Lockton is advising digital asset platforms to review their professional indemnity (PI) and broader financial lines insurance as Australia moves to bring key crypto intermediaries within the Australian Financial Services Licence (AFSL) regime. The broker’s Emerging Assets Protection (LEAP) team has identified the new framework as a substantial change for operators of digital asset platforms (DAPs) and tokenised custody platforms (TCPs), with consequences for licence preparation, compensation arrangements, and custody risk.
The Corporations Amendment (Digital Assets Framework) Act 2026 passed Parliament on April 1, 2026, received Royal Assent on April 8, 2026, and is scheduled to commence on Aprill 9, 2027. The legislation amends the Corporations Act 2001 and the Australian Securities and Investments Commission Act 2001 to bring DAPs and TCPs into the existing financial services law. Under the regime, operators of covered platforms will be treated as providers of financial products and will be required to operate under an AFSL, rather than outside the licensing perimeter. The policy approach focuses on the entities that hold or control customer assets and execute transactions, instead of regulating cryptocurrencies or tokens as a separate asset class.
According to Lockton’s briefing, the framework targets the points in the digital asset ecosystem where past incidents have occurred, including custody failures, weak governance, gaps in disclosures, misleading conduct, inadequate protection of client assets, and limited avenues for recourse when failures occur. Treasury has linked the reforms to a broader digital finance policy agenda and has cited research suggesting Australia could realise up to $24 billion a year in productivity and cost savings if digital finance innovation is supported by appropriate market structures and regulatory settings. Smaller operators assessed as low risk may be exempt where they do not exceed specified thresholds. ASIC will be responsible for licensing in‑scope platforms, supervising compliance, and enforcing the new requirements over an 18‑month implementation period.
On April 20, 2026, ASIC released a roadmap setting out how it plans to implement the digital assets law reform and support industry transition. In the first six months, ASIC intends to conduct stakeholder roundtables and discussions, including through its Fintech Liaison Meetings, and to establish an industry advisory group. It will consult on regulatory guidance and on operational standards that are expected to be set out in legislative instruments. During this period, access to the INFO 225 class no‑action position will expire in June, after which entities will need to rely on existing licensing requirements while reforms are phased in. From months six to 12, ASIC plans to issue a new regulatory guide for DAPs and TCPs explaining how the law operates and who is likely to require a licence. The regulator also expects to make instruments establishing standards for asset‑holding, transactional and settlement arrangements, and financial requirements for platform operators.
In the final six months of the implementation window, DAP and TCP operators will be able to lodge AFSL applications and may operate under regulatory relief while those applications are processed. From month 18 onwards, the new regime will be fully in force, with ASIC supervision and enforcement applying to in‑scope entities. ASIC has previously indicated that it is taking a functional and technology‑neutral approach to digital assets, with particular attention on intermediaries that exercise practical control over client assets and transaction flows.
Lockton’s analysis focuses on how the new licensing settings intersect with ASIC’s expectations for PI insurance, particularly for firms with retail clients. ASIC guidance requires businesses that provide financial services to retail clients to have compensation arrangements in place, with PI insurance generally being the primary method of compliance unless the regulator approves an alternative arrangement. Retail‑facing licensees must also maintain internal dispute resolution processes and hold membership of the Australian Financial Complaints Authority (AFCA).
Regulatory Guide 126 (RG 126) states that PI policies should respond to retail client losses arising from Chapter 7 breaches, including losses caused by negligent, fraudulent, or dishonest conduct by the licensee or its representatives. The guide also indicates that exclusions which significantly narrow this minimum scope may lead to concerns about adequacy. In addition, RG 126 expects cover for representatives, at least one automatic reinstatement in most cases, retroactive continuity where there is an existing policy history, defence costs structured in a way that is consistent with the risk profile, and cover for AFCA awards. Lockton notes that, for DAP and TCP operators transitioning into the AFSL environment, PI adequacy is likely to be assessed in the context of AFSL authorisations, client mix, and service offerings, rather than against generic market benchmarks for PI limits and wordings.
The LEAP team points out that digital asset custody risk differs in several respects from custody of traditional financial assets or fiat currency. Because many digital assets are decentralised and may not be recoverable once private keys are compromised or assets are transferred, losses from theft, fraud, social engineering, or data loss are more likely to be borne by the firm’s balance sheet or by insurance, rather than through recovery of assets from other institutions.
Lockton links this risk profile to ASIC’s focus on client asset protection, particularly for retail customers. Where an operator has control over client tokens, the structure and scope of insurance arrangements may be a practical element of how compensation and recourse are delivered in the event of incidents affecting custody, governance, or system integrity. From an insurance placement standpoint, Lockton suggests that impacted organisations consider whether their PI policies and related financial lines covers are aligned with:
A generic PI placement that does not reflect these factors may not match the expectations implied by the AFSL regime and RG 126.
Lockton recommends that organisations potentially in scope of the digital asset framework undertake an early review of both licensing needs and insurance programs, rather than waiting until the formal commencement date. Key steps include confirming whether current or planned activities fall within DAP or TCP categories as defined in the legislation, mapping the AFSL authorisations likely to be required for the full-service range, and assessing PI and related financial lines policies against RG 126 adequacy criteria.
The review would typically extend to policy wording, limits, deductibles, retroactive dates, cover for representatives, and the handling of AFCA‑related awards and costs, with a view to aligning insurance arrangements with an AFSL‑regulated business profile. For operators that service, or intend to service, retail clients, Lockton indicates that PI insurance is likely to be considered part of licence preparation rather than an issue to be addressed only after an AFSL has been granted.
