Treasury's payments modernisation reforms: what it really takes to be ready
Compliance is not just a legal exercise - it demands a wholesale operational and risk uplift.
What you need to know
- In March 2026, Treasury released draft Tranche 1 legislation proposing an overhaul of Australia's payments regulation. The draft legislation replaces the existing product-based framework with a unified, activity-based regime that will draw a significantly broader range of entities and activities into the regulatory perimeter. To find out more about what is changing and who is captured, read this article.
- For many affected entities, the immediate instinct will be to treat this as a licensing question: do we need (or need to vary) an Australian financial services licence (AFSL) or APRA registration, and if so, how do we get one? But that framing understates the scale of what is required.
- The proposed reforms touch every layer of an affected entity's operations, from board accountability and risk governance, to prudential capital requirements, safeguarding of funds, third-party contracting, technology resilience, processes for offering products and organisational culture. Entities that have historically operated outside, or on the margins of, financial services regulation will need to build capabilities that are not merely adequate on paper, but genuinely embedded in how the business is run. Compliance, in this context, is not just a legal exercise — it demands a wholesale operational and risk uplift.
Operational, Risk and Governance Implications?
The reforms will require affected entities to address challenges across multiple fronts. Below, we outline what each means in practice, and what you should be doing now.
Licensing and regulatory entry
Licensing and Authorisation
If you do not currently hold an AFSL, you will need to assess whether one is required. This means demonstrating that you meet fit and proper person requirements, have adequate financial resources, maintain robust risk management practices, and can establish compliant organisational competencies. Even if you already hold an AFSL for payments, you will need to vary your authorisations to cover newly regulated payment activities.
Major SVF providers exceeding the proposed AUD 200 million threshold, and designated systemic payment facilitation service providers, will need to register with APRA under a new standalone framework. This replaces the existing purchased payment facility (PPF) regime and brings recalibrated prudential standards covering capital adequacy, liquidity, safeguarding of customer funds, and operational resilience. Unlike the PPF regime, this will not be a limited ADI (authorised deposit taking institution) authorisation.
The licensing process can be time-intensive, and delays in commencing applications could leave entities unable to operate lawfully once the regime takes effect.
What to do now: Undertake a comprehensive scoping and impact assessment. Map your current payment-related activities against the proposed definitions of payment instrument, stored value facilities, and payment services. Identify which activities will require AFSL authorisations, which may attract APRA registration, and which fall outside the regime. If you currently rely on exemptions, assess whether those exemptions will survive the transition.
Governance and accountability
Board and Senior Management Accountability
If you require an AFSL or are moving into APRA supervision, your board and senior management must be actively engaged in overseeing compliance. Under the Financial Accountability Regime (relevant to APRA-supervised entities), this means establishing clear lines of responsibility for payment services activities and embedding regulatory risk into board reporting and oversight mechanisms.
If you have previously treated payment activities as ancillary to your core business, as many telcos, retailers, and marketplaces have, you may need to establish dedicated governance arrangements. This could include risk committees or sub-committees with payments regulation expertise. Policies around conflicts of interest, risk appetite, resilience and escalation protocols will need to be reviewed and, in many cases, built from scratch.
Risk Management and Compliance Framework Development
If your entity has not previously operated under an AFSL, you may need to build dispute resolution, breach reporting, and design and distribution obligations from the ground up. For those moving to APRA supervision, the requirements are more acute.
You will be expected to maintain risk management frameworks commensurate with the nature, scale, and complexity of your payment services activities. In practice, this means documented risk appetite statements addressing regulatory, operational, and conduct risk, together with appropriate first, second, and third line of defence structures. Where prudential obligations apply, dedicated risk and compliance functions with direct reporting lines to the board may be required.
What to do now: Commence a gap analysis of your existing risk management, compliance, and technology frameworks against anticipated AFSL and APRA obligations. Review dispute resolution processes, breach reporting capabilities, conduct and culture settings, and outsourcing arrangements. Where gaps are identified, begin developing remediation plans, prioritising foundational elements unlikely to change between draft and final legislation, such as internal dispute resolution procedures and risk appetite frameworks.
Culture and Conduct
Operating under the AFSL or APRA regimes brings heightened expectations around organisational culture and conduct, including obligations to act efficiently, honestly, and fairly. You will need to assess whether your existing culture, incentive structures, and conduct frameworks align with these expectations. For entities transitioning from less regulated environments, the cultural shift should not be underestimated. A retailer accustomed to consumer law standards, for example, may find the financial services expectation of proactive conduct monitoring and individual accountability a significant step change. You will also need to appoint individuals as responsible managers who have requisite expertise, experience, competency and oversight for the organisation to carry out the financial services. Responsible managers, board members and senior management will also need to be 'fit and proper'.
What to do now: Engage your board and senior leadership team to ensure awareness of the reforms and their implications. Secure board-level sponsorship for the resources, budget, and organisational commitment needed. Establish or enhance governance structures, such as dedicated project steering committees and regulatory working groups — with clear accountability for delivery milestones. Identify individuals who meet expertise, experience, competency and oversight requirements to be appointed as responsible managers and, if necessary, hire to fulfil that role. For entities subject to the Financial Accountability Regime, begin identifying and documenting accountabilities related to payment services.
Capital, contracts and operations
Prudential and Capital Requirements
For major SVFs and other prudentially regulated payment providers, prudential obligations may introduce requirements around capital adequacy, operational resilience, and ring-fencing of customer funds. You will need to assess your balance sheet exposure and may need to restructure how you hold and manage stored value to meet prudential standards.
Safeguarding
Other payment service providers will need to safeguard money they holds in trust for the end user. In most cases this will require holding money in a segregated safeguarding account with an Australian ADI. Regulations will impose further obligations including how money can be invested, and how end users can make payments and authorise fees and charges. Regulations will also prescribe requirements to report, reconcile, and keep records of information.
Exemption and Structuring Analysis
If you currently rely on exemptions, be aware that equivalent carve-outs may not exist under the new regime. As discussed in our earlier article, telcos, energy companies, and retailers are particularly exposed. Others, such as loyalty providers, gift facility providers, and e-tag providers, should assess the proposed exemptions as subtle differences may impact you. The key question is whether your current business model remains viable or whether restructuring is needed, for example, operating as an authorised representative under another AFSL holder or modifying the service offering to fall outside the regulatory perimeter. Once you hold an AFSL, you may not be able to rely on authorised representative exemptions for other financial services you provide so you should examine your broader financial services activities.
Third-Party and Contractual Risk
Many payment ecosystem participants rely on complex arrangements with upstream and downstream counterparties. The reforms may require you to renegotiate contractual arrangements to reflect new regulatory responsibilities and clarify liability allocation. For example, a payment facilitator relying on outsourced transaction processing will need to ensure those arrangements comply with AFSL or APRA obligations around delegation and oversight. You should also assess counterparty risk where key partners may themselves be affected by the reforms.
Operational Resilience and Technology
An activity-based regime places emphasis on the service being provided rather than the product. This may require you to reassess how your technology platforms, data governance, and operational processes align with regulatory expectations. All payment service providers will need to demonstrate robust business continuity planning, cyber resilience, and incident management capabilities.
What to do now: For major SVF providers and prudentially regulated payment providers, assess your balance sheet exposure and consider whether any restructuring is required. For others, consider how you will comply with safeguarding requirements and liaise with your bank (or other approved safeguarding provider) to enable this. For those relying on exemptions, map out your payments-related activities and assess if, and how, the proposed revised exemptions apply. Examine technology, systems and relationships with third parties and, where necessary, enter into new arrangements or renegotiate existing ones to align with your new regulated obligations.
Managing the transition
Transitional Risk Management
While transitional periods and a streamlined licensing approach for existing licence holders are expected, you need to develop a detailed implementation roadmap. This should cover meeting timelines to apply for new authorisations, regulatory engagement priorities, compliance costs, and governance structures to oversee the transition. A key challenge is that supporting regulations and regulatory instruments will be finalised after the legislation passes, meaning you will need to plan against a partially uncertain landscape and build in flexibility to adapt.
Regulatory Engagement and Change Governance
With the reforms still subject to consultation and supporting regulations yet to be finalised, you need governance mechanisms for tracking and responding to regulatory developments. Assign responsibility for regulatory horizon scanning, create internal working groups to assess emerging rules, and ensure the board receives timely updates on implementation progress and residual uncertainty. Proactive engagement with Treasury and regulators during consultation is also important. It provides an opportunity to shape outcomes and gain early visibility into regulatory expectations.
What to do now: Actively participate in the consultation process and engage with Treasury, ASIC, and APRA to provide feedback and seek clarity on areas of uncertainty. Monitor developments closely as supporting regulations are drafted, and maintain flexibility to adjust your implementation plans as the regulatory landscape crystallises.
Your immediate priorities
Despite the draft legislation still being subject to consultation, do not wait for final legislation before taking action. The scope of changes, complexity of requirements, and lead times involved all point to the need for early and decisive engagement. Those who move quickly will be better positioned to influence the regime through consultation, avoid licensing bottlenecks, and ensure continuity of operations.
In summary, your checklist should include:
- Scope your exposure - map payment activities against proposed definitions and assess whether exemptions survive the transition
- Engage your board - secure sponsorship, establish steering committees, and document Financial Accountability Regime accountabilities
- Run your gap analysis - review risk management, compliance, technology, and outsourcing frameworks against anticipated obligations and begin remediation
- Engage with regulators - participate in consultation, seek clarity on uncertainty, and monitor supporting regulations as they are drafted
