Fintech (non-bank) compliance in Victoria
Federal + Vic-specific compliance obligations for fintech (non-bank) businesses operating in Victoria.
21 total obligations; 0 Vic-specific; 18 Vic regulators.
Federal obligations also applicable
Enrol with AUSTRAC as a reporting entity
Tranche 2 entities must enrol with AUSTRAC by 29 July 2026.
Notify the OAIC and affected individuals of eligible data breaches
Eligible data breaches must be notified to OAIC and affected individuals 'as soon as practicable'.
Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Comply with Design and Distribution Obligations (DDO)
Issuers and distributors of retail financial products must have a Target Market Determination (TMD) and distribute consistently with it.
BNPL providers — credit licensing from 10 June 2025
BNPL captured by the NCCP Act as a regulated credit product from 10 June 2025.
Hold AFSL with derivative authorisations (margin lending + CFD + binary)
Issuers of OTC derivatives to retail clients face product intervention orders + tightened conditions.
Major banks must provide CDR Banking + Action Initiation (2026)
CDR Action Initiation lets accredited recipients initiate payments + actions on consumer behalf.
Maintain a written AML/CTF program
Every reporting entity needs a documented AML/CTF program — Part A risk + Part B systems.
Consumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
Crypto Asset Secondary Service Provider (CASSPr) licensing reforms
Treasury consultation 2024 on bespoke crypto licensing — separate from AFSL.
Crypto-Asset Reporting Framework (CARF) — implementation 2026-2027
AU adopts the OECD CARF for crypto reporting; reporting expected from 2027, first international exchange ~2028 (per Dec 2025 MYEFO).
Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
Publish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Payment Service Provider (PSP) licensing reform — implementation pending
Treasury reform of payments licensing to capture digital wallets + Buy Now Pay Later + stored value.
Comply with Stored Value Facility rules (banking exception)
SVF providers must operate within APRA + Treasury rules on purchased payment facility regulation.
Comply with CDR Banking (Open Banking) — major + non-major ADIs
Banking data holders must share consumer data with accredited recipients on consumer consent.
Avoid unfair contract terms in standard form consumer & small business contracts
Since November 2023, unfair contract terms attract pecuniary penalties; the maximum rises to $100M per term from 28 March 2026.
Comply with the Spam Act 2003 (consent, identify, unsubscribe)
All commercial electronic messages must have consent, identify the sender, and offer a working unsubscribe.
Comply with the ePayments Code
Voluntary but industry-standard code covering electronic transaction terms, mistaken internet payments, and unauthorised transactions.
Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.
Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.