AI compliance built for five regulators on one risk register.

Australia has no single AI regulator. APRA, ASIC, OAIC, TGA, and AHPRA each apply technology-neutral law to AI with different expectations. We build defensible compliance strategies that satisfy every applicable obligation across financial services, healthcare, and government.


Built for

Chief compliance officers · Chief risk officers · General counsel · FAR accountable persons · Healthcare boards
Aligned to: APRA CPS 230 / ASIC REP 798 / FAR / Privacy Act 1988 / TGA SaMD / AHPRA / Voluntary AI Safety Standard

What a compliance engagement delivers.


Regulatory obligations register

Every applicable regulation across APRA, ASIC, OAIC, TGA, AHPRA, and the ACCC mapped against each AI system in production.

Compliance control framework

Integrated controls mapped to CPS 230, ASIC REP 798, FAR, Privacy Act ADM, and the Voluntary AI Safety Standard.

Horizon scanning process

A standing process to track APRA, ASIC, OAIC, and ACCC publications, enforcement actions, and consultation papers.

Remediation roadmap

A prioritised remediation plan with timelines and named owners. Sized for board approval and audit scrutiny.

Why AI compliance in Australia is uniquely complex.

Technology-neutral regulation means existing laws apply to AI without dedicated legislation. The result is overlapping obligations from multiple regulators, escalating deadlines, and personal liability frameworks with no parallel in most jurisdictions.

  1. Structural: No single AI regulator. Five active ones.

    Unlike the EU AI Act's horizontal framework, Australia relies on multiple regulators applying technology-neutral law. APRA enforces prudential standards. ASIC enforces consumer protection and market conduct. OAIC enforces data privacy. TGA regulates AI-powered medical devices. AHPRA governs practitioner obligations. The ACCC enforces consumer law. For cross-sector businesses, the result is overlapping and at times conflicting compliance obligations no other jurisdiction replicates at this scale.

  2. Dec 2026: Deadlines are tightening.

    APRA CPS 230 took effect 1 July 2025, with pre-existing service provider contracts requiring compliance by 1 July 2026. FAR is now fully in force for banks, insurers, and superannuation funds. Privacy Act automated decision-making transparency under APP 1.7 to 1.9 commences 10 December 2026. The government's proposed mandatory guardrails for high-risk AI received 275 consultation submissions, with a response expected in 2026 to 2027.

  3. In force: FAR puts personal liability on the table.

    Australia's Financial Accountability Regime introduces a personal liability framework that has no parallel in most jurisdictions. Accountable persons including CEOs, CROs, CTOs, and directors face penalties up to $1.565 million individually and corporate penalties up to $782.5 million for failing to take reasonable steps to prevent breaches. ASIC's REP 798 review found that nearly half of licensees lacked fairness and bias policies for their algorithmic systems.

  4. In force: ASIC REP 798 documented the gap.

    ASIC examined 624 AI use cases across 23 licensees in banking, credit, insurance, and financial advisory. 57% of use cases were less than two years old or still in development. Nearly half of the licensees lacked policies addressing consumer fairness or bias in algorithmic systems. Only 43% had policies governing disclosure of AI use to consumers. 30% of all AI use cases involved third-party developed models, and most licensees relied on external providers for at least 50% of their machine learning solutions, with many lacking formal third-party management.


The Australian AI compliance timeline.

Critical deadlines for compliance officers, CROs, and directors. From obligations already in force to upcoming mandatory requirements that will reset baseline expectations.

In force, 15 Mar 2024: FAR for ADIs & NOHCs. Personal liability for accountable persons applies to AI governance failures in banking.

In force, Sep 2024: Voluntary AI Safety Standard. 10 guardrails covering accountability, risk, data, testing, transparency, oversight, fairness, privacy, monitoring, redress.

In force, Oct 2024: ASIC REP 798. Governance gaps identified across 23 licensees and 624 use cases. Sets ASIC's enforcement direction.

In force, 15 Mar 2025: FAR extension. Extended to insurers and RSE licensees. Superannuation and insurance now under personal executive accountability.

In force, 1 Jul 2025: APRA CPS 230. Operational risk management. All APRA-regulated entities must identify AI in critical operations and set tolerance levels.

Upcoming, early 2026: AI Safety Institute. Australian AI Safety Institute operational, backed by $29.9 million. Risk monitoring and regulator coordination.

Upcoming, 1 Jul 2026: CPS 230 legacy contracts. Pre-existing service provider contracts must comply. All Material Service Provider arrangements for AI vendors in scope.

Upcoming, 10 Dec 2026: Privacy Act ADM. APP 1.7 to 1.9 transparency requirements commence. Privacy policies must disclose ADM use and decisions made.

Sector-specific compliance work.

Each sector faces distinct AI obligations. Engagements are scoped against the prudential, conduct, privacy, and clinical frameworks that apply.

Domain A

Financial services

CPS 230 operational risk, Material Service Provider assessment, FAR accountability mapping, ASIC REP 798 governance, Privacy Act ADM readiness, and CPS 234 information security integration for AI systems.

  • APRA CPS 230 mapping (in force 1 Jul 2025)
  • FAR accountability statements (up to $1.565M / $210M)
  • ASIC REP 798 11-question assessment
  • Consumer fairness and bias policy
  • Generative AI governance
  • Third-party AI vendor due diligence

Domain B

Healthcare

TGA Software as a Medical Device classification, ARTG registration, AHPRA practitioner accountability for AI-assisted clinical decisions, and informed consent for AI use in clinical care.

  • SaMD classification (Class I to III)
  • ARTG registration application
  • Adaptive AI change control
  • AHPRA practitioner obligations
  • Patient consent and AI scribes
  • Clinical AI output verification

Domain C

Government

Australia's 8 AI Ethics Principles in practice, National Framework for AI Assurance (June 2024), Voluntary AI Safety Standard 10 guardrails, and the lessons of Robodebt ($1.73 billion wrongfully recovered) applied to ADM oversight.

  • AI Ethics Principles mapping
  • Fairness and non-discrimination testing
  • Transparency and explainability
  • Contestability and appeals
  • High-risk AI classification
  • NSW Mandatory Ethical Principles

How Australia compares to global AI frameworks.

Understanding where Australia sits relative to the EU AI Act, NIST AI RMF, and OECD AI Principles helps organisations build compliance programmes that anticipate regulatory convergence.

  1. Australia vs EU AI Act.

    The EU AI Act sets a horizontal framework with four-tier risk classification, prohibited practices, and penalties up to 7% of global turnover. Australia takes a different path, relying on existing laws applied by sector-specific regulators. Mandatory Australian requirements currently apply primarily to financial services and will expand to privacy by December 2026. For businesses with European operations, dual compliance is essential.

  2. Australia vs NIST AI RMF.

    The NIST AI RMF provides a voluntary, process-oriented approach emphasising governance, mapping, measuring, and managing AI risks. Australia's Voluntary AI Safety Standard and the proposed mandatory guardrails share significant conceptual alignment with NIST. Australia layers voluntary guidance on top of mandatory sector-specific requirements, creating a hybrid model that can be mapped to both NIST and the OECD AI Principles Australia endorsed as a founding signatory.

  3. Australia's distinctive position.

    Australia holds the most stringent mandatory requirements in the Asia-Pacific region for financial services, with CPS 230, FAR personal liability, and active ASIC surveillance. The proposed mandatory guardrails for high-risk AI signal a shift toward formal regulation. Australia's 8 AI Ethics Principles align with OECD AI Principles, and the AI Safety Institute (backed by $29.9 million) joins the International Network of AI Safety Institutes.

Navigate five regulators with one defensible programme.

With CPS 230 in force, FAR personal liability applying to governance failures, ASIC monitoring 624 use cases, and the 10 December 2026 ADM deadline approaching, the window for proactive compliance is narrowing. Initial assessment identifies every applicable regulation, prioritises gaps, and delivers a remediation roadmap with named owners.
