1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

The regulatory regime governing the fintech space broadly applies to:

  • financial services;
  • consumer credit;
  • banking;
  • consumer protection;
  • privacy; and
  • anti-money laundering and counter-terrorism financing ('AML/CTF').

Financial services: Chapter 7 of the Corporations Act 2001 (Cth) ('Corporations Act') regulates financial services, including licensing, conduct and disclosure. Entities carrying on a financial services business in Australia must hold an Australian financial services licence ('AFSL'), unless an exemption applies. For example, 'financial services' can include:

  • investment or wealth management services;
  • non-cash payment services;
  • advisory services;
  • wealth and trading platform services;
  • crowdfunding platform services; and
  • services provided by financial product crypto asset issuers and dealers.

Consumer credit: The National Credit Code (contained in the National Consumer Credit Protection Act 2009 (Cth) ('NCCP Act')) regulates consumer credit and leasing, and requires entities engaging in consumer credit activities to hold an Australian credit licence ('ACL') unless an exemption applies.

Banking and prudential: The Banking Act 1959 (Cth) ('Banking Act') regulates the banking sector, including any entity carrying on a banking business (ie, lending and taking funds on deposit), which must be registered as an authorised deposit-taking institution ('ADI'). The ADI requirement also captures purchased payment facility ('PPF') operators under the Payment Systems (Regulation) Act 1998 (Cth) ('PSR Act'), unless an exemption applies. Superannuation, life and general insurance are also prudentially regulated (see question 4.9).

Consumer law: The Australian Consumer Law (contained in the Competition and Consumer Act 2010 (Cth) ('CCA')) applies to all businesses that engage or contract with Australian consumers and includes general prohibitions on:

  • misleading and deceptive conduct;
  • false or misleading representations;
  • unconscionable conduct; and
  • unfair contract terms.

Equivalent provisions apply to financial services businesses under the Australian Securities and Investments Commission Act 2001 (Cth) ('ASIC Act').

Privacy: The Privacy Act 1988 (Cth) ('Privacy Act') regulates the handling of personal information by government agencies and private sector organisations with revenue exceeding A$3 million. It includes 13 Australian Privacy Principles ('APPs') imposing obligations on the collection, use, disclosure, retention and destruction of personal information. It also has a comprehensive notifiable data breaches framework.

AML/CTF: The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) ('AML/CTF Act') imposes customer diligence, monitoring and reporting obligations on businesses providing 'designated services' with an Australian connection. Designated services include a broad range of banking, financial services, gambling, digital currency exchange, payments and remittance activities (see question 6.1).

Other: Other reporting and ownership requirements in the financial sector exist under the Financial Sector (Collection of Data) Act 2001 (Cth) and Financial Sector (Shareholdings) Act 1998 (Cth).

1.2 Do any special regimes apply to specific areas of the fintech space?

Regulatory regimes broadly target specific activities (see question 1.1). However, regulators generally take a technologically agnostic approach to administration and do not target fintech as a discrete area.

Some business models may raise additional regulatory considerations (eg, fintechs processing large volumes of personal information and data may have a greater emphasis on privacy requirements); however, using technology to distribute regulated services does not, in itself, vary the associated regulatory obligations. For example, while a traditional lender and a challenger lender may distribute services differently, they will generally have the same regulatory obligations under the credit regime.

That said, the Australian government is consulting on approaches to regulate crypto assets as a distinct area, predominantly in response to the Senate Select Committee's 2021 final report on its review of Australia as a technology and financial centre.

In early 2022, the Treasury consulted on a proposed licensing framework for crypto asset secondary service providers. This was generally targeted towards entities providing custody, brokerage, exchange and transmission services in relation to crypto assets that are not otherwise caught under the financial services regime. At the time of writing, the Treasury has not reported on the outcome of the consultation and the recent change of government has created uncertainty around the future of such proposals. Both the new government and the Treasury have indicated that they will take a balanced approach to regulation and will prioritise a 'token mapping' exercise to identify how crypto assets and related services should be defined and regulated. A consultation paper is expected to be released soon.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Australian regulators and agencies are each mandated to administer the laws applicable to a particular industry or legal area. Of relevance to fintech, these include the following:

  • Australian Securities and Investments Commission ('ASIC'): As the corporate and product regulator, ASIC is responsible for administering the financial services, credit and markets regimes under the Corporations Act, the NCCP Act, the ASIC Act and associated regulations.
  • Australian Prudential Regulation Authority ('APRA'): As the prudential regulator, APRA is responsible for administering the banking, superannuation, insurance and prudential regimes under the Banking Act, the insurance legislation and associated regulations, as well as PPF providers under the PSR Act.
  • Reserve Bank of Australia ('RBA'): As the payment systems authority, the RBA is responsible for supervising Australia's core banking and payment systems, including in relation to payment schemes and PPF providers under the PSR Act that are to be authorised and supervised by APRA.
  • Australian Competition and Consumer Commission ('ACCC'): As the competition regulator, the ACCC is responsible for promoting competition and fair consumer outcomes across all businesses under the CCA.
  • Office of the Australian Information Commissioner ('OAIC'): An independent agency within the Attorney-General's portfolio, the OAIC is responsible for administering and supervising privacy processes and obligations for organisations regulated under the Privacy Act.
  • Australian Transaction Reports and Analysis Centre ('AUSTRAC'): As Australia's financial intelligence agency, AUSTRAC is responsible for preventing, detecting and responding to criminal abuse of Australia's financial system, including through organisations regulated under the AML/CTF Act.

Each regulator and agency has varying levels of legislative, investigative and enforcement powers under its respective regime. For example, ASIC has the power to establish instruments that vary the application of the Corporations Act and provide relief to certain organisations from regulatory requirements, as well as the ability to investigate and penalise businesses for breaching such requirements.

1.4 What is the regulators' general approach to fintech?

Australian regulators have generally been receptive to new technology (including in the fintech and crypto asset spaces), and have sought to improve their understanding of, and engagement with, businesses by regularly consulting with industry on proposed regulatory changes. While regulators take a technologically agnostic approach to regulation (see question 1.2), they acknowledge that technology can impact on and improve the way that regulated services are provided and are open to granting temporary relief to allow new businesses to test the Australian market with less onerous regulatory obligations. This includes through the enhanced regulatory sandbox, which is a 24-month conditional exemption from the requirement to hold an AFSL or ACL to test financial or credit services and products (as relevant) in the Australian market.

ASIC is a founding member of the Global Financial Innovation Network, a global network of regulators and organisations designed to enhance regulatory cooperation across jurisdictions for new and innovative fintech businesses entering Australia. ASIC and AUSTRAC have each established an Innovation Hub designed to assist new market entrants in understanding their obligations under Australian law, with ASIC's Digital Finance Advisory Panel advising on approaches to regulating the fintech sector.

ASIC has also entered into a number of cooperation agreements with overseas regulators, which aim to better understand the regulatory approach and product offerings in other jurisdictions.

1.5 Are there any trade associations for the fintech sector?

There are a range of grassroots and established trade associations throughout Australia, varying from communities promoting specific product and service verticals within the industry to those participating on behalf of the fintech sector as a whole. Prominent groups include the following:

  • FinTech Australia: FinTech Australia is a large member-based organisation that seeks to promote growth across the fintech sector and participates in policy-based discussions and consultations with government agencies to drive appropriate regulation in the industry.
  • Blockchain Australia: Blockchain Australia is Australia's peak blockchain industry network that seeks to advocate and educate a broad spectrum of industries (including fintech) to enhance the adoption of blockchain and distributed ledger technology ('DLT') across Australia. It is also a membership-based organisation and advocates the development of commensurate regulatory regimes in the blockchain and crypto space through various parliamentary and industry working groups.
  • Australian DeFi Association: The Australian DeFi Association is an industry-led group that seeks to educate the broader community on the benefits and uses of blockchain technology, particularly in relation to financial services and literacy. The group operates across most Australian states, with a view to connecting and enhancing Australia's decentralised finance community.

There are also various membership-based networks within the fintech sector that operate with a quasi-regulatory mandate. For example, Australian Payments Network is a membership-based network promoting efficiency and innovation, as well as managing risks across Australia's payments system. It provides policy and regulatory-based benefits for members while also administering procedures and regulations associated with various payment methods (eg, cards, direct debit, cheques and electronic transfers).

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

Australia has a significant adoption rate of new products and technologies across a range of industries. Within the fintech industry, this has primarily occurred through the unbundling of services traditionally provided by the banking sector. These include the following:

  • Payments: Australia has seen a proliferation of new and alternative payment systems and models that provide customers with a broader range of options to make payments online and in-store.
  • Brokerage and wealth management: A range of established Australian fintechs offer alternatives to wealth management (including spend tracking, goal saving and roboadvice), as well as brokerage across traditional equity markets (Australian and offshore) and crypto asset markets, which are increasingly becoming an integrated service offering.
  • Alternative lending and buy now, pay later ('BNPL'): Australia is one of the world's most established markets for alternative lending, particularly in relation to the BNPL model. These services provide alternative lending structures that allow customers to engage in more piecemeal uptake of credit products for specific items and services.
  • Crypto assets: Australia has a significant position in a range of crypto asset products and services, particularly in decentralised finance. From exchanges and futures markets to payments and yield platforms, there is broad adoption across the industry that seeks to transform customer financial freedom.

2.2 What products and services are offered?

See question 2.1 in relation to the spectrum of products and services that are offered within these sub-sectors. The common threads across most of these sub-sectors relate to enhancing technological integration between products and services and reducing customer and business barriers to adoption. For example:

  • many new alternative payments models and credit products seek to lower the regulatory barriers for businesses to acquire payments from multiple payment sources, while also better integrating with customer platforms and checkouts to allow for faster and more secure payments that provide customers with greater optionality for debit and credit-based payments;
  • brokerage and wealth management platforms have sought to automate finance tracking and financial decisioning for customers, while also providing expanded access to new markets and assets. For example, some platforms provide blended brokerage services across Australian and US equity markets, as well as integrated foreign exchange ('FX') services and access to new assets such as crypto assets; and
  • as noted in question 2.1, Australia's crypto asset market is defined by the creation of new financial infrastructure around crypto assets. This includes fiat to crypto onboarding, crypto exchanges and wallet services, collateralised lending and payments, yield generation and brokerage platforms, as well as integrated offboarding and merchant acquiring services.

2.3 How are fintech players generally structured?

Entity structuring is typically determined by the sub-sector and investment models associated with the relevant product or service. The most common entity structure in Australia is a proprietary company limited by shares, which provides profit sharing, decision making and limited liability benefits to shareholders.

If a fintech is considering listing its shares on a public equities exchange, this will typically trigger entity structuring requirements associated with listing, such as converting the company to a public company, which attracts additional disclosure obligations, financial requirements, governance and decision-making processes.

Investment fund structuring will generally be determined by the commercial parameters of the offering associated with investment eligibility, capital contributions and profit distribution. The most common structures are:

  • unit trusts (which allow for the unitisation of investor interests); and
  • limited partnerships (which allow for greater investment optionality and attribution among partners).

Australia also recently adopted a corporate collective investment vehicle entity scheme, which allows a company limited by shares to operate across various sub-funds and offers an alternative to trust-based managed investment schemes ('MIS').

An increasingly common model for communities within the crypto asset sector is the decentralised autonomous organisation ('DAO'). The DAO model is a popular means of governance and is typically underpinned by the use of tokens to determine membership and participation rights, with varying levels of councils and governance groups mandated with managing day-to-day operations. While the legal recognition of DAOs remains uncertain in many jurisdictions, it is common to implement a corporate agent model whereby a corporate entity (eg, a public company limited by guarantee) will engage with other corporates on the DAO's behalf.

2.4 How are they generally financed?

Entity financing is typically determined by the entity type (see question 2.3), as well as the stage of the fintech. Many of Australia's fintech providers are start-up or early-stage organisations that seek to operate at the fringes of the dominant banking sector by unbundling products and services for a better customer experience. The most common structure is the proprietary company limited by shares, and many providers will bootstrap their financing with friends and family rounds until a minimum viable product or service can be achieved. Once market adoption has been proven, many providers will seek funding through venture capital networks. Australia has a strong venture capital industry that has a committed focus on technology providers. Given the growth rate of fintech businesses, capitalisation will typically occur as equity financing (either directly or through various funds). However, entities may also seek debt financing or convertible notes for specific expansion or product enhancement projects.

Australia has had a regulatory framework around crowd-sourced equity funding ('CSF') since 2017. This model has experienced significant adoption as it allows for the operation of platforms that enable companies to seek equity funding directly from the public (subject to eligibility requirements and limitations). This has become a popular method for fintechs to source finance directly from potential customer groups.

Financing within the crypto industry has also been underpinned by direct from public financing, typically through token offerings. However, over time this has also expanded to hybrid offerings for venture capital and institutional firms, including hybrid equity and token financing.

2.5 How are they positioned within the broader financial services landscape?

As noted in question 2.4, Australian fintechs typically operate at the fringes of the banking sector to provide better customer experiences for unbundled products and services, which over time has transitioned to core banking services (as assisted by the introduction of the restricted authorised deposit-taking institution ('RADI') regime in 2018, which paved the way for technology-driven neo-banks). The 2017–2019 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry highlighted a range of deficiencies within Australia's banking sector, particularly as it relates to appropriate consumer servicing and outcomes from established institutions. Against this backdrop, fintechs have been broadly accepted by regulators and government agencies as being able to enhance consumer servicing through the use of technology and are now becoming the leaders in this space to provide appropriate and desirable consumer outcomes.

Given the emphasis on technology and integration, fintechs typically target younger demographics as recipients of financial services. However, this is expanding to other demographics as technology adoption and education rates increase.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

The level of outsourcing undertaken by fintechs is generally determined by their sub-sector and size. Australia has a healthy market for servicing back-office functions, which has led to a disaggregation of providers for operational support, many of which are utilised by start-up and early-stage fintechs. However, as businesses grow, it is common to internalise many of these functions.

If an entity operates in a highly regulated industry, there are generally requirements that must be met before certain core systems can be outsourced. For example, if a fintech is an ADI or a RADI operating in the banking sector, it will be subject to prudential standards set and administered by APRA. This includes minimum standards regarding outsourcing arrangements involving a material business activity, which can be highly prescriptive. In such circumstances, fintechs may seek to internalise certain core business units and activities.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

There are no specific laws regulating e-commerce transactions in Australia. However, there are legislative requirements that apply generally and of which fintechs should be aware when providing products or services in the e-commerce space.

  • Electronic signatures: The Electronic Transactions Act 1999 (Cth) ('Electronic Transactions Act') allows for contracting in an online environment by removing requirements usually necessary to ensure that contracts are legally binding. The Electronic Transactions Act allows certain documents requiring a handwritten signature to be executed or agreed electronically.
  • Privacy: Fintechs dealing in personal information through e-commerce transactions must comply with the Privacy Act, including the APPs (see question 5.1).
  • Consumer protections: The Australian Consumer Law in the CCA provides consumers with certain rights and protections, including product suitability guarantees and prohibitions against unfair contract terms. Consumer guarantees cannot be excluded by contract and fintechs should be aware of these minimum requirements. Fintechs should also review their standard form contracts to determine whether any terms may be 'unfair' and therefore no longer binding.
  • Disclosure: When providing services online, fintechs should ensure that their various terms, policies and conditions are in a readily accessible location and in an easy-to-understand format.
  • Spam: Under the Spam Act 2003 (Cth) ('Spam Act'), sending direct marketing materials via 'commercial electronic messages' (including emails and text messages) will generally require prior express or inferred permission from the intended recipient. It is best practice to obtain express permission by including an 'opt-in' to marketing communications at the time when customers provide their contact details. All communications must clearly identify the provider and contain 'opt-out' (ie, unsubscribe) functions.

(b) Mobile (m-commerce)

The considerations in question 3.1(a) apply equally to transactions undertaken in an m-commerce environment.

Further, fintechs undertaking telemarketing activities must comply with the Do Not Call Register Act 2006 (Cth) ('DNCR Act'), including the Do Not Call Register. This allows individuals to register their telephone and mobile numbers to opt out of receiving unsolicited telemarketing calls. Entities must check their calling lists against the Do Not Call Register to ensure that no numbers they intend to call are listed on the register. It is recommended that entities check their calling lists against the register every three months to ensure continued compliance.

(c) Big data (mining)

Collecting or mining big data raises various considerations for fintechs.

There are no laws directly prohibiting data mining or data scraping. However, fintechs should consider the Privacy Act requirements if the mining or scraping involves the collection of personal information – in particular, the requirements to:

  • manage personal information in an open and transparent way;
  • only collect personal information that is reasonably necessary for the entity's functions or activities;
  • only collect personal information directly from the individual to whom the information relates;
  • ensure that the use and disclosure of personal information are restricted to the purpose for which it was collected, unless a permissible secondary purpose applies; and
  • protect personal information from misuse.

Additionally, the Spam Act contains prohibitions against email address harvesting and the use of address harvesting software. This includes:

  • searching the Internet for electronic addresses (eg, email addresses); and
  • creating and using harvested address lists.

From a contractual perspective, fintechs must consider their terms of use for the websites they are mining or scraping data from, as these terms of use may prohibit such activities.

Regarding data sharing and portability between entities in various sectors, the consumer data right ('CDR') regime under the CCA applies in the financial services sector (see question 5.1). Once accredited under the CDR, fintechs may request that consumer-related data be shared by large data holders (eg, ADIs); but in doing so, they must comply with requirements under the CDR regime in protecting and reporting on the use of this data.

(d) Cloud computing

There are no specific laws relating to cloud computing in Australia. However, general laws impose regulatory requirements on fintechs operating in Australia, and the considerations in question 3.1(a) apply to cloud computing solutions. Fintechs should note the requirements under the Australian Consumer Law, particularly their rights (as consumers) and obligations (as vendors).

Regarding the Privacy Act, fintechs should specifically note:

  • APP 8 (offshoring of personal information); and
  • APP 11 (security requirements in relation to personal information).

Given the nature of cloud computing, these services may be hosted on servers and data centres located overseas, meaning that the personal information collected by these services is held offshore. Under APP 8, entities must ensure that all data held outside of Australia is protected to the standards of the Privacy Act and fintechs must ensure that, when choosing server or data centre providers, these providers adhere to the Privacy Act and APPs. In relation to APP 11, fintechs must take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access and disclosure. Data held in the cloud is more vulnerable to unauthorised access and entities must ensure that greater protections are given to data held through these means.

Fintechs providing products or services to government entities via a cloud services model should be aware that additional security and privacy obligations may be imposed on them, such as certification and audit requirements, or the requirement that data must be held within Australia.

(e) Artificial intelligence

The regulation of artificial intelligence ('AI') in Australia is limited, with no specific laws governing its use, development and adoption. However, Privacy Act requirements will apply to AI technologies that use personal information (see question 5.1). Importantly, the Privacy Act does not contain a specific principle related to automated decision making (eg, as is available under the General Data Protection Regulation); however, privacy reforms may introduce a similar principle in the future.

Where an AI product contains facial recognition technology or uses other biometric information, this is considered 'sensitive information' and further Privacy Act obligations apply. Fintechs using this type of AI must obtain consent from individuals prior to collecting, using and disclosing biometric information.

Fintechs should also consider any discrimination or biases that may arise from their use of AI products. Australia has various anti-discrimination laws prohibiting discrimination against persons due to their sex, race, disability, age or other attributes. Fintechs should monitor their AI products to ensure such discriminatory outcomes are not experienced.

Despite the lack of specific regulation, AI is an area of interest for Commonwealth and state governments. Various strategies, guidance and frameworks have been implemented across all levels of government, providing information on the government's current approach to AI integration and adoption in Australia. While not currently legal requirements for the private sector, they provide guidance on the Australian government's vision and concerns associated with AI adoption. Notably, the Commonwealth government has designed eight AI Ethics Principles, which provide a voluntary framework designed to complement (but not substitute for) current AI practices. These may provide insight into how Australian governments may regulate AI in the future.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

There are no specific laws regulating blockchain or other DLT in Australia. However, ASIC maintains a public information sheet (INFO 219 Evaluating Distributed Ledger Technology) outlining its approach to the regulatory issues that may arise through the implementation of blockchain technology and DLT solutions more generally. Fintechs considering operating market infrastructure or providing financial or consumer credit services using DLT will remain subject to the compliance requirements that currently exist under the applicable licensing regime. There is a general obligation that entities relying on technology in connection with the provision of a regulated service must have the necessary organisational competence and adequate technological resources and risk management plans in place. While the existing regulatory framework is sufficient to accommodate current implementations of DLT, additional regulatory considerations will arise as the technology matures. Various cryptocurrency networks have also implemented 'smart' or self-executing contracts. These are permitted in Australia under the Electronic Transactions Act and equivalent Australian state and territory legislation, provided that they meet all the traditional elements of a legal contract.

While crypto asset services may already be captured under existing regulatory regimes (eg, dealing in crypto assets that are financial products will trigger AFSL considerations), various reviews have highlighted a perceived gap regarding the regulation of service providers for crypto assets that are not caught under these regimes. As noted in question 1.2, Australia is currently undergoing a period of regulatory change as the Australian government considers approaches to regulating crypto assets and providers as a discrete area of law.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

As noted in question 2.4, Australia has had a crowd-sourced equity funding (CSF) regime for companies to raise funds from large pools of investors by utilising licensed CSF platforms instead of listing on a securities exchange. While the regime reduces the regulatory barriers to investing in small and start-up businesses, the framework also includes certain licensing and disclosure obligations for CSF intermediaries (ie, persons listing CSF offers), including the requirement to hold an AFSL.

There is no specific regulatory framework applicable to crowd lending services. The Australian government has previously indicated its intention to consult on the extension of the existing CSF regime to debt funding; however, at the time of writing, this has not occurred.

As noted in question 1.1, providing consumer credit services (eg, providing loans to individuals for domestic, personal or household purposes) will trigger the requirement to hold an ACL and comply with associated obligations. Where peers provide loans to other peers, they should consider whether the need to hold an ACL arises. Providers of marketplace lending products (including peer-to-peer lending services) may generally need to hold an AFSL and comply with associated obligations. Further, if the operator is aware that its platform is being used by unregulated persons providing credit to third parties without holding an ACL, this can give rise to regulatory intervention and enforcement processes.

(b) Online lending and other forms of alternative finance

As noted in question 1.1, providing consumer credit services (eg, providing loans to individuals for domestic, personal or household purposes) will trigger the requirement to hold an ACL and comply with associated obligations. Similarly, all loans (including business loans that are not regulated under the NCCP Act) are subject to consumer protection provisions in the ASIC Act, including prohibitions on misleading or deceptive conduct. Providing loans will also trigger enrolment, customer diligence, monitoring and reporting requirements under the AML/CTF Act. The fact that credit services may be provided online does not vary the regulatory requirements associated with the services, but may impact on how the provider complies with such requirements.

As noted in question 2.1, Australia has a strong alternative finance sector providing consumers with an expanded range of credit options (eg, BNPL). These products are typically characterised by short-term or no-cost credit structures, and it is common for such products to fall within defined exemptions from the requirement to hold an ACL. These exemptions provide limited relief for products meeting prescriptive requirements that are considered to lower consumer risk.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb))

Payment services may be regulated as financial services where they relate to ADI deposit-taking facilities or non-cash payment ('NCP') facilities. NCP facilities are facilities through which a person can make a payment otherwise than through the delivery of physical currency and can capture a broad range of value transfer mechanisms (including online marketplaces). NCP facility providers must hold an AFSL or be exempt from this requirement (eg, exemptions capturing gift vouchers and loyalty schemes).

Where the service includes a digital wallet allowing customers to pre-fund amounts to make payments to third parties, it may also be regulated as a PPF under the PSR Act, requiring the operator to be an ADI or be exempt from this requirement (eg, exemptions capturing limited value and payee facilities).

Providing the above services will typically trigger AML/CTF obligations covering remittance services and stored value cards. AUSTRAC has increasingly been taking a broad view of the concept of remittance and has recently applied it to value transfers within marketplaces.

The Australian government has recently concluded a raft of reviews into Australia's payments systems, stored value facilities and mobile digital wallets. Among the recommendations are significant shifts to bring new payments and digital stored value facilities within the regime. While still subject to industry consultation, many of the recommendations focus on reshaping the regulatory regime to capture integrated payments models, as well as expanding the definition of PPFs to capture a broader range of stored value facilities.

(d) Forex

Foreign exchange (FX) contracts (ie, contracts to buy, sell or exchange one currency (whether Australian or not) for another currency) which are not settled immediately are financial products under the Corporations Act. Entities advising or dealing in FX contracts will trigger the requirement to hold an AFSL or be exempt from this requirement. In the fintech context, FX services are regularly coupled with domestic or international transfer or payments services and can therefore trigger additional AFSL considerations in relation to NCP facilities.

Providing FX will also trigger enrolment, customer diligence, monitoring and reporting requirements under the AML/CTF Act. If the service also captures funds transfer or payments functionality, this may trigger additional AML/CTF obligations in relation to remittance services.

(e) Trading

There are a range of functions that fintechs play in the financial product trading sector. These include the following:

  • Brokerage: Advising clients and dealing on their behalf in relation to trading financial products (eg, securities, derivatives) will trigger the requirement to hold an AFSL or be exempt from this requirement. This can also attract AML/CTF obligations in relation to acting as a client's agent in acquiring or disposing of securities, derivatives, carbon units and FX contracts (as relevant). Brokerage services are also gaining traction in the crypto asset space. While acting as a broker for a client in relation to crypto assets that are not financial products does not, of itself, trigger regulatory outcomes, many providers are developing sufficiently equivalent compliance frameworks to manage consumer risks. This exercise is also undertaken to become 'institutional ready' for the implementation of any proposed licensing frameworks in the future.
  • Platforms: Wealth management platforms providing customers with access to financial products may be treated as MISs or investor directed portfolio services. Interests in such platforms are financial products, triggering the requirement for the operator to hold an AFSL. Operating such platforms also attracts enrolment, customer diligence, monitoring and reporting requirements under the AML/CTF Act.

(f) Investment and asset management

Investment and asset management services can range from fund establishment and operation to managed discretionary accounts, each of which broadly relates to advising and dealing in financial products for customers and will trigger the requirement to hold an AFSL or be exempt from this requirement. Dealing in financial products on behalf of customers will attract AML/CTF obligations.

Australia has also seen an increase in the volume of wholesale and retail funds investing in crypto assets (typically single asset funds holding Bitcoin or Ether). While underlying assets may not be financial products, financial services licensing considerations apply to the operation of the fund in which they are held. This requires fund operators, advisers and distributors to comply with financial services laws, and will typically require the engagement of a specialist crypto asset custody provider to meet the minimum regulatory standards associated with holding fund assets.

(g) Risk management

The Corporations Act includes a general definition of 'financial product' capturing (among other things) facilities through which a person can manage a financial risk. A person manages a financial risk if it manages the financial consequences of particular circumstances happening or avoids or limits the financial consequences of fluctuations in, or the value of, receipts or costs.

While standard risk products such as derivatives and insurance contracts (see question 4.9) are explicitly listed as financial products, there are various arrangements that can fall within this broader general definition of 'risk product'. In the fintech context, this typically arises in relation to product-specific extended warranties or compensation schemes where the customer pays to limit the possibility of future undesirable financial consequences. Advising and dealing in risk products (including derivatives, insurance and general risk products) will trigger the requirement to hold an AFSL or be exempt from this requirement. This will also attract enrolment, customer diligence, monitoring and reporting requirements under the AML/CTF Act. As the volume of add-on services in the fintech industry continues to expand, providers should consider whether such services may constitute general risk products.

(h) Roboadvice

As noted in questions 2.1 and 2.2, Australia has an evolving class of automated advice and wealth management providers. Automated digital advice (or roboadvice) is not independently regulated in Australia; however, where such advice relates to financial products or recommendations relating to customer investments, this can be caught under the financial services licensing regime.

Providing general or personal advice in relation to financial products triggers the requirement to hold an AFSL or be exempt from this requirement. This ordinarily involves providing an opinion or recommendation intended to influence a person's financial decisions. The rise of roboadvice has historically been an area of inquiry for ASIC, leading to the release of Regulatory Guide 255 Providing digital financial product advice to retail clients ('RG 255'). RG 255 sets out ASIC's expectations regarding how licensed providers are to manage digital and automated financial product advice given to retail clients. This includes expectations around:

  • ensuring that distribution channels are appropriate for target markets;
  • maintaining adequate resources to monitor algorithms and the quality of advice provided by digital systems; and
  • ensuring that scaled advice is provided in a manner that maintains the best interests of the client.

Fintechs should consider these frameworks before implementing roboadvice or automated finance decisioning mechanisms.

(i) Insurtech

Insurance is primarily regulated under four pieces of legislation:

  • the Insurance Act 1973 (Cth) ('Insurance Act');
  • the Insurance Contracts Act 1984 (Cth) ('Insurance Contracts Act');
  • the Life Insurance Act 1995 (Cth) ('Life Insurance Act'); and
  • the Corporations Act.

APRA is responsible for the general administration of the Insurance Act and the Life Insurance Act. Entities seeking to provide life or general insurance must be authorised by APRA and comply with associated prudential regulation and standards.

ASIC is responsible for the general administration of the Insurance Contracts Act, monitoring and promoting market integrity and consumer protection and licensing under the Corporations Act. Advising and dealing in insurance products will trigger the requirement to hold an AFSL or be exempt from this requirement. This will also attract enrolment, customer diligence, monitoring and reporting requirements under the AML/CTF Act.

Australia has an evolving insurtech market that seeks to provide alternative insurance options for specific products, services and job types (including in the gig economy). As noted in question 1.2, while the technological aspects of insurtech can enhance product and service delivery aligned with consumer outcomes, the regulation applies in a technologically agnostic manner and there are no regulations that specifically target insurtech as a discrete area.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

As noted in question 1.1, data protection and privacy are primarily regulated under the Privacy Act. Notably, the Privacy Act sets out 13 APP obligations in respect of personal information, including the following:

  • Privacy policy (APP 1): Entities must establish and publish clear and up-to-date privacy policies and procedures on their website about personal information management.
  • Collection (APP 3): Entities may only collect personal information if it is reasonably necessary for an entity's functions or activities.
  • Sensitive information (APP 3): 'Sensitive information' (eg, racial, ethnic, sexual orientation or health information) requires express or inferred consent to be collected.
  • Notice (APP 5): Entities must notify end users of certain matters when collecting personal information (eg, purposes for collection, potential disclosures (including offshore)).
  • Secondary purposes (APP 6): Entities may only use or disclose personal information for the purpose for which it was collected. Secondary purposes are only permitted with consent (subject to exceptions).
  • Direct marketing (APP 7): Entities must not use personal information to promote goods and services directly with an individual, unless an exception applies. Where permitted, communications must always include an 'opt out' of receiving direct marketing.
  • Cross-border disclosure (APP 8): Entities disclosing personal information offshore must take reasonable steps to ensure the offshore recipient does not breach the APPs.
  • Data integrity (APP 10): Entities must take reasonable steps to ensure that the personal information they collect and hold is accurate, up to date and complete.
  • Data security (APP 11): Entities must:
    • take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure; and
    • destroy or de-identify that information if no longer needed (subject to exceptions).
  • Access and correction (APPs 12 and 13): Individuals must be permitted to access and correct their personal information.

The Privacy Act is currently under review, with several areas that may be subject to reform, including:

  • stronger consent requirements;
  • introduction of a statutory tort for invasion of privacy; and
  • higher penalties for interference with privacy.

While these reforms have not been implemented, fintechs should monitor these developments.

There are privacy obligations under the Spam Act (relating to unsolicited commercial electronic messages) and the DNCR Act (regulating unsolicited commercial calling).

Fintechs should also consider the applicability of the following:

  • Consumer data right ('CDR') regime: The CDR allows for the transfer and portability of consumer data between data holders and accredited third parties. Fintechs wishing to participate must become accredited and adhere to associated obligations.
  • Notifiable data breaches regime: Under the Privacy Act, entities that suffer a personal information data breach (including where unauthorised access to, or disclosure of, personal information is likely to occur) that is likely to result in serious harm to associated individuals must notify the affected individuals and the OAIC.
  • Credit reporting: Fintechs classified as a credit reporting body or credit provider must adhere to further and specific privacy obligations under the Privacy Act in relation to the credit reporting sector.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

There are no specific laws regulating cybersecurity requirements for companies generally. However, companies in certain regulated sectors (eg, financial) are generally subject to additional cybersecurity and information security requirements:

  • Prudential Standard CPS 234: ADIs, insurance and superannuation providers are subject to further information security obligations imposed by APRA under the CPS 234 prudential standard, including maintenance of information security capabilities, information security policy frameworks, incident management mechanisms and internal auditing.
  • Security of Critical Infrastructure Act 2018 (Cth) ('SOCI Act'): The SOCI Act imposes obligations on organisations (including in the financial services and markets sector) to ensure the cyber resilience of their assets and applies only to banking assets that are "critical to the security and reliability of the financial services and markets sector". These include obligations to report on:
    • cyber incidents;
    • ownership and operational information relating to critical infrastructure assets; and
    • the maintenance of a risk management programme.
  • AFSL holders: The Corporations Act imposes general risk management obligations on AFSL holders, which have been interpreted under Australian law to include the maintenance of adequate cybersecurity risk management systems.
  • Government contracting: Depending on the level of government and confidentiality of data involved, service providers contracting with a government entity (Commonwealth or state) will typically be subject to additional cybersecurity obligations.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The regime governing anti-money laundering is:

  • the AML/CTF Act; and
  • the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No 1),

which, together, regulate entities (referred to as 'reporting entities') that provide designated services with an Australian connection.

Designated services cover a broad range of financial services that capture most fintech businesses, including:

  • account operators;
  • stored value card operators;
  • lenders;
  • insurers;
  • deposit-takers;
  • lessors;
  • financial product issuers and dealers;
  • exchange providers;
  • remittance providers;
  • funds transfer operators;
  • custody providers;
  • AFSL holders; and
  • digital currency exchange providers.

Reporting entities must:

  • enrol with AUSTRAC;
  • implement know-your-customer processes to adequately verify the identity of their customers;
  • adopt and maintain an AML/CTF program; and
  • meet ongoing obligations to monitor and report suspicious and large transactions.

Australia also has a sanctions regime that (among other things) places targeted financial sanctions on designated persons and entities. This is a dual sanctions regime that implements both:

  • multilateral sanctions set by the United Nations Security Council; and
  • Australia's own autonomous sanctions under the Autonomous Sanctions Act 2011 (Cth) and Australian Autonomous Sanctions Regulations 2011.

These laws broadly prohibit persons and entities from dealing with persons and entities from specific countries or in relation to specific sanctions (as administered by the Department of Foreign Affairs and Trade). All Australian persons and entities must comply with this regime.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

There are no specific competition laws targeting fintechs in Australia. However, the competitive dynamics driving the sector have the potential both to engage and to challenge traditional competition law principles in the CCA. For example, numerous recent government and regulator-led inquiries have considered the impact of fintech on competition in Australia's payments system. Key competition law developments arising from these inquiries include:

  • the least-cost routing initiative; and
  • the ACCC's ongoing enforcement investigation into third-party access to payments on Apple's mobile devices.

The fintech sector is characterised by smaller market disruptors competing to outpace innovation in the banking and financial services markets. In this competitive environment, traditional providers must ensure that any commercial actions taken in response to fintech disruption do not result in the foreclosure of rivals or lead to a substantial lessening of competition.

The RBA is also leading a pro-competitive initiative to promote the adoption of least-cost routing, which encourages merchants to route consumer debit card transactions via the debit network that costs them the least to accept. In a warning to payments providers attempting to circumvent these efforts, the ACCC recently commenced legal proceedings against Mastercard for allegedly tying discounted rates for credit card transactions to the exclusive use of its own debit network in its customer contracts. The ACCC also accepted a court-enforceable undertaking from the parties in the recent merger of BPAY, eftpos and NPPA, in which eftpos committed to promoting and making least-cost routing available to merchants.

Fintech innovations where underlying technologies (eg, blockchain) rely on the exchange of competitively sensitive information may also raise competition concerns. See question 1.1 for general consumer protection obligations that apply to all businesses (including fintechs).

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

There are various ways innovation in the fintech space can be protected in Australia:

  • Copyright: Copyright law in Australia protects many aspects of fintech innovation, including source code, visual features, application programming interface structures and other works. Copyright arises automatically on the creation of an original work. An important limitation is that it protects the material expression of an idea, rather than the idea itself.
  • Patents: It is challenging to secure patent protection for fintech innovations in Australia. Notably, there is uncertainty as to whether an invention that uses or features computer software or hardware will be patentable subject matter under the Patents Act 1990 (Cth) and courts will likely consider this issue on a case-by-case basis. Generally, a mere scheme, plan or discovery, and abstract ideas and information, are not patentable subject matter.
  • Confidential information: Trade secrets and know-how are particularly valuable in the fintech space, given the difficulties in securing patent protection for software. Confidential information is protected under common law; there is no statutory trade secrets regime. This means that robust contractual and practical protections in respect of confidential information are essential.
  • Trade marks: Establishing a unique brand and building goodwill in that brand is a key strategy for protection of fintech innovation in Australia, given the limitations of the other forms of protection outlined above. Australia recognises both registered and unregistered trade mark rights; however, registered trade marks are significantly simpler to enforce and commercialise.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

The Australian government offers a research and development ('R&D') tax incentive ('R&DTI'), providing tax offsets for companies conducting eligible R&D activities. R&DTI eligibility requires that a company be incorporated in Australia; if it is incorporated overseas, it must be an Australian resident for income tax purposes or otherwise be eligible through the double taxation treaty between Australia and the relevant country. The R&DTI has an A$150 million threshold on R&D claims, above which a party may be unable to receive further tax benefits.

Many fintechs have successfully applied for the R&DTI, which provides for a tax offset depending on a company's turnover and the extent of its R&D expenditure. Eligible activities must be experimental and for the purposes of generating new knowledge (eg, new or improved materials, products, processes or services).

The Australian government has also recently aligned the tax treatment of intangible assets (including copyright) with tangible assets, so that a company can self-assess the effective life of an asset for the purposes of depreciation.

State and territory governments also offer grants to fund innovation and R&D. For example:

  • the New South Wales government offers the minimum viable product grant of up to A$25,000 to help technology start-ups to engage with potential business customers to achieve market validation and first sale; and
  • the Victorian government offers grants of up to A$50,000 for Victorian technology companies to implement defined projects to develop commercial technology.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

The Fair Work Act 2009 (Cth) is the primary employment regime in Australia. It sets minimum employee entitlements, such as leave entitlements, minimum wages and termination-related entitlements. It also provides the governing framework for modern awards, enterprise agreements and disputes related to termination or industrial action (ie, strikes). Fintechs should be familiar with the following:

  • Modern awards: These instruments set out additional minimum terms and conditions of employment (eg, penalties and overtime) that apply to certain employers and industries. Relevantly for fintechs, modern awards can apply to software developers and computer engineers, administrative employees and some financial services companies.
  • Superannuation: Employers must pay employees and some contractors a percentage of their remuneration (currently 10.5%) to an approved superannuation fund and in accordance with the Superannuation Guarantee (Administration) Act 1992 (Cth).
  • Other laws: Long-service leave and work health and safety laws also apply to all Australian companies. These entitlements are governed by state or territory legislation, which means that obligations will vary depending on the location of work.

Failure to comply with these legislative regimes can result in:

  • financial penalties;
  • imprisonment in the case of some serious offences;
  • backpay of unpaid entitlements;
  • employee litigation;
  • regulatory investigations or prosecutions; and
  • reputation damage.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Other than offering competitive benefits (eg, salary, relocation and equity and share incentives) and advertising through appropriate global channels, visa sponsorship in Australia can also be used to attract specialist talent from overseas. Employers that are registered business sponsors with the Department of Home Affairs can elect to sponsor a foreign worker to obtain a visa to work lawfully in Australia for:

  • up to two or four years under the subclass 482 Temporary Skill Shortage visa; and
  • up to five years for regional positions under the subclass 494 Skilled Employer Sponsored Regional (Provisional) visa.

Relevantly to the fintech space, finance brokers, dealers, investment advisers and managers are among the list of occupations that are considered 'skilled occupations' for visa sponsorship eligibility.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Australia's fintech landscape continues to evolve as consumer preferences shift towards greater choice and flexible outcomes, particularly in relation to wealth management, payments and crypto assets. It is expected that these sectors will remain at the forefront of Australia's narrative around the proliferation of the fintech industry.

Australia's regulatory framework as it applies to the fintech industry is also on the precipice of significant change. While a raft of government reviews into payments, crypto and digital business regulatory frameworks over the past year suggest that a significant regulatory shift may occur in the second half of 2022 and into 2023, the change in government has brought into question the extent to which recommendations from these reviews will be a priority. However, regulatory clarity in many areas of the fintech industry is widely seen as a necessity for Australia to continue its push to become a centre of financial technology and innovation, and it is expected that this will result in various legislative reform proposals in the coming 12 months.

We expect that regulators will continue to provide concessions in the wake of the COVID-19 pandemic to promote business growth and product innovation; however, this will be balanced by the ongoing regulatory and enforcement focus on consumer outcomes. The coming years will provide significant opportunity for fintechs seeking to disrupt the way financial services are provided to consumers across a range of areas, and will signify a shift in the way technology products are regulated for years to come.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

A key sticking point for fintech players seeking to enter the Australian market is navigating the various regulatory regimes applicable to their business. This is particularly the case where there are varying levels of cross-jurisdictional reach and application associated with some regimes. For example, the AFSL regime can apply to offshore entities that induce Australian customers to acquire their financial services (even if provided from offshore); whereas the AML/CTF regime requires a more established geographical connection with Australia to apply. Therefore, it is vital for offshore businesses to seek and engage legal counsel early in the process to determine a roadmap that can support any rollout with an appropriate regulatory profile.

A second issue that offshore providers should consider early when entering the Australian market is local resourcing. Establishing a local proprietary company will require at least one Australian resident director. Seeking local authorisations and licences (eg, AFSL and ACL) will require the business to have appropriate resourcing to support the provision of services to the Australian market, including technological, human resources, competency, risk and compliance processes. Obtaining authorisations and licences can involve protracted lead times, which must be taken into account. Before entering the Australian market, fintech providers should consider the extent to which they wish to 'step in' to the various regulatory regimes in this jurisdiction and consider alternative structures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.