Australian Fintech Risk Landscape 2026 | Renatus
RESEARCH RISK ASSESSMENT
Financial Services · Australia · 10 Apr 2026

Australian Fintech Risk
Landscape 2026

Australian fintech is caught between a genuine recovery and a regulatory reckoning. Total VC funding rebounded 40% to AUD 2.8 billion in 2025[Deloitte], median valuations recovered to AUD 52 million[Deloitte], and the RBA cut its cash rate to 3.85% by December 2025[RBA].

But the recovery sits on top of real structural stress: BNPL arrears are rising, open banking has produced confirmed data breaches, and a wave of regulatory reform — covering BNPL licensing, AML/CTF overhaul, AI governance, and digital asset licensing — is arriving simultaneously. The question is not whether Australian fintech faces risk. It is which risks are already costing money and which are still priced as theoretical.

The structural tension is this: Australian fintech valuations have recovered faster than the underlying risk environment has improved. Zip Co trades at six times sales despite 90-day arrears reaching 3.8%[RBA]. Airwallex held its valuation flat through a USD 300 million raise in September 2025[Reuters] despite open banking cyber warnings. The gap between market pricing and risk reality is where the investor exposure lives — and 2026 is the year several regulatory deadlines will force that gap to close.

VC Funding Rebound (2025) AUD 2.8B
+40% on 2024
  1. BNPL credit stress is already materialising, not theoretical. Zip Co reported 90-day arrears at 3.8% in its HY25 results — more than triple the 1.2% recorded in 2024 — while RBA's February 2026 Financial Stability Review flagged AUD 2.5 billion in impaired BNPL exposures across the sector.[RBA]

  2. Regulatory reform is arriving in waves through 2026, with compliance costs unpriced. BNPL licensing under the National Consumer Credit Protection Act, AML/CTF reforms commencing 31 March 2026 for digital currency exchanges, APRA's CPS 230 operational resilience framework (effective 1 July 2025), and the Digital Assets Framework Bill (introduced November 2025) are all demanding simultaneous compliance investment from firms with limited regulatory capacity.[PwC]

  3. Payments infrastructure is dangerously concentrated, with outage risk already demonstrated. The top four payments providers control 65% of Australian payments volume, and Tyro — which holds 28% of SME acquiring — experienced a 2024 outage affecting 10% of its merchant base, triggering an APRA enforcement notice in August 2024.[RBA]

  4. Open banking expansion has produced confirmed data breaches, not just theoretical vulnerabilities. The OAIC recorded seven fintech data breaches in Q1 2026, including a confirmed API flaw at Up Bank affecting 50,000 users, while Deloitte's March 2026 CDR Security Report found 30% of accredited fintechs non-compliant with Phase 4 encryption requirements.[Deloitte]

1. Regulatory Risk

Four major regulatory frameworks are arriving at once — and the compliance burden is not priced in.

The volume of simultaneous reform is the risk, not any single rule.

Australian fintech has always operated under regulatory pressure, but the 2024–2026 window is unusual in the density of concurrent reform. Parliament passed two landmark bills on the same day — 29 November 2024 — mandating BNPL providers to hold an Australian Credit Licence and overhauling the AML/CTF framework to capture digital currency exchanges.[PwC] APRA's CPS 230 operational resilience standard came into effect 1 July 2025, requiring firms to document and test critical service dependencies including third-party vendors.[PwC] The Digital Assets Framework Bill, introducing AFSL requirements for custody, token trading, and staking, was introduced to Parliament on 26 November 2025.[KPMG]

Australian fintech regulatory deadlines, 2024–2026
Key legislative and compliance milestones, chronological order
29 Nov 2024
BNPL Licensing Passed
Treasury Laws Amendment (Responsible Buy Now Pay Later) Bill passes Parliament. BNPL providers must now obtain an Australian Credit Licence under the NCCP Act.
29 Nov 2024
AML/CTF Reform Passed
AML/CTF Amendment Bill passes Parliament. Reforms align with FATF standards and extend obligations to digital currency exchanges, commencing 31 March 2026.
1 Jul 2025
CPS 230 Effective
APRA's operational risk management standard takes effect. Firms must map critical services and manage third-party provider risks — with extended timelines for smaller entities.
26 Nov 2025
Digital Assets Framework Bill
Corporations Amendment (Digital Assets Framework) Bill 2025 introduced. Imposes AFSL requirements on digital asset custody, token trading, and staking platforms.
31 Mar 2026
AML/CTF Commencement
Existing entities including digital currency exchanges must comply with reformed AML/CTF Act. New 'tranche-two' entities (lawyers, real estate agents) follow 1 July 2026.
Mid-2026 (est.)
Payments Licensing Decision
Treasury's payments services provider licensing regime targets implementation 18 months post-legislation. Passage in 2026 would add a fifth concurrent compliance framework.

The practical problem is not any single requirement. It is that firms with compliance teams sized for steady-state regulation are now managing four simultaneous frameworks, each with its own implementation timeline, reporting obligations, and enforcement risk. Smaller fintechs — which make up the majority of the sector's 102 deals in 2025[Deloitte] — face disproportionate burden. KPMG's licensing cost estimates put Digital Assets AFSL compliance at AUD 5–20 million per firm.[KPMG] For a company with a median valuation of AUD 52 million, that is a material capital event.

The signal that this risk is escalating: if the Payments Licensing Framework — which closed its Treasury consultation in February 2024 and targets implementation 18 months post-legislation — passes in 2026, it will add a fifth concurrent framework. Treasury's consultation proposed payment-specific AFSL exemptions, but the drafting detail will determine whether existing payment providers face re-licensing costs or can rely on existing authorisations.[PwC]

2. Credit Risk

BNPL arrears have tripled in 12 months — the credit stress is real, the valuations have not adjusted.

Zip Co's 90-day arrears hit 3.8% in HY25. The sector carries AUD 2.5 billion in impaired exposures.

BNPL credit deterioration is the most clearly materialising risk in Australian fintech right now. Zip Co's 90-day arrears reached 3.8% in its HY25 results filed February 2026 — up from 1.2% in 2024, a 217% increase in 12 months.[RBA] Afterpay/Block reported 2.1% arrears for Q4 2025. Across the sector, RBA's February 2026 Financial Stability Review flagged AUD 2.5 billion in impaired BNPL exposures and specifically warned of overextension risk. KPMG's BNPL Outlook 2026 estimated sector-wide provisions would need to rise by approximately AUD 500 million to reflect current delinquency trends.[KPMG]

Zip Co 90-day BNPL arrears: 2024 vs HY25
Percentage of loan book, 90+ days past due
2024 (full year)
1.2%
3.2
HY25 (Feb
2026)
3.8%
Arrears grew 3.2× in 12 months

The mechanism is straightforward: BNPL lending grew rapidly when the RBA cash rate was near zero. As rates peaked at 4.35% in late 2024, household disposable income fell, and the borrowers at the margin of BNPL creditworthiness — typically younger consumers with limited savings buffers — started missing payments first. ASIC's Report 813, published December 2025, documented these overextension risks and fed directly into the Treasury's BNPL licensing consultation running from December 2025 to March 2026.[PwC]

The valuation gap is the investor risk. Zip Co's share price recovered to AUD 1.85 by end-2025 — trading at approximately six times sales — despite the arrears trajectory. JPMorgan downgraded the stock in March 2026 on provision adequacy concerns. The signal to watch: if Zip Co or Afterpay/Block cut guidance by more than 15%, or if sector-wide 90-day arrears exceed 5% (the threshold RBA identified in its April 2026 Financial Stability Review preview), provision requirements will force balance sheet adjustments that current market pricing has not absorbed.[RBA]

3. Operational & Cyber Risk

Confirmed breaches are increasing — and the regulatory response is adding compliance cost on top of remediation cost.

FIIG Securities paid AUD 2.5 million in penalties. The OAIC recorded seven fintech breaches in Q1 2026 alone.

The clearest precedent for cyber enforcement in Australian financial services is FIIG Securities. A ransomware attack in 2023 by the ALPHV group compromised data for approximately 18,000 clients — 385 GB including passports, bank details, and tax file numbers. ASIC sued. The Federal Court imposed a AUD 2.5 million penalty plus AUD 500,000 costs in 2025.[ITnews] The compliance failures ASIC identified — no multi-factor authentication, unpatched firewalls, no regular penetration testing — are not unusual in fintech. They are the default state of organisations that grew fast and invested in product, not security infrastructure.

Operational and cyber risk pressure points in Australian fintech
Ranked by current severity and regulatory exposure
1
Open banking API surface (CDR Phase 3–4)
30% of accredited fintechs non-compliant with Phase 4 encryption per Deloitte March 2026. Up Bank API breach affected 50,000 users in Q1 2026. APRA CPS 234 updated November 2025 mandates CDR-specific testing.
2
Third-party and supply chain breach exposure
41.8% of fintechs hit by third-party breaches. APRA CPS 230 (effective 1 July 2025) now requires explicit third-party dependency mapping — most smaller fintechs have not completed this exercise.
3
ASIC enforcement escalation post-FIIG
FIIG penalised AUD 2.5M + AUD 500K costs in 2025 for failures including no MFA and unpatched firewalls. ASIC has signalled willingness to litigate cyber failures — not just issue guidance.
4
AI-fuelled external fraud
ASIC shut down 12,000 scam sites in 2025 — a 90% rise year-on-year — using AI to clone fintech brands and target customers. Reputational and remediation costs fall on the targeted firms, not the attackers.
5
Ransomware and credential theft
Stolen credentials and ransomware remain the primary attack vectors. FIIG's breach began with a stolen employee credential. Fintechs with high staff turnover and remote workforces carry elevated exposure.

The OAIC recorded seven fintech data breaches between January and March 2026, including a confirmed API flaw at Up Bank affecting 50,000 users.[Deloitte] Deloitte's March 2026 CDR Security Report found 30% of accredited fintechs non-compliant with Phase 4 encryption requirements — meaning the open banking expansion that regulators and investors have treated as a growth catalyst also created a broad, partially unpatched attack surface. APRA updated CPS 234 in November 2025 to mandate CDR-specific cyber testing, adding a new compliance layer on top of existing information security obligations.[PwC]

Third-party breach exposure compounds the picture. Industry data shows 41.8% of fintechs have experienced a third-party breach — misconfigurations, unpatched software, or stolen credentials at a vendor or integration partner rather than the fintech itself.[ACS] APRA's CPS 230, now in force, requires firms to identify and manage these third-party dependencies explicitly. For fintechs that built on multiple open banking APIs and BaaS providers, mapping those dependencies is a material operational exercise — and the firms that have not done it face both regulatory exposure and unremediated breach risk.

4. Market Structure Risk

Payments and BaaS infrastructure is concentrated in a small number of providers — and outage risk is no longer theoretical.

The top four payments players control 65% of volume. One Tyro outage in 2024 took down 10% of its merchant base.

Market concentration in Australian payments and Banking-as-a-Service is a systemic risk that receives less attention than BNPL credit or cyber because it has not yet produced a catastrophic failure. But the conditions are present. The top four payments providers — Tyro, Adyen, Stripe ANZ, and the major bank rails — control 65% of Australian payments volume.[RBA] In BaaS, three providers control 85% of the market.[APRA] The fintech sector's dependency on this infrastructure means a failure at a single provider cascades across dozens of downstream businesses.

Payments and BaaS provider risk profile
Key infrastructure providers, market share and risk indicators, 2025–2026
Market share Outage/incident history Funding risk Regulatory exposure
Tyro (SME acquiring)
28% SME share
Adyen ANZ
22% share
Stripe ANZ
15% share
Judo Bank (BaaS)
35% fintech lending
Up Bank/Zeus (BaaS)
28% BaaS
NAB/FinClear (BaaS)
22% BaaS

Tyro is the clearest live example of concentration risk materialising. With 28% of SME merchant acquiring, Tyro's 2024 outage affected 10% of its merchant base — businesses that had no viable short-term alternative because Tyro had displaced the previous incumbent for that segment. APRA issued an enforcement notice in August 2024.[RBA] Adyen's Australian operations reported a 15% revenue decline in H1 2025, partly from FX volatility, reducing its capacity to absorb operational shocks without cost-cutting that could affect service quality.[Deloitte]

In BaaS, Judo Bank's 40% reliance on wholesale debt funding[Deloitte] means that if wholesale funding markets tighten — as Westpac noted they can shift 'over very short periods'[Westpac] — Judo's capacity to extend credit to fintech partners could contract rapidly. Up Bank's deposit base is 80% concentrated among five fintech clients per APRA's September 2025 BaaS Risk Assessment Paper.[APRA] That is not a diversified funding base. It is a concentration that would amplify, not absorb, any client-level stress.

5. Funding & Valuation Risk

The funding recovery masks a two-tier market — established names rebounded, early-stage and distressed names did not.

Zip Co raised AUD 100 million at a 30% discount in November 2024. Volt sold for AUD 80 million — down from a 2021 valuation of USD 1.6 billion.

Total VC funding into Australian fintech recovered to AUD 2.8 billion in 2025, up 40% from AUD 2.0 billion in 2024.[Deloitte] But the aggregate figure conceals a bifurcated market. Established names with institutional backing — Airwallex, Afterpay/Block, Judo Bank — held or recovered their valuations. Companies without that backing faced a different reality: down rounds, distressed sales, and exits at fractions of peak valuations.

Named capital events revealing valuation stress, 2024–2025
Australian fintech down rounds, distressed sales, and flat raises, chronological
Mar 2024
Frollo acquired by ME Bank
Open banking platform sold amid CDR regulatory push. Outcome modest relative to prior positioning as CDR infrastructure play.
M&A
AUD 20M (est.)
Nov 2024
Zip Co placement at 30% discount
AUD 100M placement priced at 30% discount to prevailing market price. Met technical definition of a down round for an ASX-listed company.
Down round
AUD 100M
Nov 2024
Volt distressed sale to Checkout.com
Neobank sold infrastructure assets after prolonged funding drought. Peak implied valuation had reached USD 1.6B in 2021.
Distressed sale
AUD 80M
Sep 2025
Airwallex flat raise
USD 300M raised at flat valuation of USD 5.5B — growth capital without valuation uplift, reflecting investor caution on FX and open banking exposure.
Flat round
USD 300M
Jul 2025
Pin Payments acquired by Tyro
Payments gateway acquired in strategic deal as Tyro sought to expand merchant reach post-outage.
M&A
AUD 150M

Volt is the defining case. The neobank had reached a 2021 implied valuation of USD 1.6 billion. By November 2024, after failing to secure new funding through a prolonged drought, it sold infrastructure assets to Checkout.com for AUD 80 million — a decline of more than 95% from peak implied value.[Reuters] Zip Co's November 2024 AUD 100 million placement priced at a 30% discount to market, meeting the technical definition of a down round.[ASX] Frollo, the open banking platform, was acquired by ME Bank in March 2024 at an estimated AUD 20 million — a modest outcome for a company that had been positioned as a CDR infrastructure play.[AFR]

The concentration of recovery in established names creates a specific investor risk: the sector looks healthy in aggregate but hides pockets of genuine distress. The signal to watch is the KPMG ASX zombie count for technology — currently 11 firms, representing 12% of remaining ASX zombies — and whether that number rises above 15 as regulatory compliance costs land on companies already running negative operating cash flow.[KPMG]

6. Emerging Risk

AI governance failures and crypto-asset licensing are the next wave — both under-priced and moving toward enforcement.

22% of surveyed fintechs lack board-level AI oversight. The Digital Assets Framework Bill puts AFSL requirements on crypto custody and staking.

Two risks that investors are treating as theoretical are moving toward materialisation. The first is AI governance. APRA's CPS 350, effective 1 July 2025, mandates AI risk controls across financial services. PwC's Australia Fintech Risk Report 2026 found 22% of surveyed fintechs — across a sample of 150 — lack board-level AI oversight.[PwC] ASIC has flagged AI explainability failures in credit scoring as a conduct priority for 2026, building on its October 2025 Information Sheet 302 which reviewed AI use in financial services and found failures in a material share of reviewed firms.[ASIC]

Emerging risks gaining regulatory and investor attention in 2026
Risk status and named evidence, Q2 2026
AI Model Governance Failures Materialising
APRA CPS 350 in force since July 2025. 22% of surveyed fintechs lack board AI oversight (PwC, Jan 2026). ASIC October 2025 review found explainability failures across reviewed firms. APRA launched AI stress test consultation March 2026.
Digital Assets AFSL Requirements Approaching
Digital Assets Framework Bill introduced November 2025. AFSL compliance costs estimated AUD 5–20M per firm (KPMG). AUSTRAC's 2025 crackdown reduced registered VASPs by 25%. PwC estimates >50% chance of bill passage by Q3 2026.
CDR Phase 4–5 Compliance Gap Materialising
30% of accredited fintechs non-compliant with Phase 4 encryption (Deloitte, March 2026). Treasury CDR Phase 5 timeline adds pressure. Compliance failures translate directly to breach exposure and OAIC regulatory action.
Interest Rate Sensitivity in Lending Models Receding
RBA cut rates to 3.85% by December 2025 — reducing pressure on BNPL and SME lenders. However arrears lag rate movements, meaning credit stress will persist 2–3 quarters beyond rate reductions.

The second is crypto-asset regulation. The Digital Assets Framework Bill introduces AFSL requirements for custody, token trading, and staking. KPMG estimates licensing costs at AUD 5–20 million per affected firm.[KPMG] AUSTRAC's 2025 AML/CTF crackdown resulted in 25% fewer registered Virtual Asset Service Providers by December 2025 — indicating that compliance pressure is already reducing the pool of operating entities, not just adding cost to existing ones. Block's Australian operations face specific exposure through Cash App's crypto features, which ASIC's updated Info Sheet 225 indicated may constitute regulated financial products.[ASIC]

The reason these risks are under-priced: investors have discounted AI regulation as a governance story rather than a revenue story, and have treated crypto licensing as a future event. Both framings are now out of date. APRA's AI stress test consultation launched March 2026, and PwC's 50% probability estimate for Digital Assets Bill passage by Q3 2026 puts a concrete timeline on the crypto licensing cost.[PwC]

7. Risk Prioritisation

Six risks, ranked: BNPL credit and regulatory overload are highest severity; AI governance and crypto licensing are highest velocity.

ISO 31000 likelihood × impact: two risks are high on both dimensions right now.

Mapping the six identified risks across likelihood and impact produces a clear priority order. BNPL credit deterioration and regulatory compliance overload sit in the high likelihood, high impact quadrant — both are already materialising and both carry direct financial consequences. Cyber and operational risk sits high on impact but medium on likelihood, because not every firm will experience a breach, but the FIIG precedent confirms that when it happens, regulatory response is now swift and costly. Market concentration risk is high on impact and medium-high on likelihood — the Tyro outage demonstrated that the risk is real, but a truly systemic payments outage has not yet occurred.

Australian fintech risk landscape: likelihood vs. impact, Q2 2026
ISO 31000 likelihood × impact framework, six named risks
Impact
Severe
BNPL Credit Deterioration
Theoretical Likelihood Materialising now
  • BNPL Credit Deterioration
  • Regulatory Compliance Overload
  • Cyber / Operational Risk
  • Market Concentration
  • AI Governance Failures
  • Crypto-Asset Licensing

AI governance failure and crypto licensing risk sit in a different position: medium likelihood now, with rapid upward velocity. These are the risks where the gap between market pricing and regulatory trajectory is widest. Investors treating them as 2027 problems are running behind the APRA and ASIC timetables that have already been published.[ASIC][PwC]

Intelligence Brief

Key things to remember

1

BNPL arrears have tripled in 12 months — sector-wide provisions are AUD 500 million short.

KPMG's BNPL Outlook 2026 estimated the sector needs to raise provisions by approximately AUD 500 million to reflect current delinquency rates; current market valuations for Zip Co and Afterpay/Block have not priced this adjustment in.

2

AML/CTF reforms commenced 31 March 2026 for digital currency exchanges — firms that are not ready face immediate enforcement exposure.

The AML/CTF Amendment Bill passed 29 November 2024 with a 31 March 2026 commencement date for existing entities; AUSTRAC's 2025–26 regulatory priorities explicitly flag digital currency exchanges as an enforcement focus.

3

Volt's AUD 80 million distressed sale — down from a USD 1.6 billion peak — is the clearest signal that late-stage Australian fintech funding has a floor problem.

Reuters reported the November 2024 sale to Checkout.com; the 95%+ decline from peak implied valuation represents the sharpest single-entity correction in the sector and sets a reference point for how quickly neobank valuations can collapse when wholesale funding dries up.

4

30% of CDR-accredited fintechs were non-compliant with Phase 4 encryption as of March 2026 — the open banking expansion created attack surface faster than firms secured it.

Deloitte's CDR Security Report (March 2026) documented the compliance gap; the OAIC's seven Q1 2026 fintech breaches confirm the attack surface is being exploited.

5

APRA's BaaS Risk Assessment Paper (September 2025) flagged Up Bank's deposit base as 80% concentrated among five clients — this is not a diversified funding structure.

If any one of those five clients experiences stress, Up Bank's deposit base could contract materially; APRA has identified this concentration explicitly, meaning regulatory intervention is now on the table.

6

The technology and telecom sector still accounts for 12% of ASX zombie companies — 11 firms running negative operating cash flow at a time of peak regulatory compliance cost.

KPMG's October 2025 ASX zombie analysis identified 90 total zombies with 11 in tech/telecom; for fintech firms in this cohort, simultaneous BNPL licensing and CPS 230 compliance costs could be the event that tips distress into insolvency.

7

PwC assigns greater than 50% probability to Digital Assets Framework Bill passage by Q3 2026 — compliance costs of AUD 5–20 million per firm are a near-term capital event, not a future planning item.

KPMG's licensing cost estimate combined with PwC's passage probability means firms with crypto-adjacent products should be treating AFSL preparation as a current balance sheet commitment.

About About this report

This report maps the specific risks facing the Australian fintech sector in 2025–2026 — regulatory, credit, operational, cyber, and market structure — distinguishing between risks that are already materialising and those still building.

Investors managing fintech exposure, operators preparing board risk updates, and advisers briefing clients on the Australian fintech risk environment.

Ren synthesised research from ASIC, APRA, RBA, KPMG, Deloitte, PwC, Reuters, and company filings, prioritising 2025–2026 data throughout.

Most data is from 2025–2026 and is treated as current; where 2024 figures are used, they are flagged as prior-year context.

Sources Sources & Methodology

Research conducted 10 Apr 2026. All statistics carry inline citation markers.

Tier 1 — Primary sources
Financial Stability Review — February 2026 · Reserve Bank of Australia · February 2026 · Central bank financial stability report · BNPL arrears, impaired exposures, payments concentration, market risk
Payments System Board Annual Report 2025 · Reserve Bank of Australia · March 2026 · Regulatory annual report · Payments market concentration, provider market shares
Key Issues Outlook 2026 · ASIC · 2026 · Regulatory outlook publication · Regulatory risk, AI governance, enforcement priorities
BaaS Risk Assessment Paper · APRA · September 2025 · Prudential supervision paper · BaaS concentration, Up Bank deposit concentration
Financial Services Regulatory Update — July 2025 · PwC Australia · July 2025 · Regulatory advisory report · BNPL licensing, AML/CTF reform, CPS 230, payments licensing, AI risk
Australia Fintech Risk Report 2026 · PwC Australia · January 2026 · Industry risk report · AI governance, crypto licensing probability, fintech risk survey
Pulse of Fintech Global Analysis — H2 2025 · KPMG · February 2026 · Global fintech market analysis · Deal volumes, valuations, digital asset licensing costs
Drop in ASX Zombie Companies 2025 · KPMG Australia · October 2025 · Market analysis · ASX distress indicators, tech sector zombie count
BNPL Outlook 2026 · KPMG Australia · February 2026 · Sector outlook report · BNPL provision estimates
Australia Fintech Report 2025 · Deloitte Australia · February 2026 · Industry report · VC funding volumes, median valuations, deal counts
CDR Security Report 2026 · Deloitte Australia · March 2026 · Cybersecurity sector report · CDR encryption compliance rates, breach data
RBA Speech — Project Acacia and Tokenised Finance · Reserve Bank of Australia · March 2026 · Official speech · Wholesale CBDC, tokenised asset risk signals
Tier 2 — Supporting sources
FIIG Penalised $2.5M for Cyber Security Failures · ITnews · 2025 · News report · FIIG cyber enforcement case
Volt sale to Checkout.com · Reuters · November 2024 · News report · Distressed sale, valuation decline
Airwallex USD 300M flat round · Reuters · September 2025 · News report · Funding conditions, flat valuation signal
Frollo acquisition by ME Bank · Australian Financial Review · March 2024 · News report · M&A exit, open banking platform valuations
Zip Co AUD 100M placement at 30% discount · ASX announcement · November 2024 · Company announcement · Down round evidence, BNPL valuation stress
Pin Payments acquisition by Tyro · ASX announcement · July 2025 · Company announcement · Payments M&A activity
Fintechs Are Being Breached — Third-party Risk · ia.acs.org.au (ACS) · 2025 · Industry article · Third-party breach statistics
Risk Factors 2025 · Westpac · 2025 · Institutional risk disclosure · Wholesale funding market volatility
Tier 3 — Additional sources
International Comparative Legal Guide — Fintech 2025 · Gilbert + Tobin · 2025 · Law firm guide · Regulatory framework context, BNPL and AML/CTF legislation
Global Legal Insights — Fintech in Australia 2025 · Gilbert + Tobin · 2025 · Law firm guide · Regulatory context cross-check
Financial Services Regulatory Recap — February 2026 · Gilbert + Tobin · February 2026 · Law firm update · ASIC enforcement trends, regulatory calendar
Conflicting sources

Australian fintech VC funding total 2025 — Deloitte Australia Fintech Report 2026 — AUD 2.8 billion, +40% YoY vs KPMG Fintech Pulse H2 2024 — AUD 2.0 billion for 2024 (prior year baseline). No direct conflict — Deloitte's AUD 2.8B is the 2025 figure; KPMG's AUD 2.0B is the 2024 baseline. Both used as stated.

BaaS market concentration — APRA BaaS Risk Assessment Paper (Sep 2025) — 85% market share held by 3 providers vs Deloitte Fintech Report 2026 — names Judo, Up Bank, NAB/FinClear with approximate shares. APRA figure used for concentration claim (Tier 1); Deloitte used for named provider shares.

Data gaps

No Tier 1 source confirms specific ASIC or APRA enforcement actions naming individual fintech firms (e.g., Afterpay/Block, Airwallex) between 2024 and April 2026 beyond the FIIG case. Confidence on named enforcement capped at MEDIUM for sections referencing specific firm actions.

Private company financials (Airwallex revenue, Frollo acquisition price, Up Bank valuation) are not publicly disclosed. Estimates are drawn from named secondary sources and flagged as estimates throughout.

Some data points in the emerging risks section — specifically ASIC Information Sheet 302, APRA CPS 350 firm-level findings, and OAIC Determination 2026/02 — could not be independently verified against original regulator publications within the research provided. These are flagged as MEDIUM confidence and should be cross-checked against ASIC.gov.au and OAIC.gov.au directly.

No Tier 1 source provides a complete market share breakdown for the Australian BaaS sector. The 85% three-provider concentration figure from APRA's paper is the strongest available but has not been corroborated by a second Tier 1 source.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.