Am I required to comply with AML/CTF as a mortgage broker?

It depends on your service scope. Brokers who introduce clients to credit providers without providing credit themselves may not be reporting entities under Tranche 2. However, the line is not always clear - if your services include any of the designated activities, you may be caught. Seek AUSTRAC guidance or legal advice if your scope is borderline.

What does best interests duty mean practically for my file notes?

Your file must demonstrate that you considered the client's objectives, financial situation, and needs - and that your recommendation is in their best interests, not just not unsuitable. ASIC's current review focus is on documentation quality: is the file evidence sufficient to reconstruct your reasoning if questioned?

How do I respond to a client's erasure request under the Privacy Act reforms?

Under the right to erasure (effective 10 December 2026), clients can request deletion of their personal data. You need a documented response process - but this must be balanced against NCCP and ASIC record-keeping requirements, which may override the erasure right for certain categories of information. Both obligations need to be addressed together.

What cyber threats are specific to mortgage brokers?

Loan application data - income verification, identity documents, asset details - is high-value for identity theft and fraud. Business email compromise targeting settlement instructions is the most common financial attack. Client portals (Simpology, ApplyOnline) are targeted for credential theft. Strong MFA on all portal access is the highest-priority control.

Compliance Readiness 2026

Mortgage Brokers: 2026 Compliance Readiness in Australia

Mortgage brokers face significant obligations in 2026 across best interests duty, AML/CTF Tranche 2 scope questions, Privacy Act reforms, and growing cyber targeting of loan application data.

What is changing for mortgage brokers in 2026?

NCCP/BID: ASIC's 2026 review cycle is focusing on best interests duty documentation quality - not just the recommendation, but the file evidence supporting it.
AML/CTF Tranche 2: Brokers who introduce clients to lenders may or may not be caught depending on service scope - AUSTRAC guidance is the reference point.
Privacy Act reforms: Loan applicant data (income, assets, identity documents) is among the most sensitive PII categories - enhanced collection, storage, and erasure obligations apply from 10 December 2026.
ASIC 2025 broker review findings: Disclosure gaps and inadequate record keeping flagged as systemic risks.

Mortgage Brokers

Common blind spots

Check your readiness

Use our free self-assessment tool to identify gaps in your BID documentation, AML/CTF obligations, and cyber controls.

Mortgage Broker Compliance Quiz

Written by Tim Jones, Founder & Principal Consultant, Nifty Computing

Published 30 April 2026 · Last reviewed 5 May 2026

Applies to: Australia (all states and territories)

Sources: NCCP Act 2009, ASIC RG 209, AUSTRAC AML/CTF Act 2006, Privacy Act 1988 (Cth)

Not sure where your brokerage stands?

Book a free walkthrough with Nifty Computing - we'll review your BID documentation, AML/CTF obligations, and cyber controls and map out practical next steps.