Fintech landscape and initiatives

General innovation climate

What is the general state of fintech innovation in your jurisdiction?

The Australian fintech sector is evolving rapidly, as entities work together to transform the industry and re-shape the provision of financial services. EY’s Global Adoption Index 2019 found that the rate of fintech adoption in Australia has increased from 33% in 2017 to 64% in 2019. Like Atlassian, fintech innovation in Australia has grown from a group of small start-ups and speculative ventures into a large and diverse ecosystem. Regulators – including the Australian Securities and Investment Commission (ASIC) – have been engaging with fintech entities with a regulatory sandbox and an innovation hub to provide support to early-stage businesses. In 2019 Australia’s first fintech minister (Assistant Minster the Hon Jane Hume) was sworn in, recognising the importance of fintech to the Australian economy.

Government and regulatory support

Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

While various regulators and government departments offer fintech-specific services or benefits, there is no overarching fintech strategy yet implemented by the government.

ASIC’s innovation hub encourages eligible businesses to apply for informal assistance and guidance on Australia’s financial services laws. Unfortunately, the hub does not offer businesses any legally binding guidance or specific confirmation as to whether exemptions to certain regulatory requirements will apply. The hub does provide a designated contact for applicants and 12 months of informal guidance.

ASIC also operates a fintech regulatory sandbox, allowing eligible fintech entities to test certain products or services for up to 12 months without an Australian financial services licence. The sandbox is limited to services offering advice or dealing in certain deposit or payment products (up to A$10,000 if issued by an authorised deposit-taking Institution), general insurance (up to A$50,000 insured), liquid securities (up to A$10,000) and limited consumer credit contracts (with certain features and between A$2,001 and A$25,000).

ASIC has also signed international cooperation agreements designed to break down market entry barriers with regulatory counterparts in:

In 2017 the Australian Transaction Reports and Analysis Centre (AUSTRAC), Australia’s anti-money laundering regulator, launched the Fintel Alliance Innovation Hub to broaden the opportunity for partnering organisations to co-design and test solutions to assist in evaluating financial intelligence. Further, AUSTRAC has implemented an operations hub, where data is combined with tracking tools to identify the most effective practice methodologies and provide a platform for financial intelligence to be exchanged face-to-face. 

The government has emphasised its commitment to implementing the consumer data right (CDR) regime, which seeks to ensure that information is accessed and transferred to accredited data recipients in a safe and efficient manner.

On 14 June 2019 the Treasury released its revised draft open banking designation instrument for consultation, which was made under Section 56AC(2) of the Competition and Consumer Act 2010 (Cth). This designation sets out the classes of data that are included in the CDR regime to help consumers unlock their data and move easily between financial service providers.

Government support for blockchain initiatives has also been growing. On 18 March 2019 the Hon Karen Andrews announced that the Department of Industry, Innovation and Science will be investing in the development of a national blockchain strategy. To further this initiative, the Australian Trade and Investment Commission funded 30 organisations to join the Mission to Consensus, one of the largest annual blockchain conferences.

The Treasury is due to publish its report on initial coin offerings (ICOs), arising from a consultation on ICOs held in early 2019. 

Financial regulation

Regulatory bodies

Which bodies regulate the provision of fintech products and services?

ASICThe Australian Securities and Investment Commission (ASIC) is the primary regulator of credit and financial products in Australia. It regulates the conduct of providers of credit and financial products and services.

ASIC is responsible for granting and regulating Australian credit licences (ACLs) in accordance with the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) and the National Consumer Credit Protection Regulations 2010 (Cth) (NCCP Regulations).

ASIC is also responsible for granting and regulating Australian financial services licences (AFSLs) in accordance with Chapter 7 of the Corporations Act 2001 (Cth), which creates a licensing regime for the provision of financial services.

APRAThe Australian Prudential Regulation Authority (APRA) is responsible for prudential supervision and regulation of banks, insurers and superannuation funds (other than self-managed superannuation funds). It is responsible for authorising entities to carry on banking or insurance business in Australia or to be the trustee of a superannuation fund (other than a self-managed superannuation fund). APRA’s main concern is financial system stability.

AUSTRACMost financial services are considered designated services under the Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and are regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC).

RBAThe Reserve Bank of Australia (RBA) is Australia’s central bank. In addition to its traditional central bank functions, the RBA is responsible for regulating payment systems (ie, systems that facilitate the circulation of money). Under the Payment Systems (Regulation) Act 1998 (Cth), the RBA has the power to designate a payment system where it is in the public interest to do so. The RBA may then impose access regimes and standards on participants in a designated payment system and arrange for the arbitration of disputes between participants.

ACCCThe Australian Competition and Consumer Commission (ACCC) is responsible for protecting consumer, business and communal interests by promoting competition and fair trade in the market. The ACCC ensures that all individuals and businesses comply with the Competition and Consumer Act 2010 (Cth), including the Australian Consumer Law.

Regulated activities

Which activities trigger a licensing requirement in your jurisdiction?

The following activities constitute carrying on a financial services business in Australian and will require an AFSL:

  • providing financial product advice;
  • dealing in a financial product;
  • making a market for a financial product;
  • providing a custodial or depository service;
  • operating a registered managed investment scheme;
  • providing a crowdfunding service; and
  • providing traditional trustee company services.

In general, these activities include any product or service with a predominant investment character and any dealing in that product or service.

Activities relating to the following credit products constitute carrying on a credit activity and require an ACL:

  • credit contracts;
  • credit services (ie, credit assistance and acting as an intermediary);
  • consumer leases;
  • mortgages; and
  • guarantees, both as the credit provider or as a person that performs the obligations, or exercises the rights, of a credit provider.

Lending is regulated only if it is to an individual or strata corporation predominantly:

  • for personal, domestic or household purposes;
  • to purchase, renovate or improve residential property for investment purposes; or
  • to refinance credit that has been provided wholly or predominantly to purchase, renovate or improve residential property for investment purposes.

However, some exceptions apply.

Taking money on deposit (other than as a part payment for goods or services) and making advances of money amounts to banking business and will require an authorised deposit-taking institution (ADI) licence.

Consumer lending

Is consumer lending regulated in your jurisdiction?

Consumer lending in Australia is regulated by the NCCP Act, which includes the National Credit Code (NCC), and the NCCP Regulations made under the act.

Under the NCCP Act, any persons that engage in a credit activity must hold an ACL. There are several exemptions from the requirements to hold an ACL.

Responsible lendingChapter 3 of the NCCP Act details the responsible lending obligations for credit licensees, which vary according to the types of credit activity in which they engage. The key obligations are to give a credit guide (when applicable) to collect and verify financial information about a prospective debtor and to assess the unsuitability of a credit contract for a particular consumer.

ASIC’s guidance regarding responsible lending is set out in “Regulatory Guide 209: Credit licensing: Responsible lending conduct”, which ASIC is currently reviewing to provide more specific guidance about responsible lending obligations.

External dispute resolutionAll ACL holders must be a member of the Australian Financial Complaints Authority scheme, which is the mandatory external dispute resolution scheme for financial services providers.

Secondary market loan trading

Are there restrictions on trading loans in the secondary market in your jurisdiction?

At present, there are no legislative restrictions on trading loans in the secondary market in Australia. However, trading is limited as there is not a particularly active market since lenders prefer to take a ‘buy and hold’ approach. Further, for consumer debts regulated by the NCCP Act, assignees of the legal title must also hold an ACL.

Collective investment schemes

Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Collective investment arrangements usually fall within the scope of the Corporations Act definition of a ‘managed investment scheme’ (MIS). 

An arrangement or scheme will be an MIS if:

  • people contribute money or money’s worth as consideration to acquire interests to benefits produced by the scheme (whether the rights are actual, prospective or contingent, and whether they are enforceable);
  • any of the contributions are pooled or used in a common enterprise to produce financial benefits or benefits consisting of rights or interests in property for the members who hold interests in the scheme; and
  • members of the scheme do not have day-to-day control of the operation of the scheme (regardless of whether they have voting or other similar rights).

The definition of an MIS is deliberately broad and can include arrangements which would not traditionally be considered an investment. Examples include class action litigation, collective buying schemes, some digital token offerings, lottery syndicates and time share schemes.

After being announced in the 2016-17 Federal Budget, the regulatory framework for a new corporate collective investment vehicle (CCIV) structure has yet to be implemented. The most recent round of consultation on the CCIV regulatory and tax bills concluded on 28 February 2019.

The CCIV is designed to encourage the entry of new and alternative service providers into the Australian market by providing an internationally recognisable investment structure and making compliance processes simpler for Australian fund managers seeking to offer products overseas.

At present, given the broad definition of MIS, fintech entities making an offering which are at risk of being considered an MIS must obtain an AFSL and meet disclosure requirements to offer their product.

Alternative investment funds

Are managers of alternative investment funds regulated?

Collective investment undertakings that do not provide investors day-to-day control over the operation of the investment are generally considered to be an MIS. The activities involved in operating an MIS are generally financial services and require the provider to hold an AFSL. Funds offering specific asset classes such as hedge fund or property products may be subject to additional licensing and disclosure obligations.

Peer-to-peer and marketplace lending

Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Australia has no specific legislation dealing with peer-to-peer lending. However, the investment aspect of these marketplaces will often be structured as an MIS regulated by the Corporations Act, requiring the operator to hold an AFSL.

Provision of consumer credit is regulated under the NCCP Act, requiring the operator to hold an ACL. The NCCP Act and the NCC contain consumer protection provisions requiring the operator to assess whether credit is unsuitable to a consumer before providing it. Credit provided for investment purposes, business purposes or to non-natural persons is not regulated by the NCCP Act but may be subject to the ASIC Act if it is provided to small businesses.

Additional advertising guidance has been published by ASIC for marketplace lending products.


Describe any specific regulation of crowdfunding in your jurisdiction.

Australia’s regulatory framework for equity-based crowd-sourced funding (CSF) was expanded by the Corporations Amendment (Crowd-Sourced Funding for Proprietary Companies) Act 2018 (Cth), allowing eligible proprietary companies to raise up to A$5 million using CSF.

CSF offers can be made only by ‘eligible’ CSF companies, including:

  • unlisted public companies with less than:
    • A$25 million in consolidated gross assets; and
    • A$25 million in annual revenue; and
  • proprietary companies which:
    • maintain a minimum of two directors;
    • prepare annual financial and directors’ reports in accordance with accounting standards;
    • have their financial reports audited once they raise A$3 million or more from CSF offers; and
    • comply with the related party transaction rules that apply to public companies.

Other obligations applicable to CSF offers include:

  • an investor cap of A$10,000 per year per company for retail investors;
  • a CSF offer document containing minimum information; and
  • a five-day cooling-off period for investors.

In addition, CSF offers must be made by the holder of an AFSL or on a platform operated by a CSF intermediary holding an AFSL. 

Invoice trading

Describe any specific regulation of invoice trading in your jurisdiction.

In general, credit facilities (including any kind of financial accommodation provided by one person to another) are not financial products, so trading in debts is not subject to the AFSL regime. As far as the structure of a factoring arrangement may cause it to be an over-the-counter ‘derivative’ as defined in the Corporations Act (which ordinarily requires an AFSL to deal in), specific licensing relief is available under the ASIC Corporations (Factoring Arrangements) Instrument (2017/794) in certain circumstances.

Payment services

Are payment services regulated in your jurisdiction?

The provision of a purchased payment facility (PPF) or being the holder of stored value for a PPF is deemed to be carrying on banking business. Consequently, providers of PPFs (eg, digital wallet services) must obtain ADI authorisation from APRA. However, the authorisation granted is typically subject to a condition limiting them to providing PPFs and preventing them from lending money (other than incidental advances to customers in the course of providing a PPF).


Open banking

Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

There are currently no laws in force requiring financial institutions to make customer or product data available to third parties.

The Commonwealth government has announced that the first industry to be subject to the consumer data right will be the banking sector. Pending the introduction of legislation to mandate the sharing of product and customer data (to be shared at the customer’s direction), the ACCC and four major banks have commenced a voluntary pilot trial of product and consumer data sharing.

Insurance products

Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

In general, a person carrying on a life or general insurance business must be authorised by APRA to conduct business and hold an AFSL, unless an exemption applies. Persons other than insurers that sell or market insurance products must hold an AFSL unless a specific exemption applies. Persons that sell or market home contents or personal and domestic property insurance products with an insured value less than A$50,000 may be eligible for 12-month licensing relief under the regulatory sandbox exemption in the ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175.

Credit references

Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Subject to the Privacy Act 1988 (Cth), only credit reporting agencies are authorised to collect, collate and disclose consumer credit reporting information to credit providers. There are no restrictions on commercial credit references or commercial credit information, subject to privacy law.

Cross-border regulation


Can regulated activities be passported into your jurisdiction?

Foreign financial service providers (FFSPs) that provide financial services in Australia to wholesale clients only may rely on class relief under an Australian Securities and Investment Commission (ASIC) instrument from the need to hold an Australian financial services licence (AFSL) if they are regulated by certain overseas regulators.

The relief available for FFSPs is detailed in ASIC’s “Information Sheet 157 Foreign financial services provider – practical guidance”. The relief available under the listed instruments is due to expire on 30 September 2019. ASIC is currently proposing a new regime in which FFSPs from countries with a limited connection to Australia must obtain a modified foreign AFSL.

Requirement for a local presence

Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local presence?

To obtain an AFSL in order to provide financial services in Australia, companies must be registered as a foreign company carrying on business in Australia.

Foreign companies must maintain a registered office in Australia that is open every business day from at least 10am to 12pm and 2pm to 4pm. A representative of the foreign company must be present at the registered office whenever it is open.

Foreign companies must have a local agent responsible for any obligations that the company must meet. The local agent may be liable for breaches or penalties.

Sales and marketing


What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

A person will be conducting financial and related activities whenever they publish advertisements in Australia that are reasonably likely to induce Australians to acquire a financial service or product. Marketing a product itself may constitute an Australian financial services licence-regulated activity, unless an exemption applies.

The Australian Securities and Investment Commission Act provides for consumer protection surrounding advertising and marketing of financial services, including prohibitions on misleading or deceptive conduct.

Advertisements and promotional material in respect of credit products must comply with the National Consumer Credit Protection Act 2009 (Cth). This includes a requirement to include a credit licensee’s Australian credit licence number on all printed ads.

Advertisements and promotional material in respect of financial products must comply with the Corporations Act. This includes a requirement to include the identity of the issuer or the seller, confirmation that a product disclosure statement (PDS) is available and a statement that a person should consider the PDS in deciding whether to acquire or to continue to hold a product.

The Australian advertising industry also self-regulates via industry standards.

Change of control

Notification and consent

Describe any rules relating to notification or consent requirements if a regulated business changes control.

Subject to exemptions, the Corporations Act contains a takeover prohibition, which prohibits a person from acquiring a relevant interest in the issued voting shares or the voting interests (as the case may be) of a listed body (including a listed managed investment scheme) or an unlisted company with more than 50 members in the entity if:

  • the person acquires the interest through a transaction (defined broadly) in relation to the securities; and
  • because of the transaction, that person's or someone else's voting power in the entity increases from less than 20% to more than 20%, or from a starting point that is more than 20% and less than 90%.

There are also restrictions on the acquisition of shareholdings in certain financial sector companies and on the acquisition of substantial interests in Australian businesses.

The takeover prohibition applies to the acquisition of relevant interests in:

  • listed Australian companies;
  • unlisted Australian companies with more than 50 members;
  • Australian-listed bodies; and
  • Australian-listed managed investment schemes.

The takeover prohibition will be triggered whenever a person seeks to acquire a relevant interest in securities which results in the person's voting power being more than 20%. This includes transactions where the person's voting power is already more than 20%. The requirements are expressed to apply both in and outside Australia.

The concept of 'relevant interest' is detailed and expansive. 'Voting power' is defined as the total number of voting shares or interests in which a person and their associates have a relevant interest, represented as a percentage of the total number of voting shares interests in the relevant entity. 'Associate' is also broadly defined to include:

  • subsidiaries, holding companies and sibling entities controlled by the same ultimate holding company;
  • persons with whom the relevant person enters, or proposes to enter, into an agreement for the purpose of controlling or influencing the composition of the target's board or its affairs; and
  • a person with whom the relevant person acts, or proposes to act, in relation to the target's affairs.

Under the Financial Sector (Shareholdings) Act 1998 (Cth), a person may not acquire more than 20% of the voting shares or practical control of Australian banks, other authorised deposit-taking institutions and Australian insurers without the approval of the federal Treasurer. The restrictions also apply to Australian and foreign holding companies of such financial sector companies.

Under the Foreign Acquisitions and Takeovers Act 1975 (Cth), there are restrictions on foreign persons acquiring a substantial interest (ie, more than 20% (individually) or 40% (collectively)) in Australian companies without the approval of the Foreign Investment Review Board. The constitutions of some Australian companies (particularly those privatised by the federal and state governments) also contain restrictions on foreign shareholdings.

There are several exceptions to the takeover prohibition, which allow a person to obtain voting power of more than 20% if they fall within the terms of the permitted exception. The most commonly relied on exceptions include:

  • making a takeover offer;
  • obtaining the approval of members of the target;
  • obtaining control by means of a scheme of arrangement;
  • 'creeping' (ie acquiring no more than 3% of the voting power in any six-month period);
  • underwriting; or
  • making the acquisition through an upstream company listed on an approved foreign financial market.

Financial crime

Anti-bribery and anti-money laundering procedures

Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

The Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF) imposes obligations regarding the prevention of money laundering and terrorism financing, including:

  • conducting know-your-customer customer identification;
  • transaction monitoring and reporting, including reporting transfers of physical currency of A$10,000 or more and international funds transfer instructions;
  • suspicious matter reporting;
  • having an AML/CTF programme in place; and
  • submitting annual compliance certificates with the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Entities providing designated services under Section 6 of the AML/CTF Act must comply with the requirements of the act. ‘Designated services’ include:

  • taking deposits;
  • being a lender, account provider or insurer;
  • providing remittance services; and
  • exchanging currency (including digital currency).

In 2017 amendments to the AML/CTF Act established requirements for registrable digital currency exchanges to be registered with AUSTRAC.

The main provisions regarding anti-bribery are included in federal and state or territory legislation, including the Criminal Code Act 1995 (Cth). Federal legislation prohibits bribing foreign and Commonwealth public officials, and state or territory legislation prohibits some private and commercial bribery practices. There is currently no specific bribery legislation in place in Australia.


Is there regulatory or industry anti-financial crime guidance for fintech companies?

There is currently no guidance specific to fintech companies.

Peer-to-peer and marketplace lending

Execution and enforceability of loan agreements

What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable?

Loan and security agreements may be executed by companies either with or without a common seal in accordance with Section 127 of the Corporations Act. Subject to the formulation of a loan agreement, and state or territory requirements for the execution of deeds (where an interest in land can only be granted or disposed of by deed), these agreements may be executed electronically in accordance with the Electronic Transactions Act 2000 (Cth) and equivalent state or territory legislation. The same requirements apply to peer-to-peer or marketplace lending platforms.

Assignment of loans

What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these loans without informing the borrower?

An assignment of loans in these circumstances may be effected by a deed of assignment and will be perfected once the assignee takes control of the loan. If no valid deed is effected, the assignment may constitute a deemed security interest and perfected by registering a valid security interest over the collateral on the Personal Property Securities Register (PPSR). Failure to register on the PPSR may result in the security becoming void against a liquidator. On liquidation, the unperfected security interest vests in the grantor on its liquidation and the relevant secured party loses their interest.

No notice or consent is required to transfer loans on a peer-to-peer lending platform. However, the assignee must provide a copy of their credit guide as soon as is practicable following the assignment.

Securitisation risk retention requirements

Are securitisation transactions subject to risk retention requirements?

There are currently no minimum risk retention requirements.

Securitisation confidentiality and data protection requirements

Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information relating to the borrowers?

If the special purpose company used to purchase and securitise is subject to the Privacy Act, the company must comply with its obligations under the act regarding data protection of the borrowers. The duty of confidentiality will apply to the underlying loan or security agreement, subject to the usual practice of including express consents in the underlying documents to permit disclosures.

Artificial intelligence, distributed ledger technology and crypto-assets

Artificial intelligence

Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

‘Robo-advice’ is defined in the Australian Securities and Investment Commission (ASIC) Regulatory Guide 255.

The obligations that apply to the provision of traditional financial product advice and digital advice are functionally identical. For example, no Australian financial services licence (AFSL) is required for the provision of factual information. However, if robo-advice is generating general or personal financial product advice then that advice will be a financial service under the Corporations Act, unless an exemption applies.

ASIC has provided specific relief from holding a licence to providers of generic financial calculators under Regulatory Guide 167 and the ASIC Instrument 2016/207. A ‘generic financial calculator’ is defined as a facility, device, table or thing used to make general calculations and which does not advertise a specific product.

To the extent that AI or robo-advice is used to provide a designated service under the Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), the business providing that service – even if automated – may have reporting obligations to the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Distributed ledger technology

Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are no specific rules or regulations governing the use of distributed ledger technology or blockchain.  

ASIC’s INFO 219 sets out an assessment tool for businesses to identify whether an AFSL may be required for distributed ledger technology (DLT) based services. This tool includes a set of factors to be considered by the business, such as:

  • Which DLT platform is being used?
  • How it will be run?
  • How does it work?
  • How is the DLT using data?
  • How the DLT affects others? 

ASIC’s view is that many cryptographic token offerings will likely be a managed investment scheme (MIS), and that fintech providers which offer market infrastructure or clearing and settlement will require licensing or an exemption.


Are there rules or regulations governing the use of cryptoassets, including digital currencies, digital wallets and e-money?

The AML/CTF Act defines a ‘digital currency’ as:

  • a digital representation of value which:
    • functions as a medium of exchange, a store of economic value or a unit of account;
    • is not issued by or under the authority of a government body;
    • is interchangeable with money and may be used as consideration; and
    • is generally available to members of the public; or
  • a means of exchange or digital process or crediting declared to be digital currency under the AML/CTF Rules.

The AML/CTF Rules may be updated by the CEO of AUSTRAC and do not require Parliament to change underlying legislation. Where a business wishes to offer a service of converting fiat currency to cryptocurrency, it will be providing a designated service under the AML/CTF Act and that business will be required to be registered as a digital currency exchange (DCE) with AUSTRAC unless an exemption applies. This is expected to be expanded soon to capture conversion services from crypto to crypto.

The need for registration has seen more than 250 crypto exchanges globally register their businesses into Australia since the registration system was introduced.

For businesses that plan to issue or offer to deal in crypto assets, the starting point is to determine if the crypto asset or tokens are a financial product within the definition of the Corporations Act. If so, a business issuing crypto assets will be required to hold an AFSL. A business offering to deal in crypto assets, such as by operating a market, must also obtain an AFSL if it is dealing with, giving advice or providing intermediary services for crypto assets that constitute financial products.

If a business is offering payment services, such as accepting crypto assets and making payments, assuming the crypto asset is not a financial product, the business will still be providing a ‘non-cash payment facility’ as defined in Section 763D of the Corporations Act, and the entity will be required to hold an AFSL unless an exemption applies. Digital wallets in Australia will most likely constitute non-cash payment facilities. The non-cash payment facility concept in Australia is broadly analogous to the e-money regulatory system in Europe.

Finally, if crypto assets stored by a business is a financial product, that business must ensure that it holds the appropriate custodial and depository authorisations (ie, an AFSL).

Digital currency exchanges

Are there rules or regulations governing the operation of digital currency exchanges or brokerages?

The conversion of fiat currency to a crypto assets is a designated service, requiring registration as a DCE with AUSTRAC. In order to register as a DCE, a business must prepare an AML/CTF programme and meet specified threshold and suspicious transaction reporting obligations. 

In addition to the need to register with AUSTRAC, if a DCE is issuing tokens that are a financial product (eg, via an initial exchange offering or listing a token from an initial coin offering if the tokens constitute financial products), the exchange will need to hold an AFSL to deal in those tokens and may need a market authorisation. 

Depending on the exchange’s structure, and how crypto assets are cleared or settled, an exchange may be operating a clearing settlement facility and as a result be required to hold a clearing and settlement facility licence under Part 7.3 of the Corporations Act.

Initial coin offerings

Are there rules or regulations governing initial coin offerings (ICOs) or token generation events?

In May 2019 ASIC updated its INFO 225 guidance in relation to ICOs. ASIC considers that there is a high risk that most ICOs or token generation events will be considered an MIS requiring the responsible entity to hold an AFSL. ASIC expects entities which do not have an AFSL to be able to justify a conclusion that their token or ICO is not a financial product. 

Unfortunately, ASIC’s updated INFO 225 does not provide clear guidance on how entities can undertake a token offering which is compliant with the obligations of an MIS operated by an AFSL holder in relation to matters such as custody or secondary trading of crypto assets or provide any categories of crypto token which will not be considered financial products.

Data protection and cybersecurity

Data protection

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

While there are no legal requirements or regulatory guidance relating to personal data that is aimed specifically at fintech businesses, all are subject to the obligations of the Privacy Act, including a notifiable data breach reporting requirement. The Privacy Act is concerned with the protection of personal information, which includes an individual’s identity or information from which an individual’s identity can be ascertained. Additional protections are required when businesses deal with prescribed sensitive information that includes certain health-related information. The notifiable data breach reporting requirements require that processes be put in place by businesses to address data breaches, including reporting certain data breaches to the Office of the Australian Information Commissioner.


What cybersecurity regulations or standards apply to fintech businesses?

There are no overarching regulations or standards on cybersecurity in Australia. However, there are certain regulatory standards and guidelines which offer guidance.

The Australian Prudential Regulatory Authority (APRA) has issued several mandatory standards and regulatory guidelines concerning cybersecurity and cloud computing as they relate to businesses providing financial services, superannuation and insurance. These include prudential standards on outsourcing (CPS 231, SPS 231 and HPS 231), business continuity management (CPS 232 and SPS 232), information security (CPS 234) and related regulatory guidelines.

CPS 234, which took effect from 1 July 2019 and applies to certain APRA-regulated entities. Among other things, CPS 234 requires ARPA-regulated entities to:

  • clearly define information security-related roles and responsibilities;
  • maintain appropriate information security capability commensurate with the size and extent of threats to their information assets;
  • implement appropriate controls to protect their information assets and ensure their effectiveness through systematic testing and assurance; and
  • notify APRA of material information security incidents (separate to notifiable data breach obligations under the Privacy Act 1988 (Cth)).

Fintech businesses dealing with APRA-regulated entities may still need to be cognisant of CPS 234, as APRA-regulated entities must meet the requirements of CPS 234 even if their information assets are managed by third parties.

ASIC’s “Regulatory Guide 255 – Providing Digital Financial Product Advice to Retail Clients” sets out requirements that Australian financial services licensees that provide certain digital financial product advice should follow to protect against malicious cyber activity.

Outsourcing and cloud computing


Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

Certain Australian Prudential Regulatory Authority (APRA) regulated financial institutions are required to comply with prudential standards on outsourcing (CPS 231) and related guidelines. Separate prudential standards (SPS 231 and HPS 231) apply to registrable superannuation entity licensees and private health insurers respectively. These mandatory standards set out requirements on how material business activity can be outsourced.

A ‘material business activity’ is an activity which has the potential, if disrupted, to have a significant impact on the APRA-regulated institution or its ability to manage risks effectively.

The principal requirements under these prudential standards are:

  • having a board-approved policy for the outsourcing of material business activities and monitoring of outsourcing arrangements;
  • having an agreement with any outsourced service provider involving a material business activity which addresses, at a minimum, certain matters in CPS 231 (including matters relating to ownership, storage and control of data);
  • consulting APRA before entering into any offshoring arrangement involving a material business activity; and
  • notifying APRA as soon as possible after entering into an outsourcing agreement involving a material business activity, but no later than 20 business days after the execution of an outsourcing agreement.

In addition, APRA has issued several mandatory standards and regulatory guidelines concerning cloud computing, including standards on business continuity management (CPS 232 and SPS 232) and information security (CPS 234).

ASIC’s “Regulatory Guide 104 – Licensing: Meeting the General Obligations” sets out guidance of ASIC’s expectations for Australian financial services licensees outsourcing their functions. In particular, while they can outsource their functions, they cannot outsource their responsibilities as a licensee and remain responsible for complying with licensee obligations.

Cloud computing

Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

APRA has issued various mandatory standard and regulatory guidelines regarding cloud computing, including prudential standards on outsourcing (CPS 231, SPS 231 and HPS 231), business continuity management (CPS 232 and SPS 232) and information security (CPS 234).

CPS 231 concerns outsourcing arrangements generally and applies where the use of cloud computing services involves material business activities. APRA’s “Outsourcing Involving Cloud Computing Services” information paper provides regulatory guidance relating to risk management, notification and consultation obligations for APRA-regulated entities using cloud computing services.

The Privacy Act 1988 (Cth) regulates the collection, use, disclosure and handling of personal information that could be relevant to cloud computing services. Organisations that have to comply with the Privacy Act must comply with the Australian Privacy Principles and have specific obligations where data is disclosed outside Australia.

Intellectual property rights

IP protection for software

Which intellectual property rights are available to protect software, and how do you obtain those rights?

The two main forms of IP protection for software in Australia is copyright and patents.

CopyrightComputer programs as defined under the Copyright Act 1958 (Cth) qualify for protection under copyright law as literary works, provided that the requirements for copyright subsistence are met. There is no registration requirement in Australia.

Copyright law requires a computer program to be attributable to an author and not reproduced or copied from another source. As the copyright owner will usually be the author(s) who created or developed the source code of the software, fintech businesses must ensure that third-party software developers are commissioned such that copyright in the software is assigned to the fintech entity. Copyright will generally vest in the employer where an individual has developed the computer program in the course of their employment duties. The duration of the copyright protection for published works is usually 70 years from the death of the author of the copyright work.

PatentsIn Australia, two types of patent can be granted, the traditional standard patent providing 20 years of protection and an innovation patent providing 8 years of protection. The innovation patent has a faster and cheaper application process and less stringent patentability requirements, but has been under review and the government has accepted recommendations for its abolishment.

An invention must meet the requirements of Patents Act 1990 (Cth) to receive patent protection. Specifically, the patent must be a patentable subject matter that is new, useful, involves an innovative step (in respect of innovation patents) or inventive step (in respect of standard patents) and satisfies other formality requirements.

The requirement of patentable subject matter must be satisfied for business methods implemented by a computer program. In general, a separate result beyond the typical working of a computer must be achieved for a business method implemented in or by a computer process to be patentable. The mere use of well-known and understood functions of computers for implementing business methods is insufficient for patent protection.

Finally, certain aspects of software, including software-implemented inventions or business methods, may also be protected by imposing confidentiality obligations on customers and keeping those aspects a trade secret of the business.

IP developed by employees and contractors

Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

An employer will own intellectual property developed by an employee during the course of their employment – unless the employment contract stipulates otherwise – and where the material giving rise to the IP rights was created as part of the duties for which the employee was employed. Where an employee’s duties involve the development of intellectual property, their employment contract should refer to these duties and specify that IP rights in material created by the employee will be owned by the employer. 

New intellectual property developed by contractors or consultants will generally be owned by the contractor or consultant unless there is a written assignment to the contrary.

An employee, contractor or consultant that has assigned the IP rights in materials that they have created will continue to retain their moral rights, which are provided for in Part IX of the Copyright Act 1968 (Cth). Individuals have the following rights which last for the same period as copyright protection (generally 70 years):

  • to be identified as the author of the work;
  • not to have authorship of their work falsely attributed; and
  • the right of integrity of authorship (ie, the right not to have their work subjected to derogatory treatment).

Individuals cannot assign, transfer or sell their moral rights, but may consent to their moral rights being infringed, provided that the consent relates to specified acts or omissions or specified types of act or omission. An employee can also provide a broad consent to their employer covering any acts or omissions in relation to all works created by the employee during their employment.

Joint ownership

Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

The rights of a joint owner of intellectual property differs according to the type of intellectual property.

Unless there is an agreement to the contrary, co-owners of copyright material own the copyright as tenants in common in equal shares and not as joint tenants. A co-owner may not do or authorise any act comprised in the copyright of a work, including reproducing the copyright materials, granting a licence to a third party or charging or assigning any right in such copyright, without the consent of the co-owner. The non-consenting owner is entitled to an injunction against the infringing co-owner and licensee preventing such unauthorised acts.

A joint owner of a patent is entitled to an equal undivided share in that patent, unless there is an agreement to the contrary. Therefore, a joint owner may use the patent for their own benefit without accounting to the other joint owner(s), but may not grant a licence under, or assign an interest in, the patent without the consent of the other joint owner(s).

Trade secrets

How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

There is no statute that specifically protects trade secrets. However, Section 183 of the Corporations Act 2001 (Cth), which requires that a current or former director, officer or employee of a corporation must not improperly use the information to gain an advantage for themselves or others or cause detriment to the organisation, is sufficiently broad to cover trade secrets.

Trade secrets are also protected by equitable principles relating to breach of confidence. A breach of confidence requires that:

  • an obligation of confidence exists in relation to specific information;
  • the information disclosed is of a confidential nature;
  • the information was received in circumstances importing an obligation of confidence;
  • there is an actual or threatened misuse of the information without the disclosing party’s consent; and
  • the breach resulted in the disclosing party suffering damage.

The courts may make orders to protect trade secrets contained in discovered documents or documents produced by a third party. The court will weigh the risk of inadvertent or accidental disclosure and the likely loss against the extent to which a party’s ability to seek advice and provide instructions may be hampered if a claim for confidentiality is upheld. 


What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Branding elements are usually protected by trademark registration.

A trademark is a badge of origin or a sign used to distinguish goods and services from those of others, including:  

  • product names;
  • tag lines;
  • logos;
  • aspects of packaging; and
  • colours, sounds and scents.

Trademark registration provides exclusive rights to use, license and sell the trademark for an initial period of 10 years, which continues indefinitely provided the renewal fees are paid every 10 years.

An application to register a trademark is made with IP Australia. Assuming no objections or oppositions, the process takes approximately seven months.

As a practical measure, before choosing a trademark applicants should ensure that the domain name (web URL), social media names (eg, Facebook page or Twitter handle) and business name are available.

Unregistered trademarks can be protected by establishing that the use of the same or a similar trademark by a person is likely to mislead others to believe that the person is somehow connected with the applicant (ie, misleading and deceptive conduct in breach of the Australian Consumer Law) or amounts to passing off. This requires the applicant to prove that they have reputation in the trademark to such an extent that the use of the trademark by someone else would be misleading.

To ensure that applicants do not infringe the rights of a third party’s existing brands, they should:

  • search the Australian Trademarks Register for any similar registered trademarks; and
  • conduct a general market knowledge enquiry to identify any unregistered trademarks which may have reputation.
Remedies for infringement of IP

What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Registered IP rights are each governed by a different legislative scheme, for example: 

  • the Copyright Act 1968;
  • the Designs Act 2003;
  • the Patents Act 1990; and
  • the Trademarks Act 1995.

In general, the Federal Court of Australia is the most appropriate court to initiate proceedings for infringement of IP rights, particularly for registered rights or actions brought under the as the legislative schemes which govern those rights are federal acts.

The court has the power to award various remedies in IP infringement proceedings, including:

  • injunctive relief (both interim and final injunctions may be awarded);
  • an Anton Piller order (ie, search and seizure order); 
  • damages or account of profits;
  • declaratory relief;
  • costs; and
  • additional damages in circumstances of flagrancy of the infringement.

The limitation period for bringing infringement proceedings is six years. However, the courts will be less inclined to assist when an applicant has delayed bringing infringement proceedings.

It is not uncommon for the respondent to crossclaim with an action to revoke the registered right of the applicant (eg, on the grounds that the registration does not conform with the requisite requirements of registration). Therefore, it is prudent for the owner of the registered right to examine the validity of the registration before threatening infringement proceedings.

The recipient of a threat of infringement is entitled to initiate legal proceedings to seek orders that the threats are groundless and seek injunctive relief to prevent further threats from being made. In general, proceedings initiated on the basis of groundless threats will be unsuccessful once the applicant issues proceedings.


Sector-specific issues

Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There are currently no sector specific competition issues; however, the imminent implementation of the proposed open banking regime in Australia through the adoption of the consumer data right is intended to improve competition in the banking sector. The open banking regime’s original implementation date of 1 July 2019 has been deferred. It is anticipated that the open banking regime will now commence on 1 February 2020.

Fintech companies are subject to the competition prohibitions under the Competition and Consumer Act 2010. These prohibitions include various anti-competitive practices, including misuse of market power, exclusive dealing, resale price maintenance and cartel conduct. The Australian Consumer Law also contains prohibitions against misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms.

Finally, the Productivity Commission released its final report on its Competition in the Australian Financial System inquiry on 3 August 2018, recommending:

  • expanding the scope of products eligible for testing under the Australian Securities and Investment Commission’s regulatory sandbox;
  • ensuring that the open banking regime is implemented in a manner that enables the full suite of rights for consumer to access and use digital data; and
  • giving the Australian Competition and Consumer Commission a government mandate to champion competition in the financial system.

The government is still to provide a formal response to the inquiry.



Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

Australia has many tax concessions applicable to fintech companies. The early-stage investment company (ESIC) regime provides that a company must be recently incorporated and not have incurred expenditure or generated income over certain limits in the preceding income year. The company must meet either a 100-point or a principles-based innovation test. If the company qualifies as an ESIC, investors qualify for a 20% non-refundable carry forward tax offset. The amount of the tax offset is 20% of the amount paid for the shares to a maximum of A$200,000. Investors also enjoy no capital gains tax for the first 10 years of their holding of the shares.

Australia also has concessions for start-up companies in relation to employee share schemes. In general, any discount an employee receives on shares or options or rights is treated as assessable income. However, under this concession start-up companies can offer (without the discount being taxed):

  • shares with a discount to market value of no more than 15%; or
  • rights or options with an exercise price being the market value of a share when the right or option is acquired.

In calculating the market value of a share, the company can use a net tangible asset valuation method. This allows a fintech entity with, for example, a large IP or goodwill element to issue equity at a significant discount to employees.

Australia has an R&D tax incentive designed to encourage companies to invest in R&D activity. The tax incentive is in the form of two tax offsets that apply to eligible R&D expenditure, namely:

  • a 43.5% refundable tax offset for the first A$100 million of eligible expenditure for certain eligible entities whose aggregated turnover is less than A$20 million and provided they are not controlled by income tax exempt entities; and
  • a 38.5% non-refundable tax offset for the first A$100 million of eligible expenditure for all other eligible entities, which may be carried forward.

The Taxpayer Alert 2017/5 sets out the view of the Australian Taxation Office in relation to R&D claims on software development projects.

Increased tax burden

Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

There are no new or proposed laws or guidance specifically affecting fintech companies.


Sector-specific schemes

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no immigration schemes specific to the technology or financial sectors. The following visa options may be open to skilled workers recruited from overseas by fintech businesses:

  • Temporary Work (Short Stay Specialist) (subclass 400) visa – for three to six months in a highly specialised job.
  • Temporary Skill Shortage (subclass 482) visa – for up to four years, for workers sponsored by their employer and whose occupation is on the Australian government’s list of skilled occupations or the employer has a labour agreement with the Australian government.
  • Employer Nomination Scheme (subclass 186) visa – permanent, for workers nominated by their employer and whose occupation is on the Australian government’s list of skilled occupations.

Update and trends

Current developments

Are there any other current developments or emerging trends to note?

The key emerging trend to note is the adoption of open banking. February 2020 is the target timeframe for the four major banks in Australia (ie, Commonwealth Bank, ANZ, Westpac and NAB) to make their first set of product and mortgage data publicly available under the new open banking framework. Digital banking start-ups have seen funding surge at a global level, as consumers have driven an early adoption, which has quickly spread to small and medium-sized enterprises. Blockchain and distributed ledger technology are likely to see continued government support and engagement with highly disruptive potential. The Australian leadership in this space continues at the global level in both fintech blockchain projects and regulatory efforts.

Law stated date

Correct on:

Give the date on which the above content is accurate.

16 July 2019.