Australia 2026 Payments Deep Dive: How NPP, PayTo & the RBA’s Retail Payments Review Reshape High-Risk Merchant Strategy

Australia is quietly becoming one of the most important payment laboratories in the world. While many markets are still debating the future of cards, bank rails and surcharging, Australia is actively re-engineering all three at once. Real-time payments are now mainstream, account-to-account rails are being redesigned for commercial use, and regulators are directly intervening in how card costs are set and passed on.

For high-risk merchants, this matters more than it might first appear. Sectors like online gambling, FX and trading, digital services, adult content, and travel tend to feel payments change earlier and more sharply than low-risk commerce. Margins are tighter, dispute exposure is higher, and acquirer tolerance is far more sensitive to cost, fraud, and reputational risk. When payment economics shift, high-risk models are usually the first to be forced to adapt.

By 2026, Australia’s payments environment will look materially different from just a few years earlier. The New Payments Platform (NPP) has moved beyond a consumer convenience rail into something merchants can actively design around. PayTo is emerging as a modern, mandate-based alternative to both cards and legacy direct debit. At the same time, the Reserve Bank of Australia’s review of retail payments regulation is putting sustained pressure on card pricing, surcharging, and routing practices.

This combination makes Australia a forward indicator for what high-risk payment strategy may look like elsewhere. Understanding how these rails, rules, and risk controls interact is no longer optional for merchants and PSPs operating or planning to operate in the Australian market.

Australia’s NPP: Moving from “New Tech” to Critical Infrastructure

By 2026, the honeymoon phase for Australia’s New Payments Platform (NPP) is officially over. It has graduated from consumer convenience to the absolute plumbing of the Australian economy. For merchants and PSPs especially those navigating high-risk sectors the NPP isn’t just an “option” at checkout anymore; it is the core rail that determines whether your treasury stays liquid or drowns in settlement delays.2

The Shift from Authorization to Certainty

At its heart, the NPP offers something card schemes never could: instant finality.

In high-risk environments, we often see merchants fall into the “authorization trap.” A card payment looks successful the moment it’s authorized, but that’s just a promise. The actual money might not hit your account for days, leaving you exposed to “friendly fraud” or liquidity gaps.

With the NPP powered by Osko and PayID the technical friction is gone. We’re talking about 24/7, account-to-account transfers that settle in seconds. For a high-risk merchant, this shifts the needle from hoping for funds to knowing you have them.

Where the NPP Wins (And Where it Bites)

If you’re running a high-volume or high-risk model in 2026, the NPP is your best friend for payout-heavy flows. Think gambling withdrawals or affiliate commissions. Being able to push a refund or a payout instantly doesn’t just make customers happy; it pulls you out of the messy, slow card-settlement cycle.

However and this is the “mentor” advice you need to hear, instant settlement is a double-edged sword.

Because NPP payments are near-impossible to reverse once they hit the rail, the risk moves “upstream.” You can no longer rely on post-transaction recovery. If you send a payout to the wrong person, or a fraudster tricks your system into an NPP deposit, that money is effectively gone.

The New Risk Playbook for 2026

In this real-time world, your “wait and see” risk models are obsolete. To survive the NPP landscape, your strategy must pivot toward:

• Pre-emptive Payee Validation: You have to be 100% sure of the “who” before the “go” button is pressed.
• Velocity as a Warning Bell: Since you can’t get the money back, your systems need to be hyper-sensitive to “burst” activity that signals an account takeover or a mule at work.
• Operational Reconciliation: Real-time payments require real-time accounting. If your back office is still reconciling weekly, the NPP will break your reporting.

The NPP is the gold standard for domestic Australian flows, but it isn’t a silver bullet. It doesn’t replace cards for your international reach, but it should be the foundation of your domestic strategy. It’s about using the right tool for the right job balancing the speed of the NPP with the protection of traditional rails.

PayTo: Mandated, API-Driven Account Debits

PayTo is one of the most structurally important developments in Australia’s payments ecosystem, especially for merchants that rely on recurring, agreement-based, or repeat payments. Built on top of the NPP, PayTo modernises how businesses initiate account debits by replacing legacy direct debit (BECS) with a real-time, consent-driven, API-based model.

In practice, PayTo allows customers to approve a payment agreement directly from their bank. That agreement clearly defines who can be paid, how much, how often, and under what conditions. Once authorised, payments can be executed in real time, with significantly more transparency and customer control than traditional direct debit models.

For high-risk merchants, this is a meaningful shift. Legacy direct debit has long suffered from slow setup, poor customer visibility, and dispute friction driven by confusion rather than fraud. Cards, while flexible, bring scheme fees, chargebacks, and increasing margin pressure. PayTo sits between these two, offering a structured alternative that reduces card dependency without inheriting BECS’s operational weaknesses.

Where PayTo is strategically attractive for high-risk merchants:

• Subscriptions and instalment plans, where clear mandates reduce billing disputes
• Predictable re-billing models, such as membership or service agreements
• Domestic recurring deposits, where card declines or chargebacks are costly
• Customer-present relationships, where trust and transparency can be established

Adoption is expected to accelerate from 2025 onward as banks, billers, and platforms standardise PayTo integrations. PSPs increasingly view PayTo as a strategic rail, not an experimental one, particularly for merchants seeking to stabilise recurring revenue.

That said, PayTo introduces a different risk surface. Instead of chargebacks, the primary exposure shifts to mandate lifecycle management. High-risk merchants must demonstrate clear controls around how mandates are created, amended, paused, and cancelled, and how customer consent is recorded and auditable.

Operational risks merchants must plan for include:

• Poorly designed mandate UX leading to complaints
• Weak refund processes for partial or mistaken debits
• Inadequate audit trails during disputes or regulator reviews

Unlike cards, PayTo does not provide a standardised dispute framework. Refunds are typically handled as push payments, which places greater responsibility on the merchant to act quickly and transparently. In high-risk categories, where trust is already fragile, this operational maturity is often the difference between PSP acceptance and rejection.

In practice, PayTo works best as a relationship-based rail. It is well-suited to domestic recurring payments and controlled deposit flows, but poorly suited to anonymous, one-off, or cross-border transactions. High-risk merchants that succeed with PayTo treat it as a long-term payment relationship, supported by strong compliance, customer communication, and reconciliation processes.

RBA’s Review of Retail Payments Regulation

Alongside the rollout of real-time rails, the Reserve Bank of Australia (RBA) is reshaping the economics of card payments through its Review of Retail Payments Regulation. For high-risk merchants, this review is just as consequential as NPP or PayTo, because it directly affects cost, pricing flexibility, and acceptance strategy.

The RBA’s 2024–2025 review focuses on whether Australia’s card payment system remains efficient, competitive, and fair for merchants. A central theme is merchant cost: how interchange, scheme fees, and surcharging rules interact, and whether current settings still serve their intended purpose. While the review applies to all merchants, its impact is uneven, and high-risk MCCs tend to feel the pressure first.

For many high-risk businesses, card margins are already tight. Fraud tooling, dispute handling, reserves, and higher processing fees leave little room for error. Any tightening around surcharging or changes to how costs can be passed on to customers forces merchants to rethink pricing models that may have worked for years.

Key areas of the review that matter most to high-risk merchants include:

• Surcharging rules, and whether current practices over- or under-compensate merchants for card acceptance costs
  
• Interchange and scheme fee dynamics, particularly for debit and premium card products
  
• Routing transparency, including how much control merchants and PSPs have over where transactions are sent

One practical consequence is that “just surcharge more” becomes a less reliable strategy. If surcharging flexibility is reduced or more tightly policed, high-risk merchants lose a blunt tool they’ve historically used to protect margins. That pushes strategy toward smarter routing, rail diversification, and cost-aware payment design, rather than reactive pricing.

Another implication is how acquirers assess merchant sustainability. Under tighter regulatory scrutiny, acquirers are less tolerant of merchants whose economics depend on aggressive surcharging or opaque fee recovery. In 2026, merchants that can demonstrate cost discipline through routing, rail choice, and dispute reduction are generally viewed as lower-risk counterparts to those relying on surcharges to compensate for inefficiencies.

For high-risk merchants, the RBA’s review is not about predicting the exact regulatory outcome. It’s about recognising the direction of travel. Card acceptance in Australia is being pushed toward greater transparency and efficiency, which narrows the margin for poorly optimised models. Merchants that adapt early by balancing cards with NPP and PayTo are far better positioned than those that wait for rules to change before reacting.

Confirmation of Payee on NPP & BECS

Confirmation of Payee (CoP) is not a “nice-to-have” control in Australia’s real-time payments ecosystem. By 2026, it becomes a baseline expectation for any merchant or PSP moving serious volume over NPP or legacy BECS rails, especially in high-risk categories.

Unlike cards, where disputes and reversals create a delayed safety net, account-to-account payments move value instantly. Once funds are sent, recovery is difficult and often impossible. CoP exists to catch problems before money moves, not after.

From a merchant perspective, this fundamentally changes where risk sits in the payment flow.

Why CoP matters more for high-risk merchants than low-risk ones

High-risk merchants are disproportionately exposed to:

• Authorised Push Payment (APP) scams
• Account takeover combined with rapid withdrawals
• Mule activity exploiting fast settlement windows
• “Friendly fraud” claims framed as payment mistakes

CoP directly targets these failure modes by validating the recipient name against bank records before a payment is executed. If the details don’t align, the customer is warned or blocked, depending on implementation.

For high-risk merchants, this has two immediate consequences:

1. Lower downstream fraud losses
2. Higher responsibility for front-end payment design

The trade-off: protection vs conversion

CoP is not friction-free. Poorly implemented, it can:

• Trigger false mismatches for legitimate customers
• Increase payment abandonment
• Generate customer support load when warnings are unclear

This is where low-risk and high-risk merchants diverge.
Low-risk merchants can afford softer controls. High-risk merchants cannot.

In 2026, acquirers and PSPs increasingly expect high-risk merchants to:

• Accept some conversion friction in exchange for loss prevention
• Demonstrate clear CoP handling logic
• Show how warnings, retries, and fallbacks are managed

What acquirers and PSPs look for in practice

When reviewing high-risk merchants using NPP or BECS, providers increasingly ask:

• How payee names are presented to customers
• How mismatches are handled (block, warn, retry)
• Whether CoP signals feed into fraud scoring
• How quickly misdirected payment complaints are resolved

Merchants that treat CoP as a box-ticking exercise often struggle to scale. Those that integrate it into their risk decisioning layer tend to see stronger PSP confidence and lower intervention rates.

The operational reality

CoP does not eliminate scams, and it does not replace behavioural monitoring. What it does is shift failure earlier in the flow, where it is cheaper and more controllable.

For high-risk merchants, the strategic takeaway is simple:
real-time rails demand real-time controls. CoP is one of the first signals acquirers look for to assess whether a merchant understands that trade-off.

Acquirer & PSP Appetite in Australia (High-Risk Lens)

In Australia, high-risk payment acceptance is less about what the rules say and more about who is willing to carry the risk. By 2026, the gap between traditional banks and fintech-led PSPs has widened, and merchants that don’t understand this divide tend to waste months pursuing the wrong partners.

Australian banks remain conservative by design. Their primary exposure is reputational and regulatory, not merchant growth. As a result, entire categories are often treated as binary decisions rather than risk-managed portfolios.

In practice, traditional banks are most cautious around:

• Online gambling and betting, particularly cross-border operators
• Adult content, even where activity is legal and licensed
• FX and trading platforms, especially retail-facing models
• Travel and ticketing, where refund exposure and customer complaints are high

For these sectors, rejection is rarely about documentation quality alone. It’s about the bank’s internal tolerance for volatility, complaints, and scheme scrutiny.

This is where fintech PSPs and alternative acquiring models step in. Unlike banks, specialist PSPs are structured to manage complex merchant risk, not avoid it. They invest in fraud tooling, monitoring, and operational controls precisely because they expect higher-risk flows.

Where fintech PSPs show more appetite:

• Merchants with clear rail-mix strategies, not card-only dependence
• Businesses that actively use NPP and PayTo to control settlement risk
• Operators with documented scam, refund, and dispute processes
• Merchants that understand their own risk metrics, not just their revenue

The key difference is not leniency, but expectation. Fintech PSPs demand more from high-risk merchants operationally, even while offering broader acceptance.

Acquirers in 2026 increasingly assess merchants less by category labels and more by risk behaviour. Two gambling operators can receive very different outcomes based on how they handle withdrawals, refunds, and customer verification. Similarly, two FX platforms may be treated differently depending on their payment flows, not their marketing language.

From a practical standpoint, high-risk merchants that succeed in Australia tend to:

• Avoid relying on a single acquiring relationship
• Separate domestic A2A flows from international card traffic
• Design payout logic that reduces post-transaction disputes
• Treat PSP onboarding as a risk review, not a sales process

The uncomfortable reality is that Australia does not offer a “one size fits all” high-risk acquiring path. Merchants who approach banks expecting flexibility are often disappointed. Merchants who approach specialist PSPs without operational maturity are equally unsuccessful.

In 2026, acceptance in Australia is earned through structure, discipline, and realism. High-risk merchants that demonstrate control over rails, risk, and customer outcomes are the ones that remain boardable, even as scrutiny increases.

Designing an AU-Specific Rail Mix: Cards + NPP + PayTo

By 2026, high-risk merchants operating in Australia are no longer evaluated on whether they support cards, NPP, or PayTo individually. They’re assessed on how intelligently those rails are combined. A single-rail strategy is now a red flag, not a simplification.

The goal is not to replace cards or force customers onto bank rails. The goal is to route the right transaction to the right rail, based on risk, customer profile, and operational impact.

When cards still make sense

Despite regulatory pressure and margin tightening, cards remain essential in specific scenarios. For many high-risk merchants, removing cards entirely would damage conversion and revenue.

Cards continue to work best when:

• Customers are international or cross-border
• The transaction is one-off or discretionary
• The customer expects scheme-backed dispute rights
• Currency conversion or card tokenisation improves UX

For these flows, cards remain the most familiar and trusted option, even if they are no longer the cheapest or safest rail.

When NPP is the better option

NPP excels in situations where speed, certainty, and control matter more than global reach.

NPP is typically the right choice for:

• Domestic deposits and top-ups, where instant confirmation reduces friction
• Withdrawals and payouts, especially in gambling, trading, or marketplace models
• Refunds issued as push payments, avoiding card settlement delays
• Liquidity-sensitive operations, where cash visibility matters

However, NPP should be treated as a controlled rail. Real-time settlement demands real-time fraud checks, beneficiary validation, and velocity limits to prevent rapid loss escalation.

Where PayTo fits into the mix

PayTo is not a general-purpose rail. It is most effective when used for relationship-based payments, where customers understand and accept ongoing authorisation.

PayTo works best for:

• Subscriptions and instalment plans
• Predictable re-billing models
• Domestic recurring deposits
• Customer-present relationships, where consent is explicit

It is poorly suited to:

• Anonymous, one-off purchases
• High-friction onboarding flows
• Cross-border or multi-currency use cases

High-risk merchants that treat PayTo as a drop-in card replacement often struggle. Those that design it as a long-term agreement rail tend to see better outcomes.

What acquirers and PSPs expect to see in 2026

By 2026, Australian acquirers and PSPs increasingly look for intentional rail design, not accidental sprawl.

Common acceptance signals include:

• Clear logic explaining why a transaction is routed to a specific rail
• Separation of domestic A2A flows from international card traffic
• Evidence that PayTo mandates are actively managed, not passively stored
• Demonstrated understanding of how rail choice affects disputes and refunds

Merchants that can articulate this logic during onboarding are consistently easier to board and less likely to face sudden restrictions later.

The strategic takeaway

In Australia, rail mix is no longer an optimisation exercise. It’s an acceptance strategy.

High-risk merchants that survive and scale in 2026 are the ones that:

• Use cards where cards make sense
• Use NPP where speed and certainty matter
• Use PayTo where relationships justify mandates
• And can explain why they made those choices

That clarity is what acquirers, PSPs, and regulators increasingly reward.

Merchant Checklist – How to Be 2026-Ready in Australia

Preparing for Australia’s 2026 payments environment is less about adopting every new rail and more about showing control, intent, and operational maturity. For high-risk merchants, acquirers and PSPs are no longer impressed by feature lists. They look for evidence that payments are designed deliberately around risk, regulation, and customer behaviour.

The first priority is local alignment. Merchants operating in or targeting Australia must be able to demonstrate that their business model fits local regulatory and consumer-protection expectations. This includes working with Australia-capable PSPs, understanding domestic settlement norms, and ensuring that compliance documentation reflects Australian requirements rather than being copied from other markets.

Next comes rail clarity. High-risk merchants should be able to clearly explain why they use cards, NPP, or PayTo in different situations. This is not about having every option switched on, but about having a rationale. Acquirers increasingly ask how domestic deposits are handled, how withdrawals are executed, and why certain flows remain card-based. Vague or inconsistent answers often trigger deeper scrutiny.

Pricing and surcharging strategy also requires attention. With regulatory pressure on card costs and surcharging practices, merchants need to move away from reactive fee pass-through and toward structurally sound pricing. That typically means improving routing, reducing avoidable disputes, and using bank rails where they genuinely lower cost and risk, rather than relying on surcharges to protect margins.

Operational readiness around fraud, scams, and disputes is another critical signal. Merchants should be able to show how Confirmation of Payee is handled, how unusual payment behaviour is flagged in real time, and how quickly customer issues are resolved when something goes wrong. In a real-time payments environment, delays and ambiguity escalate problems faster than in card-only models.

Finally, acquirers expect forward-looking discipline. High-risk merchants that plan controlled rollouts, test new rails gradually, and monitor outcomes closely are viewed as safer partners than those that scale aggressively without feedback loops. Being “2026-ready” in Australia is less about technology adoption and more about demonstrating that payments, risk, and operations move together.

This checklist is not about ticking boxes. It’s about proving that your payments strategy is intentional, defensible, and aligned with how Australia’s ecosystem is evolving.

Conclusion

Australia’s payments ecosystem is moving faster than most markets, and for high-risk merchants, that speed changes the rules of engagement. Real-time account-to-account rails are no longer peripheral, card economics are under sustained regulatory pressure, and fraud and scam controls are shifting earlier into the payment flow. Together, these changes redefine what a “sound” payment strategy looks like.

By 2026, success in Australia will not come from choosing the cheapest rail or the most familiar one. It will come from intentional design: using cards where customer expectations demand them, using NPP where settlement certainty and speed matter, and using PayTo where long-term customer relationships justify mandates. Merchants that treat rail choice as a strategic decision rather than a technical setting are consistently better positioned with acquirers and PSPs.

The broader lesson is that Australia is acting as a preview of where other regulated markets are heading. Payment systems are becoming faster, more transparent, and less forgiving of operational weakness. High-risk merchants that invest early in clarity, control, and risk-aware payment design will not only remain boardable in Australia, but will be better prepared for similar shifts elsewhere.

In 2026, Australia will not reward experimentation without discipline. It rewards merchants who understand how money moves, where risk sits, and how regulation reshapes both. For high-risk operators willing to adapt, it remains a demanding but highly valuable market.

---

FAQs