Articles > Finance

How are Australian Fintechs regulated?

September 7, 2020   Kristine TranPhilip Evangelou

The explosion of Australian Fintech start-ups and businesses in recent years has disrupted the financial services industry – as well as the legal regulations surrounding this delicate part of the economy. Currently, there are over 650 Fintech companies operating in Australia and they are regulated by two key regulatory bodies:

  1. ASIC – Australian Securities and Investments Commission 
  2. APRA – Australian Prudential Regulatory Authority 

Currently, if your Fintech company engages in the following activities, it must comply with the regulations set out by ASIC and APRA:

  • Financial services;
  • Consumer credit lending;
  • Registering and disclosure obligations;
  • Consumer law requirements;
  • Privacy and anti-money laundering; and 
  • Counter-terrorist financing requirements. 

ASIC’s regulation of Fintech

ASIC is the primary regulating body for credit and financial services in Australia. The National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) and the National Consumer Credit Protection Regulations 2010 (Cth) (NCCP Regulations) provides ASIC powers to grant and regulate credit licences to companies. 

Fintech and Australian Financial Service Licence (AFSLs)

Generally, you will need to obtain an AFSL if your Fintech company engages in activities in relation to financial services. This may include the following activities:

  • Financial product;
  • Custodial or depository service;
  • Registered managed investment scheme;
  • Crowdfunding service; and 
  • Traditional trustee company services. 

Fintech and Australian Credit Licence (ACL) 

According to ASIC, if your Fintech company engages in any credit activity, it must obtain an Australian Credit Licence (ACL), have an authorised representative to engage in credit services, or be exempt from holding a credit licence. ASIC requires companies to hold a credit licence for activities such as credit contracts, consumer leases, mortgages and or guarantees. 

For more information regarding credit licences and Fintech, please see our other articles: Do you need a credit licence from ASIC to operate a Fintech? and How does my Fintech comply with the National Credit Code?

Fintech and National Credit Code (NCC) 

The National Consumer Credit Protection (Fintech Sandbox Australian Credit Licence Exemption) Regulation 2020 (“Fintech Sandbox”) recently introduced licensing exemptions for Fintech companies. With this Fintech Sandbox, your fintech company may therefore be exempt from licensing requirements if you wish to test a new credit service or product for up to a period of 12 months.

APRA and Fintech

As Australia’s main banking regulator, APRA’s role is to protect the interests of depositors, policy holders and superannuation fund members. It oversees the conduct of banks, credit unions, building societies, general insurance and most superannuation trustees. 

APRA currently regulates institutions and ensures that there is a “stable, efficient and competitive financial system.” As of today, APRA requires any company that conducts a “banking business” such as taking deposits or making advances of money, to possess an Authorised Deposit Taking Institution (ADI). 

Restricted ADI Licence for Fintech Companies

However, if you are a new Fintech start-up or company entering the banking industry, you may be eligible for a restricted ADI licence regime. Under this new framework, your company can operate a limited range of banking activities for up to two years, whilst building up your company resources and financial capabilities. 

Once the two year period ends, your company must transition into a full ADI licence to continue operating in the banking industry. Alternatively, if your company fails to meet the prudential framework requirements of an ADI, you will have to cease operations. 

A Restricted ADI licence

Pursuant to the Bank Act 1959 (Cth), Fintech companies granted with an ADI can conduct limited low-risk banking services whilst seeking investment and resources in order to comply with the prudential framework for up to 2 years. However, if your company is granted an ADI, you must be able to deposit $2 million and disclose to  your clients of your restricted licence. 


In order to maximise your company’s chances on successfully obtaining a restricted ADI licence, it is highly encouraged that you: 

  • Notify and engage with APRA at the earliest stage possible to discuss relevant requirements;
  • Ensure that your company has implemented proper policies and is compliant with the application requirements, including capital requirements of a minimum of $4 million;
  • Prepared a viable strategy detailing your company’s plan to meet the prudential framework within the two year period. 

Your company’s ADI may take up to 3 to 18 months for APRA to assess, depending on the complexity of your company’s banking plans. 

Other Regulatory Frameworks


If your Fintech company engages in banking and digital currency, it must also be comply with obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”), and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules). 

Your company will be subject to AML/CTF Act if it is an entity that provides “designated services” with an Australian connection. In 2018, the Australian Transaction Reports and Analysis Centre (AUSTRAC) became the governing body Anti-Money Laundering and Counter-Terrorism. 

If your company is a digital currency exchange provider, your company must adhere to the following: 

  • Register and enrol with AUSTRAC exchanges that take place;
  • Take appropriate steps to verify customer identification;
  • Adopt and maintain an AML/CTF policy;
  • Monitor and report any suspicious and large transactions. 

Key Points on Fintech and its regulation in Australia 

Fintechs must comply with both ASIC and APRA, and have an ongoing obligation to fulfil its compliance with the AML/CTF Act. Unless there are exemptions, your company must obtain an AFL or ACL if it engages in financial services or credit activities respectively. Additionally, any company engaging in banking services which involve depositing money or advancing sums of money must apply for an Authorised Deposit Taking Institution (ADI). 

Unless, your company is a recent entrant of the banking industry, and has limited resources, you can apply for a Restricted ADI and engage in limited banking activities for up to two years. After the two year period, your company must apply for a full ADI in order to continue operating as a banking institution. 

Furthermore, if your company engages in activities pertaining to digital currency, it must comply with the AML/CTF Act, and register exchanges with AUTRAC. 

Contact OpenLegal’s startup team if you would like to discuss the needs of your fintech.

About Kristine Tran

Avatar photoKristine is a legal intern at OpenLegal. She is a fifth year UTS law student nearing the final stages of her law degree. She has previously worked for a boutique law firm and volunteered as a paralegal with the Refugee Advice and Casework Services (RACS).

About Philip Evangelou

phillipPhil is a director at OpenLegal. He has over 16 years experience working in private practice and in-house counsel in Sydney and London, giving him expertise in employment law, IP, finance, leases, dispute resolution, insurance and contracts.