Digital Asset AFSL: Standard & Tokenised Custody Platforms

Introduction

The Corporations Amendment (Digital Assets Framework) Bill 2025 introduces a new regime to regulate digital asset platforms and tokenised custody platforms as a type of financial product. This draft legislation requires operators to hold an Australian Financial Services Licence (AFSL) from the Australian Securities and Investments Commission (ASIC) to provide financial services while strengthening consumer protection in the crypto and digital assets industry.

Choosing the right licence depends on whether an AFSL holder has factual control of a digital token or holds an underlying asset on trust. A platform’s technology architecture often determines if AFSL holders must meet the 10 million net tangible asset requirements and comply with the new regime under the Corporations Act 2001 (Cth).

Defining Standard Custody for Digital Asset Platforms

The Principle of Factual Control & Possession

The Corporations Amendment (Digital Assets Framework) Bill 2025 introduces a pivotal legal concept known as “factual control” to determine who is in possession of a digital asset. This principle moves away from traditional ideas of legal ownership and instead focuses on the practical ability to control a digital token, which is defined as an electronic record. Consequently, this test of factual control is the primary trigger for requiring an AFSL as a Digital Asset Platform (DAP).

Under the new framework, a person, or platform is considered to possess a digital token if they can demonstrate the ability to perform three key actions:

• Transfer the electronic record to another person.
• Exclude others from being able to transfer the record.
• Identify themselves as the party capable of performing these actions.

Essentially, if your platform’s technical architecture gives you the power to move a client’s digital tokens or prevent them from doing so, you are deemed to have factual control. This applies even if you are acting on the client’s instructions, such as in the case of a digital wallet provider or custodian that holds assets in an omnibus wallet.

Core AFSL Obligations for DAP Operators

Operators of a DAP must obtain an AFSL and adhere to a range of core obligations under the Corporations Act 2001 (Cth). These requirements are designed to ensure consumer protection and align the digital assets framework with the standards of traditional financial services.

The primary compliance duties for licensed DAPs include:

• General Conduct: A fundamental obligation is to provide financial services efficiently, honestly, and fairly, which includes managing conflicts of interest and complying with all conditions specified on the AFSL.
• Disclosure Document: Operators must provide clients with a “DAP Guide” that replaces the traditional Product Disclosure Statement (PDS) and clearly explains how the service works, how client assets are held, associated risks, fees and charges, and the rights available to clients.
• Governance and Risk Management: Platforms are required to maintain strong internal governance and have adequate risk management systems in place tailored to address unique risks associated with digital assets, such as cybersecurity threats.
• Dispute Resolution: Licensed DAPs must have accessible internal and external dispute resolution systems to handle client complaints and provide compensation when necessary.
• ASIC Standards: Operators must comply with minimum standards set by ASIC that cover asset holding, transaction processing, and settlement procedures.

Understanding Tokenised Custody Platforms

Holding the Underlying Asset Not Just the Keys

A Tokenised Custody Platform (TCP) is a facility where an operator holds an underlying, often real-world, asset and creates a unique digital token representing a right to that asset. This model is designed for asset-backed tokens, where the token acts as a digital claim on a tangible or intangible asset held securely in trust.

Common examples of this model include:

• Platforms for tokenised real estate.
• Gold-backed tokens.
• Wrapped tokens.

The fundamental difference between a TCP and a DAP is what is being held in custody. While a DAP holds the digital token itself, a TCP operator is responsible for the safekeeping of the actual underlying asset on behalf of the token holder.

Consequently, the regulated custodial function for a TCP is the secure management of the off-chain asset, not merely the control of the token’s private key.

The Critical One-to-One Backing Rule

The new digital assets framework under the Corporations Amendment (Digital Assets Framework) Bill 2025 mandates a strict one-to-one relationship between the digital token and the underlying asset for a facility to be classified as a TCP.

This means each digital token must correspond to a single, identifiable underlying asset held by the operator. As such, this one-to-one backing is a critical structural requirement.

This rule is essential to determining the correct licensing structure for your platform. If a platform fractionalises a single asset into multiple tokens or pools assets, it may require alternative structuring and licensing arrangements.

To remain within the TCP framework, an operator must adhere to several conditions:

• Clients must have the right to redeem or request delivery of the actual underlying asset.
• The operator must act only on the lawful instructions of the client regarding the asset.
• The digital token can only be divided to the same extent that the underlying asset can be physically divided.

Comparing Net Tangible Asset & Capital Requirements

The $10 Million NTA for Custodial Services

Under the Australian financial services framework, entities providing custodial or depository services must meet significant financial requirements, so it is crucial to understand what are the financial requirement obligations.

This obligation extends to operators of both DAPs and TCPs that hold assets on behalf of customers.

Generally, any operator providing a custodial or depository service is required to hold a minimum of $10 million in Net Tangible Assets (NTA). This substantial capital requirement serves as a financial buffer, designed to:

• Mitigate the risks of platform collapse.
• Align the interests of the operator with those of its clients.

For TCPs, this high threshold reflects the increased legal and counterparty risk associated with holding real-world underlying assets in trust.

Exemptions for Small-Scale Digital Asset Platforms

The new digital assets framework provides Common Exemptions from AFSL Requirements for smaller, low-risk operators. This exemption is designed to reduce the regulatory burden on startups and businesses that are not operating at a large scale, allowing for innovation within the sector.

An operator may be exempt from needing an AFSL if its platform meets two specific criteria:

• It holds less than $5,000 per customer.
• It facilitates less than $10 million in total transaction value over a rolling 12-month period.

This de-minimis threshold applies to both DAPs and TCPs, providing a consistent standard for small-scale operations across different custody models. However, platforms that exceed either of these thresholds will be required to obtain an AFSL and comply with the full suite of financial and conduct obligations.

Tech Architecture & Workflow: Determining Your Licence

Key Management Workflows for DAPs

Your platform’s technical architecture is a significant factor in determining whether it is classified as a DAP. If your operational workflows are centred on cryptographic key management, it indicates you are exercising factual control over digital tokens.

This control is the primary trigger for DAP licensing under the Corporations Amendment (Digital Assets Framework) Bill 2025. Technology choices that demonstrate this level of control and point toward a DAP classification include:

• Multi-Party Computation (MPC): This technology distributes fragments of a private key across multiple parties. If your platform holds enough key shards to unilaterally approve a transaction, or if your platform’s shard is required for every transaction, you are considered to have factual control.
• Hardware Security Modules (HSMs): Using HSMs to store private keys in a secure, tamper-proof environment typically means the operator has sole access and the ability to sign transactions. This direct control over the keys classifies the service as a DAP.
• Cold Storage: Storing private keys in an offline, “air-gapped” environment gives the operator exclusive power to access the keys and authorise the transfer of digital assets. This workflow is a clear indicator of factual control and falls under the DAP model.

Asset Management Workflows for TCPs

In contrast to a DAP, the workflows of a TCP are focused on the management of the underlying real-world asset, not the cryptographic keys of the digital token itself. The technology and processes are designed to ensure the integrity of the link between the off-chain asset and its on-chain representation.

Workflows characteristic of a TCP include:

• Proof-of-Reserve Mechanisms: These are systems and regular audits designed to verify the existence and secure custody of the underlying assets held in trust. This process is fundamental to proving the one-to-one backing required for a TCP.
• Redemption Processes: A TCP must have a clear and reliable workflow that allows a token holder to redeem their digital token for the actual underlying asset. This involves verifying token ownership on the blockchain and facilitating the legal and physical transfer of the off-chain asset.
• Token Minting and Burning Protocols: The platform’s architecture must include strict protocols for issuing (minting) a new token only after the underlying asset has been secured in custody. Conversely, it must have a process for destroying (burning) the token when the asset is redeemed to maintain the one-to-one backing.

Navigating Hybrid Models & Third-Party Custodians

Outsourcing Key Management with Providers like Fireblocks

Many digital asset platforms use third-party infrastructure providers like Fireblocks to manage cryptographic keys through technologies such as MPC. However, outsourcing this technical function does not remove the platform operator’s licensing obligations under the Corporations Amendment (Digital Assets Framework) Bill 2025.

The operator who controls the client relationship is still considered to have “factual control” over the digital tokens. Because the platform retains the ability to instruct the third-party provider to move assets, it is viewed as the regulated entity. Consequently, the platform operator must:

• Hold the AFSL for a DAP.
• Remain legally responsible for the assets.

The Bill reinforces this by making operators expressly liable for the actions of their agents, meaning you cannot outsource the legal risk even if you outsource the technology.

Using Third-Party Custodians for Underlying Assets

For a TCP, it is common to engage third-party specialists to hold the underlying real-world assets, such as using a secure vault for gold or a trustee for property titles. In this model, the TCP operator remains the licensed entity responsible for the entire arrangement and must hold an AFSL.

The operator is ultimately accountable for ensuring the underlying asset is securely held on trust for the token holders. Therefore, the legal agreement between the TCP operator and the third-party custodian is critical. This contract must ensure that the assets are:

• Segregated and protected.
• Subject to regular, independent audits to verify the one-to-one backing of the digital tokens.

Even if the physical asset is lost or damaged while in the care of the third party, the TCP operator remains liable to the token holders. Furthermore, these third-party custody arrangements must be disclosed transparently in the platform’s TCP Guide.

Conclusion

The Corporations Amendment (Digital Assets Framework) Bill 2025 establishes two distinct licensing pathways, classifying platforms as either a DAP based on factual control of digital tokens or a TCP if they hold an underlying asset on trust. A platform’s technology architecture is the primary factor in determining the correct AFSL, with significant NTA requirements and strict compliance obligations applying to both models.

Navigating these new requirements requires careful planning and expert guidance to ensure your platform aligns with the correct regulatory pathway. Contact our AFSL compliance lawyers at AFSL House for a consultation today to transform these complex compliance challenges into a strategic advantage for your digital asset platform.

Frequently Asked Questions (FAQ)