How Australian Fintechs Can Add Crypto Features Without An AFSL

Australia's new Digital Assets Framework Bill 2025 requires crypto platforms to hold an Australian Financial Services Licence (AFSL). Penalties for operating without one can reach $16.5 million.

That single fact has scared a lot of Australian fintech teams away from crypto entirely.

However, the law only regulates platforms that operate as digital asset exchanges or custodians. It does not require every app that offers crypto functionality to become one.

There's a difference between running a crypto exchange and plugging into one. That difference is the entire basis for how your app can offer crypto features.

This article explains how that works in the Australian regulatory context, what the three main integration paths look like, and how to decide which one fits your platform.

An Australian Financial Services Licence (AFSL) is issued by the Australian Securities and Investments Commission (ASIC). It authorises a business to provide financial services (things like dealing in financial products, providing financial advice, or operating a market).

Historically, most crypto businesses in Australia only needed to register with AUSTRAC (the Australian Transaction Reports and Analysis Centre) as a Digital Currency Exchange (DCE) provider. That registration covers anti-money laundering and counter-terrorism financing obligations, but it doesn't regulate the product itself.

The Digital Assets Framework Bill 2025 changes this. It brings crypto platforms under the Corporations Act 2001, which means:

• Platforms that hold customer crypto must obtain an AFSL
• They must comply with custody, settlement, governance, and consumer protection standards
• ASIC gains broad powers to supervise and enforce compliance
• Penalties for operating without a licence can reach $16.5 million

In short, if your platform takes possession of customer crypto or exercises "factual control" over digital tokens, you are now operating a regulated financial service in Australia.

This is the concept at the heart of the new framework, and it's worth understanding clearly.

The Bill defines factual control as the practical ability to transfer a digital token or exclude others from doing so. It's not about what your terms of service say. It's about what your technology actually does.

You likely have factual control if your platform:

1. Manages or holds private keys (even via MPC or HSMs)
2. Can unilaterally approve transactions on behalf of users
3. Holds customer crypto during any part of the transaction process
4. Uses a third-party custodian but retains the ability to instruct them to move assets

Outsourcing key management to a provider like Fireblocks does not remove the licensing obligation. If you control the client relationship and can instruct the custodian, you're the regulated entity.

This distinction matters because it draws a clear line. If your platform never has factual control, because a licensed infrastructure provider handles the entire conversion, custody, and settlement process, then the AFSL obligation falls on that provider, not on your platform.

Here's a simplified breakdown.

You likely need an AFSL if you:

• Operate a crypto exchange or trading venue
• Hold customer crypto assets in custody
• Manage private keys on behalf of users
• Issue tokenised financial products
• Provide custodial staking services

You likely don't need an AFSL if you:

• Integrate a licensed third-party provider to handle conversion and compliance
• Never take possession of customer crypto
• Never manage private keys
• Act as a distribution layer, not an operator

There's also a low-value exemption. Platforms holding less than $5,000 per customer and processing under $10 million annually are exempt. But this threshold is low and most apps with any meaningful traction will exceed it quickly. So, it's not a viable long-term strategy.

Note that this is a general framework, not legal advice. The specific integration architecture determines where the regulatory boundary sits. Platforms should seek legal counsel to assess their specific setup.

Every Australian fintech evaluating crypto features faces the same architectural decision. There are three paths, and each trades off regulatory burden against user experience and control.

The simplest approach. Your app sends users to a third-party. The user creates a new account there, completes a separate KYC process, buys crypto, and transfers it back to your app manually.

Here, since your platform isn't providing a financial service, it does not require AFSL or AUSTRAC registration.

The problem:

• Users leave your app at the most valuable moment, i.e., the point of transaction
• They must create a new account and verify their identity again
• They navigate an unfamiliar interface
• They figure out wallet addresses and transfer crypto manually
• Drop-off rates compound at every step

For a fintech competing on product quality, this approach protects you legally but undermines the product. And it hands the customer relationship to the exchange.

This is the opposite extreme. Your platform builds the full conversion stack including licensing, banking integrations, payment processing, KYC/AML, crypto liquidity, fraud detection, settlement.

This requires AUSTRAC DCE registration, AFSL from ASIC (costs $50,000–$200,000 in application fees, takes 6–8 months), banking partnerships, liquidity management, and ongoing compliance.

This path is best for platforms where crypto conversion is the core product, where controlling the full flow is a competitive advantage, and where the team has the capital and expertise to operate a regulated financial service.

For fintechs where crypto is a feature, not the business, this path is overkill. If your core product is payments, banking, lending, or remittances, building a full exchange diverts engineering and compliance resources away from what makes your platform valuable.

This is the path that most fintech platforms globally are choosing.

Instead of redirecting users or building from scratch, the platform integrates with an AUSTRAC-registered infrastructure provider that handles payment processing, KYC, AML/CTF compliance, crypto liquidity, conversion, and settlement.

The platform controls the user experience. The provider handles the regulated machinery behind it.

What the user sees is a conversion flow inside the app they already trust. They select an amount, choose a familiar payment method, and receive crypto in their wallet.

What happens behind the scenes is that the infrastructure provider verifies the user's identity, processes the AUD payment, executes the conversion, monitors the transaction for compliance, and delivers the crypto to the specified wallet address.

Two integration models exist:

A single fiat-to-crypto conversion is not a simple transaction. It's a chain of regulated activities. Here's what Transak manages so your platform doesn't have to:

• Identity verification (KYC)
• Payment processing
• AML/CTF compliance
• Travel Rule compliance
• Conversion and liquidity
• Crypto delivery
• Fraud and chargeback management

Transak holds registrations and licences across multiple jurisdictions; AUSTRAC DCE registration in Australia, FCA registration in the UK, FinCEN MSB registration and state money transmitter licences in the US, and authorisations across the EU, Canada, and India. For Australian fintechs that also operate internationally, this means the same infrastructure provider can cover multiple markets without stitching together separate regional integrations.

Also Read: Transak Expands to Australia

No. It follows the same principle that operates across all financial services where regulated activities are performed by regulated entities, and other platforms integrate with them.

• Payment apps use licensed payment processors
• Lending apps use licensed credit providers
• Investment platforms use licensed custodians
• Fintechs use AUSTRAC-registered on-ramp and off-ramp providers like Transak

The regulatory obligation attaches to the entity performing the regulated service and not to every app that connects to it. This is not a loophole. It's how regulated infrastructure works.

The critical requirement is that the integration architecture genuinely separates the regulated activities from the platform's operations. If the platform intermediates funds, holds crypto during the conversion, or exercises factual control over tokens at any point, the analysis changes.

Also Read: What Is the European Travel Rule and How It’s Impacting Crypto Payments

As the infrastructure provider behind 450+ apps globally, including MetaMask, Ledger, and BitPay, and now AUSTRAC-registered in Australia, Transak can walk your team through integration options, supported payment methods, asset coverage, and compliance handling for the Australian market.

Integrate Transak Today