Fintech 2022

Last Updated March 24, 2022

Australia

Law and Practice

Authors



MinterEllison is an international law firm, headquartered in Australia and regarded as one of Asia-Pacific's leading law firms. For close to 200 years, the firm has been a trusted adviser to its clients. MinterEllison's teams collaborate across Australia, New Zealand, Asia and the UK to provide trusted and seamlessly integrated solutions. As one of Australia's largest law firms, MinterEllison has significant national capability to provide legal services across a broad range of disciplines, including on financial services regulatory (FSR) and fintech matters. The firm's leading FSR practice is one of the largest across the Asia-Pacific region and at the forefront of the evolving fintech marketplace. Drawing on deep industry knowledge, the firm has a continuous effect on customer experiences and outcomes, regularly advising Australia's big four banks, insurers, wealth funds, payments and digital asset service providers and foreign financial services providers.

Increasing interest and support from regulators and the government, an innovative talent pool and a consumer market that embraces new technologies have encouraged the continued disruption by the fintech sector in Australia, in particular in relation to payments, data and cryptocurrency.

In 2021, the industry benefitted from record levels of investor capital with 82% of the 800+ Australian fintech companies having met or exceeded their capital raising expectations. This was up from 57% in 2020.

The worldwide recovery from the pandemic has seen Australian fintechs expanding overseas and increased foreign interest, with more than 40% of Australian fintechs generating revenue from overseas and 18% receiving more than half their revenue from international customers. 2021 also saw a flurry of fintech IPOs, with Judo being the first Australian bank to list on the ASX in 25 years.

Buy now, pay later (BNPL) thrived in Australia in 2021. The BNPL industry continues to be largely unregulated in Australia. Although the BNPL industry released a voluntary Code of Practice in March 2021, the focus remains on whether there are sufficient protections for consumers.

There are also predictions that the cryptocurrency sector will experience significant growth, with estimates that cryptocurrency and digital assets may contribute up to 2.6% of the national economy by 2030. 

At the same time, major acquisitions of, and partnership activity between, fintechs and larger traditional banks have been seen. CBA formed a relationship with Klarna, NAB acquired neobank 86 400 and Westpac has a relationship with Afterpay.

Opportunities and Priorities in 2022

The COVID-19 pandemic has resulted in an accelerated adoption of digital wallets and contactless payment. In light of the rapidly evolving payments landscape and off the back of a number of major reviews into the industry, the Australian government has announced plans to reform the current payments systems regulatory framework, with a strategy designed to "enable Australia to be a world-leading digital economy and society by 2030".

As part of this regulatory push, the government has also placed an emphasis on the regulation of cryptocurrency. If implemented, these reforms will impose market licensing and custodial obligations on operators of digital currency exchanges. See Australia Trends & Developments for a detailed discussion of these proposed reforms.

Open banking continues to be a priority, with a movement towards open finance with proposals to extend the consumer data right regime to the non-bank lending, merchant acquiring, superannuation and general insurance sectors.

In 2021, it was estimated that there were over 800 fintech companies across Australia, with over 40% of the industry represented by payment companies. Other verticals that currently dominate the industry include small and medium enterprise lending, digital banks, blockchain and cryptocurrency.

According to Fintech Australia, 70% of the fintech firms in Australia provide business to business services and are filling market gaps left by traditional financial institutions, with an increasing number of fintech companies providing middle and back office operations.

There is no one regime that regulates fintechs in Australia. A number of regimes may apply depending on the nature of activities a fintech provider is engaged in and the type of clients that are targeted (ie, "consumers" or "corporates"). The key regimes are discussed below.

AFS Licensing Regime

A person who carries on a financial services business in Australia is required by the Corporations Act 2001 (Cth) (Corporations Act) to hold an Australian financial services (AFS) licence, unless an exemption applies. The Australian Securities and Investments Commission (ASIC) is responsible for enforcing compliance with the AFS regime. The regime also has extraterritorial operation as it deems a person (whether in Australia or not) to be carrying on a financial services business in Australia if they induce clients in Australia to use their services.

Whether a fintech provider needs to obtain an AFS licence depends on whether their product is a financial product (eg, a deposit product, a security, a managed investment product or a non-cash payment facility) and/or they provide financial services in respect of a financial product (eg, providing financial product advice, issuing a financial product, providing custodial services and making a market for a financial product). For example, payment products are often a non-cash payment facility. Digital/crypto-assets could be a security, derivative or a managed investment product.

Core elements of the AFS regime include general licensing obligations, disclosure requirements, and certain conduct obligations and restrictions (eg, dispute resolution requirements, client money obligations, regulation of "personal advice", breach reporting and the prohibition of misleading and deceptive conduct).

AML/CTF Regime

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) regulates providers of "designated services" who have a sufficient "geographic link" to Australia. The AML/CTF Act is enforced by the Australian Transaction Reports and Analysis Centre (AUSTRAC).

The AML/CTF Act regulates a wide range of financial services providers, ranging from lenders and issuers of stored value and payment cards to remittance services and digital currency exchange operators (see 5.2 Regulation of Cross-Border Payments and Remittances and 2.13 Impact of AML Rules).

Core obligations of the AML/CTF regime include the requirement to enrol and/or register with AUSTRAC, to have an AML/CTF program to identify, manage and mitigate money laundering and terrorist financing risks, to undertake appropriate customer identification and ongoing monitoring and to make certain reports to AUSTRAC, including suspicious matter reporting.

Credit Licensing Regime

Under the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) a person who engages in consumer credit activities in Australia must hold an Australian credit licence (ACL) issued by ASIC unless an exemption applies. A person may be providing regulated credit if the credit is provided to a natural person or a strata corporation (the body responsible for managing commonly owned property) for personal, domestic, household or residential investment purposes and a fee is charged for providing the credit. This means loans made to most companies are not subject to the ACL regime. Certain types of credit are excluded from regulated credit, including short term credit and small amount credit contracts.

Core elements of the credit licensing regime include "responsible lending" obligations, prescriptive rules in respect of the form, content, advertising, variation and enforcement of loans and mandatory participation in the external dispute resolution scheme.

Registered Financial Corporation

A person that is engaged in the provision of finance (in the course of carrying on a business in Australia) may be required to register with the Australian Prudential Regulation Authority (APRA) as a registered financial corporation (RFC) under the Financial Sector (Collection of Data) Act 2001 (Cth) (FSCD Act). The requirement to register is not triggered unless the total amount of loans/debt for a financial year exceeds AUD50 million. If the threshold is exceeded, the person will need to register and regularly report to APRA on its financial position and its financing activities in Australia, subject to certain exemptions.

Payment System and Banking Regulations

The Payment Systems (Regulation) Act 1998 (Cth) (PSR Act) provides for the regulation of payment systems. The Reserve Bank of Australia (RBA) is tasked with overseeing the regulation of payment systems in Australia through the PSR Act (and other legislation). The RBA will only regulate "payment systems" where the RBA considers it would be in the public interest to do so (ie, failure of the payment system would have a materially detrimental impact on the economy).

The PSR Act also regulates stored value payment facilities. Broadly speaking, it requires operators of such facilities to be a bank or authorised by APRA or the RBA.

Concurrently, Australia's banking laws also regulate providers of stored value payment facilities. The Banking Act 1959 (Cth) prohibits a person from carrying on "banking business" in Australia unless it is authorised as an ADI by APRA or it falls within an exemption determined by APRA. The Banking Regulations 2016 (Cth) extends the definition of "banking business" to include the provision of a purchased payment facility that is subject to a determination by APRA.

Future Changes

It is important to note that significant changes to the regulatory regimes applicable to the fintech industry, particularly payments and digital asset providers, appear likely. These reforms remain in early stages with no concrete proposals or draft legislation introduced by the government yet. However, this is very much a "watch this space" in 2022.

Except where a participant holds an AFS licence, there is no specific restriction on the amount or type of fees that can be charged to consumers or the remuneration that can be received in respect of them.

AFS licensees and their representatives who provide financial product advice to retail clients must not be paid and must not receive "conflicted remuneration" from anyone other than directly from the consumer, subject to certain exemptions. Conflicted remuneration is any benefit (ie, monetary or non-monetary) which could reasonably be expected to influence financial product advice given by a licensee or its representative. Volume-based benefits are presumed to be conflicted remuneration. This is a prohibition that participants in the robo-advice industry must be acutely aware of.

Otherwise, participants are free to set their prices and discount their goods and services as they see fit. However, the following should be noted:

  • Australian anti-trust law requires prices to be set independently of competitors;
  • pricing goods below cost can be illegal in certain circumstances;
  • prices displayed by a business must be clear, accurate and not misleading to consumers; and
  • remuneration disclosure requirements apply to AFS and credit licensees.

Regulatory regimes that are potentially applicable to fintech participants (see 2.1 Predominant Business Models) do not distinguish between a "fintech" and a "legacy" player. 

However, the government is embarking on reforms to specifically accommodate digital assets, payments and related activities that do not neatly fit into the current regulatory framework.

The enhanced regulatory sandbox (ERS) exemption (see ASIC INFO 248) allows businesses to test certain innovative financial products or services or credit activities for up to 24 months without first obtaining an AFS or credit licence (see 2.2 Regulatory Regime for information about the AFS and credit licensing regimes).

There are various pre-conditions to relying on the ERS. For example, applicants cannot already be licensed in Australia and they cannot have previously used the ERS for the same product. There is also a AUD10,000 individual client limit and an aggregate AUD5 million total exposure limit.

Interested parties must lodge an application to ASIC and satisfy two eligibility tests:

  • sufficiently explain why exempting their proposed financial service, product or credit activity will result in a public benefit; and
  • explain why each financial product, financial service or credit activity proposed constitutes a new or innovative improvement.

Although the ERS exempts a business from the need to hold an AFS or credit licence, the business must still comply with various ongoing obligations, including certain disclosure and conduct requirements and holding adequate professional indemnity insurance.

APRA also offers a regulatory stepping stone in the form of a "restricted ADI licence". The Restricted ADI licence allows eligible participants to conduct limited banking services for two years as they prepare to comply with the full prudential requirements of an ADI licence. APRA has recently shifted the focus of the Restricted ADI assessment to favour sustainable and ongoing metrics as opposed to a point in time evaluation to obtain the Restricted ADI licence. This change reflects recent difficulties faced by ADIs (see 2.9 Significant Enforcement Actions) which may mean that it is more difficult for new entrants to gain access to the Restricted ADI framework.

See 2.2 Regulatory Regime.

Broadly speaking, a regulated fintech provider is not prohibited from outsourcing but is required to have appropriate governance, compliance and audit processes to manage outsourcing activity. There are also no requirements for outsourcing contracts, except for custody contracts. However, given the regulated entity remains responsible for compliance with relevant obligations, service providers are typically required to perform activities to ensure compliance with relevant law. Unless the service outsourced is regulated (eg, custody), it is not necessary to outsource to a regulated service provider.

APRA-regulated entities face more stringent requirements and need to notify APRA when outsourcing material business activities and, if offshoring, consult with APRA first (see 2.10 Implications of Additional, Non-financial Services Regulations (Cybersecurity)). APRA also requires outsourcing contracts to comply with certain requirements.

See 7.1 Permissible Trading Platforms, 7.2 Regulation of Different Asset Classes and 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

ASIC has been actively monitoring the fintech market. ASIC:

  • has warned Australians "to be wary of investing in crypto and crypto-asset related financial products, such as options and futures, through unlicensed entities";
  • is particularly focused on misleading or deceptive conduct in the marketing and selling of digital or virtual tokens via ICOs; and
  • received delegated powers from the ACCC in April 2018 to take action under the Australian Consumer Law relating to crypto-assets (ie, meaning ASIC can take action regardless of whether the asset is a financial product).

ASIC took action in September 2018 to stop the offer of a crypto-asset managed investment scheme by Investors Exchange Limited because ASIC identified unlicensed conduct and the use of misleading and deceptive conduct.

Following the collapse of neobank Xinja at the start of 2021 in which APRA revoked Xinja's authorised deposit-taking institution (ADI) licence, APRA launched a review into its ADI licence granting framework and mandated higher capital requirements and plans for revenue-generating products. APRA is also investigating prudential matters following Xinja's ADI licence revocation, particularly in relation to capital raising tactics.

There have also been several investigations of criminal syndicates money laundering through the cryptocurrency bitcoin.

Towards the end of 2021, ASIC shut down unlicensed financial services business A One Multi. ASIC alleged that more than AUD2.4 million was transferred from A One Multi to purchase crypto-assets.

Privacy

Australian privacy laws (see Privacy Act 1988 (Cth)) regulate how entities are able to collect, hold, use and disclose different types of information, and impose higher obligations for certain types of information such as credit information, health information and other sensitive information (eg, racial or ethnic origin, political or religious belief, union membership, sexual orientation or practices and criminal record).

In addition, entities may be required to comply with the privacy protections under the Consumer Data Right (CDR) regulations, which are extensive (see 13. Open Banking).

Competition and Consumer Laws

As well as regulating anti-competitive conduct, Australian competition and consumer protection laws (eg, Competition and Consumer Act 2010 (Cth)) provide important protections to consumers when dealing with businesses, including from unfair contract terms, misleading or deceptive conduct, unconscionable conduct, false or misleading representations, consumer guarantees, bait advertising, pyramid selling and excessive payment surcharges. The Australian Competition and Consumer Commission (ACCC) is in charge of enforcing compliance with competition and consumer law.

Cybersecurity

For participants that are regulated by APRA, Prudential Standard CPS 234 sets out minimum information security standards to ensure regulated entities are protecting against security vulnerabilities and cybersecurity threats. The obligations imposed by CPS 234 also include consistent testing of security systems and notification obligations for regulated entities that experience information security incidents.

The Australian government has introduced reforms as part of its Australian Cyber Security Strategy 2020 (ACSS). A key part of the ACSS is the reform of security of critical infrastructure (SOCI) laws, which aims to manage risks to national security related to "critical infrastructure assets" within critical infrastructure sectors. Importantly, the new SOCI regime includes the financial services sector as a "critical infrastructure sector". This will likely have a bigger impact on legacy players, but fintechs supplying to those affected by this regime may see relevant requirements being "pushed down" to them from a contractual perspective to ensure compliance with the new laws.

Industry bodies (eg, FinTech Australia, Blockchain Australia and Regtech Australia) play an active role in developing standards for fintech participants in Australia. These industry groups often publish voluntary "best practice" codes for adoption to promote consumer protection, particularly where gaps exist within existing regulatory regimes.

For example, the Australian Finance Industry Association (AFIA) released a Buy Now Pay Later (BNPL) Code of Practice in 2021, which sets standards exceeding the requirements of relevant Australian law. While AFIA do not enforce their standards currently, a BNPL provider that wants to become a member of the Code must go through an accreditation process to become a "Code Compliant Member".

Legacy providers such as banks also often act as gatekeepers, particularly for unregulated services, often de-banking these entities. See 12.3 Classification of Blockchain Assets in relation to issues around de-banking.

Rules enforced by existing payment infrastructure providers and the international card scheme operators (eg, VISA, AMEX, etc) also establish practical standards and oversight for fintech operations.

Broadly speaking, it is possible for participants to offer both regulated and unregulated products and to do so through the same legal entity. For example, a BNPL provider could offer an unregulated BNPL product as well as obtain an Australian credit licence and offer a regulated "traditional" consumer loan product. However, it is common to seek to limit contagion risk by setting up separate companies to engage in different activities, particularly where some are regulated and others are not. Also, additional restrictions apply to APRA-regulated entities.

The Australian AML/CTF regime captures a broad range of financial services, including credit and debit cards, stored value facilities, money transfer services and digital currency exchange services. Accordingly, fintech companies may be subject to regulation under the AML/CTF regime (see 2.1 Predominant Business Models) – if so, they will have a number of obligations including enrolling with AUSTRAC, implementing an AML/CTF programme, performing KYC on all customers and their beneficial owners, reporting suspicious matters to AUSTRAC and annual compliance reporting.

Even if a participant is unregulated, it will likely be indirectly impacted by AML/CTF rules where it obtains services from a third party provider (eg, banks) who provide regulated services and are required to undertake detailed KYC on the participant. For example, it has been often reported that blockchain and cryptocurrency related companies have had difficulties accessing reliable banking services because they sit outside the risk appetite of banks and therefore are refused banking services. This is an issue that the Australian government is aware of, and is seeking to develop a clear process for any businesses that have been "de-banked" as part of its 2022 reform initiatives.

The key regulatory regime for robo-advisers is the AFS licensing regime (see 2.2 Regulatory Regime). The provision of financial product advice is a regulated activity in Australia that generally requires the provider of the advice to hold an AFS licence.

There are various classes of "financial products" recognised by the AFS licensing regime – for example, deposit products, derivatives, life and general insurance, managed investments and securities. The AFS licence specifies the particular types of financial products the licensee is permitted to provide services in respect of. Accordingly, a robo-adviser must ensure its AFS licence lists all relevant types of financial products that its robo-advice platform will cover.

There are also a number of other regulated activities which may be performed in connection with robo-advisory services such as arranging for the client to acquire, vary or dispose of financial products. Such "dealings" are a separate category of financial service and if such activities are to be engaged in, the corresponding AFS licence authorisation must be obtained.

ASIC has published regulatory guidance specifically for the robo-advice industry.

In addition, if robo-advice covers consumer credit products, the adviser will likely need to hold an Australian credit licence if specific products are identified.

Legacy players have shown a willingness to champion a hybrid model to incorporate robo-advice and/or solutions provided by robo-adviser platforms into their service offering.

However, Australia has stringent rules and requirements when it comes to the provision of "personal" financial product advice to retail consumers – which is what most robo-advice solutions will be. Those rules impose high standards of behaviour on the adviser, including to act in the best interests of the client, give appropriate advice and give priority to the client's interests. Accordingly, robo-advisers (and robo-advice solutions) face the same compliance hurdles as "traditional" financial planning services, which has limited the growth of robo-advice within legacy players.

It is generally accepted in Australia that financial advisers owe fiduciary duties to their clients, particularly where they undertake dealings on behalf of the client. The best execution obligation as it is understood in Australia is essentially an aspect of the duty of loyalty that a fiduciary owes to their client. It is therefore likely to apply to robo-advisers when they also execute or arrange for the execution of trades by their clients.

Robo-advisers which are also market participants on an Australian financial market will also be subject to a statutory best execution duty under the Market Integrity Rules and therefore be required to take reasonable steps to obtain the best outcome for the client (rule 3.8.1 of the ASIC Market Integrity Rules (Securities Markets) 2017).

Licensed robo-advisers are also subject to general licensing obligations and specific advice obligations which are likely to be relevant, including:

  • the duty to act in the best interests of clients;
  • the duty to give priority to client interests; and
  • the duty to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly.

For a robo-adviser, clear monitoring and testing of the algorithms underpinning the advice and communication with clients using robo-advisers will be important. ASIC Regulatory Guide 255 is an important source for understanding how digital advice obligations and disclosure requirements apply.

Lending to individuals and strata corporations for personal, domestic or household purposes or for investment in residential property triggers the need to hold an ACL (see 2.2 Regulatory Regime).

Not all loans to consumers require an ACL, depending on how they are structured, the amount of the loan and its duration. For example some payday lenders, pawnbrokers and BNPL loans generally fall outside the ACL regime.

Loans made for business or investment purposes to individuals (other than investment in residential property) and all loans made to corporate entities (other than strata corporations) are not subject to the consumer credit laws. However margin loans provided to individuals are regulated as financial products under the AFS licensing regime.

In addition, loans made to consumers and small businesses using standard form contracts are regulated under more general consumer protection laws overseen by ASIC. These general consumer protections can apply even if the product itself sits outside the ACL and AFSL regimes. These consumer protections largely mirror those that are enforced by the ACCC under Australian Consumer Law (see 2.10 Implications of Additional, Non-financial Services Regulations).

Market practice for loans to individuals and small businesses is also heavily influenced by a number of industry codes, such as the Banking Code of Practice, the Customer Owned Banking Code of Practice and the Buy Now Pay Later Code of Conduct. In particular, the Banking Code of Practice is the first industry code approved by ASIC. Although not necessarily applicable to all lenders, the Codes may be influential to AFCA and courts where general concepts of unfairness are being considered.

Finally, all lenders are potentially subject to AML/CTF law and the need to register with APRA as a registered financial corporation regardless of the type of customer.

Processes for loan underwriting in Australia vary depending on the nature of the credit provided.

For regulated consumer credit loans, the process is heavily influenced by statutory "responsible lending" requirements. Lenders must ensure that a loan is "not unsuitable". Conducting a loan unsuitability assessment requires an understanding of the borrower's requirements and objectives in obtaining the credit as well as the capacity of the borrower to repay the loan. Responsible lending places obligations on credit providers to take reasonable steps to verify the financial circumstances of loan applicants. Responsible lending obligations also apply where existing borrowers are seeking credit limit increases. ASIC has issued extensive guidance on responsible lending obligations and there have been a number of test cases. Generally speaking, a loan will be regarded as unsuitable if the borrower is unable to repay it without incurring substantial hardship (and in that respect an inability to repay a loan without selling their principal place of residence).

APRA regulated bodies must also comply with prudential standards relating to credit risk for all loans. APRA has also issued specific guidance for lenders in the residential property market.

Australian lenders in that market are able to obtain lender's mortgage insurance (LMI), which is provided by entities that hold an AFSL. The existence of LMI or a healthy loan to valuation ratio however does not avoid the need for meeting responsible lending laws.

Loan underwriting processes for business or investment purposes (other than investment in residential property) are not regulated by the responsible lending laws. However, some lenders may be subject to common law obligations or obligations under codes of practice that apply to them when lending to small businesses in particular. These may impose obligations of prudence and diligence on lending into this sector (although those obligations tend not to be as prescriptive or onerous).

Loans can be funded through various channels including through P2P lending, mortgage funds, deposit taking and securitisation and corporate capital raising. However most arrangements will require regulatory licences.

The majority of loan funds in Australia are sourced through deposits. Persons raising funds through deposit taking must generally obtain an authorisation from APRA under the Banking Act 1959 to be an authorised deposit taking institution (ADI). There are significant prudential obligations for ADIs including comprehensive rules relating to operational risks and capital adequacy. Obtaining an ADI authorisation requires significant resources and capabilities.

There is an alternative regime for raising funds from the public by issuing debentures regulated by ASIC which requires a regulated prospectus to be issued and for the issuer to enter into a trust deed and appoint a trustee to protect the interests of debenture holders. Issuers will not however need to hold an AFS licence unless they raise funds to make investments.

Raising funds for lending activities may however require an AFS licence if the fund raising structure is a managed investment scheme and not a debenture. P2P lending structures and mortgage funds will usually require an AFS licence. In most cases where a unit trust or fund structure is used, an AFS licence authorising the issue of interests in a managed investment scheme will be required. If the scheme is offered to retail clients, the scheme must be registered with ASIC. Registered schemes require detailed disclosure and attract high levels of compliance, operating costs and complexity.

There is a developed securitisation industry. This represents a small portion of funding for loans in Australia. An AFS licence is required if the lender is the securitisation product issuer or manager, unless an exemption applies. Although an ADI licence is not required, where an ADI is involved in issuing securitisation products, they must also comply with APRA prudential standards.

Loan syndication is a feature of corporate lending in Australia but this tends to be used only for larger corporate loans.

Syndication arrangements usually involve the appointment of one or two banks as arrangers who will be appointed to arrange the syndicate, including negotiation and management of loan and security documents.

A "manager" will act as the principal point of contact between the borrower and the members of the syndicate during the life of the loan. Often the same bank will be appointed as manager and lead arranger.

If the syndicated loan is secured, there will also usually be a third party trustee that holds the security on behalf of the lenders under a trust created for the purpose of the syndicated lending arrangement.

A variation on the loan syndicate is a club loan structure. These structures tend to be arranged by borrowers or their advisors. Under these arrangements there may also be a shared security arrangement.

The distinguishing feature of these arrangements is that, while there will be common terms and conditions for arrangements with each lender, the club structure involves a series of parallel loans. Each of the lenders in the club has a short form loan agreement with the borrower that adopts the common terms but contains key elements relating to pricing, which are kept confidential between the borrower and the lender. The borrower will usually have a more active role in arranging the composition of the club and their respective contributions.

Payment rails in Australia include the card rails (Visa, Mastercard, Amex, eftpos), the rails for direct entry and direct debit payments known as the Bulk Electronic Payment System (BECS), the real-time payments rails operated by New Payment Platform Australia (NPP) and the international bank to bank transfer rails (SWIFT).

Payment processors are not limited to utilising only existing payment rails in the market. However, due to the time and cost involved in creating a new payment rail, in practice participants are largely limited to existing payment rails. This is evidenced by the fact that the NPP is the only one of the above-mentioned sets of rails that has been introduced within the last 25 years (launched in 2018) and it required the collaboration of 14 financial institutions, including all four of the major banks in Australia.

Operators of new payment rails will have to be mindful that they may attract regulation under AFS licensing and payment systems laws (see 2.1 Predominant Business Models).

Fintech providers that provide remittance/money transfer services (both domestic and cross-border) are at risk of being regulated under the AML/CTF regime. Remittance providers must successfully register with AUSTRAC before commencing any business in Australia.

See 2.1 Predominant Business Models and 2.13 Impact of AML Rules for more information about the Australian AML/CTF regime.

Remittance providers regulated by the AML/CTF regime have a number of ongoing reporting obligations to AUSTRAC. In particular, they must report the details of every international funds transfer regardless of value and also report to AUSTRAC immediately upon becoming aware of suspicious matters.

In addition, remittance/money transfer services may also trigger obligations under the AFS licensing regime if those services involve offering a new non-cash payment facility to consumers and/or otherwise assisting a client to acquire financial products, such as opening bank accounts and acquiring debit/prepaid card facilities.

The key regulatory regimes potentially applicable to fund administrators are the AFS licensing and AML/CTF regimes. Whether a fund administrator is caught depends on the extent of their "administrative" activities. If activities are limited to pure "back office" services, then it is unlikely to trigger regulation under those two regimes. However, if the administrator interacts with customers directly, eg, operating a call centre, then they may require an AFS licence because such activity may involve the provision of financial product advice. Further, the AML/CTF regime regulates fund administrators who hold and use their AFS licence to arrange for a customer to receive another regulated service (eg, to be issued with an interest in a fund).

Other regulation may also apply – see 2.2 Regulatory Regime. For example, the need to comply with privacy law when collecting personal information. If the fund has investors that are US citizens or residents, the fund administrator will likely have to report that information to the US Internal Revenue Service and comply with the Foreign Account Tax Compliance Act.

Additionally, funds often delegate part of their regulatory obligations to the fund administrator, eg, the obligation to perform KYC on underlying customers. In this way, the fund administrators may indirectly be required to comply with relevant regulatory regimes as if they were a regulated entity.

Aside from responsible entities of registered managed investment schemes that operate a very small number of funds, fund administration services are typically outsourced in Australia.

It is industry custom for contracts between a fund operator and a fund administrator to be highly prescriptive setting out fixed fee services, detailed service standards and mandated regular meetings with the operator. The service standards for these agreements are typically that of a "professional and competent manner". A fund administration agreement will also incorporate compliance with relevant regulatory obligations.

Trading platforms and marketplaces that are most relevant to fintechs in Australia are cryptocurrency exchanges and NFT marketplaces. Of course, securities and other investments are traded through regulated financial markets or are made available to retail clients through registered funds, investor directed portfolio services (or "wrap accounts") or managed discretionary accounts. These structures are each subject to detailed regulatory requirements and frequently support the offer of separately managed account and managed portfolio offerings, which are becoming increasingly popular with financial advisers in Australia.

Cryptocurrency Exchanges

In Australia, there is a wide range of different cryptocurrency exchanges, such as Coinjar, Swyftx & Coinspot, to name a few.

Overview – AML/CTF Regime

The AML/CTF Act was amended in 2018 to specifically regulate digital currency exchanges. A digital currency exchange provider must register with AUSTRAC (and comply with other relevant obligations) if it exchanges money (Australian or foreign currency) for digital currency or digital currency for money (Australian or foreign currency), as part of operating a digital currency exchange business. See 2.2 Regulatory Regime and 2.10 Implications of Additional, Non-financial Services Regulations for more information about AML rules. Practically, most of the larger platforms allow for this functionality and are registered with AUSTRAC, for example Binance and Swyftx.

A cryptocurrency exchange that does not deal with fiat currency (ie, exchanging crypto for crypto only) will generally not be regarded as a digital currency exchange. However, the operator may be providing another designated service regulated under the AML/CTF Act (eg, remittance services).

AFS, markets and clearing licensing

A cryptocurrency exchange operator is likely to trigger the need for an AFS licence if one or more of the crypto-assets that users are permitted to trade on the platform are considered to be a financial product.

If the operator facilitates trading directly between users (such as a peer-to-peer platform), then the operator may need to obtain an Australian markets licence.

Depending on how transactions in crypto-assets that are financial products are cleared and/or settled, the exchange operator may also be operating a clearing and settlement facility and require a clearing and settlement facility licence.

The latter two licensing regimes present a significant regulatory hurdle to overcome given they are time consuming, costly and onerous to obtain and maintain.

Currently, most of the larger exchanges do not operate with an AFSL (eg, Binance Australia, Swyftx & Coinspot). However, Crypto.com (another large exchange) did acquire an AFS licence through its acquisition of The Card Group Pty Ltd.

NFT Marketplaces

Generally, NFT marketplaces are not regulated. However, as discussed, it is largely dependent on the characterisation of NFT assets that are offered and what they are used for. See 12.9 Non-fungible Tokens (NFTs).

If the crypto-asset is or involves a financial product, then it may trigger licensing obligations on the product issuer or other entities involved in the offer of that asset to customers (unless an exemption applies).

Most relevantly, a crypto-asset could involve one or more of the following financial products:

  • a managed investment scheme;
  • an offer of a security;
  • an offer of a derivative; or
  • the token issued under an ICO could be a non-cash payment facility.

To ascertain whether a crypto-asset is one of these financial products, the rights attached to the crypto-asset must be assessed against the statutory definition of each type of financial product. ASIC has stated that what is a "right" should be interpreted broadly and includes rights that may arise in the future or on a contingency, and rights that are not legally enforceable.

Additionally, certain types of financial products may trigger regulation under different regulatory regimes – see 2.2 Regulatory Regime.

The emergence of cryptocurrency exchanges has had and will have a significant impact on Australia's financial services regulatory framework. To date, there has been only one key change: the amendments to the AML/CTF regime in 2018 to regulate digital currency exchange providers. The AFSL regime has not been amended specifically to capture digital assets and cryptocurrency exchanges.

However, this may soon change given the Australian government announced proposals at the end of 2021 to undertake significant reforms in respect of cryptocurrency activities. The reforms aim to modernise and expand the licensing framework for businesses that Australian consumers engage with to buy, sell or hold digital assets like crypto-assets. This includes potentially requiring cryptocurrency exchanges to obtain an Australian markets licence and comply with custody requirements. The government also intends to undertake a token mapping exercise to determine how different types of digital assets should be classified and treated under relevant financial services laws.

Not applicable given cryptocurrency exchanges are largely unregulated (currently) in Australia.

Order handling rules are contained in ASIC Market Integrity Rules. Not applicable given cryptocurrency exchanges are largely unregulated (currently) in Australia.

Peer-to-peer platforms are subject to the same regulations as other trading platforms discussed in 7.2 Regulation of Different Asset Classes.

Rules for best execution are contained in ASIC Market Integrity Rules. Not applicable given cryptocurrency exchanges are largely unregulated (currently) in Australia. Of course, if a fiduciary relationship is established with a client, then the duty of loyalty will in effect impose best execution obligations on the provider.

Rules for payment order flows are contained in ASIC Market Integrity Rules. However, they are not applicable here given cryptocurrency exchanges are largely unregulated (currently) in Australia.

Regulated securities and futures markets (and participants in those markets) are subject to ASIC Market Integrity Rules. However, they are not applicable here given cryptocurrency exchanges are largely unregulated (currently) in Australia.

However, there are general prohibitions against misleading or deceptive conduct under Australian Consumer Law including using social media to generate the appearance of a greater level of public interest in a crypto-asset and undertaking or arranging for a group to engage in trading strategies to generate the appearance of a greater level of buying and selling activity for a crypto-asset.

Under the Corporations Act, ASIC is able to make market integrity rules for domestic licensed financial markets. In response to increased concerns about high-frequency and high-frequency-like trading in 2012, ASIC made market integrity rules specific to extreme price movement, automated trading, suspicious activity reporting, price improvement and block trade and market operator enhanced data reporting.

ASIC adjusts proposals for new rules as it continues to monitor trends in high-frequency trading. For example, in 2020 ASIC issued directions under the ASIC Market Integrity Rules to a number of large equity market participants, requiring those participants to limit the number of trades executed each day to prevent algorithmic and high frequency trading systems used by these participants from choking the post-trade settlements and clearing pipeline.

In addition, ASIC's approach to the regulation of high-frequency trading includes adopting measures for pre-emptive action, automated order processing certification, referrals to its enforcement department and Markets Disciplinary Panel and surveillance by ASIC's market surveillance system.

Making a market for regulated financial products requires an AFS licence if:

  • a person regularly states the prices at which they propose to acquire or dispose of financial products on their own behalf; and
  • others have a reasonable expectation that they will be able to regularly effect transactions at the stated prices; and
  • the products are not superannuation, managed investment or investment-linked life insurance products issued by the person.

Making a market in other products (such as cryptocurrency or NFTs which are not financial products) is not regulated in Australia.

Part 3.2 of the ASIC Market Integrity Rules (Securities Markets) 2017 (Market Integrity Rules):

  • requires a market participant trading on an Australian financial market to disclose when they are acting or may act as principal when entering into a market transaction; and
  • imposes obligations in relation to issuing market transaction confirmations, brokerage and commission and keeping records when a market participant is trading as principal. 

There are no specific regulations which distinguish between funds and dealers engaged in algorithmic trading. 

Developing and creating trading algorithms and other electronic trading tools are not specifically regulated in Australia. However, the Market Integrity Rules set out requirements for trading participants that use AOPs, such as having in place organisational and technical resources to ensure they can comply with their obligations for trading through AOPs and having security arrangements to monitor and prevent unauthorised access to the system. ASIC can also give directions to cease, suspend, limit or prohibit algorithmic programs (AOPs) where poor AOP controls lead to continuing patterns of issues such as order deletions and over trading.

Financial research platforms must hold an AFS licence if they provide financial product advice to retail or wholesale clients. Financial product advice is any recommendation or opinion, or a report of either of those things, that is intended to influence a person's decision about a financial product or a class of financial products, or which could be reasonably expected to have such an influence.

The Australian Code of Practice on Disinformation and Misinformation was adopted by Twitter, Facebook, TikTok, Google and various other social media companies in early 2021. The code is a voluntary code of conduct outlining actions that members will take to address disinformation and misinformation spread on their platforms. The code is designed to assist users of social media platforms to identify reliability and trustworthiness of news content and information. While the general public can make complaints about potential breaches of the Code by signatory platforms, the independent complaints sub-committee has no punitive powers where breaches occur.

Various consumer protection provisions, both within the general Australian consumer law and specifically within financial services law, help to regulate unverified information (see 2.10 Implications of Additional, Non-financial Services Regulations). However, they would not apply to members of the public so typically it is left to companies to pursue private legal actions (eg, injunctions) to address the spreading of rumours and other defamatory statements by specific individuals.

There are also of course stringent rules on insider trading and market manipulation which are offences.

Additionally, we understand that the fintech and crypto community have self-policing measures to deter such behaviour, with individuals or entities within the community that spread misinformation often finding themselves blacklisted.

Given "pump and dump" schemes and other unacceptable behaviour on social media often operate on an anonymous and international scale, policing them can be difficult. The government's current regulatory position is largely "buyer beware". Regulators such as the ACCC and ASIC rely on awareness and education campaigns to educate the general public and potential investors about the red flags and dangers of potential rug pull, pump and dump and other schemes. They are also appealing to the industry and consumers to report individuals who may be giving financial advice disguised as "opinions" on social media.

For example, ASIC recently warned companies about so-called "finfluencers" who may engage in market misconduct including "pump and dump" schemes. These schemes involve an individual buying shares in a company and then promoting ("pumping") it, thereby increasing the share price before selling ("dumping") their now-overvalued shares, causing their value to plummet. ASIC monitors the market for extreme price movements that may be the result of pump and dump schemes; however, companies and investors are urged to be aware of such schemes.

Investors are also warned by ASIC to be wary of "rug pull" schemes in which creators vanish with investors' funds after launching what appear to be legitimate crypto projects.

Federal and State discrimination law is the only regulation which directly impacts on insurance underwriting. There are exemptions for certain types of discrimination where the discrimination is reasonable, eg, it is based on actuarial or statistical data which is reasonable to rely on and the discrimination is reasonable having regard to the data. Concerns have been expressed about the quality of the data relied on by insurers in their underwriting processes: see PIAC report on Mental Health Discrimination in Insurance. The Financial Services Council (FSC) Life Insurance Code of Practice also imposes requirements for underwriting. The FSC has also adopted requirements relating to and a moratorium on genetic tests in life insurance in FSC Standard No 11.

Insurers are also subject to strong prudential regulation and disclosure requirements and the unfair contracts terms regime for insurance commenced in 2021. Privacy and data security is also a major regulatory consideration for insurers and insurtech.

The key "categories" of insurance in Australia are life (including annuities), general, and private health insurance. Industry participants generally specialise in one category of insurance. Each type of insurance has its own regulatory regime with different requirements applying to each. Generally speaking, insurers must be authorised by APRA. However, Lloyds syndicates can operate without APRA authorisation as can foreign insurers in certain circumstances, eg, where the insurance is not available from Australian insurers or the insured is a large business.

Issuing and distributing life and general insurance products also requires an AFS licence issued by ASIC unless an exemption applies (eg, wholesale insurers and their representatives are exempt).

Life investment policies trigger obligations both as a life insurance product and an investment product. This means, for example, disclosures about the fees and costs of a life investment policy typically have to include a level of disclosure akin to managed investment products.

Industry groups have also published codes of practice and conduct relating to life insurance, general insurance and insurance brokers.

There have not been any specific changes to regulation to capture regtech providers. As discussed in 2.2 Regulatory Regime, the nature of activities engaged in by the regtech provider will determine whether they trigger obligations under any of the financial services regulatory regimes. It is understood that most providers currently are "unregulated" but as the industry grows, the government may look to regulate or accredit regtech providers.

In ASIC's Corporate Plan 2021–25, it committed to supporting fintech, suptech and regtech and promoting the application of regtech to deliver better regulatory compliance and consumer outcomes. This can be seen through ASIC's establishment of the "ASIC Innovation Hub" which is designed to assist regtech start-ups with things like training datasets and networking opportunities.

Regulated financial services firms face a number of regulatory obligations. In particular, firms such as banks, insurers and superannuation funds must comply with stringent prudential standards set by APRA, including in relation to information security and managing data risk and outsourcing. Although those standards do not set specific requirements in terms of performance, broadly speaking they do require the regulated firm to monitor and ensure any outsourcing arrangement does not affect the firm's ability to comply with relevant obligations.

As a result, firms will impose contractual terms requiring that the regtech service provider and their technology perform in a manner which complies with relevant law and that the firm is indemnified for losses caused by the technology failing to operate in such a manner. APRA-regulated firms will also often require their technology service providers to be compliant with relevant APRA prudential standards as if they were a regulated entity (such as CPS 234 & CPG 235).

Two key trends of institutional adoption have been the harnessing of blockchain infrastructure for increased efficiencies and the creation of products to support crypto-assets in response to consumer demand.

The Australian Stock Exchange (ASX) was one of the first institutions to adopt blockchain infrastructure. ASX announced in December 2017 it would replace its clearing and settlement system, "CHESS", with a blockchain based system. The replacement was intended to digitise processes, allow access to real time data and develop applications to streamline corporate actions. The ASX project is anticipated to be fully operational in April 2023.

The Reserve Bank of Australia (RBA) has also been exploring potential efficiencies related to crypto-assets. In December 2021, RBA released a final report combined with industry partners on a new wholesale central bank digital currencies (CBDC) project. This project is a proof of concept for issuing tokenised CBDCs which could be used by wholesale market participants to fund, instantly settle and repay syndicated loans.

There has also been a trend towards increasing consumer access to crypto-assets; largely as a result of consumer demand. In November 2021, CBA (the largest consumer bank in Australia) announced that it would offer consumers the ability to buy, sell and hold crypto-assets directly through their banking app.

A range of exchange-traded products have also been launched to provide investors exposure to crypto-assets.

AUSTRAC regulates Digital Currency Exchanges and therefore takes an active role in assessing whether each exchange has appropriate systems and controls to identify, mitigate and manage the risk of users using the blockchain assets on an exchange for illegal activity.

ASIC has adopted a technology neutral approach with the view that crypto-assets which have the features of a financial product must be regulated accordingly. ASIC released detailed guidance in INFO 225 to set parameters for determining whether a crypto-asset is a financial product and whether an entity is providing a financial service. ASIC has also released detailed guidance on exchange traded products (ETPs) seeking to offer exposure to crypto-assets.

The ATO was an early mover relative to other regulators issuing guidance and clarifying the application of the Capital Gains Tax regime to investments in crypto and other digital assets since 2014. The tax position on crypto-assets was also the subject of recommendations from the Senate Committee Report. Accordingly the Capital Gains Tax (CGT) regime will be subject to a review to re-assess when a genuine CGT event arises in the context of a crypto-asset transaction.

Parliamentary committees have also been engaged in a number of reviews regarding the sector. The "Senate Select Committee on Australia as a Technology and Financial Centre" issued its report in October 2021, recommending a number of changes to the existing regulatory framework to specifically consider and accommodate digital assets. The government has agreed to most of the recommendations so we are expecting major changes to this sector in the near future.

Only crypto-assets which have the features of existing regulated financial products or services will be regulated under the AFS licensing regime. As a result, the classification of blockchain assets must be considered on a case-by-case basis.

Even where a crypto-asset does not have the features of a financial product or service, the issuer (and any exchange) must comply with Australian Consumer Law.

In addition, crypto-assets may be registered on the Personal Property Securities Register (PPSR). The PPSR is an official government register of security interests in personal property, which allows individuals to register their claim of a security interest over personal property on a publicly accessible register. With El Salvador accepting Bitcoin as currency, Bitcoin may now fall into the definition of financial property (ie, foreign currency) in Australia. NFTs may also fall into the category of general intangible property for the purposes of the PPSR. While the PPSR is a useful register for individuals to view the chain of property ownership, it remains to be seen whether individuals who have a security interest over blockchain based assets, which are inherently traceable, will adopt this practice.

See 2.1 Predominant Business Models, 7.1 Permissible Trading Platforms and 7.2 Regulation of Different Asset Classes for more information about the above regulatory regimes.

Issuers of blockchain assets are subject to regulation depending on the classification of that asset as outlined in 12.3 Classification of Blockchain Assets.

If an entity issues a crypto-asset that is a financial product, the issuer will need to comply with the AFS licensing regime (see 12.2 Local Regulators’ Approach to Blockchain). That regime contains various requirements for the sale of financial products, including the need to provide appropriate disclosure through a prospectus (if a security) or a product disclosure statement (if another type of financial product).

An area of uncertainty that remains is the regulation of financial products issued through a decentralised autonomous organisation (DAO). The Government has indicated it will consider establishing a DAO company structure, which will inform how regulation and enforcement would be pursued.

See 12.5 Regulation of Blockchain Asset Trading Platforms and 12.9 Non-fungible Tokens (NFTs).

There is no specific regulation of blockchain asset trading platforms. However, if an entity makes a financial product available for consumers they may still be regulated in respect of that crypto-asset. For example, if a DCE lists a financial product and makes it available to consumers they may be seen as making a market for a financial product or dealing in a financial product. Both activities may be captured by the AFSL regime. This means that DCEs must actively review and consider the crypto-assets that they list and ensure that this aligns with the licences that they have. Certain trading platforms, where a payment is made not through the delivery of physical currency, may also be considered as a non-cash payment facility which requires an AFS licence to operate.

DCEs are already captured by AML/CTF Laws if they enable the exchange of fiat to crypto-assets. To the extent that DCEs facilitate payments to a third party using crypto-assets, they may be providing a separate designated service under AML/CTF Laws as a remitter.

If a DCE is providing crypto-assets that are not financial products they are subject to consumer protection regulation, eg, the prohibition on misleading or deceptive conduct and the consumer guarantee regime.

Investing in blockchain assets does not of itself attract specific regulation, unless the asset itself is a financial product. If the asset is a "derivative", each party to the derivative contract is considered an 'issuer' of that product and that may attract AFS licensing obligations.

The fund/fund operator will typically be subject to AFS licensing (see 2.2 Regulatory Regime). Funds in Australia are typically structured as a trust and constitute a managed investment scheme. This requires the operator to hold an appropriate AFS licence. If the fund has retail clients, then it must be registered with ASIC and the fund operator is subject to a greater level of regulation, including to act in the best interests of members of the scheme.

In addition, fund operators will likely have to comply with AML/CTF laws (see 2.2 Regulatory Regime and 2.13 Impact of AML Rules).

Virtual currencies are specifically regulated as an asset/type of product by AML/CTF regulation. They are not subject to a bespoke classification by AFS licensing laws and are considered in the same way as other digital assets. Ultimately the purpose and features of the virtual currency/asset determine its classification, as discussed in 7.2 Regulation of Different Asset Classes.

Currently, there are no specific regulations for DeFi platforms. Regulation such as AFS licensing and AML/CTF applies to a person that provides regulated services. The difficulty arises, as is the case with DeFi, where there is no identifiable person or entity which can be regulated.

In order to overcome this disconnect, instead of directly regulating DeFi the Government is considering how it can recognise the structure of DAOs specifically. These DAOs would include blockchain projects that contain a DeFi protocol. The creation of this new organisation type will provide clarity for legal liability and the structure of DeFi platforms.

NFTs are not specifically regulated in Australia. However, a broad range of assets may underpin an NFT and the nature of the underlying asset may affect its regulation. For example, a NFT underpinned by artwork will be regulated under a different framework than a NFT underpinned by a financial product – the latter could possibly trigger regulation under the AFS licensing regime. Generally speaking however a NFT is currently treated in a similar way to other non-tangible assets, allowing them to be bought, sold and owned. As such, Australian consumer laws will apply (see 2.10 Implications of Additional, Non-financial Services Regulations and 7.9 Market Integrity Principles).

In addition, the definition of "digital currency" in AML/CTF law is broad and could apply to certain NFTs.

In respect of NFT platforms, see 7.1 Permissible Trading Platforms.

The ATO has issued guidance that the income tax treatment of an NFT will depend on the holder's circumstances, the way the NFT is used and the reasons for holding and transacting the NFT.

The long-awaited Consumer Data Right (CDR) regime (commonly referred to as “Open Banking”) came into effect in 2020 as part of the Competition and Consumer Act 2010 (CCA). The CDR scheme provides consumers with greater access to and control over their data, by allowing consumers to require their existing service providers (currently banks) to share the consumer’s data with other service providers. This is expected to increase competition and consumer choice, by permitting consumers to freely switch between service providers.

The CDR rules currently apply to consumer data relating to credit and debit cards, deposit accounts and transaction accounts, as well as data relating to mortgage and personal loans. The CDR regime will be expanding to the energy sector, followed by the telecommunications sector. The Government is also consulting on how the CDR regime can be extended to general insurance, health insurance, loyalty schemes, non-bank lenders and superannuation among other industries.

In industries covered by the CDR scheme, the CDR accreditation requirement is mandatory for all entities that receive consumer-specific data, including foreign legal entities that are subject to the CCA. The entities are known as data holders.

A data holder must transfer CDR data to an accredited data recipient at the consumer’s request. There are substantial sanctions for data holders that breach these obligations.

Under the CDR system, consumers consent to a transfer of their data from a data holder to an accredited data recipient, or from one accredited person to another accredited data recipient.

An accredited data recipient is an entity that has been accredited by the ACCC to receive consumer data to provide a product or service.

Those who wish to become accredited must demonstrate that they:

  • are a fit and proper person;
  • are able to take the steps required to adequately protect CDR data from misuse, interference, loss and unauthorised access, modification or disclosure;
  • have internal and external dispute resolution processes;
  • have adequate insurance; and
  • have an Australian address.

An accredited data recipient also has ongoing obligations under the CDR Rules.

The CDR regime was rolled out with its own data security framework that imposes a range of cybersecurity obligations on CDR participants in relation to the CDR data environment. Given CPS 231 and the recent introduction of the new CPS 234, most, if not all, banks were already subject to a series of strict cybersecurity requirements. Technology providers in particular are certainly seeing "push down" effects from CDR entities, whereby larger CDR entities contractually impose their data privacy and security requirements from the CDR regime on to their subcontractors and suppliers. CDR participants are also carefully considering risk allocation in relation to CDR cyber-incidents, particularly as the CDR rules as they currently stand are silent on the allocation of liability.

In relation to privacy, the CDR Privacy Safeguards were also outlined as part of CDR. They largely complement the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) and set out the privacy rights and obligations for users of the CDR regime – in fact, the CDR Privacy Safeguards introduce further obligations in addition to the APPs and heftier penalties. Larger CDR participants will likely be facing increased regulatory scrutiny, particularly as they have had the most time to familiarise themselves with the regime (with Australia’s Big 4 banks being among the first CDR Data Holders activated) and have had the advantage of existing architecture and a large subcontracting database to rely on.

MinterEllison

40 Governor Macquarie Tower
1 Farrer Pl
Sydney NSW 2000
Australia

+61 2 9921 4712

richard.batten@minterellison.com www.minterellison.com

Trends and Developments



Introduction

The rapid change in the fintech industry globally is having an equally dramatic impact on the Australian regulatory environment. The accelerated adoption of technology to accommodate the increased usage of online and digital services has seen the development of many innovations.

The Australian government has developed a keen interest in the seismic changes affecting the fintech landscape (both locally and globally), and is actively taking steps to ensure that regulation both encourages innovation and ensures consumer protection.

This article highlights the key reforms to Australia's payments and fintech regulation that the government intends to consult on and action in 2022. It is important that fintech participants understand the changes that Australia's regulatory framework is set to undergo to keep pace with the evolving nature of this industry.

Payments Systems – 2021 Reviews and 2022 Reforms

The Australian payments systems regulatory framework was subject to significant review in 2021. The key reviews undertaken were:

  • the Australian government's review of the Australian payments system;
  • the Senate Select Committee's review on Australia as a technology and financial centre; and
  • the Parliamentary Joint Committee's review on mobile payment and digital wallets.

Each of the reviews recommended a number of changes to the regulatory system. The government has accepted the significant majority of these recommendations and committed to begin consulting on and implementing reforms in 2022 to modernise the regulatory framework. The government has said the reforms will be designed to "enable Australia to be a world-leading digital economy and society by 2030". The rapid response to the reviews and willingness to progress a number of key items by mid-2022 reflects the growing number of voices in Australia (from regulators, industry and consumers alike) calling for urgent renovation of the Australian payments system framework. This presents many growth opportunities for fintechs in Australia.

The reforms will broadly progress in two phases. The most urgent and immediately implementable reforms will be consulted on in the first half of 2022, and the remainder by the end of 2022.

A federal election is due to take place in the first half of 2022, which may delay progress on these reforms. However, it appears that, regardless of the election result, these reforms will be actioned given both major political parties are supportive of restructuring Australia's current payments system regulatory framework.

Modernising Payment System Legislation

The current payment systems regulatory landscape in Australia has remained largely unchanged for two decades.

The Payment Systems (Regulation) Act 1998 (Cth) (PSR Act) establishes Australia's regime for the regulation of "payment systems" and "purchased payment facilities". The regulators of this regime are the Reserve Bank of Australia (RBA) and the Australian Prudential Regulation Authority (APRA). The PSR Act imposes an access and standards regime in respect of "designated payment systems".

The government and parliamentary reviews in 2021 highlighted that outdated definitions in the PSR Act limit the RBA's powers to regulate broader payment systems and participants. For example, Section 7 of the PSR Act defines "payment system" to mean "a funds transfer system that facilitates the circulation of money, and includes any instruments and procedures that relate to the system". However, the payments ecosystem is broader than what is captured under this current definition due to new entrants and innovations in products and services. For example, it may not capture services that act as intermediaries such as digital wallets, nor is it likely to capture developments that combine a range of technologies and services.

In 2022, the government will consult on reforms to accommodate new and emerging payment systems (such as buy now, pay later and digital wallets) – including updating the definition of "payment system" in the PSR Act. This would broaden the RBA's ability to designate new and emerging payment systems where the RBA believes it is in the public interest to do so.

Payments Licensing Framework

There have been a number of payment service providers launching wallets and various other stored facilities, with the monthly value of digital wallets reported to have doubled from USD1 billion to USD2.1 billion between March 2020 and March 2021. This growth has drawn the government's attention, leading to its plan to develop a new payments licensing framework in 2022.

Under the current Australian financial services (AFS) licensing framework regulated by the Australian Securities and Investments Commission (ASIC), businesses must hold an AFS licence if they carry on a financial services business in Australia. Most relevant to fintechs and payment services providers is the regulation of financial products that are "non-cash payment facilities".

The government's payment review in 2021 highlighted that the definition of a "non-cash payment facility" in the Corporations Act 2001 (Cth) (Corporations Act) and the related licensing exemptions and exclusions are outdated. For example, the regulation of non-cash payment facilities does not clearly differentiate payment facilitators (providers that move but do not hold funds) and providers of stored-value facilities (providers that store funds through accounts or wallets that can also move funds) regulated under the PSR Act.

The government has therefore agreed to initiate reforms to develop a framework to replace the current one-size-fits-all payment licensing arrangements with a functionally based framework. The new framework would adopt tiered, risk-based regulatory requirements in line with recommendations made by the Council of Financial Regulators. This approach will align Australia's framework with international regulatory frameworks (eg, Singapore, the UK and Canada) and reduce barriers to entry for overseas providers seeking to enter the Australian market.

Markets Licensing Framework

There has been increasing interest amongst Australian retail investors to access crypto assets through local and overseas-based digital currency exchange (DCE) platforms. This boom in investment in crypto-assets has also resulted in greater predatory behaviour and, therefore, a need for greater consumer protection. In response to this, the government will consult on which functions of DCEs should be licensed by ASIC and what obligations should be imposed.

Currently, the only specific regulation of DCE providers in Australia occurs under the auspices of Australia's anti-money laundering and counter-terrorism financing (AML/CTF) regime. That regime requires DCE providers to, amongst other things, register with AUSTRAC (Australia's AML/CTF regulatory body), conduct KYC on all customers and report suspicious matters to AUSTRAC. However, these obligations are not designed to protect consumers. The AML/CTF regime is only focused on ensuring regulated businesses have relevant systems, procedures and controls to identify, mitigate and manage the risk of their services being used for money laundering or terrorist financing.

The Senate Committee's review also highlighted that the existing market licensing regime under the Corporations Act, which applies to stock exchanges and financial markets, does not apply to and is not appropriate for DCEs. The review therefore recommended that a new DCE market licence category be established and regulated under the Corporations Act.

The government has agreed to this recommendation in principle. If legislated, a new regulatory regime for DCEs would be introduced, similar to the existing market licensing regime regulated by ASIC. That would mean DCE operators would need to obtain an Australian markets licence from ASIC and, in the course of doing so, satisfy ASIC that they are "fit and proper" to hold a licence. Once licensed, DCEs would need to comply with various obligations, such as requirements to have adequate financial resources, auditing and organisational competence. The question yet to be determined is the extent or exact nature of these obligations and how exactly the DCE regime will differ from regulation of other financial markets.

A Custody Regime for Digital Assets

In line with the explosion of investments in digital assets, a key issue for service providers is how to ensure the safe custody of assets. While industry bodies such as Blockchain Australia have submitted that there are a number of options for custody of digital assets, the Australian Stock Exchange (ASX) argued that the risks associated with the management of private keys and other cybersecurity risks could present issues.

The government will therefore consult on extending Australia's rigorous custodial and depository service requirements to holders of digital assets – this particularly affects digital wallet providers and DCEs. Providing custodial or depository services is a regulated financial service under the AFS licensing regime. Under the custody regime, an asset holder must obtain a licence and meet minimum standards and related requirements which include requirements to:

  • have adequate human resource capacity and capability;
  • have adequate financial resources, including minimum levels of capital;
  • ensure that client assets are kept separate to the operator's own assets;
  • meet certain record keeping requirements; and
  • conduct KYC checks on clients before providing services to them.

The Token Mapping Exercise

A crypto asset is generally not regulated unless it has particular features that result in it comprising a "financial product" under the Corporations Act. Key considerations are whether it has features that would make it:

  • a security (ie, where it represents some interest in a company or a debt issued by a company);
  • a managed investment scheme interest (ie, where there is some pooling or common enterprise between investors or between investors and the scheme operator);
  • a derivative (where consideration or value varies by reference to something else) – any futures or other derivative forms of any cryptocurrency or token would likely be regulated as a derivative; or
  • a non-cash payment product (ie, a facility that allows someone to make non-cash payments).

The current view is that well-known cryptocurrencies such as Bitcoin and Ether are not financial products. Whether crypto-assets, stablecoins and other tokens are "financial products" would require a case-by-case analysis.

The government intends to consult with financial regulators and industry stakeholders to characterise various types of digital assets currently available and emerging on the market. The government has acknowledged that this consultation may be ongoing given the characterisation of tokens may change based on emerging trends in the regulatory landscape. In any case, this token mapping operation will result in more clarity for fintech providers on how different types of cryptocurrencies or tokens will be viewed and regulated in Australia.

What about DAO?

There has been growing interest in decentralised systems and projects globally, and this is no different in Australia. In exciting news for the fintech industry, the government will be consulting with industry on an appropriate regulatory structure for innovative new corporate structures like Decentralised Autonomous Organisations (DAOs).

Currently, DAOs, whose activities operate on decentralised blockchain infrastructure and are co-ordinated by code or smart contracts, are not regulated. Introducing a new corporate structure in the Corporations Act has occurred before in Australia. For example, legislation was recently passed to introduce corporate collective investment vehicles (CCIV) as a new type of company limited by shares that can be used for investment funds. The creation of this new DAO corporate structure will provide clarity for legal liability and the structure of decentralised finance (DeFi) platforms and provide a platform for this innovative sector to grow.

CBDCs and the Future of Money

The government will review advice from the Treasury and RBA on the feasibility of a retail Central Bank Digital Currency (CBDC) in Australia. The RBA has been exploring potential efficiencies related to crypto-assets. In December 2021, the RBA released a final report on a new wholesale CBDC project. The project involved issuing tokenised CBDCs which could be used by wholesale market participants to fund, instantly settle and repay syndicated loans on an Ethereum-based platform. The CBDC tokens are programmable, meaning they can be used to undertake real time checks of procedural rules and alleviate audit obligations. The results of the project were positive, particularly in considering whether a wide range of wholesale market participants could access a CBDC and the potential benefits of integrating a wholesale CBDC with tokenised assets on decentralised platforms.

There has been a trend towards increasing consumer access to crypto-assets – largely as a result of consumer demand. In November 2021, the Commonwealth Bank of Australia announced that it would be Australia's first retail bank to offer consumers the ability to buy, sell and hold crypto-assets directly through their banking application. A range of financial product issuers have also launched wholesale and retail products which provide exposure to crypto-assets, many of which have taken the form of exchange traded funds.

While the RBA is proceeding cautiously in exploring the viability of any retail CBDC, the government has agreed to partner with the RBA to lead a review of the feasibility of a retail CBDC in Australia.

The ePayments Code

The government has also agreed to consult on requiring payments licensees to comply with obligations under the ePayments Code. The government will consult on how the ePayments Code should be updated and brought into regulation. The ePayments Code is a voluntary code which most banks, credit unions, building societies and certain non-banking businesses currently subscribe to. The Code sets out rules around consumer terms and conditions and managing unauthorised transactions and mistaken payments. Generally, subscribers to the Code must annually report unauthorised transactions to ASIC.

The government will also be consulting on making it mandatory for payments licensees to comply with the standards of relevant industry standard setting bodies such as the Australian Payments Network.

Buy Now, Pay Later

Buy now, pay later (BNPL) has been thriving in Australia in recent years, with many new entrants in the Australian market. ASIC's 2021 research revealed that BNPL transactions have increased significantly, fuelled by online spending during the COVID-19 pandemic. In recent years, several traditional banks and payment providers (eg, AMEX and PayPal) have partnered with existing BNPL players to launch their own BNPL services.

Notably, the industry largely continues to operate outside the Australian credit and financial services licensing regime. However, BNPL arrangements are subject to the consumer protections under the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act). They are therefore subject to the unfair contract terms regime and prohibitions such as misleading and deceptive conduct as well as ASIC's product intervention power and the design and distribution obligations.

To further improve consumer protection, the Australian Finance Industry Association (AFIA) released a voluntary BNPL Code of Practice, which came into effect on 1 March 2021. It is expected that there will be a continued role for industry bodies to develop and set new standards for fintech providers while the government consults on various reforms of the fintech regulatory landscape.

Financial Services Royal Commission and ALRC Review

It is imperative that any fintech provider in or considering entering Australia be aware of the overall regulatory climate. Specifically, a Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission) was conducted in 2017–19. Significant misconduct and related issues were brought to light and as a result new laws have been made to strengthen regulation in the financial services sector and improve consumer outcomes. There has been increased enforcement action by all relevant regulators, particularly ASIC, and that is likely to continue for the foreseeable future.

In addition, the government has tasked the Australian Law Reform Commission to inquire into the simplification of financial services laws. The inquiry will consider the appropriate use of definitions in financial services laws, regulatory design and potentially restructuring the Corporations Act. The inquiry is part of the government’s response to the Royal Commission mentioned above. This is a long-term project with a consolidated final report not due until 30 November 2023.

Conclusion

It is clear that Australia is set to undergo a major renovation to its regulatory framework for fintechs, payments and digital assets. In addition to the reforms discussed, there are a number of others in related areas of law, particularly in privacy and in data collection and handling requirements.

We have been in a similar position before, with detailed reviews undertaken of the framework and recommendations for change made, but which have petered out without being implemented. However, it certainly feels different this time around. The outdated regulatory machinery is in dire need of replacement and/or servicing. Industry is fast developing and the Australian government cannot allow the legal and regulatory environment to fall behind any longer. However, the government is live to the fact that compliance with new laws and regulation should not act as a barrier for development, but that the new regime should be a boon to encourage and supplement creative new ventures, and truly propel Australia as a hub for the payments and fintech sector.
