Navigating ASIC & APRA: A Compliance Handbook for Australian BaaS Partners

Your regulatory roadmap for launching embedded finance products in Australia — without the sleepless nights.

The Compliance Question That Almost Killed a $4 Million Product Launch

When Ava Chen, a Melbourne-based fintech founder, decided to embed savings accounts directly into her property management platform in early 2025, she thought the hardest part would be the technology. She was wrong.

Three months and two legal opinions later, Ava’s team was paralysed. APRA’s prudential framework demanded one set of obligations. ASIC’s licensing regime demanded another. And a looming AUSTRAC reform meant her AML program needed a complete overhaul before she could onboard a single customer. The launch stalled. Investor confidence wavered. The $4 million she’d raised was burning fast.

Ava’s story isn’t unusual — it’s the norm for Australian businesses entering the Banking-as-a-Service (BaaS) space without a clear compliance map. The opportunity in embedded finance is enormous: Australia’s embedded finance market was valued at approximately USD 11.51 billion in 2025 and continues to grow at pace. But the regulatory architecture surrounding it is unlike anything most technology founders or business operators have encountered.

This handbook exists so you don’t repeat Ava’s mistake. It translates the dense regulatory language of APRA, ASIC, and AUSTRAC into a practical, decision-ready framework that any Australian business can follow. Whether you’re a SaaS platform exploring branded cards, a marketplace considering embedded lending, or an enterprise retailer eyeing deposit products, this is your compliance starting point.

For the broader strategic context — including provider comparisons, technical architecture, and market economics — refer back to our Definitive Guide to Banking-as-a-Service (BaaS) in Australia (2026 Edition).

Why Compliance Isn’t a Cost Centre — It’s Your Competitive Moat

Many businesses approach regulatory compliance as a necessary evil: a tollbooth on the road to revenue. In the Australian BaaS landscape of 2026, that mindset is dangerously outdated.

Here’s the reality: the businesses winning in embedded finance aren’t the ones with the flashiest user interfaces. They’re the ones that institutional partners — sponsor banks, fund managers, insurance underwriters — trust enough to put on their regulated balance sheets. And trust, in financial services, is spelled C-O-M-P-L-I-A-N-C-E.

Consider it this way. A BaaS partnership is like a tandem skydive. Your sponsor bank is the instructor strapped to your back. They hold the Authorised Deposit-taking Institution (ADI) licence. They bear the prudential risk. They answer to APRA if something goes wrong. Before they jump out of a plane with you, they need to know — with certainty — that you won’t do anything that puts their licence in jeopardy.

This means businesses that arrive at partner negotiations with a robust compliance posture don’t just avoid delays — they negotiate from a position of strength. They secure better commercial terms, faster onboarding, and preferred partnership tiers. In a market where choosing the right BaaS platform can make or break your unit economics, the compliance advantage compounds over time.

Understanding APRA’s Three-Tier Framework: Where Your Sponsor Bank Sits Matters

The Australian Prudential Regulation Authority (APRA) is the guardian of financial system stability. In 2026, APRA has formalised a three-tiered approach to banking prudential requirements designed to promote competition from smaller institutions while maintaining rigorous oversight of the largest players.

Why should you, as a non-bank BaaS partner, care about a framework designed for banks? Because the tier your sponsor bank occupies directly affects the speed, cost, and flexibility of your partnership.

Tier 1 — Most Significant Financial Institutions (MSFIs)

These are banks with assets exceeding AUD 300 billion — essentially Australia’s “Big Four” (CBA, Westpac, NAB, and ANZ). They face the highest prudential and supervisory standards. Partnering with an MSFI gives you unmatched brand credibility and balance sheet depth, but the compliance requirements they impose on partners tend to be equally rigorous. Onboarding timelines can stretch to six months or longer, with extensive due diligence on your technology, data handling, and customer-facing processes.

Tier 2 — Significant Financial Institutions (SFIs)

The threshold for this tier has been raised from AUD 20 billion to AUD 30 billion in assets to keep it proportionate. SFIs include mid-tier banks like Macquarie, Bendigo and Adelaide Bank, and Bank of Queensland. These institutions face meaningful prudential requirements but with greater flexibility in how they apply them. For many BaaS entrants, an SFI sponsor bank offers the best balance of regulatory rigour and commercial agility.

Tier 3 — Non-Significant Financial Institutions (Non-SFIs)

Banks below the AUD 30 billion threshold. These institutions benefit from simplified capital and risk reporting requirements, which reduces their operational overhead — and often yours as well. Many of the banks that act as BaaS sponsor banks fall into this category. They can move faster, customise arrangements more easily, and offer more competitive pricing on compliance pass-throughs.

Think of it like choosing a co-working space. Tier 1 is a premium CBD tower — incredible address, but rigid lease terms and expensive fit-outs. Tier 3 is a flexible creative hub — faster to set up, more adaptable, and often better suited to fast-moving startups and scale-ups.

What APRA’s Licensing Simplification Means for New Entrants

APRA has committed to reducing the time taken to process new bank licence applications by half, as outlined in its Corporate Plan 2025–26. This initiative is designed to give new entrants — such as digital-only neobanks — the best possible chance of success. For BaaS partners, this is significant: it signals a growing pool of potential sponsor banks and a regulatory environment that is actively encouraging, rather than obstructing, innovation.

If you’re evaluating whether to pursue your own restricted ADI licence versus partnering through an existing sponsor bank, this is the inflection point to watch. The economics of BaaS sponsorship — including hidden licensing and implementation costs — should be weighed carefully against the long-term strategic value of holding your own licence.

ASIC’s Expanding Perimeter: From Financial Products to Digital Assets

While APRA focuses on prudential stability, the Australian Securities and Investments Commission (ASIC) governs market conduct, consumer protection, and the licensing of financial services.

For BaaS partners in 2026, ASIC’s relevance has expanded dramatically with the introduction of the Digital Asset Platform (DAP) licensing regime.

The Digital Asset Platform (DAP) and Tokenised Custody Platform (TCP) Licence

Through the Corporations Amendment (Digital Assets Framework) Bill 2025, ASIC has classified Digital Asset Platforms and Tokenised Custody Platforms as “financial products.” This means operators must now hold an Australian Financial Services Licence (AFSL) to operate lawfully.

What does this mean in plain language? If your BaaS-powered product involves any form of digital asset — whether that’s cryptocurrency trading, tokenised real-world assets, or stablecoin-based settlement — you’re now inside ASIC’s regulatory perimeter.

Key obligations under the new regime include:

  • Minimum asset holding and safeguarding standards — you must demonstrate that customer assets are segregated and protected.
  • A tailored “DAP/TCP Guide” — a disclosure document outlining your platform’s risks, fee structure, and governance arrangements.
  • Compliance with ASIC-issued custody, transaction, and settlement standards — these set the operational baseline for how digital assets are stored, traded, and finalised.

The Transitional “No-Action” Window

ASIC has granted a sector-wide “no-action” position until 30 June 2026 for businesses that have lodged a licence application. This transitional period allows existing digital asset operators to continue trading while they work toward full compliance.

For BaaS partners, this creates both opportunity and urgency. If your product roadmap includes digital asset features — even tangentially, such as stablecoin payouts or tokenised loyalty points — now is the time to begin your AFSL application process. Waiting until after the no-action window closes exposes you to enforcement risk.

The AFSL: Your Gateway Licence for Financial Services

Even outside the digital asset context, many BaaS-enabled products require an AFSL or authorisation under an existing licensee. This is particularly true if your platform provides financial product advice (even general advice), deals in financial products on behalf of customers, or operates a financial marketplace.

The good news? Many BaaS providers — including Corporate Alliance — hold their own AFSL, which means their partners can operate under their licence umbrella. This dramatically reduces the time and cost of entering the market. However, it also means you must understand the conditions of that licence and ensure your product design stays within its authorised scope.

AUSTRAC’s 2026 AML/CTF Reforms: The Compliance Deadline You Can’t Afford to Miss

If APRA is the architect of financial stability and ASIC is the guardian of market conduct, then AUSTRAC is the watchdog against financial crime. In 2026, its teeth have gotten significantly sharper.

Major reforms to the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act arrive in two waves:

  • 31 March 2026: Reforms commence for current reporting entities — this includes all existing financial service providers, remittance businesses, and digital currency exchanges.
  • 1 July 2026: “Tranche 2” entities come into scope for the first time. This captures the legal, accounting, real estate, and jewellery industries — sectors that have historically operated outside AML/CTF obligations.

What This Means for BaaS Partners

Every BaaS-enabled product that touches money — payments, deposits, lending, card programs — triggers AML/CTF obligations. Even if your sponsor bank handles the bulk of regulatory reporting, you are not exempt from your own due diligence responsibilities.

At a minimum, your AML/CTF program must cover:

  • Customer identification and verification (KYC) — both at onboarding and on an ongoing basis.
  • Transaction monitoring — detecting unusual patterns that may indicate money laundering or terrorism financing.
  • Suspicious matter reporting (SMRs) — escalating concerns to AUSTRAC within prescribed timeframes.
  • Record keeping — maintaining transaction and identification records for the required retention periods.

AUSTRAC has released “Program Starter Kits” tailored for small businesses, which provide templates and guidance for building a compliant AML/CTF program from scratch. These are a practical starting point, but they are no substitute for professional legal advice tailored to your specific product and risk profile.

Post-July 2026: AUSTRAC’s Enforcement Posture

AUSTRAC has been explicit about its priorities after 1 July 2026. Enforcement will focus on entities that wilfully ignore their obligation to enrol or that are blind to money laundering activities occurring through their platforms. The message is clear: ignorance is not a defence, and inaction will be treated as complicity.

For PropTech, e-commerce, and SaaS platforms that are embedding financial products through BaaS — many of which are explored in our guide to how non-financial sectors use BaaS to boost LTV — this represents a fundamental operational shift. Compliance must be designed into the product from day one, not bolted on after launch.

The Consumer Data Right Expansion: New Compliance Obligations from Mid-2026

The regulatory picture wouldn’t be complete without addressing the Consumer Data Right (CDR), Australia’s open banking framework. In 2026, the CDR is expanding beyond traditional banks to encompass non-bank lending providers — and with it comes a new set of data-sharing compliance obligations.

Key milestone dates to mark in your calendar:

  • 13 July 2026: Product data sharing obligations commence for all relevant non-bank lenders.
  • 9 November 2026: Consumer data sharing obligations commence for “Initial Providers” (lenders with loans and leases exceeding $10 billion).
  • 10 May 2027: Consumer data sharing obligations commence for “Large Providers” (lenders with more than 1,000 customers and loans exceeding $1 billion).

Two changes are particularly significant for BaaS partners. First, the historical data requirement has been reduced from seven years to two years, which substantially lowers the cost burden. Second, Buy Now, Pay Later (BNPL) products are now explicitly included in data-sharing obligations — meaning any BaaS product with a BNPL component must be CDR-ready.

The convergence of CDR and BaaS is where compliance meets commercial opportunity. CDR provides the data. BaaS provides the capability. Together, they enable automated underwriting, AI-driven product switching, and consolidated financial management interfaces. For a deeper exploration of this intersection, see our guide on how CDR and BaaS converge in 2026.

Who Is Responsible for What? Mapping the BaaS Compliance Chain

One of the most common — and most dangerous — misconceptions in BaaS is the assumption that the sponsor bank handles all compliance. In reality, regulatory responsibility in a BaaS partnership is distributed, and the boundaries must be contractually explicit.

Here’s how the responsibility chain typically works:

The Sponsor Bank’s Responsibilities

  • Holding the ADI licence and meeting APRA’s prudential capital, liquidity, and reporting requirements.
  • Owning the deposit products and maintaining the required level of depositor protection.
  • Submitting regulatory reports to APRA, ASIC, and AUSTRAC on behalf of the licensed entity.
  • Maintaining oversight of all partners operating under its licence umbrella.

The BaaS Platform’s Responsibilities

  • Providing compliant technology infrastructure — including KYC/AML APIs, secure data storage, and audit-ready transaction logs.
  • Ensuring their platform meets the sponsor bank’s operational risk standards.
  • Managing vendor pass-through compliance (e.g., card production, fraud monitoring).

Your Responsibilities as the Brand Partner

  • Implementing front-end KYC collection and ensuring data quality.
  • Adhering to the sponsor bank’s and BaaS platform’s approved product parameters — you cannot unilaterally change features, pricing, or risk settings.
  • Maintaining your own AML/CTF program and suspicious matter reporting obligations.
  • Ensuring all customer-facing communications (marketing, disclosures, terms of service) comply with ASIC’s responsible lending and product disclosure requirements.

Think of it as a three-legged stool. Remove any one leg — the sponsor bank’s prudential rigour, the platform’s technical compliance, or your operational discipline — and the entire structure collapses.

Your Compliance Readiness Framework: Five Questions Before You Sign a BaaS Partnership

Compliance readiness is not about memorising legislation. It’s about asking the right questions early enough that the answers shape your product design, partner selection, and commercial negotiations.

Before you sign any BaaS partnership agreement, work through these five questions with your leadership team:

1. Does your product require an AFSL — or can you operate under your partner’s licence?

If your platform provides financial product advice, deals in financial products, or involves digital assets, you may need your own AFSL. If your BaaS provider holds an AFSL (as Corporate Alliance does), understand exactly which authorisations you’re operating under and whether your product fits within those conditions. Example: Oliver, a Brisbane-based SaaS founder, assumed his expense management tool didn’t need an AFSL because it “only moved money.” A compliance review revealed that the tool’s automated categorisation of spending constituted general financial product advice — bringing it inside ASIC’s perimeter.

2. Which APRA tier does your target sponsor bank occupy, and how does that affect your go-to-market timeline?

A Tier 1 (MSFI) bank may offer greater brand credibility, but expect longer due diligence cycles and more restrictive product parameters. A Tier 3 (Non-SFI) bank may offer faster onboarding and more flexible terms. Map your launch timeline against the typical onboarding cadence for each tier. Example: Isabella, co-founder of an Adelaide-based PropTech startup, initially targeted a Big Four partner for prestige. After learning the onboarding process would take nine months, she pivoted to a Non-SFI sponsor bank and launched in fourteen weeks.

3. Is your AML/CTF program designed for the post-March 2026 regime — or the old one?

The AUSTRAC reforms that commenced on 31 March 2026 introduced updated requirements for customer identification, transaction monitoring, and reporting. If your compliance program was built before this date, it likely needs updating. Don’t assume your BaaS provider’s AML tools are automatically compliant — verify independently. Example: Ethan, who runs a Perth-based digital marketplace, discovered during a routine audit that his platform’s KYC flow collected identity documents but didn’t verify them against the Document Verification Service (DVS) — a gap that would have been flagged under AUSTRAC’s updated standards.

4. Does your product roadmap touch digital assets — even tangentially?

Tokenised loyalty points, stablecoin settlement, cryptocurrency rewards — any of these features may trigger ASIC’s DAP licensing requirements. If your 12-month roadmap includes any digital asset functionality, begin your AFSL/DAP application process now. The no-action window closes on 30 June 2026. Example: Charlotte, CEO of a Sydney-based loyalty platform, planned to introduce tokenised reward points in Q3 2026. Her legal team identified that the tokens met ASIC’s definition of a digital asset, requiring a DAP licence. Because she started the application process early, she was able to launch on schedule under the no-action transitional provision.

5. Are your CDR obligations mapped and resourced?

If your BaaS product involves lending — including BNPL — check whether you fall within the CDR’s expanded scope. Map the applicable compliance dates (July 2026, November 2026, or May 2027) against your product launch and determine whether you’ll be a data holder, a data recipient, or both. Each role carries distinct technical and legal obligations.

The Australian BaaS Compliance Checklist: Your Pre-Launch Audit in Ten Steps

Use this checklist as a practical pre-launch audit. Each item should be signed off by both your legal counsel and your BaaS provider before you onboard your first customer.

  1. Licence mapping complete — You’ve confirmed whether your product requires its own AFSL, operates under a partner’s licence, or falls outside ASIC’s perimeter entirely.
  2. Sponsor bank due diligence finalised — You understand your sponsor bank’s APRA tier, their partner onboarding requirements, and their compliance pass-through expectations.
  3. AML/CTF program updated for 2026 — Your program reflects the post-March 2026 AUSTRAC reforms, including updated KYC, transaction monitoring, and SMR processes.
  4. AUSTRAC enrolment confirmed — Your business is enrolled with AUSTRAC as a reporting entity (or confirmed exempt).
  5. Digital asset assessment completed — You’ve assessed whether any product feature triggers DAP/TCP licensing obligations and initiated an AFSL application if required.
  6. CDR obligations mapped — If your product involves lending or BNPL, you’ve identified your CDR data-sharing obligations and compliance dates.
  7. Responsibility matrix documented — A clear, contractual document specifies which compliance obligations sit with the sponsor bank, the BaaS platform, and your business.
  8. Product disclosure reviewed — All customer-facing materials (terms of service, product disclosure statements, marketing copy) have been reviewed for ASIC compliance.
  9. Incident response plan in place — You have a documented process for handling data breaches, fraud incidents, and suspicious matter reporting.
  10. Ongoing monitoring framework established — Compliance is not a one-time event. You have scheduled quarterly reviews of your AML/CTF program, licence conditions, and regulatory developments.

From Compliance Confidence to Market Launch: Your Next Step

If this handbook has done its job, you now have a clear understanding of the regulatory architecture surrounding BaaS in Australia — and a practical framework for navigating it.

But understanding the rules and executing within them are two different things. The difference between a compliant product that launches on time and a stalled project that haemorrhages capital often comes down to one factor: the quality of your infrastructure partner.

Corporate Alliance provides the regulated infrastructure that Australian businesses need to launch embedded finance products with confidence. As an AFSL holder, Corporate Alliance offers Instant NPP Payments, House Accounts, Sub Accounts, and PayID with customised domain support — all built on compliant, real-time rails.

Whether you’re a platform exploring your first BaaS integration or an established business expanding into embedded finance, the compliance journey starts with the right conversation.

Ready to move from planning to launch? Contact Corporate Alliance for a consultation to discuss your specific compliance requirements and product goals.
