Hopping into Australia: a practical playbook for payments companies

Written By Adam Stevenson

Australia is a sophisticated, highly-banked market with high digital adoption and fast-account-to-account local payment rails. It’s also a jurisdiction where your go-to-market design determines whether you move quickly or get stuck translating unfamiliar legal concepts into operating reality. Here’s how payments companies can approach Australia with eyes wide open.

The first decision: partner-led vs. licensed

Most entrants into the Australian market choose between two paths (and many do both in sequence).

1) Partner-led distribution (fastest)

Integrate with a licensed provider by operating as a Corporate Authorised Representative (CAR) of an Australian Financial Services Licence (AFSL) holder. Under this model you arrange for your business customers to access the partner’s regulated products (e.g., non-cash payment facilities, FX) while you handle UX, onboarding and support. You must avoid giving financial product advice unless you’re authorised: keep communications to factual information (features, fees, processes) and ensure they’re fair, clear and not misleading under local advertising regulations.

2) Direct authorisation (control and longevity)

Obtain your own AFSL where your activity constitutes issuing or dealing in a financial product (for payments, usually a non-cash payment facility) or if you want to hold/safeguard customer money yourself in a wallet-like construct. If you provide remittance or FX as a designated service, you’ll also have a separate AUSTRAC registration and need to comply with local AML/CTF obligations (more below).

Map your products to Australian regulations

Payments & FX

  • AFSL: Issuing a non-cash payment facility (e.g., a wallet or platform that makes payments for customers) is typically a financial product. If you only arrange access to a partner’s facility, the CAR route can work but watch your messaging so you don’t “hold out” as the issuer of the financial product.

  • AML/CTF: If you provide remittance (accept instructions to transfer money) or currency exchange, you’re most likely a reporting entity that must register with AUSTRAC. If you’re not a remitter but you provide currency exchange or other designated services, then you’re most likely a reporting entity that must merely enrol with AUSTRAC. Whether you have to register or enrol with AUSTrAC, you’ll have to implement a risk-based AML/CTF program that covers KYC/KYB customer due diligence, transaction monitoring and regulatory reporting (SMRs/TTRs/IFTIs as applicable).

Wallets / stored value

  • Fintech obligations depend on structure: who holds funds; whether funds are redeemable; value limits; whether it’s a purchased payment facility (PPF) or other non-cash payment facility. Australian regulations can get complicated when a fintech intends to store value for customers in a wallet-like product as this may trigger bank licensing obligations.

  • Most fintechs structure their products to avoid triggering the PPF licensing regime in Australia. This is because a PPF license is a type of bank license that involves significantly more financial, technology and people resources compared to payments licenses in other markets.

  • Alternative structures include partnering with a local Australian bank that offers a tailored PPF solution for fintechs (where the bank agrees to act as the PPF provider to customers) or setting up a bank guarantee facility with a local Australian bank to leverage a regulatory PPF licensing exemption.

Reform horizon: Australia is modernising payments regulation, including a new payments licensing framework and updated oversight of stored-value/wallet products. Plan your design and timing with the reforms in mind so you don’t build for yesterday’s perimeter.

Card issuing

  • Most fintechs enter into a sponsor bank/program manager arrangement to issue cards. Your Australia entity still needs robust risk management arrangements to meet the requirements of the sponsor bank including strong outsourcing oversight procedures, financial promotions controls, and KYC/KYB alignment with the sponsor bank.

  • Fintechs seeking to directly issue cards is permissible under Australian regulations following regulatory reform several years ago. The uptake of direct issuing has increased following that regulatory reform but has been slow so fintechs generally need to provide legal opinions to card schemes to unlock the direct issuing pathway.

Acquiring

  • AFSL requirements relate to card payments (ie, outgoing payments) but not necessarily receiving funds (ie, incoming payments). This means that acquiring products can often be structured in a way to fall outside of the AFSL regulatory licensing regime supervised by the Australian Securities and Investments Commission (ASIC).

  • The Reserve Bank of Australia (RBA), separate to ASIC, supervises the interchange regulations that affect acquirers and card scheme operators. In particular, there are caps on interchange fees that materially affect commercial arrangements for fintechs that offer acquiring products in Australia when compared to other markets like the USA.

Lending

  • Lending to business customers in Australia is largely unregulated and does not necessarily require a fintech to obtain a licence. ASIC regulates lending to consumers and requires fintechs that lend to consumers to obtain an Australian Credit Licence (ACL). An ACL is not required if a fintech solely lends to business customers.

  • There are some local nuances regarding Buy-Now Pay-Later (BNPL) products and similar arrangements where ASIC’s product intervention powers need to be considered by some fintechs but, overall, lending to business customers does not require a regulatory licence from ASIC.

  • Lending is aesignated service that AUSTRAC regulates which requires fintechs that engage in lending to enrol with AUSTRAC. Enrolment with AUSTRAC is generally straight-forward as this process does not involve AUSTRAC assessing the application in detail. Nevertheless, fintechs enrolled with AUSTRAC must develop and implement an AML/CTF program.

Local regulatory “red flags”

  • Unregistered remittance activity. If you’re taking instructions and moving money, you likely need AUSTRAC registration as an “Independent Remittance Dealer” (IRD) before you start. The scope of IRD activities is broad and doesn’t necessarily involve touching customer funds, so make sure you get local advice to cover yourself. If you get the right advice from the start, the process to register with AUSTRAC as an IRD is relatively straightforward when compared to EMI licensing applications in the UK or MTL licensing applications in the USA.

  • Financial product advice. If you provide information about financial products, you need to make sure you aren’t providing “financial product advice”, which requires an AFSL or CAR authorisation. Australian law defines financial product advice as a recommendation or opinion that “is intended to influence a person or persons in making a decision about a particular financial product or class of financial products, or an interest in a particular financial product or class of financial products, or could reasonably be regarded as being intended to have such an influence”. In practice, this can cover a lot of marketing or sales activity that a fintech wishes to engage in, so care needs to be taken.

  • No-advice model. In order to avoid to need to hold an AFSL or CAR authorisation, fintechs often implement a “no-advice” model. This requires the fintech to set up internal controls to ensure that staff don’t inadvertently provide regulated financial product advice.

  • Conflicted remuneration. You may determine you need flexibility to allow your marketing and/or sales teams to provide financial product advice. If you take this approach, you need to ensure that any commercial arrangements with an AFSL holder that issues the financial product takes into account conflicted remuneration restrictions. In short, these restrictions limit volume based fees that may be paid by the AFSL holder and/or CAR.

  • Design and Distribution Obligations (DDO). DDO targets retail distribution. Many B2B products fall outside DDO, but don’t assume “business” automatically means “wholesale.” Keep eligibility gates tight and be prepared to evidence why your target market is not retail. If any features drift towards retail use, you may need a TMD and distributor controls. In practice, many fintechs take the approach of assuming their business customers are retail clients so implement DDO controls.

Data protection and cross-border processing

  • Australia’s privacy laws (ie, the Privacy Act) require lawful collection, purpose limitation, security, and accountability for overseas disclosures. The privacy laws take a principles based approach as set out in the Australian Privacy Principles (APPs).

  • If you process KYC/KYB or transaction data offshore, you need to ensure you have set up contractual and technical controls that meet APP 8 which sets out that you remain responsible for third-country vendors.

  • Generally, Australia’s privacy laws are not as stringent as the requirements imposed under the GDPR in the UK and EU or similar privacy laws in California. Many global fintechs elect to adopt the higher GDPR standard privacy requirements when entering the Australian market because it is operationally more efficient.

Operating model: what “good” looks like in Australia

Resourcing & capitalisation

  • If you intend to operate as a directly licensed entity via an AFSL or indirectly via a CAR, you will need to ensure your business is sufficiently resourced to comply with ASIC’s resourcing requirements.

  • You’ll need to inject minimum capital into your local Australian entity for this purpose but you can also set up intragroup funding agreements to avoid having to overcapitalise the local entity. Unlike capitalisation requirements in the UK for EMI licensees and the US for MTL licensees, less capital is required in Australia.

Governance & people

  • Local mind-and-management for key decisions, with clear accountability for compliance, risk, AML/CTF and ops. However, It’s possible that staff can be based outside of Australia as there is no express statutory requirement under AFSL or AML/CTF regulations that staff must be physically located in the country.

  • An outsourcing framework that documents diligence, performance/KRI reviews, audit rights, and exit plans for critical vendors is desirable as part of the fintech’s risk management framework.

AML/CTF program

  • If you take the direct licensing route, you’ll need to create an AML/CTF program that meets AUSTAC’s requirements. You can leverage your global AML/CTF program but you will need to supplement it to meet local Australian requirements (eg, ensure there is a “Part A” and “Part B” to the AML/CTF program).

  • Document an AML/CTF risk assessment tailored to your products, channels, counterparties and jurisdictions. You’ll need to submit this to AUSTRAC if you need to register as an Independent Remittance Dealler with them.

  • Your AML/CTF program will need to cover KYB/KYC with beneficial-owner capture, sanctions screening, transaction monitoring, SMR decisioning, QA, and independent review policies and procedures.

  • If you rely on a bank or financial partner for some steps, document the reliance carefully in accordance with the AML/CTF law. Where practicable, implementing a KYB/KYC reliance model can be financially attractive as it will save you time and costs having to carry out your own KYB/KYC procedure.

Financial promotions & “no advice”

  • Pre-clear with Legal content that is published on your website., especially as part of your initial launch. To give marketing teams more flexibility going forward, create a green-words/red-words list for teams (e.g., avoid “guaranteed savings,” “bank-like protection,” or implying government deposit protection).

  • If operating under a “no advice” model, implement procedures within the business to ensure staff are aware of their obligations. Carry out periodic testing on staff to ensure compliance.

Operational risk management

  • Create an operational risk management framework that includes incident management and notification runbooks (security, downtime, mis-routes, partner outages).

  • Ensure change management (eg, new products, new corridors, new payment methods, new data uses that impact Australian customers) are tied to a risk assessment, which could be set out in a Product Requirements Document (PRD).

Data & privacy

  • A “records of processing” inventory and vendor map (where KYC images and transaction metadata live; who can access; retention).

  • Transfer mechanisms and customer disclosures for offshore processing (you remain accountable under Australian Privacy Principles).

Sequencing market entry

  1. Model choice: Decide partner-led (CAR) vs direct licence per product. If you’ll do remittance/FX, map the AUSTRAC position either way.

  2. Funds-flow truthing: Lock the ledger view of money movement and safeguarding; align contracts, ops and customer terms to that truth.

  3. Regulatory artefacts: Build AML/CTF, outsourcing, operational resilience, and privacy packs; set up MI for board oversight.

  4. Sales & marketing guardrails: Train on RG 244 (“no-advice”), stand up a promotions approval path (RG 234).

  5. Reform-proofing: Sense-check design against the incoming payments licensing regime and stored-value changes; avoid technical debt that will force a rebuild later.

Bottom line

Choose your model deliberately, make the flow of funds unambiguous, keep marketing squarely factual, and treat AML/CTF and privacy as design inputs. Do that, and you can enter quickly under a partner model, then scale into direct authorisations when control and economics justify it – without rebuilding your stack to meet tomorrow’s rules.

The above content is general information and is not legal or other professional advice.

Adam Stevenson
Previous

“No PRD, No Build”: how fintech GCs can leverage product requirement documents
Next

Global ESOP: ensuring you set it up to attract the best talent