Australian laws impose licensing regimes and conduct obligations on certain consumer financial services activities.

The policy underpinning the regulation of consumer financial services in Australia has evolved in recent years. Laws regulating consumer financial services initially focused on ensuring that consumers were adequately informed about financial products and services offered to them. The law imposes obligations on providers of financial services to prevent unsuitable financial services being offered to consumers, and grants the regulator a power to intervene to prevent consumers from suffering significant detriment.

Legislative and regulatory framework

i Legislation

The Australian regulatory framework recognises two types of financial services: consumer credit, including consumer leases of goods, and 'other' financial services.

Consumer credit and leases

Consumer credit in Australia is regulated by the National Consumer Credit Protection Act 2009 (Cth) (the NCCP Act) and the National Credit Code (NCC) set out in Schedule 1 to that Act.

For credit to be covered by the NCC, it must have four elements:

  1. the debtor is a natural person or strata corporation;
  2. the credit is to be provided or intended to be provided wholly or predominantly:
    • for personal, household or domestic purposes (i.e., not business or investment purposes);
    • to purchase, renovate or improve residential property for investment purposes; or
    • to refinance credit that has been provided wholly or predominantly to purchase, renovate or improve residential property for investment purposes;
  3. a charge (interest or otherwise) is or may be made for providing the credit; and
  4. the credit provider provides the credit in the course of carrying on a business of providing credit in Australia or as part of or incidentally to any other business it carries on in Australia.2

There are no monetary or interest rate limits3 – credit that has the four elements described above will be regulated regardless of the amount of the credit provided and of the interest rate charged, unless a specific exemption applies. Once credit is regulated by the NCC, it is subject to a 48 per cent annual cost rate limit.4

The NCCP Act also regulates consumer leases, which are defined as leases of goods under which the hirer does not have a right or obligation to purchase the goods and:

  1. the goods are hired wholly or predominantly for personal, household or domestic purposes;
  2. a charge is or may be made for hiring the goods and the charge, together with any other amount payable under the lease, exceeds the 'cash price' (i.e., retail price) of the goods; and
  3. the lessor hires the goods in the course of a business of hiring goods or as part of or incidentally to any other business it carries on in Australia.5

The NCCP Act has four key limbs. The first creates a licensing regime with respect to consumer credit. Under this licensing regime, any person who wishes to engage in 'credit activities' must hold an Australian credit licence (ACL) authorising them to engage in those credit activities, or be an employee, director or authorised representative of such a person.6 'Credit activities' is defined to include providing credit, exercising the rights and obligations of a credit provider, taking the benefit of a mortgage or guarantee, exercising the rights and obligations of a mortgagee or beneficiary of a guarantee, or providing broker or intermediary-type services in relation to consumer credit or consumer leases.7 The Australian Securities and Investments Commission (ASIC), the general corporations, markets and financial services regulator in Australia, is responsible for granting ACLs.

There are several exemptions from the requirement to hold an ACL. These are provided for in the NCCP Act and the National Consumer Credit Protection Regulations 2010 (Cth) (the NCCP Regulations). Employees of an ACL holder and directors of a body corporate ACL holder are exempt from obtaining an ACL and can act as representatives of the ACL holder, when acting within the scope of their authority.8 A temporary employee is treated in the same manner as an employee who replaces another employee who is absent from work, or where they are performing substantially the same duties as that employee and are subject to similar controls or directions by the employer. There are also several other exemptions, including credit activities in connection with pawnbroking,9 employee loans,10 referral arrangements,11 employment agencies providing temporary staff or locums,12 and clerks' and cashiers' activities.13

The second key limb under the NCCP Act is set out in the NCC, which contains operational provisions relating to credit contracts and consumer leases. It prescribes the:

  1. form and content of credit and lease contract documents;
  2. disclosure requirements for fees and charges;
  3. procedures for varying consumer credit and lease contracts;
  4. circumstances in which interest may be debited to a loan account;
  5. rights to terminate consumer credit and lease contracts;
  6. procedures that must be followed by a credit provider or lessor when enforcing rights under a credit or lease contract or associated security interest;
  7. matters relating to mortgages and guarantees;
  8. advertising and marketing requirements; and
  9. related sales and issuance contracts.

The NCC contains the following notable provisions:

  1. a maximum annual cost rate (an effective interest rate taking into account non-interest charges payable) of 48 per cent per annum for consumer credit contracts;14
  2. a right for consumer debtors and lessees to request variation of their credit contracts or leases if they are suffering financial hardship;15
  3. the ability for a court to, on application by a consumer debtor or lessee, reopen and set aside or revise a transaction that is found to be unjust;16 and
  4. the ability for a court to, on application by a consumer debtor or lessee, annul or reduce certain unconscionable fees and charges.17

The third key limb under the NCCP Act is the 'responsible lending' regime. It requires credit providers and persons who advise or assist a consumer to enter into a credit contract or consumer lease to:

  1. provide a credit guide to the consumer setting out their fees, dispute resolution processes and other information required by the regulations;
  2. make reasonable enquiries about the consumer's financial situation and requirements and objectives in relation to the proposed credit contract or lease;
  3. take reasonable steps to verify the consumer's financial situation;
  4. assess whether the proposed credit contract or lease is unsuitable for the consumer;
  5. provide the consumer with a copy of the assessment on request; and
  6. not enter into the credit contract or lease, or advise or assist the consumer to enter into the credit contract or lease, if the credit contract or lease is assessed as unsuitable.18

A credit contract or lease is unsuitable if it will not meet the consumer's requirements or objectives, or if the consumer will not be able to comply with his or her obligations under the credit contract or lease or if the consumer could only comply with their obligations with substantial hardship. Whether or not a credit contract or consumer lease is unsuitable depends on the particular circumstances of each consumer. A separate assessment will need to be made with respect to each consumer who applies for credit or seeks advice or assistance in obtaining credit.19 Responsible lending enquiries are scalable according to the nature of the credit obtained. In all cases, however, it is necessary to collect at least some information about the consumer's income and expenditure. A recent Full Federal Court consideration of the obligations found the use that must be made of the information collected, and the weight to be given to particular information items, is at the credit provider's discretion, as long as they make an assessment of whether or not the credit contract will be unsuitable.20 The responsible lending provisions in the NCCP Act also contain miscellaneous rules about the need to give key facts sheets in relation to credit card contracts and standard home loans, and conduct in relation to credit cards.

In November 2020, the Australian government proposed a suite of reforms to the responsible lending obligations. These reforms were designed to stimulate the economic recovery of Australia following the systemic damage of the COVID-19 pandemic. However, these reforms were met with parliamentary opposition and are unlikely to ever be implemented.

In February 2021, the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 (Cth) was enacted. The Act amends the NCCP Act to establish a mandatory comprehensive credit reporting regime applying from 1 July 2021 and provides that a credit provider cannot refuse to provide further credit or reduce a customer's credit limit merely because financial hardship information exists. From July 2022, financial hardship reporting will be permitted within the credit reporting system. This will allow consumers to access their credit information that is held by a credit reporting body free of charge every three months. It will also require credit reporting bodies to provide consumers with their rating on a credit score scale and related information if requested by the consumer.

The fourth key limb under the NCCP Act is the imposition of criminal and civil penalties for failure to comply with an obligation in the NCCP Act or the NCC (including licensing conditions). ACLs have a general condition obliging their holder to comply with the credit legislation.21 This includes ancillary legislation discussed later in this chapter, dealing with privacy, anti-money laundering and counter-terrorism financing, and consumer protection. ASIC may take administrative action in response to non-compliance with the NCCP Act or NCC by banning a person from engaging in credit activities or imposing conditions on the person's ACL.

'Other' financial services

The provision of financial services (excluding credit) in Australia is regulated by Chapter 7 of the Corporations Act 2001 (Cth) (the Corporations Act). A person provides a financial service if they deal in, make a market for or provide advice with respect to a 'financial product'.22 A financial product is a facility through which, or through the acquisition of which, a person makes a financial investment, manages a financial risk or makes non-cash payments.23 Banking deposit products, payment facilities (e.g., stored-value cards and purchased payment facilities) and most insurance contracts are 'financial products' within the meaning of the Corporations Act.24 Credit facilities (both consumer and non-consumer) are expressly excluded from the definition of a financial product.25

Chapter 7 of the Corporations Act creates a licensing regime for the provision of financial services. Under that regime, any person who carries on in Australia a business of providing financial services must hold an Australian financial services licence (AFSL) covering the provision of the particular financial services being provided, be an employee or director of a holder of an AFSL, or be the authorised representative of the holder of an AFSL. AFSLs are granted by ASIC.

The Corporations Act distinguishes between retail and wholesale clients in relation to financial services. A person is a retail client unless they satisfy one of the conditions that qualify them to be a wholesale client.26 Broadly speaking, a retail client is the equivalent of a consumer (although the concept captures other persons, such as small businesses) and a wholesale client is someone who, because of their experience in financial services or the value of the transaction, is taken to be better able to protect their interests with regard to providers of financial services.

The Corporations Act imposes additional obligations when offering financial services to retail clients, rather than wholesale clients. A provider of financial services is required to give a retail client their financial services guide, which sets out information about the kinds of financial services provided, the remuneration of the provider, relationships of the provider that may give rise to conflicts of interest and other matters prescribed by the Corporations Act or the Corporations Regulations 2001 (Cth) (the Corporations Regulations).27 A provider of personal financial advice to a retail client must give that client a statement of advice setting out the advice, the basis on which the advice is given and other matters prescribed by the Act or the Corporations Regulations.28 A provider of financial advice to a retail client is also required to act in the best interests of the client and is prohibited from being a party to particular remuneration arrangements that are taken to carry a higher risk of creating conflicts of interest.29 A person issuing or (in certain circumstances) selling a financial product to a retail client, or advising a retail client to acquire a financial product in such circumstances, is required to give the client a product disclosure statement containing information about the benefits, risks, costs, returns and other significant characteristics of the financial product.30 The objective of these and other provisions in the Corporations Act is to ensure that retail clients have adequate information to make decisions in their interest about financial products and services. In practice, this means that some financial services are made available only to wholesale investors in order to reduce the costs of complying with the additional obligations arising from transactions with retail clients.

Failure to comply with an obligation in the Corporations Act may attract criminal or civil penalties. AFSL holders have a general obligation to comply with financial services laws, including the NCCP Act and the NCC (if applicable).31 ASIC may take administrative action in response to non-compliance with the Corporations Act by banning a person from engaging in financial services or imposing conditions on the person's AFSL.

Consumer protection under the ASIC Act

Division 2 of Part 2 of the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act) contains further consumer protections with respect to financial services – defined in substantially the same way as in the Corporations Act but including credit facilities. Consequently, the protections in the ASIC Act apply to financial services regulated by the Corporations Act and consumer credit and leases regulated by the NCCP Act. The ASIC Act prohibits unconscionable conduct (the unconscientious exploitation of a disadvantage suffered by another person), conduct that is misleading, deceptive or likely to mislead or deceive, and other unfair practices in connection with financial services.

The ASIC Act also provides that a term of a consumer or small business standard form contract for the supply of financial services is void if it is 'unfair'. A term of a contract is unfair if:

  1. it would cause a significant imbalance in the parties' rights and obligations arising under the contract;
  2. it is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by it; and
  3. it would cause detriment to a party if it were to be relied on.

A contract is a standard form contract if it was prepared entirely by one party with no effective opportunity for the other party to negotiate the terms of the contract. In proceedings seeking a declaration that a contractual term is void, a contract is presumed to be a standard form contract unless a party to the proceedings proves otherwise.

From April 2021, the unfair contract terms regime was extended to consumer and small business insurance contracts governed by the Insurance Contracts Act 1984 (Cth) (ICA). The protections apply to new insurance contracts that are entered into, or contracts that are renewed, on or after 5 April 2021 and to terms in existing contracts that are varied from 5 April 2021.

Banking regulation

Banking business – the taking of money on deposit from customers and making advances of money32 – is regulated by the Banking Act 1959 (Cth) (the Banking Act). Under the Banking Act, a person must not carry on banking business unless they are authorised to do so by the Australian Prudential Regulation Authority (APRA).33 The Banking Act is not primarily concerned with conduct towards consumers, but rather with the protection of consumers' deposited funds. Consequently, the chief obligation for an authorised deposit-taking institution (ADI) under it is to comply with prudential standards issued by APRA.

Entities wishing to commence carrying on banking business can obtain, subject to meeting APRA's standards, a restricted ADI (RADI) authorisation from APRA, as opposed to a full or standard ADI authorisation. RADI authorisation imposes less stringent obligations than full ADI authorisation, including minimum capital requirements of only A$3 million plus a reserve for costs of winding down of 20 per cent of adjusted assets. RADIs are subject to a protected deposit limit of A$250,000 per customer and A$2 million in aggregate. RADIs are also subject to a two-year time limit to achieve the requirements for full ADI authorisation or to exit the industry. The purpose of the RADI licence is to enable the holder to build resources and capability in a restricted environment. During this stage, the holder is expected to progress to fully meet the prudential requirements to ultimately secure a full ADI licence. The RADI licence regime is likely to reduce a major barrier to entry into the banking market in Australia, resulting in greater competition and choice in relation to deposit account products. The restricted ADI licence assists those with traditional and non-traditional business models and start-up institutions,34 and at the time of writing two entities have obtained RADI licences and successfully transitioned to full ADI licences. However, one of those entities, Xinjia, has since handed back its licence, citing an 'increasingly difficult capital-raising environment'.35

The provision of purchased payment facilities (PPF) is banking business under Australian law and so requires an authority or an exemption from the Payment Systems Board (PSB) of Australia's central bank, the Reserve Bank of Australia (RBA) or a limited form of ADI authorisation from APRA. This is dealt with in further detail in Section III.i.

Payment systems

Providers of payment systems – funds transfer systems that facilitate the circulation of money – are subject to the Payment Systems (Regulation) Act 1998 (Cth) (the PSR Act). Under the PSR Act, the RBA through the PSB may designate a payment system if it considers it to be in the public interest to do so. The RBA may then impose access regimes and standards on participants in a designated payment system, and arrange for the arbitration of disputes between participants in a designated payment system. At the time of writing, the major credit, debit and prepaid card payment systems (Mastercard, Visa, American Express and EFTPOS) have been designated by the RBA and have had standards imposed on them. The Mastercard and Visa payment systems have also had access regimes imposed on them.36 Since 1 September 2017, all merchants have been prohibited from imposing surcharges on card transactions that exceed their cost of acceptance of cards for that payment system.37 The automated teller machine (ATM) system has also been designated and had an access regime imposed on it.38

The Privacy Act

Providers of consumer financial services in Australia are subject to the Privacy Act 1988 (Cth) (the Privacy Act) if they have, or have ever had, annual turnover greater than A$3 million.39 This is subject to certain exemptions, including in relation to media acts, employment records, political acts and practices, and related body corporate disclosures. In addition, there are some types of businesses to which the Privacy Act applies, irrespective of the size of the business. These include businesses providing health services, businesses that collect or disclose personal information for profit and contractors under contracts with the Commonwealth government.

The Privacy Act requires regulated entities to have and publish a privacy policy setting out how they deal with personal information; give certain disclosures when collecting personal information (called a privacy statement); use personal information only for the purposes for which it was collected and related secondary purposes; take reasonable steps to protect personal information and to ensure that it is correct and up to date; and give access to a person's personal information on request by the person.40

The Privacy Act, together with the Privacy (Credit Reporting) Code 2014, also regulates credit providers' abilities to provide information to credit reporting bodies (CRBs) and to use information obtained from CRBs. The types of information – 'credit information' – that credit providers may provide to CRBs are narrowly defined and, in the case of information about a person's default on a debt, a credit provider is required to give a grace period and at least two notices to the debtor before reporting the information to a CRB.41

The Privacy Act also contains a mandatory data breach notification regime42 requiring entities subject to the Privacy Act to investigate and notify both the regulator and affected individuals about 'eligible data breaches'. An 'eligible data breach' occurs if:

  1. there is unauthorised access to, or unauthorised disclosure of, information and a reasonable person would conclude that the access or disclosure would be likely to cause serious harm to any of the individuals to whom the information relates; or
  2. information is lost in circumstances where unauthorised access or disclosure is likely to occur and a reasonable person would conclude that the access or disclosure would be likely to cause serious harm to any of the individuals to whom the information relates.

Anti-money laundering and counter-terrorism financing

The lending of money, provision of a deposit account and provision of certain financial services (among other things) are 'designated services' under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act).43 Consequently, providers of such services are required to:

  1. become enrolled on the Reporting Entities Roll maintained by the Australian Transaction Reports and Analysis Centre (AUSTRAC);44
  2. adopt and maintain an anti-money laundering and counter-terrorism financing programme (the AML/CTF programme);45
  3. ensure that the board and senior management approve and oversee the operation and implementation of the AML/CTF programme;46
  4. perform customer identification procedures on customers before starting to provide a designated service to them;47
  5. provide to AUSTRAC an annual report self-certifying compliance with the AML/CTF Act;48
  6. report to AUSTRAC all international funds transfer instructions,49 transactions involving the transfer of more than A$10,000 in physical currency50 and certain suspicious matters;51
  7. appoint an AML/CTF compliance officer;52
  8. conduct pre- and post-employment screenings on employees;53 and
  9. comply with document retention obligations.

ii Regulation

ASIC is the primary regulator of financial services in Australia, responsible for administering the NCCP Act, the Corporations Act and the ASIC Act. In addition to administering the statutes for which it is responsible, ASIC also has the function of promoting:

  1. the adoption of approved industry standards and codes of practice;
  2. the protection of consumer interests;
  3. community awareness of payments system issues; and
  4. sound customer–banker relationships, including through monitoring the operation of industry standards and codes of practice and monitoring compliance with such standards and codes.54

Under the NCCP Act and Corporations Act respectively, ASIC is responsible for granting ACLs and AFSLs.

ASIC has a wide range of investigative powers at its disposal, including the power to conduct investigations of its own motion,55 to compel the production of documents56 and to compel a person to attend an examination and answer questions under oath.57

ASIC has standing to commence proceedings against persons whom it believes have contravened the NCCP Act or the Corporations Act in relation to consumer financial services. Only ASIC can seek civil penalties for contraventions of these statutes. Consumers' remedies in private proceedings are limited to compensation for losses actually suffered and injunctive and declaratory relief to restrain further contraventions of the law.58

As an alternative to court proceedings, ASIC may issue infringement notices if it has reasonable grounds to believe that a person has contravened a legislative provision eligible to be dealt with by way of infringement notice. Payment of an infringement notice is not taken to be an admission of guilt, does not amount to a conviction for an offence and bars further proceedings against the recipient in relation to the conduct to which the infringement notice relates.

ASIC may also impose conditions on a person's ACL or AFSL, or make orders banning a person from engaging in credit activities or providing financial services.

All ACL holders and AFSL holders who are authorised to provide financial services to retail clients must be members of the Australian Financial Complaints Authority (AFCA) scheme.59 The AFCA scheme is a non-judicial external dispute resolution scheme established under legislation to replace the pre-existing private schemes – the Financial Ombudsman Service, the Credit and Investments Ombudsman and the Superannuation Complaints Tribunal. External dispute resolution offers a less formal and more consumer-friendly means of resolving disputes with financial services providers, as it is not constrained by the rules of evidence and may look to legal principles, applicable industry codes or guidance, good industry practice, previous decisions and fairness in all the circumstances when deciding disputes.60

Providers of electronic payment facilities may voluntarily subscribe to the ePayments Code administered by ASIC. The ePayments Code provides additional protections to consumer users of electronic payment facilities, beyond those provided for by the law (e.g., rights to require the payment facility provider to recover mistaken payments on the consumer's behalf). Being voluntary, the ePayments Code does not have legal force, though its terms are usually incorporated into subscribers' agreements with customers and so have contractual force.

APRA is responsible for administering the Banking Act. It is empowered to authorise corporations to carry on banking business and to issue prudential standards. It also oversees credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies, most entities in the superannuation industry and purchased payment facility providers. All financial institutions regulated by APRA have attendant reporting obligations. For example, most banks are required under the Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA) to provide statistical information to APRA (though FSCODA also imposes reporting obligations on some financial institutions not otherwise subject to APRA supervision). APRA is funded largely by the industries that it supervises.61

The RBA is responsible for administering the PSR Act, including designating payment systems, imposing access regimes and standards on participants in designated payment systems, and arranging the arbitration of disputes between participants in designated payment systems.

The Office of the Australian Information Commissioner (OAIC) is responsible for administering the Privacy Act. The Privacy Act confers on the Information Commissioner a range of privacy regulatory powers. These include powers that allow the OAIC to work with entities to facilitate legal compliance and best privacy practice, as well as investigative and enforcement powers to use in cases where a privacy breach has occurred.

AUSTRAC is responsible for administering the AML/CTF Act. Like ASIC, it may commence court proceedings seeking penalties for contraventions of the AML/CTF Act. In recent times, AUSTRAC appears to have increased its enforcement efforts and has enjoyed some success in civil penalty proceedings. In 2020, it achieved by far the largest corporate penalty in Australian history when it agreed on a A$1.3 billion penalty to settle Westpac's 23 million alleged contraventions of AML/CTF programme compliance and transaction reporting obligations under the AML/CTF Act.62

The Australian Competition and Consumer Commission (ACCC) is responsible for protecting consumer, business and communal interests through promoting competition and fair trade in the market.63 It ensures that all individuals and businesses comply with the Competition and Consumer Act 2010 (Cth), including the Australian Consumer Law (the Consumer Law). It also issues debt collection guidelines in conjunction with ASIC.64