BIN Sponsorship & AFSL: Navigating Licence Requirements for Card-Issuing Fintechs

Introduction

For many fintechs and startups, BIN sponsorship provides a vital shortcut to issue cards and enter the banking ecosystem without becoming a full member of payment networks like Visa or Mastercard. However, relying on a partner’s bank identification number (BIN) does not exempt an organisation from its own regulatory requirements under the Corporations Act 2001 (Cth). Even when a sponsor handles the primary card issuance, fintechs that market or arrange access to these financial products are often providing a regulated financial service that likely requires an Australian Financial Services Licence (AFSL).

As the Treasury introduces significant reforms to replace the non-cash payment (NCP) facility regime with specific payment functions, maintaining strict regulatory compliance is more critical than ever. This guide provides a comprehensive overview for any service provider or startup looking to navigate the complexities of risk management, Know Your Customer (KYC) obligations, and the evolving expectations of ASIC. By understanding the distinction between issuing and arranging, your fintech can build a compliant user experience for the cardholder while successfully managing the risks associated with debit, prepay, and prepaid cards.

Issuing & Arranging: A Critical Distinction

Your Fintech’s Role as an Arranger

In a BIN sponsorship model, the sponsoring financial institution typically performs the role of the “issuer.” However, the Corporations Act 2001 (Cth) also regulates entities that “arrange for” a person to acquire a financial product.

This is a critical distinction, as a fintech’s activities often fall into the category of arranging, which is generally treated as a regulated financial service.

Several key activities are strong indicators that your fintech is “arranging” or dealing in a NCP facility. These actions trigger the need for your organisation to hold its own AFSL or understand what is an Authorised Representative of the sponsor.

These activities include:

• Designing the card product, which involves setting limits, fees, and rewards, and promoting it as your company’s card, even if the sponsor is named in the fine print.
• Operating the customer onboarding process, including managing KYC checks and all customer communications related to how the payment card is used and funded.
• Controlling the user experience by integrating the card into your app or platform, which includes how the card is displayed, provisioned to mobile wallets, and how transaction histories are shown.

ASIC interprets “arranging” broadly, and a sponsor’s AFSL does not automatically provide regulatory cover for your fintech. If your business is involved in making it possible for a client to acquire a card product, you are likely providing a financial service that requires authorisation.

Legal Responsibility for Customer Funds

In any BIN sponsorship arrangement, the legal responsibility for holding customer funds rests with the issuer.

The BIN sponsor, as the licensed entity and card scheme member, performs the classic issuer roles of:

• Holding or controlling the funds.
• Operating the payment facility.
• Managing settlement obligations.

While the sponsor is the legal issuer, the fintech acting as an arranger still carries significant regulatory liability. This liability is tied to its role in distributing and marketing the financial product.

A white-label AFSL program splits liability rather than completely shifting it to the sponsor. The fintech is exposed to AFSL liability if it:

• Provides financial services without authorisation.
• Misrepresents the product.
• Breaches other obligations.

Managing White-Label Card Liability & Sponsor Risk

Shared Liability: Fintechs & BIN Sponsors

In a white-label card program, the structure is designed so that the BIN sponsor is the legal issuer of the payment card. Meanwhile, the fintech partner manages distribution and the customer relationship.

However, this arrangement splits liability rather than completely transferring it to the sponsor. Consequently, each party retains significant responsibilities and potential exposures.

The issuer, or BIN sponsor, holds the primary regulatory burden. Their liabilities typically include:

• Regulatory Compliance: As the AFSL holder and card scheme member, the sponsor is responsible for complying with the Corporations Act 2001 (Cth), ASIC guidance, and payment network rules from Visa or Mastercard.
• Risk Management: The sponsor manages prudential-style risks, such as fraud and the settlement of funds across the payment networks.
• Oversight: They must ensure that any distributors or authorised representatives, like the fintech partner, are properly appointed and monitored, as these third parties are the ones interacting directly with customers.

The white-label fintech partner is exposed to different but equally serious liabilities. These are tied to its role in marketing and distributing the financial product and include:

• AFSL Liability: The fintech faces liability if it provides financial product advice, deals in, or arranges for the issue of the card without proper authorisation. This also extends to misrepresenting the product or breaching design and distribution obligations.
• Contractual Liability: Under the BIN sponsorship agreement, the fintech is often liable for fraud losses, chargebacks, breaches of Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) laws, and operational failures in its KYC and dispute handling processes.

A significant risk in these partnerships is “regulatory mis-alignment.” This occurs when a sponsor views the program as low-risk distribution, while the fintech engages in aggressive marketing campaigns that ASIC could interpret as unlicensed dealing.

When issues like fraud or customer complaints arise, regulators often trace the activity back through the issuer to scrutinise the fintech’s conduct.

Mitigating Risk with Your Sponsoring Institution

Fintechs cannot outsource their regulatory responsibilities and must proactively manage the risks associated with their sponsoring institution. This begins with conducting robust due diligence before entering into any BIN sponsorship agreement.

A fintech must treat its sponsor as a critical service provider and integrate them into its compliance and risk management systems.

Key checks to perform on a potential BIN sponsor include verifying that their AFSL authorisations and scheme memberships cover the specific type of payment card you intend to issue, whether it’s a reloadable-prepaid card or a corporate expense card.

It is also crucial to review the sponsor’s operational capabilities, as outsourcing these functions does not transfer the ultimate AFSL obligation to manage risk. You should specifically review:

• Security protocols and PCI DSS compliance.
• Fraud controls and operational resilience.

The sponsorship agreement itself is a critical tool for risk mitigation. Your contract should clearly define roles and responsibilities and build in essential protections for your organisation. Important contractual elements include:

• Audit Rights: The right to audit the sponsor’s compliance and operational controls.
• Data Access: Clauses that guarantee access to necessary data for monitoring and reporting.
• Exit Strategy: A clear plan for termination and an orderly transition to a new sponsor, ensuring continuity if the sponsor fails or the partnership ends.

The Future of Payments Regulation: The New Licensing Framework

The Seven New Payment Functions

Australia’s payments regulation is undergoing a significant transformation, with Treasury proposing to replace the broad and often ambiguous “NCP facility” regime under the Corporations Act 2001 (Cth).

This reform introduces a more specific, functions-based licensing framework designed to provide greater clarity and create a more level playing field for all payment service providers. The new model is built around seven distinct payment functions.

These functions are categorised into two main types: stored-value facilities and payment facilitation services.

• Stored-value facilities (SVFs):
  • Issuance of payment accounts or facilities: This covers providers of accounts that store value for customers for more than two business days, such as digital wallets and prepaid accounts.
  • Issuance of payment stablecoins: This applies to issuers of stablecoins that are intended to maintain a stable value relative to a fiat currency.
• Payment facilitation services (PFSs):
  • Issuance of payment instruments: This function includes the issuance of physical or digital cards, cheques, or credentials like a PIN that allow a customer to initiate a payment.
  • Payment initiation services: These are services that instruct a payment transaction on behalf of a customer from an account held at another institution.
  • Payment facilitation, authentication, authorisation, and processing services: This broad category captures services that enable payment instructions, including pass-through digital wallets.
  • Payments clearing and settlement services: This involves the clearing or settlement of payment obligations between different service providers.
  • Money transfer services: This function covers services that send or receive money for a customer, both domestically and internationally.

Impact of New Functions on AFSL Obligations

The introduction of this functions-based framework has direct and significant consequences for a fintech’s AFSL obligations.

The new regime is designed to reduce regulatory arbitrage, meaning that fintechs currently operating outside the AFSL perimeter through structural workarounds will likely be brought into the licensing framework.

The key impact is that regulatory ambiguity will be removed, and fintechs will need to hold an AFSL for the specific payment functions they perform.

For fintechs in a BIN sponsorship arrangement, this means you can no longer assume the sponsor’s licence provides complete regulatory cover. Your organisation’s activities will be classified under one or more of the new functions, including:

• Marketing a card to end-users.
• Controlling the user experience.
• Managing the onboarding process.

For instance, providing a white-label card to customers will likely be considered “issuance of payment instruments,” a regulated function typically requiring an AFSL.

Furthermore, Treasury has proposed removing the exemption for unlicensed product issuers that use licensed intermediaries. This change would directly impact fintechs that rely on a BIN sponsor’s licence to bring a product to market, making it clear that performing a regulated function requires its authorisation.

Consequently, your fintech must:

• Audit its operations to identify which specific functions it performs.
• Prepare to meet the corresponding AFSL requirements.

Navigating Compliance for Specific Card Issuing Models

ASIC’s View: Pass-Through Wallets (Apple Pay & Google Pay)

ASIC makes a clear distinction between two types of digital wallets, each with different regulatory implications for a fintech. Understanding this difference is crucial when integrating with services like Apple Pay or Google Pay.

The two categories are:

• Pass-through wallets: These include services like Apple Pay and Google Pay, where the wallet facilitates access to an underlying payment card or account without holding a balance itself. No standalone stored value facility exists within the wallet.
• Stored-value wallets: In this model, the provider holds a balance for the user and enables payments directly from that balance. This is typically treated as a NCP facility and is subject to the AFSL regime.

When a BIN-sponsored card is tokenised for use in Apple Pay or Google Pay, the mobile wallet is generally considered a pass-through service.

Consequently, the core AFSL obligations remain with the card issuer and any fintech arranging access to the card, not with Apple or Google.

However, a fintech will almost certainly be operating a regulated financial product if it combines:

• A stored-value ledger.
• A card linked to that ledger.
• Mobile wallet provisioning.

The upcoming payments licensing reforms will further clarify this by defining separate payment functions.

A fintech that controls the user-facing wallet and funding flows should expect to be treated as performing one or more regulated payment functions requiring an AFSL.

Compliance Checks for Outsourced Card Issuers

Outsourcing is a central component of BIN sponsorship and white-label card programs, but it does not transfer regulatory responsibility.

ASIC has consistently stated that AFSL holders cannot simply pass through their obligations to outsourced providers.

This principle works in both directions:

• The BIN sponsor must supervise the fintech’s conduct.
• The fintech must treat the sponsor as a critical service provider.

Fintechs must conduct robust due diligence and ongoing monitoring of their third-party issuers and processors.

Key compliance checks include:

• Verifying Authorisations: Ensure the BIN sponsor’s AFSL permissions and scheme memberships genuinely cover the specific type of payment card you plan to issue, including any features like reloadable prepaid functions or cross-border payments.
• Assessing Operational Resilience: Review the sponsor’s and processor’s security protocols, PCI DSS compliance, fraud controls, and overall operational resilience. Outsourcing these functions does not remove your organisation’s AFSL obligation to maintain adequate systems to manage risk.
• Establishing Contractual Rights: The sponsorship agreement must include clauses that give you essential protections. These should cover the right to audit the sponsor’s controls, guaranteed access to data for monitoring, and a clear exit strategy for an orderly transition to a new partner if the relationship ends.

Structuring a Compliant BIN Sponsorship Deal

Allocating AFSL Roles & Authorisations

To structure a compliant BIN sponsorship, you must treat the deal as a deliberate licensing and distribution framework—a process often requiring guidance from specialist AFSL lawyers—not merely a commercial shortcut. A critical first step is to clearly define the regulatory roles of both the fintech and the BIN sponsor. This involves the critical decision of obtaining your own AFSL vs. becoming an Authorised Representative of the sponsor.

This decision must be formally recorded in both the sponsorship agreement and any official appointment documents. Once roles are defined, you must map out all specific activities and assign responsibility for each one to either the fintech or the sponsor. This prevents any “regulatory no-man’s land” where compliance ownership is unclear.

Key activities to allocate include:

• Marketing and promotion
• Customer onboarding and KYC checks
• Handling customer complaints and disputes
• Operational support
• Any changes to the product design

If your fintech operates as a CAR, it is essential to ensure that all public-facing information is consistent. This includes aligning:

• ASIC register entries
• Template disclosures
• Website wording

Furthermore, the sponsor must have a documented and active monitoring program to oversee the representative’s conduct.

Aligning Product Design & Marketing with Regulatory Expectations

Your product design and marketing strategies must align with regulatory expectations to avoid scrutiny. If your payment card is intended to be a low-value or limited-purpose facility, such as a single-retailer gift card, you must ensure its design fits within the parameters ASIC has outlined for regulatory relief. This typically means the card should be:

• Non-reloadable
• Not redeemable for cash
• Marketed as a gift rather than a debit or budgeting tool

All public-facing materials must be transparent about whom the legal issuer of the financial product is. Your websites, apps, and marketing collateral should feature consistent AFSL or authorised representative disclosures. Avoid using promotional language that could mislead customers, such as suggesting the card has features like “bank-grade protection” unless these claims are explicitly backed by the issuer’s arrangements.

To ensure ongoing compliance, it is wise to implement a joint marketing sign-off process. This gives the sponsor a genuine opportunity to review and veto non-compliant campaigns before they launch. Recording these approvals provides a clear audit trail if ASIC questions how oversight is being exercised.

Embedding Governance & Incident Management

A compliant BIN sponsorship requires more than just a contract; it needs an embedded governance framework. This involves creating a joint risk and compliance plan for the card program. Rather than treating the BIN sponsor as a simple processor, this plan should include:

• Shared risk registers
• Clear incident escalation paths
• Protocols for data sharing to monitor for fraud and misconduct

Dispute resolution and complaints handling processes must be aligned with AFSL and ePayments Code expectations. There should be a clear line of responsibility for responding to customer complaints, particularly concerning:

• Unauthorised transactions
• Chargebacks
• Financial hardship

Finally, your organisation should be prepared for potential regulatory reviews. Develop a consistent and clear explanation of your program’s structure, complete with diagrams of the:

• Value chain
• Contracts
• Fund flows
• Authorisations

Having this documentation ready ensures you are not improvising when responding to inquiries from ASIC.

Conclusion

Navigating the complexities of BIN sponsorship requires fintechs to understand that arranging for card issuance is a regulated financial service, necessitating an AFSL or authorisation. As upcoming payment reforms introduce a functions-based framework, treating these arrangements as transparent regulatory partnerships is essential for maintaining compliance and managing shared liability.

To ensure your organisation meets its AFSL obligations and is prepared for the future of payments regulation, contact AFSL House’s lawyers for AFSL applications. Our specialised services and tailored compliance frameworks can help turn your regulatory challenges into strategic opportunities.

Frequently Asked Questions (FAQ)