Digital assets licensing arrives in Australia

Our corporate site Contact us

This article was written in partnership with Norton Rose Fulbright.

Australia’s digital asset sector is entering a new regulatory phase. For the first time, crypto exchanges, custody providers and tokenised asset platforms will be subject to a comprehensive, purpose-built licensing framework. This shift brings digital assets firmly within the regulatory mainstream and has direct implications for governance, operational resilience and risk transfer.

On 1 April 2026, the Australian Parliament passed the long-awaited Corporations Amendment (Digital Assets Framework) Act 2026 (“the Act”), following two formal consultation processes in 2023 and 2025. The Act brings digital asset providers within the existing Australian Financial Services Licence (AFSL) regime administered by ASIC, aligning digital assets more closely with regulatory treatment of traditional financial services.

The Act received royal assent on 8 April 2026 and will commence on 9 April 2027, followed by a six-month transition period. During this runway, affected businesses will need to assess whether their operating models fall within the new definitions, determine their licensing pathway and uplift governance, controls and documentation to meet regulatory expectations.

While the reforms are intended to support innovation, they also materially raise the bar on consumer and market protections.

As commencement approaches, counterparties and insurers are likely to place greater weight on demonstrable governance, operational controls and incident readiness from digital asset providers. Organisations that use the transition runway to strengthen control evidence are typically better positioned to secure appropriate insurance coverage and reduce execution risk ahead of the deadline.

More broadly, the Act marks the formal integration of digital assets into Australia’s financial services regime. The obligations that now apply to licensed digital asset operators – safeguarding client assets, maintaining dispute resolution systems, providing standardised disclosures and operating within ASIC’s supervisory perimeter – are the same obligations that have governed traditional financial services for decades.

The Act also sits within a wider global shift towards comprehensive digital asset regulation. For organisations operating across multiple jurisdictions, the convergence increases complexity, requiring careful management of multi-jurisdictional compliance obligations, differing licensing standards and understanding how obligations interact. In this environment, proactive and coordinated risk management is increasingly essential.

Key concepts introduced by the Act

The Act introduces several new concepts into the Corporations Act 2001 (Cth) including:

Digital token: an electronic record that one or more persons can factually control.
Digital Asset Platforms (DAPs): a facility under which an operator holds one or more digital tokens on behalf of another person.
Tokenised Custody Platforms (TCPs): a facility under which an operator identifies one or more underlying assets (other than money) and creates a single digital token conferring a right to redeem or direct delivery of the underlying asset. The underlying assets are held by the operator on behalf of another person.

New financial products under the AFSL framework

DAPs and TCPs are new financial products under the AFSL framework. Businesses operating in these categories will require appropriate authorisation and will be subject to the usual AFSL obligations.

Depending on their business model, firms may apply for their own AFSL, become an authorised representative of an existing AFSL holder, or rely on a legislative exemption.

The chosen structure can also affect how liability is allocated and, in turn, how insurance arrangements should be structured. Where businesses operate as an authorised representative, through outsourcing or white-label arrangements, it is important that contractual obligations align with the insurance program in place. Misalignment can create “silent” gaps between regulatory responsibility, contractual liability and policy response.

Core AFSL obligations for digital asset providers

What licensing under the AFSL regime requires in practice

In accordance with the licence conditions and financial services laws.

Digital asset providers must maintain adequate arrangements to manage conflicts of interest that may arise in the provision of financial services.

Licensees are required to comply with applicable financial services laws and take reasonable steps to ensure representatives also comply.

Organisations must hold sufficient financial resources, technology capability and skilled personnel to deliver licensed financial services and support effective supervision and control.

Licensees must ensure that the organisation maintains the necessary competence, knowledge and skills to provide the financial services covered by the licence.

Representatives and relevant providers must be adequately trained and competent to provide financial services, including meeting applicable professional standards.

Licensees must have adequate risk management systems in place to identify and manage operational and compliance risks.

Organisations must maintain compliant internal dispute resolution procedures meeting ASIC standards and, where retail clients are served, be members of the Australian Financial Complaints Authority (AFCA).

Licensees must hold adequate professional indemnity insurance and compensation arrangements to cover potential claims from retail clients.

Organisations must meet ongoing minimum financial obligations applicable to their licence.

Licensees are required to notify ASIC of reportable situations within prescribed timeframes, including significant breaches or likely breaches of financial services laws.

What ASIC is likely to focus on

While the AFSL obligations are familiar to traditional financial services participants, ASIC’s supervisory focus in the digital asset sector is likely to centre on how the obligations are implemented in practice, particularly in relation to:

Custody and asset safeguarding: compliance with ASIC asset-holding and transactional standards, including commingling risk, insolvency exposure, and misuse of client assets.
Platform rules: preparation and maintenance of platform rules governing operations that have contractual effect with clients.
Disclosure: a tailored disclosure regime, including a platform guide (DAP/TCP guide) for retail clients.
Agents and liability: operators may appoint agents but retain full liability for their actions.
Anti-money laundering and counter-terrorism financing overlay: interaction with AUSTRAC’s new Virtual Asset Service Provider regime, which may create dual compliance obligations.

Implementation roadmap and regulatory perimeter

ASIC has published its implementation roadmap outlining an 18-month program of consultation and guidance ahead of commencement. Standards, licensing authorisations, and operational requirements will be progressively clarified.

When the no-action relief under Information Sheet 225 expires on 30 June 2026[NRFA6.1], it will remove a longstanding safety net for platforms that have historically relied on it.

Safeguarding client assets under ASIC standards raises the bar for key management, segregation, and operational continuity. What has been treated as “best-practice” for some participants becomes a legal obligation. Failures are no longer purely reputational – they may attract regulatory consequences and, in serious cases, criminal exposure.

Operator liability increases expectations on boards and senior management of licensed DAPs and TCPs to meet governance and conduct standards consistent with traditional AFSL holders.

Digital asset platforms remain high-value targets and operate in a threat environment where control failures can quickly translate into significant losses. This risk profile is one that traditional insurance was not designed to address.

Many participants will be subject to ASIC supervision for the first time. The transition period provides a finite window to uplift governance, controls and documentation.

Licensing exemptions

A targeted exemption applies to lower‑risk operators. There is available where:

the total underlying client assets are below A$5,000 per client, and
the total transaction value across all relevant platforms does not exceed A$10 million over a 12-month period.

These thresholds are designed to avoid disproportionate burdens for small, low‑risk providers while preserving retail protections for larger or riskier business models. Businesses relying on the exemption must lodge a prescribed form with ASIC.

Relying on an exemption does not eliminate exposure to risks such as theft, fraud, operational errors, outages or consumer complaints. Commercial counterparties may still require insurance as a condition of engagement. Businesses should also be alert to potential “cliff edge” effects as volumes grow and governance, controls and insurance arrangements may need to be uplifted quickly to keep pace with the regulatory perimeter and stakeholder expectations.

A separate exemption applies where services are limited to advising about the existence of, or arranging for a person to use, a DAP or TCP, and those services are not a significant part of the business.

Transition and next steps

The Australian Government has indicated it will work with ASIC and industry to ensure a smooth transition period, including guidance on how existing operators should migrate to the new AFSL settings. Staged commencement and transitional arrangements are expected, with further detail expected through regulations and regulator guidance (to be released in Q1 2027).

The legislation provides a six-month transition period from commencement. During this period, the DAP and TCP amendments do not apply while a business does not yet hold the relevant AFSL authorisations. Where an application or variation of an existing an AFSL is lodged during the transition period, the amendments do not apply until ASIC has determined that application.

Given that key liability policies, particularly professional indemnity (PI) and directors and officers (D&O) are typically written on a claims-made basis, the transition period is also a critical time to manage continuity, including retroactive dates and notification discipline. As business models evolve during the runway, brokers and insurers should be kept informed with actual operations to reduce the risk of coverage disputes later.

In practical terms, affected businesses should now:

map their business activities to the new definitions to determine whether a new AFSL or a variation is required;
assess whether current or planned operations fall within the exemption thresholds; and
where required, prepare AFSL application materials and uplift governance, risk, and controls to meet requirements.

Technical controls

The first line of defence

Robust technical controls underpin effective digital asset risk management. For custodial firms, this includes meeting or exceeding institutional-grade key management, rigorous smart contract audits, continuous monitoring and detection capabilities to identify anomalous activity early, and penetration testing aligned to the threat environment.

ASIC’s operational standards will set minimum requirements. However, organisations that build only to the regulatory baseline may carry higher residual risk and, increasingly, face higher insurance costs. The relationship between control maturity and risk transfer is direct, but not linear – and insurers in the digital asset space are increasingly sophisticated in how they assess and rate these exposures.

Governance frameworks

Board‑level accountability under the AFSL regime

AFSL status brings heightened expectations for governance and conduct. Boards and senior management of DAPs and TCPs will be accountable for compliance and conduct, supported by clear risk appetite statements, board-level risk oversight, documented policies and effective escalation pathways.

For crypto-native firms, this represents a material shift in operating discipline, requiring greater structure without losing the agility needed to innovate.

Operational resilience

Continuity and recovery matter

Licensed operators will be expected to maintain continuity and recovery standards commensurate with their client obligations. This includes documented business continuity plans, tested disaster recovery capabilities, as well as pre-arranged recovery pathways for custody failures.

In digital assets, losses can be irreversible. Prevention, early detection and rapid containment are therefore critical components of operational resilience.

Looking ahead

Australia’s digital assets licensing regime marks a significant shift in how digital asset activity is regulated and supervised. For many operators, the move into the AFSL framework will require more than a licensing application. It will demand sustained focus on governance, operational controls and risk management.

The transition period provides a finite window for organisations to assess how the new framework applies to their business models, address gaps in controls and documentation, and prepare for ongoing regulatory scrutiny. Decisions made during this period are likely to shape regulatory outcomes, operational resilience and access to risk transfer over the longer term.

Insurance programs typically need to be tailored to meet the unique exposures of digital asset custody, fiduciary duties, cyber threats, and regulatory scrutiny.

As the regulatory perimeter continues to evolve in Australia and globally, digital asset operators that take a structured, coordinated approach to risk management, working closely with their insurance broker, will be better positioned to operate with confidence under the new regime.

Learn more

Marsh continues to monitor regulatory developments affecting digital asset providers. For organisations assessing the implications of Australia’s digital assets framework, our specialists can support structured risk assessments, governance uplift and alignment of insurance arrangements with and organisation’s actual risk posture and evolving regulatory expectations. If you have questions about potential implications on your insurance program, please reach out to your Marsh representative or get in touch. 

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.

Page Compliance ID