, such as tokens representing underlying financial products, being a financial product itself or using technology to bundle rights and income streams on-chain to create a new type of financial product. For example, various projects have tokenised traditional financial instruments like shares, carbon credits, mortgages and bundled income streams from various packaged debt products to provide customers with greater certainty around ownership and transferability.
  • Governance tokens: Governance tokens are designed to provide holders the right to vote on issues that govern the development and operations of a blockchain project. That is, governance tokens permit projects to distribute decision making power to the community behind the network.

Digital wallets

A crypto wallet is like a user account that facilitates customer interaction with a blockchain network. A wallet consists of:

  • a public key that is an alphanumeric identifier that functions as an address or location for the user, which can be publicly disclosed; and
  • a private key, being a confidential password that is used to ‘sign’ transactions as well as provide access to the wallet.

All users require a wallet to undertake actions like sending and receiving crypto assets.

Common wallet features and terminology

Hot vs cold wallets

Hot wallets are those that are connected to the internet, meaning that users can more easily transact or trade. However, hot wallets may be more susceptible to hacks.

Cold wallets are not connected to the internet meaning they are more resistant to hack attempts but are not as accessible as hot wallets.

Software vs hardware wallets

Software wallets are typically connected to the internet and permit users to access their keys using software. Software wallets include web wallets (ie, access using an internet browser), desktop wallets (ie, access by downloading software to a computer) and mobile wallets (ie, access using a mobile phone application).

Hardware wallets are physical, electronic devices that store a user’s public and private keys offline.

Custodial vs non custodial wallets

Custodial wallets are where a third party holds the private keys to a user’s funds to enable transfer of those funds. A user may contractually own the crypto assets that can be accessed using the keys held in their custodial wallet but legal title to those crypto assets sits with the third party custodian (ie, claim based control). Custodial solutions are typically employed by exchanges however this does introduce an element of counterparty risk for users.

In contrast, users have complete control over their non custodial wallets (ie, the user holds the private key) however loss of this private key by the user generally means the crypto assets held in a non custodial wallet cannot be recovered.

Decentralised finance (DeFi) and centralised finance (CeFi)

Decentralised finance or DeFi refers to the shift from traditional, centralised financial systems to peer-to-peer finance enabled by protocols like Ethereum. With DeFi, customers can undertake activities that traditional financial institutions typically intermediate, like making payments, lending, borrowing and trading financial products like derivatives, but customers can do so without the presence of traditional financial institutions as intermediaries or central parties. In DeFi, smart contracts replace the intermediaries in the transaction.

CeFi connects traditional finance and blockchain technology by reintroducing intermediaries between users and DeFi.


‘Staking’ has various meanings, models and interpretations. Some examples include:

  • Ethereum validators stake (or lock) ETH to activate validator software and participate in the Ethereum proof of stake mechanism via which transactions are validated. The network chooses people to validate based on the size of their stake and the length of time they’ve staked their tokens so the most invested participants are likely to be rewarded for staking, or securing the operation of, the network;
  • decentralised groups providing liquid staking protocols that allow individuals to have access and exposure to staking rewards from node operators;
  • centralised providers who provide managed staking services that allow individuals to have access and exposure to staking rewards from the provider’s own node;
  • platforms that provide direct pass through access to other staking products but do not provide their own staking product; and
  • centralised providers that offer ‘staking’ under which users can lend assets to those providers and such providers use those assets to derive staking returns (a portion of which is provided to the lenders/users).

Centralised and decentralised exchanges

An exchange permits users to buy and sell crypto assets using fiat currency or other crypto assets. Centralised exchanges are run by a central party (ie, platform or market operator) that acts like a market maker to facilitate trades via the platform. Centralised exchanges generally take user funds or crypto assets and exchange these for the user’s desired crypto asset by drawing on the exchange’s existing reserves or by obtaining such assets from the exchange’s third party liquidity providers. Centralised exchanges often provide custodial services for users to store a user’s funds and crypto assets on-platform.


A decentralised exchange (or DEX) does not have a central party and executes buy and sell orders using smart contracts to effect automated peer to peer trading (ie, where buyers and sellers are matched or by drawing on an existing liquidity pool supplied by liquidity providers). Users that trade with a liquidity pool on a DEX are usually charged a transaction fee, which is then proportionally shared with users that have provided liquidity by contributing to a liquidity pool. As there is no intermediary, DEXs are non custodial meaning users retain control of their crypto assets.

Decentralised autonomous organisations (DAOs) 

A DAO is an open source code based organisation or community that is governed by its members typically using governance tokens. The ‘rules’ of the community are enforced using smart contracts such that there is no centralised authority and members do not need to be known to one another. A DAO’s governance token is generally used to incentivise participation in the DAO and holding governance tokens broadly permits the holder (being a member of the DAO) to vote on proposals relating to decisions of the DAO.

There has been significant industry and regulatory commentary as to the legal status of DAOs (and there is currently no legislated position on this in Australia).

Who are the key regulators today?

No regulator has been specifically tasked with supervising and regulating crypto assets in Australia and our regulators and agencies are each mandated with administration of laws applicable to a particular industry or legal area.

Australian Securities and Investments Commission (ASIC)

ASIC is Australia’s corporate, markets, financial services and consumer credit regulator. ASIC is responsible for overseeing licensing, supervision and enforcement of Australian companies, financial markets, financial services organisations (including banks, credit providers, insurers, superannuation providers, funds) and businesses dealing with or advising on investments, superannuation, insurance, deposit-taking and credit. ASIC also has delegated powers from Australia’s competition regulator, the Australian Competition and Consumer Commission, with respect to administering the Australian Consumer Law with respect to crypto assets.

Australian Transaction Reports and Analysis Centre (AUSTRAC)

AUSTRAC is Australia’s financial intelligence agency, responsible for preventing, detecting and responding to criminal abuse of Australia’s financial system. This includes oversight with respect to reporting entities that provide designated services (including digital currency exchange providers, remittance providers, certain financial product issuers and distributors and stored value facility operators) and overseeing reporting and other measures to combat money laundering and terrorism financing.

Australian Prudential Regulation Authority (APRA)

APRA is Australia’s prudential regulator, responsible for administering the banking, superannuation, insurance and prudential regimes. APRA is responsible for licensing, supervision and enforcement of authorised deposit-taking institutions (ie, banks) and other purchased payment facility operators, and the creation and administration of prudential standards in relation to financial soundness, risk management and governance within such institutions.

Reserve Bank of Australia (RBA)

The RBA is Australia’s central bank and payment systems authority, responsible for supervising Australia’s core banking and payment systems. This includes conducting monetary policy, maintaining financial stability, issuing banknotes, supervising payment schemes, as well as the clearing and settling of transactions between authorised deposit-taking institutions and purchased payment facility operators authorised and supervised by APRA.

Treasury

The Treasury is not a regulator but a central policy agency for the Australian federal government. It has played an increasingly important role in Australia’s crypto asset and web3 landscape by consulting with industry and providing guidance as to the direction of how legislators seek to introduce changes with respect to the regulatory treatment of crypto assets and service providers.

How is web3 regulated in Australia?

The regulation of crypto assets and web3 business models in Australia is complex and will be subject to significant change in the next few years. Market events and increasing calls from industry for clarity in regulation have caused Australian regulators, particularly ASIC, to become more active in the web3 landscape with a strong emphasis on consumer protection and market integrity.

Currently, there are no laws in Australia that have been implemented to specifically regulate crypto assets and Australia’s regulatory regimes adopt a technology-neutral approach, such that services will be regulated equally, irrespective of the method of delivery. There have been some legislative amendments to accommodate the use of crypto assets however the predominant focus has been the transactional relationships (eg, the issuing and exchanging process) and activities involving crypto assets and how these are captured under existing regulatory frameworks in Australia.

As with crypto assets, there are also currently no specific regulations dealing with blockchain or other distributed ledger technologies (DLT) in Australia. However, ASIC maintains a public information sheet (INFO 219 Evaluating distributed ledger technology) outlining its approach to the regulatory issues that may arise through the implementation of blockchain technology and DLT solutions more generally. Businesses considering operating market infrastructure, or providing financial or consumer credit services using DLT, will remain subject to the compliance requirements that currently exist under the applicable licensing regime.

An entity carrying on a financial services business in Australia must comply with financial services laws under the Corporations Act 2001 (Cth) (Corporations Act), the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) and associated regulations as administered by ASIC. This includes the requirement to hold an Australian financial services licence (AFSL) unless an exemption applies.

Fintech and web3 businesses may also need to hold an Australian market licence where they operate a facility through which offers to buy and sell financial products are regularly made (eg, an exchange). If an entity operates a clearing and settlement mechanism which enables parties transacting in financial products to meet obligations to each other, the entity must hold a clearing and settlement facility licence or be otherwise exempt.

The legal status of crypto assets and adjacent services turns on their structure and the associated rights (which should be interpreted broadly). Depending on the circumstances, the following financial products may be relevant: deposit products, securities, derivatives, interests in managed investment schemes (MIS) (ie, collective investment vehicles), miscellaneous investment and risk management facilities and facilities through which non-cash payments (NCP) can be made. The broad definition of what constitutes a financial product under the Corporations Act means that crypto asset issuers and adjacent service providers will need to undertake a detailed exercise to understand the key product features that may trigger regulatory obligations or give rise to risk due to regulatory uncertainty.

ASIC has released INFO 225 Crypto-assets (INFO 225) to assist businesses involved with crypto assets or providing crypto asset-adjacent services. In INFO 225, ASIC provides high-level regulatory signposts for crypto asset participants to determine whether they have legal and regulatory obligations. These signposts are relevant to crypto asset issuers, crypto asset intermediaries, miners and transaction processors, crypto asset exchanges and trading platforms, crypto asset payment and merchant service providers, wallet providers and custody service providers, and consumers.

Financial services may capture activities such as marketing or promoting activity, providing financial products or making them available to customers and arranging for customers to acquire or close products. An entity that facilitates payments by crypto assets may also be required to hold an AFSL and the operator of a crypto asset exchange may be required to hold an Australian market licence if the supported assets are financial products.

Entities dealing in financial product crypto assets will need to comply with the regulatory requirements under the Corporations Act, which generally include disclosure, registration, licensing and conduct obligations. Product issuers and distributors should also ensure compliance with design and distribution obligations, including the requirement to develop and comply with appropriate target market determinations.

Please contact our Fintech + Web3 team should you wish to discuss.


Certain credit activities will trigger the requirement to hold an Australian credit licence (ACL) under the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) (including the National Credit Code (Credit Code)), and requirements under the ASIC Act and associated regulations as administered by ASIC. The ACL requirement applies to credit (ie, contracts for deferred debt) regulated under the Credit Code, meaning credit that is provided:

  • to natural persons or strata corporations;
  • for predominantly personal, household or domestic purposes;
  • for a fee or charge; and
  • in the course of carrying on a business of providing credit in Australia.

Principal issuers of consumer credit contracts will trigger the requirement to hold an ACL. Web3 participants (particularly in centralised finance or CeFi) will need to consider whether credit licensing obligations are triggered in the context of borrowing or lending (including where loans are made using crypto assets or crypto assets are used as collateral for a fiat loan).

The ACL requirement also captures a broad range of businesses that provide credit services such as credit assistance (eg, suggesting or assisting a person in relation to credit) or credit intermediation (eg, acting as an intermediary in relation to credit). There are various ACL exemptions that are available for certain credit products, such as low value and short term credit arrangements or otherwise being supervised by an appropriately licensed entity.

Credit providers should also be aware of the conduct and disclosure obligations that attach to dealing in consumer credit, including in relation to responsible lending, breach reporting and disclosure. Product issuers and distributors should also ensure compliance with design and distribution obligations, including the requirement to develop and comply with appropriate target market determinations.


Entities that provide designated services with a geographical link to Australia (referred to as reporting entities) must comply with the Australian AML/CTF regime, which is captured under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth) (AML/CTF Act) and associated rules. This includes the requirement to enrol (and sometimes register) with the Australian Transaction Reports and Analysis Centre (AUSTRAC) as a reporting entity and comply with various compliance, transaction monitoring and reporting obligations. Relevant designated services include a broad range of dealings in accounts with financial institutions, acquisition and disposal of certain financial products, digital currency exchange, stored value cards, custodial services and remittance services.

Digital currency exchange (DCE) providers are required to register and enrol with AUSTRAC and must implement know-your-customer processes to adequately verify the identity of their customers, with ongoing reporting obligations such as annual compliance reporting and the requirement to monitor and report suspicious and large transactions. Exchange operators must also keep certain records relating to customer identification and transactions for up to seven years. DCE providers are required to renew their registration every three years. The DCE sector has been of great interest to AUSTRAC, in particular monitoring the money laundering and terrorism financing risks associated with digital currency.


Crypto asset issuers and service providers must also consider whether they are subject to prudential regulation. While ASIC is responsible for regulating the issuance and distribution of deposit products, the operation and financial stability of businesses providing banking services falls under the Banking Act 1959 (Cth) (Banking Act), associated regulations and prudential standards published by the Australian Prudential Regulation Authority (APRA). Generally, entities that are carrying on a banking business (eg, taking money on deposit and making advances of money) in Australia are required to be authorised by APRA as an authorised deposit-taking institution (ADI) and comply with associated obligations and prudential standards.

Entities that are holders of stored value in connection with a purchased payment facility (PPF) are required under the Payment Systems (Regulation) Act 1998 (Cth) (PSRA) to become an ADI authorised by APRA. A PPF is a facility (other than cash) where the customer is able to make payments up to the amount available under the facility and those payments are made by the provider of the facility (or another person acting in accordance with instructions). This may be relevant for digital wallet providers that offer customers digital wallets as a means of payment and storing value.

The RBA has issued various declarations exempting certain PPFs from the application of the PSRA or exempting certain entities from the requirement to be an ADI though none specifically relate to crypto assets. There is an open question as to how crypto asset banking participants can comply in practice with the banking and stored value regime and it is anticipated that the regime will be subject to change such that it is fit for purpose for the emerging financial system and can accommodate future developments and technological advances, such as proposals for global stablecoins.


Even if crypto assets or crypto adjacent services are not captured under the Corporations Act, they may still be subject to other regulation and laws, including the Australian Consumer Law set out at Schedule 2 to the Competition and Consumer Act 2010 (Cth) relating to the offer of services or products to Australian consumers. The Australian Consumer Law prohibits (among other things) misleading or deceptive conduct in a range of circumstances, including in the context of marketing and advertising, and unconscionable conduct. The protections of the Australian Consumer Law are generally reflected in the ASIC Act, providing substantially similar protection to investors in financial products or services.

ASIC has also received delegated powers from the Australian Competition and Consumer Commission to enable it to take action against misleading or deceptive conduct in connection with crypto assets (regardless of whether it involves a financial product).


Smart contracts (including self-executing contracts) are permitted in Australia under the Electronic Transactions Act 1999 (Cth) (ETA) and the equivalent Australian state and territory legislation. The ETA provides a legal framework to enable electronic commerce to operate in the same manner as paper-based transactions. Under the ETA, self-executing transactions are permitted in Australia, provided that they meet all traditional elements of a legal contract, including an intention to create legally binding obligations; offer and acceptance; certainty; and consideration. The pre-determined and self-executing form of smart contracts creates difficulties where there is an element of discretion available to either party.


The taxation of crypto assets in Australia has been an area of much debate, despite recent attempts by the Australian Taxation Office (ATO) to clarify the operation of Australian tax law. For income tax purposes, the ATO views cryptocurrency as an asset that is held or traded (rather than as money or a foreign currency) however the tax implications for holders of cryptocurrency will depend on the purpose for which the cryptocurrency is acquired or held.

Please contact our Taxation and Fintech + Web3 teams should you wish to discuss.


While crypto asset issuers and service providers have sought to understand and comply with Australia’s existing regulatory framework, it is apparent that the existing regimes are not fit-for-purpose for web3.

There have been numerous Government reviews in connection with how crypto assets and crypto asset-adjacent services should be regulated as well as how the broader financial services landscape should be regulated. These include:

It is expected that the outcome of these reviews will have significant effects on the current regulatory regimes relevant to crypto assets.


The role of our advisors and how we can help with your web3 inquiries

The application of existing regulation to new and emerging web3 assets and business models is complex, exacerbated by anticipated regulatory changes. It is more important than ever for businesses and projects to partner with legal advisers that have a deep understanding of web3 and the evolving regulatory regime.

Gilbert + Tobin’s Fintech + Web3 team has a strong track record and breadth of expertise in the industry. Our experience is across the sector and includes digital wallets, stored value and payments providers, payment schemes and infrastructure operators, centralised and decentralised platforms and projects (including DeFi and DAO projects), traditional and emerging product distributors, digital currencies and exchanges, neobanks, fractionalised and tokenised assets, marketplace lending and buy now pay later products. We are well positioned to advise on regulatory regimes; product ideation, establishment and roll out; licensing and relief applications; distribution; disclosure; conduct review and more.

It is important to engage legal advisers early to ensure that your business is appropriately structured from the outset. Please be in touch should you wish to discuss.