Corporations (FinTech Sandbox Australian Financial Services Licence Exemption) Regulations 2020

The Corporations (FinTech Sandbox Australian Financial Services Licence Exemption) Regulations 2020 create a limited exemption from the usual requirement to hold an Australian Financial Services Licence when providing certain financial services. The exemption is designed for testing eligible financial services in a controlled environment.

The exemption is not automatic. A provider must be an eligible person for the relevant eligible financial service, must lodge a notification with ASIC that complies with the regulations, and must then get through a 30-day waiting period without ASIC giving written notice that the exemption is not available. Only then can the provider rely on the exemption.

The regulations also make clear that this is a temporary testing pathway, not a long-term substitute for licensing. Each exemption lasts for a defined testing period of up to 24 months, can end earlier, and is subject to detailed limits and conditions.

An entity can only use the sandbox if it is an eligible person for the eligible financial service it wants to test. The regulations exclude several categories of person. In broad terms, the exemption is not available to a person already authorised by an AFSL to provide that eligible financial service, an authorised representative for that service, or a related body corporate of a body corporate in those categories. It is also not available to an operator of a financial market or a clearing and settlement facility.

There are also nationality and registration rules. A natural person who is neither an Australian citizen nor a permanent resident is excluded. If the provider is a foreign company, it must be registered under Division 2 of Part 5B.2 of the Corporations Act. That means a foreign company cannot simply test in Australia on an unregistered basis and rely on the sandbox.

Group restrictions are a major practical issue. Only one member of a group of related bodies corporate can use the exemption at any one time. A valid notification also requires that no related body corporate currently has a financial services sandbox exemption or the related credit sandbox exemption, and that no related body corporate has lodged a qualifying notification under either regime during the previous 30 days.

The regulations define the kinds of financial services that can potentially be tested. These include providing financial product advice in relation to a particular kind of financial product, applying for or acquiring a particular kind of financial product, issuing varying or disposing of a non-cash payment facility, arranging for the issuing varying or disposing of a particular kind of financial product, and providing a crowd-funding service.

That does not mean every financial product can be tested. For wholesale clients, the service must relate to neither a derivative nor a margin lending facility. This is an important exclusion for businesses developing more complex investment, trading or leveraged products.

For retail clients, the service must either involve issuing, varying or disposing of a non-cash payment facility, or relate only to one or more of the product categories listed in the regulations. Those categories include certain ADI deposit-taking facilities, certain ADI non-cash payment facilities, general insurance products other than consumer credit insurance, life risk insurance products that are life policies, superannuation products in a regulated superannuation fund, interests in a simple managed investment scheme, Commonwealth debentures stock or bonds, certain listed securities, certain approved foreign market securities, and specified crowd-sourced funding securities.

Businesses should map their proposed model against both the service category and the product category. A service may look innovative and still fall outside the sandbox if the underlying product is not one of the permitted categories for the client type you want to target.

The exemption only starts if three core elements line up. First, the provider must be an eligible person for the relevant eligible financial service. Second, the provider must lodge a notification with ASIC in the prescribed form that complies with the regulations. Third, the 30-day period starting on the day the notification is lodged must end without ASIC giving written notice that the exemption is not available.

The timing point is easy to miss. The testing period is not the 24 months after lodgement. It is the 24 months starting on the day after the last day of that 30-day period. A business should not assume it can begin relying on the exemption immediately after filing.

The notification itself must contain substantial information. It must identify the provider, describe each eligible financial service and any related kind of financial product, explain why exempting the service will produce a public benefit that outweighs likely detriment, and explain why the service is new or a new adaptation or improvement of another financial service. The regulations also require other specified information about the provider and relevant decision-makers.

For a product-type service, the notification must also state that no earlier exemption has been obtained by the provider or a related body corporate for the same kind of financial service that is wholly or partly related to the same kind of financial product. This is a key anti-repeat rule. A group cannot keep returning to the sandbox for the same kind of product-type service and product combination.

ASIC has an active gatekeeping role during the 30-day period. After considering the notification, ASIC may decide that the exemption is not available on several grounds set out in the regulations.

Those grounds include ASIC not being satisfied that the eligibility and notification requirements are met, not being satisfied that exempting the service will result or be likely to result in a public benefit that outweighs public detriment, and not being satisfied that the financial service is new or is a new adaptation or improvement of another financial service.

ASIC may also refuse where it reasonably believes there are other listed concerns. These include concerns that conditions were not met for another sandbox service, fit and proper person concerns if the service were assumed to be licensed, failures to act fairly, efficiently or honestly in financial services or credit activities, attempts to continue or recommence an earlier exemption obtained by another person, failures to comply with best interests obligations in relation to another eligible financial service, likely significant detriment to clients, or cancellation of the provider's credit sandbox exemption under the separate credit regulations.

In practice, a notification should be treated as a substantive regulatory document. It needs to explain novelty, public benefit and governance clearly enough for ASIC to assess those issues within the statutory framework.

The exemption is tightly limited by exposure caps. For each retail client, the provider must ensure the client may commit no more than $10,000 in total to financial products as a result of the relevant eligible financial service and any other eligible financial service for which the provider has or has had a sandbox exemption. There are carve-outs from that per-client cap for eligible general insurance products, eligible life risk insurance products, eligible superannuation products, certain ADI deposit-taking facilities and certain ADI non-cash payment facilities.

There is also a broader total cap. The provider must ensure that no more than a total of $5 million arises across the categories listed in the regulations, including gross written premiums for eligible insurance products, contributions in eligible superannuation products, commitments to other kinds of financial product, and the value of credit contracts entered into in relation to eligible credit activities. This total can aggregate activity by the provider and related bodies corporate, and can also take into account activity under the separate credit sandbox regime.

If the provider fails to meet the limits in Division 1 of Part 3, the exemption ceases automatically. The regulations also indicate that the exemption will automatically cease if the provider becomes licensed to provide the eligible financial service or otherwise ceases to be an eligible person.

Part 5 of the regulations imposes ongoing conditions for the exemption. These include notifying all clients before providing an exempt financial service, notifying retail clients before providing an exempt financial service, and notifying clients while providing an exempt financial service. The regulations also require the provider to maintain certain procedures, memberships and arrangements.

Other conditions deal with statements of advice, client money obligations, financial product disclosure and make good orders. The simplified outline notes that failing to meet these conditions may result in ASIC cancelling the exemption or applying to the Court for an order that the provider comply with the conditions.

The regulations also connect the sandbox to broader conduct standards. ASIC may refuse or cancel an exemption where there are failures relating to best interests obligations, or where it reasonably believes the provider has failed to act fairly, efficiently or honestly in providing financial services or engaging in credit activities.

For businesses, the practical point is that the sandbox is not a low-compliance zone. It is a temporary licensing exemption with continuing consumer protection obligations built around it.

Even if the 24-month testing period has started, the exemption can end before the end of that period. Some endings are automatic, such as failing the service or exposure limits in Division 1 of Part 3, or ceasing to be an eligible person.

ASIC may also cancel the exemption by written notice for an eligible financial service if one or more of the refusal grounds in paragraphs 8(c) to (j) now apply, if a condition in sections 17 to 24 is not met, if the provider has failed to comply with best interests obligations in relation to the service, or if ASIC reasonably believes the provision of the service has resulted in significant detriment to one or more retail or wholesale clients for the service or a related financial product.

The provider can also end the exemption voluntarily by lodging written notice with ASIC. In either case, the cancellation takes effect on the day specified in the notice, which cannot be earlier than the day the notice is given or lodged.

Businesses should have an exit plan before testing starts. If the product succeeds, the business may need to move to a licensed structure. If the test does not proceed, it should know how to stop offering the service cleanly and notify ASIC where required.

These regulations are a Commonwealth legislative instrument made under the Corporations Act 2001. The current compilation referenced here is Compilation No. 2, dated 26 October 2024, and includes amendments up to F2024L01357. The instrument is shown as in force on the Federal Register of Legislation.

Before relying on this page, businesses should confirm they are looking at the latest compilation. They should also check whether any uncommenced amendments or other modifications affect the law, because those may not appear in the compiled text itself.