---
title: "Trust & Regulatory — NexPay"
description: "NexPay operates through regulated and registered group entities in Australia, the United Kingdom, and Canada. AFSL 560782 (ASIC), AUSTRAC remittance registration, FCA Authorised Payment Institution (FRN 792784), and FINTRAC MSB (M18421670). View our credentials, corporate details, and compliance posture."
lastModified: "2026-06-02"
lang: "en"
url: https://nexpay.com.au/trust
---

# Trust & Regulatory — NexPay

> NexPay operates through regulated and registered group entities in Australia, the United Kingdom, and Canada. AFSL 560782 (ASIC), AUSTRAC remittance registration, FCA Authorised Payment Institution (FRN 792784), and FINTRAC MSB (M18421670). View our credentials, corporate details, and compliance posture.

<a id="trustHero"></a>

## We answer to regulators. Not just to ourselves.

NexPay operates through regulated and registered group entities in Australia, the United Kingdom, and Canada, supported by regulated banking and payment partners where required. Our key licences and registrations are listed below and can be independently verified through public registers. To check which entity serves you and under which licence, see our [Group Regulatory Disclosure](/group-regulatory-disclosure/).

- **Regulated.** Key licences & registrations — Held directly by NexPay entities
- **Open.** Public registers — Verify us in every country
- **Audited.** Every action — Timestamped and retained
- **Honest.** All-in pricing — Disclosed before you confirm

<a id="jurisdictions"></a>

## Australia, United Kingdom, and Canada.

NexPay is responsible for the payment service and compliance controls it provides, supported by regulated banking and payment partners. Click any registry link to verify with the regulator directly.

#### Australia — NexPay Pty Ltd _(active)_

NexPay Pty Ltd holds Australian Financial Services Licence No. 560782 and is authorised to provide non-cash payment services to retail and wholesale clients in Australia. NexPay Pty Ltd is also registered with AUSTRAC as a remittance service provider and is an AUSTRAC reporting entity for its remittance and foreign exchange services.

- **ABN:** 56 153 910 984
- **ACN:** 153 910 984
- **AFSL:** 560782
- **EDR:** AFCA member

##### Australian Financial Services Licence (ASIC)

- **AFSL Number:** 560782
- **Authorisation:** Non-cash payment services to retail and wholesale clients
- **Regulator:** Australian Securities & Investments Commission
- **Framework:** Corporations Act 2001 (Cth)
- [Verify on ASIC Professional Registers](https://www.asic.gov.au/online-services/search-asic-registers/professional-registers-search/) _(Search 'NexPay' or 560782)_

##### Remittance Service Provider Registration (AUSTRAC)

- **Registration:** Registered
- **Authorisation:** Remittance and foreign exchange services (reporting entity)
- **Regulator:** Australian Transaction Reports & Analysis Centre
- **Framework:** AML/CTF Act 2006 (Cth)
- [Verify on AUSTRAC Remittance Sector Register](https://online.apps.austrac.gov.au/rsr) _(Search 'NexPay')_

#### United Kingdom — NexPay Limited _(active)_

NexPay Limited is authorised by the Financial Conduct Authority as an Authorised Payment Institution.

- **FRN:** 792784
- **Regulator:** FCA
- **Type:** Authorised Payment Institution
- **Framework:** PSRs 2017

##### Authorised Payment Institution (FCA)

- **Firm Reference Number:** 792784
- **Authorisation:** Payment services
- **Regulator:** Financial Conduct Authority
- **Framework:** Payment Services Regulations 2017
- [Verify on FCA Register](https://register.fca.org.uk/s/?q=792784) _(Search 'NexPay Limited' or FRN 792784)_

#### Canada — NexPay Canada Inc. _(active)_

NexPay Canada Inc. is registered with FINTRAC as a Money Services Business and registered with the Bank of Canada as a Payment Service Provider under the Retail Payment Activities Act.

- **MSB Number:** M18421670
- **Regulator:** FINTRAC
- **PSP Registry:** Bank of Canada
- **Framework:** PCMLTFA / RPAA

##### Money Services Business Registration (FINTRAC)

- **MSB Registration Number:** M18421670
- **Authorisation:** Foreign exchange and money transferring
- **Regulator:** Financial Transactions and Reports Analysis Centre of Canada
- **Framework:** PCMLTFA
- [FINTRAC MSB Registry](https://www10.fintrac-canafe.gc.ca/msb-esm/public/msb-search/) _(Search 'NexPay Canada')_

##### Payment Service Provider Registration (Bank of Canada)

- **PSP Registration:** Registered
- **Authorisation:** Retail payment activities under the RPAA
- **Regulator:** Bank of Canada
- **Framework:** Retail Payment Activities Act
- [Bank of Canada PSP Registry](https://www.bankofcanada.ca/core-functions/retail-payments-supervision/psp-registry/) _(Search 'NexPay Canada')_

<a id="partners"></a>

## Regulated partners we work with.

NexPay handles the customer-facing payment service and compliance controls. The role each partner plays depends on the corridor — banking, FX, card processing, or local rails. Specific partner details for a given flow are available on request to qualified procurement and risk reviewers.

- **Xe** — Multi-currency FX & global remittance
- **EBANX** — LATAM local rails & settlement
- **Santander** — Banking & settlement
- **dLocal** — LATAM cross-border payments
- **Banking Circle** — Cross-border banking & settlement
- **Bradesco** — Banking & local rails (Brazil)
- **Bancolombia** — Banking & local rails (Colombia)
- **Banco de Bogotá** — Banking & local rails (Colombia)
- **BBVA** — Banking & cross-border settlement
- **BICE** — Banking & local rails (Chile)
- **Barclays** — Banking & UK settlement
- **Volt.io** — Real-time payments & open banking
- **Liquid Group** — APAC cross-border payments
- **Checkout.com** — Card processing & acquiring
- **Monoova** — Real-time payments & PayID (Australia)
- **NIUM** — Global payouts & cross-border infrastructure
- **9Pay** — Local rails (Vietnam)
- **Worldline** — Card processing & acquiring

<a id="compliance"></a>

## Built for audit.

Every licence above carries obligations. Here's how we meet them — operationally, technically, and across the data we touch.

#### AML & Sanctions

- **Customer Due Diligence on every payment:** KYC, identity verification, and beneficial-owner checks before funds move.
- **Real-time sanctions screening:** OFAC, EU, UN, AU/DFAT, and Canadian consolidated lists; rescreened on every transaction.
- **Ongoing transaction monitoring:** Behavioural rules surface unusual patterns; suspicious matters reported to the relevant FIU.
- **Audit-ready logs:** Every payment, decision, and override timestamped and retained per statutory periods.

#### Data Protection

- **AES-256 encryption at rest:** Per-tenant keys, plus field-level encryption on banking data — DBAs cannot read account numbers.
- **TLS 1.2+ in transit, HSTS enforced:** All connections terminate on validated certificates; downgrade attacks blocked at the edge.
- **GDPR · Privacy Act · PIPEDA:** Documented lawful bases, DSAR support, and regional data-handling for AU, EU/UK, and Canada.
- **PII redaction in logs:** Passwords, tokens, account numbers, and government IDs scrubbed before any log is written.

#### Funds Safeguarding

- **Segregated client accounts:** Customer funds held in trust accounts separate from NexPay operating capital.
- **PCI DSS compliant rails:** Card data handled exclusively by PCI DSS-certified processors; we never store PANs.
- **3D Secure by default:** Liability shift on card transactions; step-up authentication on high-risk profiles.
- **Duplicate-payment protection:** Idempotent payment APIs prevent double-charging on retries or network failures.

#### Platform Security

- **Google Cloud · Cloudflare:** Hosted on GCP with automated failover; DDoS, WAF, and bot mitigation at Cloudflare's edge.
- **Zero standing privileges:** No permanent production access. Every elevation is time-bounded, justified, and audited.
- **Application-layer tenant isolation:** Every query is scoped to a tenant context at the application layer.
- **DNSSEC · DMARC reject:** Domain integrity end-to-end; no spoofed email reaches recipients claiming to be NexPay.

<a id="practices"></a>

## What we actually do, in detail.

The four pillars above are the headline. Below is the full operational checklist — what regulators see, what auditors test, and what we hold ourselves to every day.

#### Payments

- **Segregated client funds:** Customer funds held in trust accounts separated from NexPay operating capital. Your money is never co-mingled with ours.
- **Licensed counterparties only:** Settlement and FX rails operated through regulated banking partners with active local authorisations.
- **Same-day disbursement on cleared funds:** Once funds clear, we move them. No idle float, no surprise holds — minimising exposure window.
- **Full payment audit trail:** Every state change — initiated, screened, paid, cleared, disbursed — is timestamped and retained for statutory periods.
- **PCI DSS rails:** Card data handled exclusively by PCI DSS-certified processors. NexPay never stores or sees PANs.
- **3D Secure by default:** Strong customer authentication on card transactions; liability shifts to the issuer where supported.
- **Idempotent payment APIs:** Duplicate-payment protection at the protocol level. Network retries can never charge a payer twice.
- **Verified webhook architecture:** Inbound payment notifications cryptographically verified before they touch any business logic.

#### Technology

- **Hosted on Google Cloud:** Tier-1 infrastructure with regional redundancy, automated failover, and continuous backups.
- **Encryption at rest (AES-256):** Per-tenant encryption keys plus field-level encryption on banking details — DBAs cannot read account numbers in plaintext.
- **TLS 1.2+ in transit, HSTS preload:** All traffic terminates on validated certificates. Downgrade attacks are blocked at the edge.
- **Application-layer tenant isolation:** Every query is scoped to a tenant context at the application layer.
- **Cloudflare edge protection:** DDoS mitigation, WAF rules, bot detection (Turnstile), and rate-limiting before traffic reaches our origin.
- **DNSSEC + strict DMARC:** Domain integrity end-to-end. Spoofed mail claiming to be NexPay is rejected by recipient mail servers.
- **Zero standing privileges:** No permanent production access for engineers. Every elevation is time-bounded, justified, and audited.
- **Multi-layer rate limiting:** Endpoint-level throttling, smart login back-off, and account lockouts that escalate on repeated failures.
- **Automatic PII redaction in logs:** Tokens, passwords, account numbers, and government IDs are scrubbed before any log is written.
- **Distributed tracing (OpenTelemetry):** Every request traceable end-to-end across services. Investigations are minutes, not days.

#### People

- **Background checks for sensitive roles:** Anyone touching production systems, funds movement, or customer data passes a verified background check.
- **Mandatory security training:** All staff complete recurring AML/CTF, privacy, and information-security training; results are logged.
- **Role-based access (least privilege):** Internal access scoped to job function. No-one has more than they need to do their work today.
- **Mandatory 2FA on internal systems:** All employee access — admin tools, code repos, cloud — is gated by hardware-backed multi-factor authentication.
- **Time-bounded support access:** When support views a customer account, the session is time-limited, audited, and tied to a documented reason.

#### Compliance

- **AFSL holder, AUSTRAC remittance registered (Australia):** Held directly by NexPay Pty Ltd. Independently verifiable on the ASIC and AUSTRAC public registers.
- **FCA Authorised Payment Institution (United Kingdom):** NexPay Limited authorised by the FCA. Verifiable on the FCA Financial Services Register (FRN 792784).
- **FINTRAC MSB & Bank of Canada PSP (Canada):** NexPay Canada Inc. registered with FINTRAC as an MSB (M18421670) and with the Bank of Canada as a PSP under the RPAA. These are registrations, not regulator endorsements.
- **Customer Due Diligence on every payment:** KYC, identity verification, and beneficial-owner checks before funds move. No exceptions.
- **Real-time sanctions screening:** OFAC, EU, UN, AU/DFAT, and Canadian consolidated lists. Every transaction, every time.
- **Ongoing transaction monitoring:** Behavioural rules and pattern detection surface unusual activity for human review and FIU reporting.
- **GDPR, Australian Privacy Act, PIPEDA:** Documented lawful bases, DSAR support, and regional data-handling for AU, EU/UK, and Canada.
- **AFCA member (external dispute resolution):** Required by our AFSL. Customers have an independent path to resolution beyond NexPay's own complaints process.

#### Operations

- **Automated failover:** Multi-zone deployment with health-checked traffic routing. Outages route around themselves.
- **Continuous backups + tested restores:** Backups aren't useful unless you've tested them. Restore drills run on a recurring schedule.
- **Reliable message queues:** Payments and downstream processes flow through durable queues with retry semantics. Nothing falls on the floor.
- **Release freeze windows:** No production releases during high-risk periods (intake peaks, holiday cycles, regulatory deadlines).
- **24/7 monitoring + on-call rotation:** Every critical signal pages a human. Mean-time-to-acknowledge is measured and improved every quarter.
- **Documented incident response plan:** Roles, comms templates, and external contacts pre-defined. Tested in tabletop exercises, not invented mid-incident.

#### Transparency

- **Public regulatory registers:** Every licence above links directly to the official register. Verify it yourself, no NexPay account required.
- **Named human on every payment:** Customers always know who is handling their transaction. No black-box ticket queues for tuition flows.
- **Honest pricing:** FX margins, fees, and timing disclosed before the payer confirms. No surprise mark-ups at settlement.
- **Open about partners:** We don't hide our upstream banking and FX partners. Ask and we'll tell you exactly who handles your funds.
- **Public status page:** Real-time system health, incidents, and scheduled maintenance — published, not buried.
- **Compliance pack on request:** SIG Lite, security overview, AML/CTF programme summary, PDS, FSG — sent within one business day to any qualified requester.

<a id="faq"></a>

## Trust & compliance questions

#### Is NexPay licensed to operate in Australia?

Yes. NexPay Pty Ltd holds Australian Financial Services Licence 560782 (ASIC) for non-cash payment services to retail and wholesale clients, and is registered with AUSTRAC as a remittance service provider. Both are independently verifiable on the respective public registers.

#### Who holds the licences and registrations — NexPay or a partner?

NexPay group entities hold their own licences and registrations directly in each jurisdiction. NexPay Pty Ltd (Australia), NexPay Limited (United Kingdom), and NexPay Canada Inc. (Canada) are each responsible for compliance in their respective markets, supported by regulated banking and payment partners where required.

#### How are client funds protected?

Customer funds are held in segregated trust accounts, separate from NexPay's operating capital. Your money is never co-mingled with ours. Card data is handled exclusively by PCI DSS-certified processors — NexPay never stores or sees PANs.

#### What AML and sanctions screening does NexPay perform?

Every transaction is screened in real time against OFAC, EU, UN, AU/DFAT, and Canadian consolidated sanctions lists. Customer Due Diligence (KYC, identity verification, beneficial-owner checks) runs on every payment before funds move. Suspicious matters are reported to the relevant Financial Intelligence Unit.

#### Can I verify NexPay's credentials independently?

Absolutely. Search 'NexPay' or licence number 560782 on the ASIC Professional Registers, 'NexPay' on the AUSTRAC Remittance Sector Register, 'NexPay Limited' or FRN 792784 on the FCA Register, and 'NexPay Canada' on the FINTRAC MSB Registry and Bank of Canada PSP Registry. All are public, no NexPay account required.

#### What data protection standards does NexPay follow?

AES-256 encryption at rest with per-tenant keys, TLS 1.2+ in transit with HSTS enforced, PII redacted from all logs, and documented compliance with the GDPR, Australian Privacy Act, and Canadian PIPEDA. Application-layer tenant isolation scopes every query to a tenant context.

#### Does NexPay have an external dispute resolution scheme?

Yes. As required by our AFSL, NexPay is a member of the Australian Financial Complaints Authority (AFCA). Customers have an independent path to resolution beyond our own complaints process.

#### Is NexPay authorised in the United Kingdom?

Yes. NexPay Limited is authorised by the UK Financial Conduct Authority as an Authorised Payment Institution under the Payment Services Regulations 2017. Firm Reference Number 792784, verifiable on the FCA Financial Services Register.

#### Is NexPay registered in Canada?

Yes. NexPay Canada Inc. is registered with FINTRAC as an MSB (Registration Number M18421670) and registered with the Bank of Canada as a Payment Service Provider under the Retail Payment Activities Act. These are registrations, not regulator endorsements.

<a id="subprocessors"></a>

## Subprocessors & data residency.

We list the third-party vendors that process customer data on our behalf, the data they touch, and where it lives. Required reading for procurement, GDPR Article 28 reviewers, and PIPEDA / Australian Privacy Act compliance teams. _(Last updated: 5 May 2026.)_

Subprocessor changes are notified to enterprise customers via email at least 30 days before they take effect, where contractually required.

#### Google Cloud Platform

- **Purpose:** Primary application hosting, databases, object storage
- **Data shared:** All application data, encrypted at rest with per-tenant keys
- **Region:** australia-southeast1 (Sydney)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Firebase Authentication (Google)

- **Purpose:** User authentication and identity management
- **Data shared:** Email, phone number, hashed credentials, auth tokens
- **Region:** Global (Google managed)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Microsoft Azure

- **Purpose:** Legacy application hosting (migration to GCP in progress)
- **Data shared:** All application data, encrypted at rest
- **Region:** Australia East (Sydney)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Cloudflare

- **Purpose:** Edge network, WAF, DDoS mitigation, bot detection (Turnstile), Workers, AI Search, AI Gateway
- **Data shared:** IP addresses, request metadata, headers; LLM prompts/responses routed through AI Gateway
- **Region:** Global anycast
- **Transfer mechanism:** GDPR SCCs · UK IDTA

#### Atlassian Statuspage

- **Purpose:** Public service-status communication
- **Data shared:** Subscriber email addresses (opt-in only)
- **Region:** United States
- **Transfer mechanism:** GDPR SCCs

#### Postmark

- **Purpose:** Transactional email delivery (receipts, notifications)
- **Data shared:** Recipient email, name, transaction reference
- **Region:** United States
- **Transfer mechanism:** GDPR SCCs

#### SendGrid (Twilio)

- **Purpose:** Transactional & bulk email delivery
- **Data shared:** Recipient email, name, message content
- **Region:** United States
- **Transfer mechanism:** GDPR SCCs

#### Google Analytics 4

- **Purpose:** Website analytics
- **Data shared:** Anonymised usage events, IP-truncated
- **Region:** United States · EU
- **Transfer mechanism:** GDPR SCCs · IP anonymisation

#### ProveSource

- **Purpose:** Social-proof notifications on marketing pages
- **Data shared:** First name, approximate city, public event type (e.g. signup)
- **Region:** United States (per ProveSource privacy policy)
- **Transfer mechanism:** GDPR SCCs

#### PostHog

- **Purpose:** Product analytics, session replay, conversion funnels
- **Data shared:** Identified user data (ID, email, full name, tenant ID, organisation name, roles, locale, time zone); pageviews and click events; conversion-funnel event properties including currencies, country pairs, payment amounts, settlement methods, and document upload counts (these enable funnel breakdowns but mean transaction-level value data reaches PostHog); session recordings with form inputs and chat content masked; IP address for geo only
- **Region:** European Union (Frankfurt) via reverse proxy at pipe.nexpay.com.au
- **Transfer mechanism:** GDPR SCCs · explicit opt-in for EU/UK/EEA/CH visitors via cookie banner · recordings restricted to a named PostHog access group internally

#### Google Cloud Logging & Error Reporting

- **Purpose:** Application error monitoring & observability
- **Data shared:** Stack traces, request IDs; PII redacted at source
- **Region:** australia-southeast1 (Sydney)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Algolia

- **Purpose:** Search index for in-app and on-site search
- **Data shared:** Indexed content (e.g. school/agent records); no banking data
- **Region:** Australia (Sydney)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Twilio

- **Purpose:** In-app chat and messaging infrastructure
- **Data shared:** Phone number, message content, delivery metadata
- **Region:** United States
- **Transfer mechanism:** GDPR SCCs

#### Groq

- **Purpose:** LLM inference for AI-assisted features
- **Data shared:** Prompt content; PII redacted before transmission
- **Region:** United States
- **Transfer mechanism:** GDPR SCCs · zero-retention API

#### Google Gemini

- **Purpose:** LLM inference for AI-assisted features
- **Data shared:** Prompt content; PII redacted before transmission
- **Region:** Global (Google managed)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Identity verification provider _(pending disclosure)_

- **Purpose:** KYC / identity verification on customer onboarding
- **Data shared:** Government ID, selfie, biometric template
- **Region:** Pending disclosure
- **Transfer mechanism:** Pending disclosure

#### Sanctions & PEP screening provider _(pending disclosure)_

- **Purpose:** Real-time sanctions, PEP & adverse-media screening
- **Data shared:** Customer name, DOB, country, transaction context
- **Region:** Pending disclosure
- **Transfer mechanism:** Pending disclosure

#### Card processor _(pending disclosure)_

- **Purpose:** PCI DSS-certified card acquiring & 3DS
- **Data shared:** Card data tokenised at processor; NexPay never stores PANs
- **Region:** Pending disclosure
- **Transfer mechanism:** PCI DSS Level 1 · GDPR SCCs

#### HubSpot

- **Purpose:** CRM, sales & account management
- **Data shared:** Contact details, communication history
- **Region:** United States · European Union
- **Transfer mechanism:** GDPR SCCs

#### Microsoft 365 (Teams, Office)

- **Purpose:** Internal collaboration and document handling
- **Data shared:** Internal communications; customer data only when shared via support channels
- **Region:** Australia (Sydney)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

#### Google Workspace

- **Purpose:** Internal collaboration, email, document handling
- **Data shared:** Internal communications; customer data only when shared via support channels
- **Region:** Australia (Sydney) · Global (Google managed)
- **Transfer mechanism:** Australian Privacy Principles · GDPR SCCs

<a id="securityDisclosure"></a>

## Found something? Tell us.

We welcome reports from security researchers. If you've found a vulnerability in NexPay infrastructure, products, or websites, write to us — and we'll get back to you fast.

**Contact: security@nexpay.com.au · Disclosure policy: /.well-known/security.txt**

We will not pursue legal action against researchers who act in good faith and within our published scope when reporting vulnerabilities. Please give us reasonable time to remediate before public disclosure.

### SLA

- **Within 1 business day** — Acknowledge
- **Within 5 business days** — Triage update

### In Scope

- **nexpay.com.au** and subdomains
- **app.nexpay.com.au:** Customer dashboard
- **api.nexpay.com.au:** API endpoints

### Out Of Scope

- **Denial of service:** Volumetric or load-based attacks
- **Social engineering:** Of NexPay staff, customers, or partners
- **Physical access:** Reports requiring physical access to a user's device

<a id="documents"></a>

## Public documents & disclosures.

Our customer agreements and regulatory disclosures, available without an account, NDA, or sales call. For SIG Lite, security overviews, AML/CTF programme summary, or other procurement materials, request the compliance pack below.

- [**Terms and Conditions**](/terms-and-conditions/) _(PDF)_: The contract you accept when using NexPay services — payer and recipient obligations, fees, liability and dispute pathways.
- [**Privacy Policy**](/privacy-policy/) _(PDF)_: How NexPay collects, uses, stores and discloses personal information under the Australian Privacy Act, GDPR and PIPEDA.
- [**Cookie Policy**](/cookie-policy/) _(PDF)_: What cookies and similar technologies NexPay uses, the categories you can accept or reject, and how to change your preferences.
- [**Complaints & Dispute Resolution Policy**](/complaints-policy/) _(PDF)_: How to raise a complaint, what to expect, response timeframes, and how to escalate to AFCA if you are not satisfied.
- [**Financial Services Guide (FSG)**](/financial-services-guide/) _(PDF)_: Required under our AFSL. Tells you who we are, what we are authorised to do, how we are paid, and how we handle complaints.
- [**Product Disclosure Statement (PDS)**](/product-disclosure-statement/) _(PDF)_: Key features, benefits, risks, fees and terms of NexPay’s non-cash payment service. Read before you transact.
- [**AML/CTF Policy**](/aml-policy/) _(PDF)_: Summary of NexPay’s AML/CTF programme — customer due diligence, sanctions screening, transaction monitoring and reporting.
- [**Target Market Determination (TMD)**](/target-market-determination/) _(PDF)_: The class of consumers our non-cash payment product is designed for, distribution conditions, review triggers, and reporting obligations under the Design and Distribution Obligations regime.
- [**Group Regulatory Disclosure**](/group-regulatory-disclosure/) _(PDF)_: Which NexPay entity serves you, in which jurisdiction, under which licence — the contractual and regulatory map of the group.
- [**Fees & FX Schedule**](/fees-and-fx/) _(PDF)_: The actual fee bands, FX margin policy, and route-by-route variations applied to every NexPay payment — the disclosure behind the all-in rate quoted at checkout.
- [**Developer & API Terms**](/developer-terms/) _(PDF)_: Terms governing the NexPay REST API, the Zapier integration, and the MCP server for Claude / ChatGPT — credentials, rate limits, allowed use, support and termination.

<a id="crossLink"></a>

## Regulation is the baseline. People are the difference.

- [Why NexPay](/about.md)

<a id="contact"></a>

## Need a compliance pack?

- [Request the compliance pack](mailto:support@nexpay.com.au?subject=Compliance%20pack%20request)
- [Talk to us](/contact-us.md)


## NexPay

NexPay Pty Ltd (ABN 56 153 910 984) holds Australian Financial Services Licence No. 560782 and is authorised to provide non-cash payment services to retail and wholesale clients in Australia.

- **Address:** Level 12, 64 York St, Sydney NSW 2000, Australia
- **Support:** [support@nexpay.com.au](mailto:support@nexpay.com.au)
- **Status:** [https://nexpay1.statuspage.io/](https://nexpay1.statuspage.io/)

© NexPay Pty Ltd
