Legal development

Regulating the crypto asset ecosystem Explaining Treasurys proposed licensing and custody regime

Insight Hero Image

    What you need to know

    • The proposals in the Consultation Paper apply to CASSPrs, including service providers who offer custody, storage, brokering, exchange and dealing services or operate a market in crypto assets for retail consumers.
    • The obligations that are proposed to apply to CASSPrs are similar to the obligations that apply to Australian financial services licensees (AFSL) and are intended to ensure minimum standards of conduct and operational resilience.
    • Treasury proposes that the CASSPr licensing regime will operate separately to the AFSL and Australian markets licensing regimes contained in the Corporations Act 2001 (Cth) (Corporations Act).
    • ASIC will be responsible for the administration of the CASSPr licensing regime and will be empowered to grant relief from some or all of the obligations.
    • Treasury has separately proposed alternative options for the licensing regime and the associated custody arrangements, including regulating CASSPrs under the AFSL regime or allowing industry to self-regulate.

    What you need to do

    • Consider how the obligations proposed by the Consultation Paper would apply to any services you provide or intend to provide in respect of crypto assets.
    • Identify any difficulties or issues that may arise with its implementation in your organisation.
    • Ensure that any written submissions you intend to make on the Consultation Paper are lodged with Treasury by 27 May 2022.


    In response to the rapid expansion of the crypto asset industry in recent years, as well as growing consumer interest in the area, Treasury has released a Consultation Paper outlining a proposed licensing regime for CASSPrs and specific custody obligations to safeguard private keys.

    The release of the Consultation Paper also fulfills the recommendations outlined in the Final Report of the Senate Select Committee on Australia as a Financial and Technology Centre (Final Report).  For more information on the Final Report, please see our previous Financial Services Update

    At present, there is no clear, holistic framework that regulates crypto assets or CASSPrs. The crypto asset ecosystem is otherwise governed by a range of piecemeal principles-based obligations that can be drawn from the Corporations Act, Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), and the Competition and Consumer Act 2010 (Cth).  The absence of such a regulatory framework poses significant challenges to the continued operation of the crypto asset ecosystem.  In particular, we note that:

    • the variety of different rights and features, as well as the broad range of novel use cases, makes the classification of crypto assets as either financial products or non-financial products complex and uncertain;
    • consumers have limited avenues for recourse in the event of operational, cybersecurity or financial failures of CASSPrs that result in the loss of their assets or balance (in fiat or crypto);
    • despite public perception to the contrary, CASSPrs are not regulated in the same way as AFSL holders and therefore are not subject to the same degree of regulatory oversight; and
    • owners, directors and managers of CASSPr business are not subject to fit-and-proper-person checks (or other similar tests of good character and propriety).

    Treasury has indicated that the proposals in the Consultation Paper seek to give consumers greater confidence in their dealings with CASSPrs, while simultaneously recognising the growing importance of the crypto asset ecosystem to both the Australian and global economy, and the need for regulatory certainty to encourage innovation and competition.

    Who is affected by the proposals?

    The Consultation Paper introduces the concept of a CASSPr.  

    A CASSPr is relevantly, "any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person: 

    • exchange between crypto assets and fiat currencies;
    • exchange between one or more forms of crypto assets;
    • transfer of crypto assets;
    • safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets' and
    • participation in and provision of financial services related to an issuer's offer and/or sale of a crypto asset".

    For the purposes of this definition, "crypto asset" includes any "digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptographic proof", consistent with the definition given to it in ASIC Consultation Paper 343: Crypto-assets as underlying assets for ETPs and other investment products.  

    CASSPrs is a broader concept than "digital currency exchanges" which were the subject of recommendations in the Final Report.  This is because other relevant secondary service providers (e.g. brokerage services, dealers and custody services) would not be captured if regulation was limited to exchanges.

    Treasury is seeking feedback on the proposed terminology, particularly given that it is intended that one definition of crypto assets will be applied across all Australian frameworks.  Treasury is also welcoming submissions with respect to whether CASSPrs providing specific types of crypto assets (e.g. NFTs) should not be subject to the proposed requirements.  

    Key requirements under the proposed licensing regime:

    The key features of the proposed licensing regime for CASSPrs are outlined below:

    Scope of the licensing regime

    The Consultation Paper proposes that CASSPrs must obtain a licence where they:

    • provide retail customers access to non-financial product crypto assets (e.g. brokers, dealers or operators of markets for crypto assets);
    • provide safekeeping of all crypto assets on behalf of a customer; and
    • are captured by the Financial Action Task Force's definition of a Virtual Asset Service Provider for anti-money laundering and counter terrorism financing purposes (noting this definition forms the basis of the definition of CASSPr).

    The proposed licensing regime does not, however, apply to decentralised platforms or protocols, including, for example, decentralised exchanges upon which transactions occur between traders without the need for a secondary service provider to provide custodial or other management services. Despite this, in practice it is likely that many entities will provide retail clients with access to both a decentralised protocol and other crypto-related services which are otherwise caught by the regime, and may therefore still require a CASSPr licence.

    It remains unclear whether CASSPrs that provide services for all non-financial product crypto assets will be caught by the regime or if particular types of crypto assets will be included or excluded. Treasury welcomes submissions from industry on this point.

    Avoiding regulatory duplication

    The proposed licensing regime for CASSPrs is to be separate from the AFSL regime and the Australian markets licensing regime. In this regard, the policy proposal intends, as far as practicable, to ensure that providers are not subject to multiple regulatory regimes.

    Having said this, in our experience, many, if not most, CASSPrs already hold an AFSL or otherwise have an affiliate with an AFSL, meaning that there is likely to be some duplicate regulation.

    Moreover, to the extent that an entity provides a service relating to a crypto asset which meets the definition of a financial product and also provides a service relating to a crypto asset that does not meet this definition, it appears that these persons would be required to hold both an AFSL and a CASSPr licence. This is on the basis that these regimes separately apply to different types of products and would therefore be subject to different levels of regulatory oversight.

    Obligations for CASSPrs

    In order to comply with the proposed licensing regime, CASSPrs must adhere to a number of core obligations. These include that CASSPr licencees must:

    • do all things necessary to ensure that the services covered by the licence are provided efficiently, honestly and fairly; and any market for crypto assets is operated in a fair, transparent and orderly manner;
    • maintain adequate technological, and financial resources to provide services and manage risks;
    • have adequate dispute resolution arrangements in place (both internal and external);
    • ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified;
    • maintain minimum financial requirements including capital requirements, noting that these requirements would be specified by ASIC and would depend on the types of services provided, as well as the volume of transactions;
    • comply with client money obligations;
    • comply with all relevant Australian laws, including the AML/CTF Act (a breach of the latter being grounds for a licence cancellation);
    • take reasonable steps to ensure that the crypto assets it provides access to are 'true to label' (e.g. not falsely described or otherwise misrepresented in a way that is intended to mislead);
    • respond in a timely manner to ensure scams are not sold through their platform;
    • not hawk specific crypto assets, that is not offer, or request or invite a consumer to ask for, specific crypto assets in the course of unsolicited contact;
    • be subject to regular auditing by independent auditors; and
    • maintain adequate custody arrangements (see more information on this below).

    Relevantly, a number of these obligations are akin to those which apply to AFSL holders and go towards ensuring minimum standards of conduct and operational resilience.

    Treasury has separately proposed two alternative options for licensing CASSPrs:

    1. that all crypto assets could be brought into the existing financial services regime by defining crypto assets as financial products under section 764A of the Corporations Act and tailoring the AFSL regime to achieve appropriate outcomes for crypto assets; and
    2. a self-regulation model under which industry would develop a code of conduct for crypto asset services that is approved by a regulator and meets minimum regulatory policy goals.
    Custody obligations

    The Consultation Paper also introduces mandatory minimum, principles-based custody obligations for private-keys that are held or stored by CASSPrs on behalf of consumers. This proposal responds to the risks faced by consumers in relying upon CASSPrs to maintain custody of their holdings and, if adopted, will increase consumer confidence in providers of custody services.

    Specifically, CASSPrs who maintain custody (either themselves or via third parties) of crypto assets on behalf of consumers will be required to:

    • hold assets on trust for the consumer;
    • ensure that a consumers' assets are appropriately segregated;
    • maintain minimum financial requirements including capital requirements;
    • ensure that the custodian of private keys has the requisite expertise and infrastructure;
    • generate and store private keys used to access the consumer's crypto assets in a way that minimises risk of loss an unauthorised access;
    • adopt signing approaches that minimise 'single point of failure' risk;
    • maintain robust cyber and physical security practices;
    • ensure independent verification of cybersecurity practices;
    • establish processes for redress and compensation in the event that crypto assets held in custody are lost; and
    • where applicable, properly assess third-party custodians compliance with the above requirements and ensure that third-party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.

    These obligations will be applied in a manner that is proportionate to the nature, scale and complexity of each custodian's operations.

    Treasury is seeking advice on whether additional obligations or standards would be necessary, including whether the regime should impose domestic location requirements for custodians.

    Treasury has also put forward an alternative proposal for the custody requirements under which the crypto asset custodian industry would work collaboratively to create and maintain minimum standards and expectations.

    Administration of the licensing regime

     The proposed licensing regime will be administered by ASIC. More work will be needed to define the scope and application of these obligations, as this will in turn determine the powers that ASIC requires (e.g. to grant or cancel licences).

    The Consultation Paper suggests that the obligations are intended to be applied in a flexible manner with the aim of ensuring that industry participants behave with honesty, fairness, integrity and competence. ASIC would be empowered to grant relief from some or all the obligations if warranted, on a case-by-case basis to ensure the regime remains agile and adaptable.

    It is also intended that regulatory guidance will be published to provide additional clarity about the application of obligations. The regime would also likely rely on similar supervisory and enforcement mechanisms to the AFSL regime, including compulsory information gathering powers, civil and criminal penalty provisions.

    Interaction with existing AML/CTF regime

     The Consultation Paper confirms that AUSTRAC will remain the AML/CTF supervisor for CASSPrs that provide designated services under the AML/CTF Act. Consideration will be given to how the existing AUSTRAC registration requirements may be integrated with the proposed new regulatory model in order to achieve regulatory efficiencies and minimise duplication.

    It should be noted that the need to register under the AML/CTF Act presently applies only to digital currency exchanges that exchange fiat to crypto and vice versa (i.e. not crypto to crypto). It is unclear whether, and if so the extent to which, the AML/CTF Act will be amended to align with the broader definition for "CASSPr" in the Consultation Paper.

    In any case, to the extent that a self-regulation model were to be adopted with respect to the broader licensing proposals or otherwise with respect to the custody obligations only, the obligations under the AML/CTF Act would continue to apply given that self-regulation cannot be extended for AML/CTF purposes.


    Token Mapping

    In addition to the proposed obligations outlined above, Treasury is also seeking early views on the various types of crypto assets to inform the token mapping exercise to be completed by the end of 2022.  This significant exercise is being undertaken on the basis that crypto assets, and the networks they operate on, can provide a range of contractual rights and functions, as it may be necessary for the licensing regime to apply differently to different types of crypto assets.

    It is noted in the Consultation Paper that further consultation on the token mapping exercise will follow.

    Next Steps

    The closing date for submissions on the Consultation Paper is 27 May 2022, with specific feedback requested on the proposals and options outlined in the paper to support minimum standards of conduct by CASSPrs and safeguards for consumers.

    It is expected that these submissions will respond directly to the questions asked throughout the Consultation Paper. 

    AuthorsNarelle Smythe (Partner); Caroline Ord (Counsel); Jack Collins (Associate); and Nandini Kaushik (Graduate).

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.


    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest