Regulatory Compliance FAQ
Regulatory compliance spans dozens of Australian laws and regulators. This FAQ covers questions relevant to financial services, consumer-facing businesses, and firms dealing with personal information, whistleblowing, and AML obligations.
This FAQ answers 20 of the questions Australian compliance lawyers are most often asked, across AFSL, ACL, AML/CTF, privacy, consumer law, and regulator investigations.
Common questions
Who are the main Australian business regulators?
The main regulators are ASIC (corporations and financial services), APRA (prudential), the ACCC (competition and consumer), AUSTRAC (AML/CTF), the OAIC (privacy), the ATO (tax), Fair Work (workplace), and industry regulators such as AHPRA and TGA.
When is an AFSL required?
An Australian Financial Services Licence is required to carry on a financial services business in Australia — providing financial product advice, dealing, making a market, operating a registered scheme, providing custodial services, or providing a traditional trustee service.
What are general and specific AFSL obligations?
Licensees must do all things necessary to ensure services are provided efficiently, honestly and fairly; maintain competence; have adequate resources; comply with financial services laws; manage conflicts; have dispute resolution arrangements; and maintain adequate risk management systems.
What is the AML/CTF regime in Australia?
The AML/CTF Act requires reporting entities (banks, remittance providers, gambling operators, bullion dealers) to identify customers, conduct ongoing due diligence, report suspicious matters and threshold transactions, and maintain an AML/CTF program. AUSTRAC is the regulator.
Are lawyers and accountants covered by AML rules?
At present lawyers, accountants, and real estate agents are not reporting entities under the AML/CTF Act, but Tranche 2 reforms expanding the regime to these gatekeeper professions have been announced. Firms should be preparing systems and client due diligence processes now.
What is the Privacy Act and who must comply?
The Privacy Act regulates how personal information is handled. It applies to Australian government agencies, private sector organisations with annual turnover over $3 million, and all health service providers, regardless of turnover. The 13 Australian Privacy Principles set the core obligations.
What is a notifiable data breach?
Under the Notifiable Data Breaches scheme, organisations must notify affected individuals and the OAIC of a data breach that is likely to result in serious harm and cannot be effectively remediated. Reforms have increased maximum penalties and expanded the Commissioner's powers.
What are the Australian Consumer Law's core protections?
The ACL prohibits misleading or deceptive conduct, unconscionable conduct, unfair contract terms, and false representations. It also provides consumer guarantees for goods and services, and specific product safety rules. It applies nationally and is administered by the ACCC and state regulators.
What is misleading or deceptive conduct under section 18?
Section 18 of the ACL prohibits a person, in trade or commerce, from engaging in conduct that is misleading or deceptive or is likely to mislead or deceive. It is a strict liability provision — there is no need to prove intention or fault to obtain remedies.
What is the unfair contract terms regime?
The unfair contract terms regime voids unfair terms in standard form small business and consumer contracts. A term is unfair if it creates a significant imbalance, is not reasonably necessary, and would cause detriment. Since 9 November 2023 proposing unfair terms attracts civil penalties.
What happens in an ASIC investigation?
ASIC can issue notices under section 19 requiring attendance at an examination, and under sections 30-33 requiring production of documents. Non-compliance is an offence. Examinations are compulsory and answers can be used in some proceedings; claims of privilege must be made at the time, not afterwards.
What is legal professional privilege in regulator investigations?
Legal professional privilege is recognised at common law and protects confidential communications made for the dominant purpose of obtaining or providing legal advice or for use in anticipated litigation. Regulators must respect privilege but may test claims strictly.
What are whistleblower protections?
The Corporations Act and Taxation Administration Act provide protections for eligible whistleblowers who make disclosures about misconduct to eligible recipients. Protections include criminal and civil immunity, compensation, and confidentiality. Public and large private companies must have a whistleblower policy.
What are the modern slavery reporting obligations?
Entities with annual consolidated revenue of $100 million or more must publish annual modern slavery statements describing the risks of modern slavery in their operations and supply chains and actions taken to address them. Statements are lodged on a central register.
What are the foreign bribery laws?
Bribery of foreign public officials is a criminal offence under division 70 of the Commonwealth Criminal Code. The offence applies extra-territorially to Australian citizens, residents, and companies. Pending reforms include a new failure to prevent offence with an adequate procedures defence.
What is continuous disclosure compliance?
Listed entities must immediately disclose price-sensitive information to the market unless it falls within a carve-out. Since 2020, reforms have required proof of knowledge, recklessness, or negligence for civil penalty and class action liability — but the disclosure obligation itself remains strict.
What are workplace health and safety compliance obligations?
Under harmonised WHS laws, a person conducting a business or undertaking (PCBU) must ensure, so far as is reasonably practicable, the health and safety of workers. Officers have a parallel duty of due diligence. Failures can lead to category 1-3 offences and civil penalties.
What is the Consumer Data Right?
The Consumer Data Right (CDR) gives consumers the right to safely access specified data about them held by businesses, and to direct that it be shared with accredited recipients. It is live in banking and energy, with phased rollout to other sectors.
What are director obligations for compliance?
Directors must exercise due diligence to ensure compliance with laws affecting the company (for example WHS, environmental, financial services, competition). Regulators increasingly focus on director accountability, supported by the FAR/BEAR accountability regimes for financial institutions.
How much does compliance advice cost?
One-off compliance reviews typically cost $10,000-$75,000. AFSL or CDR accreditation projects are larger. Many firms engage external compliance advisers on retainers of $3,000-$20,000 per month. The cost of non-compliance vastly exceeds the cost of prevention.
Research any of these in context
Quillio helps Australian compliance lawyers research regulatory guides, analyse notices, and draft compliance policies with citations to the relevant legislation and regulator guidance. See /practice-areas/compliance-lawyers or start a free trial.
These FAQs are general explanations for educational purposes — not legal advice. Compliance law changes frequently; always verify against current legislation, regulator guidance, and specific industry rules.
Get cited answers, not just FAQs.
Quillio gives you the answer plus a clickable citation to the underlying AU authority. The free trial requires no credit card and no sales call.