Australian Fintech Risk
Landscape 2026
The Australian fintech sector entered 2026 structurally smaller and more concentrated than it was two years ago.
The number of independent Australian-owned fintechs fell 2% to 801 companies in 2025[KPMG Landscape], while one company — Airwallex — absorbed 84% of total fintech venture funding in the same year with a $730 million raise[KPMG Landscape]. This is not a sign of a thriving sector. It is a sign of a sector consolidating under pressure, where capital has moved decisively toward proven scale and away from early-stage experimentation.
The risks facing this sector in 2026 are not evenly distributed. Regulatory risk is real and immediate: APRA's CPS 230 operational risk standard took effect in July 2025, the Payment System Modernisation Bill 2025 is bringing new licensing requirements for payment providers, and the AML/CTF Tranche 2 reforms come into force on 1 July 2026[ASIC Digital Assets]. For smaller fintechs without the compliance infrastructure of a major bank, these are not abstract obligations — they are structural costs that arrive at exactly the moment when early-stage funding has dried up. The combination of concentrated capital, rising compliance costs, and an underfunded cyber threat environment makes this the most consequential risk period the sector has faced.
Australian fintech venture funding totalled approximately $868 million in 2025[KPMG Landscape] — a figure that sounds like health but hides a structural problem. Airwallex's two rounds totalling $730 million[KPMG Landscape] accounted for 84% of that total, leaving every other fintech in Australia splitting roughly $138 million. For context, Q2 2024 alone produced $475 million in deals. By Q2 2025, that figure had collapsed to $166 million — down 65% year-on-year — with the average deal size falling to $11.1 million.[fintech.global]
This is not a correction — it is a structural funding drought for companies below scale. The KPMG Fintech Landscape report notes that early-stage funding scarcity, limited local market size, and few exits are the three defining constraints for smaller Australian fintechs right now.[KPMG Landscape] The investor base has moved decisively toward companies with proven compliance infrastructure and revenue, which means smaller fintechs face rising compliance costs (see Regulatory Risk section) without access to the capital that would let them absorb those costs.
The sector also shrank in absolute terms. The number of independent Australian-owned fintechs fell 2% to 801 in 2025[KPMG Landscape], driven by M&A consolidation and exits. Blockchain-focused fintechs fell 6% to 72 firms; fundraising-platform fintechs fell 7% to 14 firms. For investors with early-stage exposure across the portfolio, the risk is not just that individual companies underperform — it is that the exit environment remains closed, extending the holding period on positions that were underwritten at higher valuations.
Three overlapping regulatory reforms arrive at once, and smaller fintechs face all the costs without the compliance teams of major banks.
CPS 230, the Payments Bill, and AML/CTF Tranche 2 do not give fintechs a sequenced runway — they land in the same 12-month window.
APRA's CPS 230 Operational Risk Management standard came into force in July 2025, raising the bar for service continuity, board accountability, and outsourcing governance.[APRA Corporate Plan] This applies to banks and major stablecoin issuers but sets the benchmark against which APRA will increasingly judge all regulated entities. For fintechs seeking or holding an Authorised Deposit-Taking Institution (ADI) licence — including those operating under the Restricted ADI framework — it is a direct compliance obligation, not a background standard.
Effective July 2025. Raises standards for service continuity, board accountability, and outsourcing. Applies to banks, major stablecoin issuers, and ADI-licensed fintechs. Sets the floor for APRA supervisory expectations across the sector.
Introduces AFSL requirements for intermediary payment service providers. Creates a 'major SVF' category (>$200M aggregate credit) requiring APRA registration under prudential standards. Grants ASIC expanded information-gathering powers for unlicensed activity.
Expands Corporations Act to cover digital asset platforms, tokenised custody, stablecoin issuance, and payment services. Mandates AFSL for entities holding client assets on digital asset facilities. Government statement released March 2025.
Extends anti-money-laundering obligations to previously unregulated fintech categories. AUSTRAC's expanded enforcement powers accompany the reforms. Fintechs operating in regulatory grey zones face a hard compliance deadline.
The Payment System Modernisation Bill 2025 introduces Australian Financial Services Licence (AFSL) requirements for a broader set of payment service providers, including intermediary payment service providers, and creates a new 'major stored value facility' category for providers with more than $200 million in aggregate credit, which must register with APRA.[ASIC Digital Assets] Separately, the Treasury Laws Amendment Bill 2025 (Digital Assets and Tokenised Custody Platforms) brings digital asset platforms, tokenised custody providers, and stablecoin issuers under the Corporations Act — requiring an AFSL for the first time.[ASIC Digital Assets]
AML/CTF Tranche 2 reforms, effective 1 July 2026, extend anti-money-laundering obligations to previously unregulated categories that include a number of fintech business models.[GT Law] AUSTRAC's expanded enforcement powers accompany these reforms. For any fintech that has been operating in a regulatory grey zone — relying on the existing framework's gaps — 1 July 2026 is the hard deadline. The risk for investors is straightforward: compliance costs that were not built into the original financial model, arriving at a time when the funding market is not providing the capital to absorb them.
Cyber threats are growing faster than fintech-specific defences, and proposed fee cuts could make the gap worse.
When revenue per transaction falls, the cybersecurity budget is often the first line item to compress.
No named Australian fintech has publicly disclosed a major cybersecurity breach between 2023 and early 2026 — but the absence of a named incident does not mean the threat is theoretical. The Australian Cyber Security Centre recorded approximately 94,000 cybercrime reports in FY2023, up from 76,000 in FY2022[Statista ACSC], with an average data breach cost of approximately USD 2.9 million. Globally, 46% of financial institutions experienced a data breach in the 24 months to 2026, and 45% reported AI-powered attacks — including deepfakes, AI-generated phishing, and synthetic identity fraud — in 2025 alone.[KPMG Pulse H2'25]
APRA's Corporate Plan 2025–26 explicitly flags operational systems' vulnerability to 'malicious cyber-attacks' as a priority supervisory concern, worsened by geopolitical tensions and accelerating digitalisation.[APRA Corporate Plan] APRA has announced targeted AI risk assessments for larger financial entities in H1 2025–26, focused on whether AI risk management practices are keeping pace with deployment. For fintechs that have adopted AI-driven credit decisioning, fraud detection, or customer onboarding, the regulatory expectation of documented, auditable AI governance is now explicit — not aspirational.
The most concrete near-term threat to cybersecurity investment capacity is the RBA's 2025 Review of Retail Payments Regulation, which proposes reducing domestic interchange fees. Fintech Australia and the Small Business Association of Australia warned in their July 2025 submission that interchange cuts would constrain smaller issuers' ability to fund cybersecurity upgrades at precisely the moment when threats are escalating.[RBA Fintech Submission] If the RBA finalises these cuts without carve-outs for smaller issuers, the practical effect is a forced trade-off between compliance and security spending for fintechs operating on thin margins.
The RBA's proposed interchange fee cuts could reshape fintech revenue models before companies have had time to adapt.
A regulatory change that looks like consumer protection can function as a revenue shock for the fintechs that built their models on interchange income.
The RBA's 2025 Review of Retail Payments Regulation proposes reducing domestic interchange fees — the per-transaction fees that card issuers charge merchants. For fintechs that built their revenue models around interchange income (a design common in neobanks and challenger card issuers globally), this is not a peripheral regulatory development. It is a direct hit to unit economics.
Fintech Australia and the Small Business Association of Australia argued in their joint July 2025 submission that the proposed cuts would deter new entrants to the payments market, force exits among existing smaller issuers, and narrow consumer card choices — outcomes that contradict the stated policy intent of the Payment Services Regulation Act 1998.[RBA Fintech Submission] The submission noted the possibility that the RBA's proposed instruments could be subject to parliamentary disallowance — a sign that the policy is contested, not settled.
No quantified impact data is publicly available for named Australian fintechs such as Tyro Payments or Zip Co. What is known is that these companies operate with materially thinner margins than the major banks, have less diversified revenue, and face the same compliance cost stack from CPS 230 and the Payments Bill that the major banks are absorbing from a position of capital strength. If interchange income falls and compliance costs rise simultaneously, the pressure on profitability is straightforward — even without a specific company-level figure to cite.
AI adoption is accelerating inside Australian fintechs, but the regulatory framework to govern it is still being written.
APRA is running AI risk assessments in 2025–26 before the rules are finalised — that gap is a live risk.
APRA has announced targeted AI risk assessments for larger financial entities in the first half of 2025–26[APRA Corporate Plan], focused on whether AI governance practices are keeping pace with deployment. These assessments will produce published findings — expected in late 2026 — that will set the de facto standard against which all regulated entities will subsequently be measured. Fintechs that have deployed AI in credit decisioning, fraud detection, or customer communications without documented governance frameworks face a significant remediation risk when those standards are published.
The risk is not hypothetical. Globally, AI-powered attacks — deepfake voice fraud, AI-generated phishing, synthetic identity creation — affected 45% of financial institutions in 2025.[KPMG Pulse H2'25] For Australian fintechs with digital-only customer onboarding (no branch verification, no face-to-face identity check), the attack surface is materially wider than for hybrid-channel banks. There is no named Australian fintech breach linked to AI-enabled fraud available from the research. The absence of a named incident should not be read as evidence of resilience — it reflects the early stage of public disclosure norms in this area.
ASIC's Information Sheet 225, updated in 2025, clarifies how existing financial services laws apply to AI-driven crypto-asset services and digital wallets.[ASIC Digital Assets] The practical effect is that fintechs using AI to determine product eligibility or pricing in digital asset contexts now face the same responsible lending and conduct obligations that apply to human advisers. For fintechs that assumed AI-driven decisions were outside the regulatory perimeter, this is a compliance liability that was not in their original operating model.
Geopolitical pressure and interest rate movements create the external conditions that make every other risk harder to manage.
Rate cuts help growth-stage fintechs raise at better terms — but they also increase household leverage, which APRA is watching closely.
APRA's 2025–26 Corporate Plan identifies geopolitical tensions as a source of market volatility, liquidity strain, and cyber escalation risk for Australian financial services.[APRA Corporate Plan] For fintechs specifically, the most direct transmission mechanism is through investor sentiment and valuations. KPMG's 2025 Fintech Landscape noted that modest sentiment improvement from 2025 RBA rate cuts boosted growth-stage prospects — which implies that any reversal of those cuts, or any macro shock that drives risk-off behaviour, would disproportionately affect the fintech segment of the market relative to diversified financials.[KPMG Landscape]
- RBA completes interchange review with fintech-friendly carve-outs by Q4 2026
- APRA's AI risk assessment findings are published and prove manageable for mid-tier fintechs
- Global risk-on sentiment drives Series B and C activity back toward 2023 levels
- AML/CTF Tranche 2 implementation is smooth with AUSTRAC guidance issued early
- Fintech count falls further below 800 as M&A absorbs under-capitalised players
- Interchange fee cuts proceed in modified form, hurting neobank unit economics
- AML/CTF Tranche 2 compliance costs cause 10–15% of affected fintechs to exit or restructure
- Airwallex-scale deal remains an outlier; Series A/B market stays thin through 2026
- A named Australian fintech experiences a major data breach or AI fraud event and fails to notify ASIC within required timeframes
- AUSTRAC enforcement action under Tranche 2 against a mid-sized fintech signals broad supervisory intent
- Geopolitical shock drives AUD weakness and RBA rate reversal, compressing fintech valuations sharply
- APRA's AI risk assessments reveal widespread governance failures, triggering mandatory remediation across the sector
The second transmission mechanism is credit quality. APRA is monitoring domestic risks including interest rate cuts that are boosting housing leverage and credit growth.[APRA Corporate Plan] Fintechs with lending books — neobanks, BNPL operators, SME lenders — have underwritten their credit models in an environment of relatively high rates. As rates fall and household leverage rises, credit quality assumptions built into those models may no longer hold. No named fintech's credit book deterioration is documented in the available research, so this remains a structural concern rather than a confirmed materialising risk.
These are the specific events and thresholds that would signal the risk environment is shifting — for better or worse.
A risk assessment without observable signals is just a list of worries. These are the concrete triggers to monitor.
The most important signal to watch between now and Q3 2026 is AUSTRAC's posture on AML/CTF Tranche 2 enforcement. The reforms take effect 1 July 2026. If AUSTRAC issues detailed compliance guidance early and signals a phased enforcement approach, smaller fintechs have a path to orderly compliance. If the first public communication is an enforcement action — as occurred in the 2018 CBA case, the largest AML penalty in Australian history at $700 million — it will set a very different tone for the sector and accelerate M&A among compliance-vulnerable players.
The second most important signal is the RBA's final decision on interchange fee reductions. Fintech Australia's submission flagged parliamentary disallowance as a possible outcome if the proposed instruments are not modified[RBA Fintech Submission] — which signals the policy is politically contested. Investors with exposure to card-issuing fintechs should treat the RBA's final published decision as a binary event: either the cuts are modified with carve-outs for smaller issuers, or unit economics for challenger card products deteriorate materially.
APRA's published findings from its H1 2025–26 AI risk assessments — expected by late 2026 — will function as the de facto AI governance standard for the sector. Any fintech that has deployed AI in credit decisioning or fraud detection without documented explainability controls will face a defined remediation window once those findings are public. Investors should request AI governance disclosures from portfolio companies before the APRA findings are published, not after.
Key things to remember
About About this report
This report assesses the specific, evidenced risks facing the Australian fintech sector in 2025–2026, distinguishing between risks that are already materialising and those that remain theoretical.
It is for investors with exposure to Australian fintech — whether directly in venture positions, listed equities, or through funds with fintech concentration — who need a live reading of the risk environment.
Ren compiled and evaluated research from APRA, ASIC, KPMG, and the Reserve Bank of Australia, supplemented by Fintech Australia regulatory submissions and global fintech benchmarks.
Core funding data reflects 2025 full-year figures; regulatory timelines are current as of April 2026; no 2026 company-level financial data was available at time of publication.
Sources Sources & Methodology
Research conducted . All statistics carry inline citation markers.
Total Australian fintech funding 2025 — KPMG Australian Fintech Landscape: $868M total, Airwallex $730M vs fintech.global Q2 2025 data implies full-year run rate significantly lower than $868M when H2 data is applied. KPMG full-year figure used as the primary number, with KPMG H2 2025 supplementary data ($250M in H2) confirming the front-loaded year dynamic. The two are consistent when combined.
No company-level financial data — capital ratios, credit loss rates, margin trends — is publicly available for named private Australian fintechs including Airwallex, Up Bank, or Beforepay. Investor-facing risk signals for these companies cannot be constructed from public sources.
No named ASIC or APRA enforcement actions against Australian fintech companies were identified in the research covering 2023–2026. This may reflect genuine absence of enforcement activity or gaps in the research coverage of ASIC's enforcement register.
No evidence of specific market entry strategies, Australian regulatory filings, or product launches by Revolut or Wise that would substantiate a near-term competitive threat in the Australian market. The risk is noted as structural but not evidenced as imminent.
Open banking (Consumer Data Right) breach data specific to Australian fintechs was not available. CDR adoption rates and security incidents are tracked by the ACCC, but no fintech-specific incident data was accessible in the research.
2026 year-to-date funding data (Q1 2026) was not available at time of publication. The funding environment assessment is based on 2025 full-year and H2 2025 data from KPMG.
This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.