Australia's Crypto Regulation: What ASIC INFO 225 Means for Digital Asset Businesses

Australia’s approach to crypto regulation is built on a foundational question: when is a crypto-asset a financial product? The answer determines whether a business needs an Australian Financial Services (AFS) licence, who regulates it, and what compliance obligations apply.

ASIC Information Sheet 225 (INFO 225) provides that answer. Published and updated by the Australian Securities and Investments Commission, INFO 225 is the primary guidance for digital asset businesses operating in Australia. Combined with Treasury’s Token Mapping framework, it forms the regulatory architecture that every Australian crypto business must navigate.

The core question: is it a financial product?

Under the Corporations Act 2001, a financial product is a facility through which a person makes a financial investment, manages financial risk, or makes non-cash payments. ASIC’s position in INFO 225 is that existing financial services law applies to crypto-assets that meet this definition — no new legislation is needed.

This means the same legal tests that apply to traditional financial products apply to crypto-assets. The crypto-specific analysis is in applying those tests to token structures.

When crypto-assets ARE financial products

INFO 225 identifies several scenarios where crypto-assets are likely to be financial products:

Financial investment (the Howey-equivalent test)

A crypto-asset is a financial product if:

• A person contributes money or money’s worth to acquire the asset
• The contribution is pooled or used in a common enterprise
• The person intends to receive a financial benefit from the arrangement
• The person does not have day-to-day control over the arrangement

This captures most investment-oriented tokens, yield-bearing DeFi protocols, and tokenised investment schemes. If token holders are investing with an expectation of returns generated by the efforts of others, the token is very likely a financial product.

Managed investment schemes

A crypto-asset arrangement is a managed investment scheme if:

• People contribute money or money’s worth to acquire rights (tokens)
• The contributions are pooled or used in a common enterprise
• Members don’t have day-to-day control over the operation of the scheme

Many DeFi protocols, liquidity pools, and yield aggregators meet this definition. The operator of a managed investment scheme must be a registered managed investment scheme operator.

Derivatives

Crypto-assets that derive their value from an underlying asset or reference price — including crypto futures, options, and leveraged tokens — are derivatives under the Corporations Act. Issuers need an AFS licence, and trading platforms need an Australian Market Licence or exemption.

Non-cash payment facilities

Crypto-assets used to make payments (other than through physical delivery of currency) may be non-cash payment facilities. This potentially captures payment tokens and stablecoins used for transaction purposes, though ASIC has indicated a pragmatic approach to tokens primarily used for payment rather than investment.

When crypto-assets are NOT financial products

INFO 225 acknowledges that not all crypto-assets are financial products:

• Pure utility tokens: Tokens that provide access to a specific service or platform and have no investment characteristics may not be financial products. But the analysis depends on substance, not labelling — a token marketed as “utility” but purchased for investment purposes may still be caught.
• Bitcoin and similar: ASIC has generally taken the position that Bitcoin and similar crypto-assets, when used purely as a medium of exchange, are not financial products. However, services relating to them (exchange, custody, lending) may still trigger licensing requirements.

The critical point: the classification depends on the substance of the arrangement, not the technology used or the label applied. Every token structure requires individual analysis.

AFS licence obligations

If your crypto-asset is a financial product, or if you provide financial services relating to crypto-assets that are financial products, you need an AFS licence (or a valid exemption). The AFS licence framework imposes significant obligations:

General obligations

• Efficient, honest, and fair conduct: The overarching obligation that applies to all financial services
• Organisational competence: Adequate resources, risk management systems, and competent personnel
• Compliance arrangements: Documented compliance measures and regular review

Specific obligations for crypto businesses

• Disclosure: Product Disclosure Statements (PDS) for retail clients, including clear description of the crypto-asset, risks, fees, and cooling-off rights where applicable
• Client money and property: Segregation and handling of client crypto-assets under the client money rules in Part 7.8 of the Corporations Act
• Dispute resolution: Internal dispute resolution procedures and membership of an external dispute resolution scheme (AFCA)
• Reporting: Regular reporting to ASIC on financial position, compliance breaches, and significant dealings
• Record keeping: Maintenance of financial and compliance records for seven years

The practical challenge

Obtaining an AFS licence is a substantial undertaking. ASIC’s assessment process typically takes 6-12 months, requires detailed documentation of systems, processes, and competencies, and imposes ongoing compliance costs. For crypto businesses accustomed to moving quickly, the AFS licence framework requires a fundamental shift in operational approach.

Treasury’s Token Mapping framework

In parallel with ASIC’s existing-law approach, the Australian Treasury has been developing a Token Mapping framework to create a more systematic classification of crypto-assets. The framework emerged from the 2023 consultation paper and aims to:

Map tokens to regulatory treatment

Token Mapping creates a taxonomy that classifies crypto-assets based on their function and characteristics:

• Network tokens: Tokens intrinsic to a blockchain network’s operation (like ETH for gas fees). These have a primarily technical function.
• Intermediated tokens: Tokens where an intermediary plays a material role — issuing the token, managing a reserve, operating a platform, or providing services that generate value. Most tokens with compliance implications fall here.
• Smart contract tokens: Tokens created and managed by autonomous smart contracts without a material intermediary role.

Bridge to licensing

The Token Mapping framework is designed to bridge the gap between crypto-asset structures and existing regulatory categories. By mapping token characteristics to functional equivalents in traditional finance, the framework helps determine:

• Which existing licence category applies
• What disclosure obligations are triggered
• What consumer protection rules apply
• Whether bespoke crypto-specific rules are needed

Current status

Token Mapping remains a policy framework rather than binding legislation. However, ASIC references it in its regulatory approach, and it informs Treasury’s ongoing work on comprehensive crypto legislation. Digital asset businesses should treat Token Mapping as indicative of the regulatory direction — the classifications it creates will likely influence future legislative requirements.

ASIC’s enforcement posture

ASIC has been active in crypto enforcement, and its actions illustrate how INFO 225 operates in practice:

• Unlicensed conduct: ASIC has taken action against crypto businesses providing financial services without an AFS licence, particularly where tokens are classified as financial products
• Misleading conduct: Actions against crypto businesses making misleading representations about returns, risks, or the nature of their products
• Market integrity: Monitoring crypto markets for manipulative trading practices, particularly on platforms offering derivative products

ASIC’s approach is technology-neutral and substance-based. The commission has repeatedly stated that the use of blockchain technology does not change the fundamental character of a financial product or service.

Compliance roadmap for digital asset businesses

Step 1: Classify your tokens

Apply the INFO 225 framework to every token you issue, list, or provide services for. Determine whether each token is a financial product, and if so, which category it falls into. Document your analysis — ASIC expects defensible reasoning, not just conclusions.

Step 2: Identify your financial services

Map every service you provide (exchange, custody, advisory, dealing) against the financial services definitions in the Corporations Act. Each service may trigger separate licensing requirements.

Step 3: Assess licence requirements

Determine whether you need an AFS licence, what authorisations you need on that licence, and whether any exemptions apply. Consider both the services you provide now and those you plan to offer.

Step 4: Implement compliance infrastructure

Build the compliance framework required for your licence category: disclosure documents, client money procedures, dispute resolution, reporting, and record keeping. This infrastructure must be in place before you begin providing services.

Step 5: Monitor regulatory development

Australia’s crypto regulatory framework is evolving. Treasury’s work on comprehensive crypto legislation, ASIC’s updated guidance, and the Token Mapping framework will all affect your obligations. Build regulatory monitoring into your compliance programme.

The broader regulatory landscape

Australian crypto businesses operating internationally face additional frameworks: the EU’s MiCA regulation, Singapore’s Payment Services Act, Hong Kong’s VASP licensing regime, and others. Each jurisdiction takes a different approach to classification, licensing, and ongoing obligations.

The compliance challenge is understanding where these frameworks overlap, where they diverge, and how to maintain compliance across all jurisdictions you operate in.

---

AuditDSS covers both ASIC INFO 225 and Treasury’s Token Mapping framework alongside international crypto regulations including MiCA, Singapore PSA, and Hong Kong VASP. Assess your obligations across every jurisdiction you operate in with obligation-level analysis. Start your assessment.