A Guide to How Crypto Exchanges Can Prepare for the New AFSL Rules

Key Takeaways

  • Mandatory AFSL Thresholds: A crypto platform must hold an Australian Financial Services Licence if it holds digital assets over A$5 million in total or more than A$1,500 for any single client under the Treasury Laws Amendment (Regulating Digital Asset, and Tokenised Custody, Platforms) Bill 2025 (Cth).
  • Application Roadmap: Secure the licence by submitting a detailed business plan, audited financials, a compliance and risk‑management framework, and a custody policy aligned with ASIC’s RG 133, and by appointing qualified Responsible Managers; smaller operators may rely on the defined exemptions but must formally notify ASIC.
  • Severe Penalties for Non‑Compliance: Operating without an AFSL breaches the Corporations Act 2001 (Cth) and can attract fines up to $16.5 million, three times the benefit gained, or 10% of turnover, plus possible imprisonment of up to five years for individuals.
  • Underlying Legal Principle: The reform applies the “same activity, same risk, same regulatory outcome” approach, integrating Digital Asset Platforms (DAPs) and Tokenised Custody Platforms (TCPs) into the existing Corporations Act 2001 (Cth) framework.

Introduction

The era of unregulated crypto exchanges in Australia is ending, with new draft legislation set to bring cryptocurrency platforms and digital asset custodians under the established Australian Financial Services Licence (AFSL) regime. This proposed reform, detailed in the Treasury Laws Amendment (Regulating Digital Asset, and Tokenised Custody, Platforms) Bill 2025 (Cth), formally integrates these operators into the existing financial services framework under the Corporations Act 2001 (Cth).

For crypto exchange operators, securing an AFSL is now a mandatory requirement for legal operation, representing a significant shift beyond basic Australian Transaction Reports and Analysis Centre (AUSTRAC) registration. This guide provides a practical roadmap for exchange leaders and compliance officers, breaking down the new obligations and answering the core question of how to obtain an Australian Financial Services Licence and meet the Australian Securities and Investments Commission’s (ASIC) expectations for consumer protection, custody, and disclosure.

The New Digital Asset Platform Regime Explained

Overview: Treasury Laws Amendment Bill 2025

The proposed Treasury Laws Amendment (Regulating Digital Asset, and Tokenised Custody, Platforms) Bill 2025 (Cth) signals a major regulatory shift for the Australian crypto industry. This draft legislation brings cryptocurrency exchanges and custodians into the established financial system by amending the Corporations Act 2001 (Cth).

Under this new regime, crypto platforms will be treated as providing a financial service and must hold an AFSL. This moves the sector beyond the previous AUSTRAC-only registration for anti-money laundering purposes, aligning digital asset platforms with traditional financial service providers like banks and brokers.

The government’s approach follows the principle of “same activity, same risk, same regulatory outcome,” with the primary goal of enhancing consumer protection and market integrity.

Defining Digital Asset Platforms (DAPs) & Tokenised Custody Platforms (TCPs)

The draft legislation introduces two new categories of financial products that form the foundation of the regulatory framework:

Platform Type | Definition & Scope
Digital Asset Platform (DAP) | A facility where an operator possesses one or more digital tokens on trust for a client. This includes services like trading venues, brokerages, custodial wallet providers, and staking-as-a-service platforms.
Tokenised Custody Platform (TCP) | A facility where an operator holds an underlying asset (e.g., gold, shares) and creates a unique digital token representing the right to redeem that asset. This covers services issuing “wrapped” tokens or tokenised real-world assets.

The regime specifically targets platforms performing a custodial function by holding assets for others. Consequently, certain services are excluded from these definitions, such as providers of self-hosted wallets where users retain control of their private keys, and platforms facilitating non-financial digital assets like in-game collectibles.

AFSL Licensing Thresholds & Exemptions

An AFSL becomes mandatory for any crypto exchange operator that crosses specific asset-holding thresholds. The requirement to hold an AFSL is triggered if a platform meets either of the following conditions:

  • It holds digital assets with a total value exceeding A$5 million in aggregate.
  • It holds digital assets valued at over A$1,500 for any individual client.

The draft legislation also provides common exemptions from AFSL requirements for smaller, low-value operators to reduce their regulatory burden. A platform may be exempt from needing an AFSL if it stays below certain limits, such as:

  • Holding less than $5,000 per client
  • Facilitating under $10 million in total annual transactions

However, these exemptions are tightly defined, and any operator intending to rely on them must formally notify ASIC. Most crypto exchanges operating at scale are expected to exceed these thresholds and will therefore be required to hold an AFSL.

Core AFSL Obligations for Digital Asset Platforms

Custody & Settlement Standards for Digital Assets

Under the new regime, licensed crypto exchanges must adhere to stringent standards for the custody and settlement of digital assets, bringing them in line with traditional financial services. ASIC’s updated Regulatory Guide 133 (RG 133) now explicitly applies to crypto-assets, setting minimum expectations for how platforms safeguard client funds.

These rules are designed to prevent the commingling of funds and protect consumers from losses due to operational failures or theft. To comply, platforms must demonstrate robust custody arrangements that include several key components:

Custody Component | Description & Requirement
Asset Segregation | Client digital assets must be held separately from the exchange’s own corporate funds, ideally on-chain through unique wallet addresses to protect them in case of insolvency.
Secure Private Key Management | Platforms must implement industry-best practices, including a mix of hot/cold storage, multi-signature arrangements, and hardware security modules (HSMs) to prevent single points of failure.
Regular Reconciliations | Exchanges must perform regular reconciliations of client asset holdings to ensure internal records match on-chain data and all client funds are accounted for.
Operational Resilience | Custody systems must undergo regular, independent AFSL audits, penetration testing, and be supported by comprehensive business continuity and disaster recovery plans.

In addition to custody, the draft legislation requires platforms to establish clear and unambiguous rules for transaction settlement. Exchanges must document how trades are executed and cleared, ensuring settlement finality so that once a transaction is recorded, it is irreversible and transparent.

Governance Frameworks & the Role of Responsible Managers

A cornerstone of the AFSL regime is the requirement for a robust governance framework that ensures the platform operates efficiently, honestly, and fairly. This involves establishing clear lines of accountability, implementing comprehensive compliance and risk management policies, and effectively managing any conflicts of interest that may arise from vertically integrated business models.

A critical component of this framework is the appointment of competent Responsible Managers (RMs). These individuals are directly responsible for overseeing the financial services provided and must demonstrate to ASIC that the exchange has the necessary organisational competence.

According to ASIC’s RG 105, RMs must have the appropriate knowledge, skills, and, crucially, Australia-specific experience relevant to the financial services being offered. Nominating founders or overseas executives without this localised regulatory experience is a common reason for application delays or rejections.

New Disclosure Rules: The Platform Guide & Platform Rules

The new legislation introduces a tailored disclosure regime for digital asset platforms, replacing the traditional Product Disclosure Statement (PDS) with documents better suited to the crypto environment. This change is intended to provide retail clients with clear, concise, and effective information about the platform’s services and risks.

The new disclosure obligations require two key documents:

Document | Required Content
Platform Guide | Must explain the platform’s operational mechanics, fees and charges, asset holding arrangements, and the significant risks involved for retail clients.
Platform Rules | Must cover client eligibility criteria, trading protocols, settlement procedures, fee structures, and the processes for handling complaints and disputes.

Preparing Your AFSL Application: Key Proof Documents

Your Business Plan & Financial Projections

A successful AFSL application requires a detailed business plan that clearly explains your crypto exchange’s operations. This document should:

  • Precisely outline the financial services you intend to provide (trading, staking, custody)
  • Define your target market and operational model
  • Detail your corporate and management structure to demonstrate clear accountability

Alongside your business plan, robust financial documentation is essential, including the B5 Financial Statements and Financial Resources core proof. ASIC expects:

  • Recent audited financial statements
  • Forward-looking projections for at least 3–5 years that are realistic and comprehensive
  • Accounting for all operational expenses, including compliance costs, custody security, and Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program implementation

It’s important to avoid overly optimistic forecasts that ignore market volatility or underestimate compliance overheads, as these are common red flags for regulators.

The Compliance Plan & Risk Management Framework

Your formal compliance plan serves as a blueprint for meeting all regulatory obligations under the AFSL regime. This document should detail your procedures for:

  • Custody and platform operations
  • Disclosure practices
  • Managing conflicts of interest
  • Integrating AUSTRAC obligations
  • Handling customer complaints
  • Ensuring accuracy in marketing materials

A separate but equally important requirement is a comprehensive risk management framework that identifies and outlines mitigation strategies for crypto-specific risks. Your framework should address key areas, including:

  • Market Volatility: Policies for managing risks associated with rapid and severe price fluctuations
  • Cybersecurity Threats: A detailed plan for preventing, detecting, and responding to cyberattacks and security breaches
  • Technology Risks: Procedures for managing risks related to blockchain infrastructure, smart contract vulnerabilities, and platform outages
  • Regulatory Risks: Processes for monitoring and adapting to changes in the financial services landscape
  • Business Continuity: A disaster recovery plan to ensure operational resilience during significant disruptions

The Custody Policy & AUSTRAC Integration

A comprehensive custody policy is a critical proof document that details exactly how you will secure and safeguard client assets. This policy must align with ASIC’s guidance and describe:

  • Your wallet architecture, including the separation of hot and cold storage solutions
  • Private key management protocols, such as multi-signature arrangements and HSMs
  • Measures to prevent single points of failure

Finally, your AFSL application must demonstrate that your AUSTRAC registration and AML/CTF program are already in place and fully integrated into your compliance framework. ASIC and AUSTRAC work closely together, and treating your AML/CTF obligations as separate or secondary is a critical error.

Your application should include evidence of your AUSTRAC registration and provide detailed AML/CTF policies and procedures, showing a cohesive approach to financial crime prevention from day one.

Common AFSL Application Mistakes by Crypto Exchanges

Appointing Unsuitable Responsible Managers

A primary reason for the delay or rejection of an AFSL application, and one of several common mistakes applicants make, is the nomination of unsuitable RMs.

Crypto exchanges often appoint founders or overseas executives who, despite having impressive international credentials, lack the specific, Australia-relevant regulatory experience that ASIC requires. ASIC assesses organisational competence based on the demonstrated, local knowledge of your RMs, particularly in financial services or crypto markets.

To avoid this pitfall, your nominated RMs must clearly meet the competency standards outlined in ASIC’s RG 105. This involves selecting individuals with a proven track record in the Australian financial services environment who can demonstrate hands-on experience with the specific authorisations your crypto exchange is seeking.

Submitting Weak Financials & Overlooking AML/CTF Integration

Two frequent errors that signal a lack of operational readiness to ASIC are:

  • The submission of unrealistic financial projections
  • The failure to integrate AML/CTF obligations

Many applicants provide forecasts that are overly optimistic, ignoring significant operational expenses such as compliance, insurance, and the impacts of market volatility. ASIC views these as red flags, so it is crucial to use conservative, stress-tested projections that show how your exchange can remain solvent even in market downturns.

Equally critical is the integration of your AUSTRAC obligations. Some crypto exchange operators treat their AML/CTF program as a separate formality to be addressed after the AFSL is granted. However, ASIC and AUSTRAC work closely together and expect your AFSL application to reference a fully implemented AML/CTF framework from the outset.

Submitting an application without being registered with AUSTRAC is a significant mistake that will cause your application to falter.

Using Inadequate Custody Solutions & Technology

Another common mistake is attempting to reuse offshore or generic custody systems that do not meet Australia’s stringent local standards. ASIC’s updated RG 133 explicitly applies to crypto-assets and sets high expectations for how client funds are secured. A failure to meet these standards can lead directly to a rejected licence.

ASIC will closely scrutinise your custody architecture, and your application must provide detailed technical policies and diagrams to prove your platform is secure and resilient.

Key areas that must be addressed include:

Key Area | Requirement
Asset Segregation | Demonstrate how client digital assets are held separately from corporate funds, ideally on-chain in unique wallets.
Wallet Architecture | Provide a clear description of hot and cold wallet splits and the security protocols for each.
Private Key Management | Detail robust procedures for managing private keys, such as using multi-signature arrangements and HSMs.
Resilience and Recovery | Present comprehensive business continuity and disaster recovery plans to protect assets from outages or cyberattacks.

Viewing the AFSL as a One-Time Task

Finally, many crypto firms mistakenly believe that compliance work ends once the AFSL is granted. In reality, obtaining the licence is just the beginning of your regulatory journey. ASIC engages in continuous supervision and expects an ongoing commitment to all compliance obligations.

Failing to budget for and implement sustained compliance measures is a critical error that can lead to severe consequences.

Ongoing responsibilities include:

  • Regular breach reporting
  • Annual audits and governance reviews
  • Refreshed training for staff and RMs

A failure to maintain these standards post-approval can result in ASIC suspending or even cancelling your AFSL. Therefore, it is essential to cultivate a lasting compliance culture from the outset, rather than treating the application as a one-off task.

Understanding Enforcement & Penalties for Non-Compliance

Significant Financial Penalties for Unlicensed Operation

Operating a digital asset platform without the required AFSL is a serious offence under the Corporations Act 2001 (Cth), and operators should understand the consequences. The draft legislation aligns consequences for unlicensed crypto exchange operators with those in the broader financial services sector to create a strong deterrent.

The penalties for non-compliance are substantial and can be applied in several ways to ensure they are proportionate to the scale of the unlicensed operation. A crypto exchange found to be operating without an AFSL may face fines calculated as the greater of:

  • A fixed penalty of up to $16.5 million per offence
  • Three times the benefit obtained from the unlicensed activity
  • Or 10% of the platform’s annual turnover

These significant penalties underscore the importance of proactive compliance. For individuals involved in unlicensed operations, the consequences are equally severe and may include:

  • Imprisonment for up to five years
  • Substantial personal fines

ASIC’s Enforcement Powers & Recent Case Examples

ASIC has extensive enforcement powers to ensure compliance with the AFSL regime. Beyond imposing financial penalties, ASIC can take direct action against both the crypto exchange and the individuals responsible for its management. These powers include:

  • Suspending or cancelling an AFSL
  • Disqualifying directors from managing corporations
  • Seeking court orders for customer remediation

Recent enforcement actions demonstrate that ASIC is actively targeting unlicensed activity in the digital asset sector, even before the new legislation is finalised. The regulator has shown a willingness to “test the regulatory perimeter” by pursuing crypto firms offering products that mimic traditional financial services.

Notable cases include actions against:

Case | Summary of Action / Ruling
Block Earner and Bit Trade | ASIC initiated proceedings, with courts confirming that crypto-based products marketed as interest-bearing accounts or managed investments require an AFSL.
Kraken | The Federal Court ruled against Kraken’s Australian operator for failing to comply with Design and Distribution Obligations (DDO) for its financial products.
Binance | ASIC cancelled the derivatives licence for Binance’s Australian arm due to issues with client classification, highlighting the focus on consumer protection.

Conclusion

The introduction of the AFSL regime for digital asset platforms marks a fundamental shift for the crypto industry, mandating compliance with comprehensive obligations for custody, governance, and disclosure. Proactive preparation, including developing robust proof documents and avoiding common application mistakes, is essential for crypto exchanges to navigate this transition successfully and avoid significant penalties for non-compliance.

Navigating these new requirements demands specialised expertise to ensure your crypto exchange meets ASIC’s stringent standards from day one. Contact AFSL House’s AFSL application lawyers for a consultation to secure your platform’s future in Australia’s regulated digital asset landscape.

Published By
Author Peter Hagias AFSL House