More than $3.5 billion. That is the floor of what Australians reported losing to investment and crypto-related scams in the most recent joint reporting period covered by ASIC and the Australian Competition and Consumer Commission (ACCC) [1][2]. Roughly one million Australian adults now hold or have held a crypto-asset, according to Australian Taxation Office (ATO) and Treasury household surveys. The platforms sitting on those balances operate inside a regulatory architecture that was drafted for managed funds, derivatives and non-cash payment facilities, not for tokens, staking, or tokenised custody. The result, as of mid-2026, is a regulatory position that every participant in the debate agrees exists, and that nobody is satisfied with.

A position, not a framework

The most recent public line from ASIC Chair Joe Longo, on the regulator's current position, is that existing law already applies to crypto products and services where they meet the legal definition of a financial product, and that ASIC will continue to act against harmful conduct in the meantime [3]. The legal hook for that line is Information Sheet 225 (INFO 225), ASIC's standing guidance on digital assets and financial products and services, last modified on the regulator's digital transformation register and in force as of mid-2026 [4].

INFO 225 does two things at once. It tells issuers and platforms that whether a particular crypto-asset is a financial product depends on its substance, not on the label attached to it [4]. It also makes clear that initial coin offerings and token sales are not exempt from the Corporations Act 2001 simply because they use distributed-ledger technology [4]. The sheet is not legislation. It is the regulator's interpretation of a law that has been on the books for more than two decades.

The "position not a framework" problem is that Treasury's purpose-built regime for digital asset platforms, the exposure draft titled "Regulating digital asset platforms" released in 2024, has not, on the public consultation record, been finalised [5]. Treasury has signalled further consultation. The proposed licensing regime is meant to cover custody, disclosure, capital, dispute resolution and consumer redress for custodial and non-custodial token platforms and tokenised custody platforms, sitting alongside the Corporations Act and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) rather than replacing them [5]. While that legislation is in limbo, the only enforceable law is the old one, read through INFO 225 and through ASIC's enforcement record.

What the Corporations Act and ASIC Act already cover

Section 763A of the Corporations Act 2001 defines a "financial product" as a facility through which a person makes a financial investment, manages a financial risk, or makes non-cash payments [6]. Tokens that fall inside that definition, because they are managed investment scheme interests, derivatives, or non-cash payment facilities, are subject to the full Corporations Act regime regardless of the "crypto" label [4][6]. Providers of financial services in relation to those products must hold an Australian Financial Services Licence (AFSL) under Part 7.6 of the Act and provide a Product Disclosure Statement (PDS) under Part 7.9 [6].

The ASIC Act 2001 adds a second, broader layer. Sections 12DA, 12DB and 12GF prohibit misleading or deceptive conduct in trade or commerce, and unconscionable conduct, and apply regardless of whether the underlying conduct involves a financial product [6]. That means a token that is not a financial product can still be the subject of an ASIC civil penalty proceeding if the marketing crosses the misleading-conduct line. ASIC has standing to bring proceedings under both Acts, and the maximum penalties for corporations run into the hundreds of millions of dollars under the current penalty regime [6].

In practice, the existing framework does three things well. The Corporations Act captures tokens that look like managed funds or derivatives. The ASIC Act gives ASIC a misleading-conduct backstop that reaches non-product tokens. The current penalty regime allows civil penalties large enough to outpace the assets of a small issuer. What the existing framework does not, on its own, do is give consumers any right of redress when an exchange collapses, is hacked, or simply disappears with client funds. That gap is what the Treasury exposure draft is meant to close, and it is the gap that critics point to when they describe the current system as a "position, not a framework."

What the Treasury exposure draft would add

Treasury's exposure draft proposes a new licensing regime that would sit alongside the Corporations Act and the AML/CTF Act rather than replace them [5]. The framework covers custodial and non-custodial token platforms, and tokenised custody platforms, and imposes obligations on custody, disclosure, capital, dispute resolution and consumer redress [5]. It draws on comparable overseas regimes, including the European Union's Markets in Crypto-Assets Regulation (MiCA), the United Kingdom's Financial Services and Markets Act (FSMA) crypto-asset promotion rules, and the Monetary Authority of Singapore's Digital Payment Token regime, while tailoring the obligations to Australian market structure [5].

The exposure draft does three things the existing law does not. The proposed framework creates a single licensing category for digital asset platforms, replacing the current patchwork where some platforms hold an AFSL, some hold only an AUSTRAC registration, and some hold neither. The proposed custody and capital requirements are calibrated to crypto-specific risks, including hot-wallet exposure and staking. And the new consumer-redress pathway is the piece that consumer advocates have pushed hardest for [7].

The reason this matters, as of mid-2026, is that the framework is not law. Treasury has not, on the public consultation record, named a finalisation date, and the draft has been the subject of competing industry and consumer-advocate submissions [5]. The Shadow Assistant Treasurer and other shadow ministers have argued that existing frameworks are sufficient and that new licensing would push activity offshore, a position documented in Treasury second-reading materials. CHOICE and other consumer advocates have argued the opposite: that a purpose-built regime is the only way to address gaps in custody, staking and consumer redress that the Corporations Act and the AML/CTF Act do not cover [5][7]. Until Treasury makes a final call, the consumer-protection vacuum remains, and the stalemate is itself a form of consumer risk, because platforms continue to onboard Australian retail clients under rules that were not drafted for the products they offer.

AUSTRAC, the scam problem and the consumer-protection vacuum

The one regime that does apply to every digital currency exchange (DCE) operating in Australia is the AML/CTF Act 2006, administered by AUSTRAC [8]. AUSTRAC's digital-currency-exchange sector guidance requires exchanges providing services in Australia to enrol and register, maintain a compliant AML/CTF program, report suspicious matters and threshold transactions, and keep customer identification records [8]. AUSTRAC has registered more than 1,000 DCEs since 2018 on its current public count, a figure that should be read as approximate and re-verified against the live AUSTRAC register [8].

The AUSTRAC floor is a real control. It means an exchange that wants to operate in Australia has to satisfy know-your-customer, transaction-monitoring and reporting obligations that an unregistered offshore exchange does not. AUSTRAC can suspend or cancel a DCE registration and refer matters to ASIC and the Australian Federal Police where conduct crosses into corporations-law or criminal territory [8]. What the AML/CTF floor does not do is give consumers a compensation scheme, require a PDS, or impose capital-adequacy rules on the platform. As AUSTRAC's own guidance makes clear, registration is a baseline AML/CTF control, not authorisation to provide financial product advice or deal in financial products; that requires an AFSL [8]. For the consumer, the difference between "registered with AUSTRAC" and "licensed by ASIC" is the difference between a smoke alarm and a fire-service subscription.

The practical consequence of that gap shows up in the joint ASIC and ACCC reporting that produces the $3.5 billion figure. The data combines Scamwatch, ReportCyber, ASIC's scam reporting, the major banks and other agencies [1][2]. Investment scams, including crypto-related investment scams, are consistently among the highest-loss categories by dollars reported [2]. ASIC's Scamwatch and investor-alert feeds catalogue fake-exchange websites, pig-butchering-style relationship-investment frauds, and token-sale frauds that route through cryptocurrency [1]. ASIC has repeatedly observed that once funds are sent to a crypto address, recovery is generally not possible, because transactions are irreversible and largely pseudonymous [1].

The consumer-protection vacuum is the structural version of the same problem. CHOICE has argued, in submissions to Treasury, that consumers who lose money on a crypto platform that collapses, is hacked, or scams them have limited practical recourse under the current framework, because no Australian compensation scheme covers those scenarios [7]. CHOICE's submissions to Treasury on the digital-asset-platform exposure draft have called for mandatory cooling-off periods, clearer risk disclosure, and a statutory compensation scheme along the lines of the Financial Claims Scheme that covers depositors in Authorised Deposit-taking Institutions [7]. The proposed Treasury regime is meant to address that gap, but only if it is enacted.

The political geometry matters here. Treasury, CHOICE and consumer advocates are pushing for a purpose-built licensing regime. The Coalition has argued that existing frameworks are sufficient and that new licensing would push activity offshore, a position that has been stated in multiple media reports and in Treasury second-reading materials. The debate is unresolved. A platform that an Australian retail client used yesterday to buy a token may, depending on the outcome of that debate, be on the right side of the law in twelve months, or it may be on the wrong side. The consumer cannot tell, and that is the problem.

What consumers can actually do

Until Treasury's exposure draft is enacted and a digital-asset-platform licensing regime is in force, the consumer-protection floor is what the existing law provides, applied case by case. Consumers can do six concrete things, all of which sit within the current framework.

First, check whether the platform holds an AFSL on ASIC's professional registers, and read the PDS if a financial product is on offer. A platform that is dealing in or advising on a financial product without an AFSL is breaking the Corporations Act [4][6]. ASIC's "professional registers" search on its website is the public way to verify this.

Second, check AUSTRAC's DCE register to confirm the exchange is registered for AML/CTF purposes, which is the floor of regulatory visibility [8]. Registration is not a quality mark, but the absence of registration is a serious warning sign.

Third, treat any "guaranteed return" or "high-yield" crypto product as a scam signal. ASIC's investor-alert feed catalogues the current pattern of fake exchanges and pig-butchering relationship-investment frauds [1]. No legitimate product guarantees a return.

Fourth, recognise that sending funds to a crypto address is, in practical terms, irreversible. ASIC's standing guidance is that recovery is generally not possible once funds have been sent to a blockchain address [1]. Treat any transfer as final.

Fifth, if a platform that holds an AFSL collapses, lodge a complaint with the Australian Financial Complaints Authority (AFCA), which is the external dispute-resolution scheme for AFSL holders. If a platform does not hold an AFSL, AFCA will generally have no jurisdiction, and the consumer is left to civil recovery, an ASIC enforcement outcome, or both.

Sixth, report scams to Scamwatch and to ReportCyber. ASIC and the ACCC's joint reporting depends on these data feeds, and the $3.5 billion figure that opened this article is built on them [1][2]. Under-reporting is part of what keeps the regulatory gap open.

The structural answer to Australia's crypto regulatory gap, a digital-asset-platform licensing regime with custody, capital and consumer-redress obligations, has been on Treasury's desk since 2024. As of mid-2026, it remains an exposure draft, and on the regulator's current position, no finalisation date has been published. The consumer-actionable answer, in the meantime, is the six-point check above. It is not a substitute for a proper framework, and consumer advocates are right that it should not have to be. But it is what the law provides, today, for the roughly one million Australians holding crypto on platforms that sit inside a position rather than a framework.