2026 Compliance Readiness Assessment

    Is your brokerage ready for the 2026 regulatory landscape?

    A quick diagnostic for Australian mortgage brokers - whether you hold your own ACL or operate as a Credit Representative under an aggregator. See where you stand against the Best Interests Duty, Responsible Lending, IDR/AFCA timeframes, conflicted-remuneration rules, and the cyber and privacy expectations ASIC and the OAIC are actively enforcing.

    What's changing (and already in force) for Australian mortgage brokers
    • CURRENT: BID (s158LA), RG 271 IDR (24h ack / 30d response), and RG 78 reportable situations are all in force
    • 2025+: ASIC has resumed BID compliance surveillance through aggregators
    • 10 JUN 2025: Statutory tort of serious invasion of privacy commenced; BNPL became regulated credit (LCCC)
    • 1 JUL 2026: AML/CTF Tranche 2 commences - captures brokers with conveyancing, real-estate or trust-services arms
    • 1 JAN 2027: Next AFCA monetary-cap indexation review

    Standalone mortgage broking is NOT a Tranche 2 designated service in the 2024 AML/CTF Amendment. But brokerages with adjacent services (buyer's agent, conveyancing, accounting, trust/company services) will be captured for those services.

    Your privacy. Your individual answers stay on your device - we don't store them. When you finish, we save an anonymous record of your scores (industry, overall and per-category percentages, business mix) so we can show how you compare to others in your industry. We also log anonymous counts for when a quiz is started, when a report is downloaded, and (if you later request it) when one is emailed - no identifying information is attached to any of these. We never capture your name, email, IP address, or any business identity.

    20 Questions
    10 Risk Areas

    Full quiz content - Mortgage Broker Compliance Quiz 2026 - BID, RG 209, AFCA | Nifty Computing

    This index lists every question, every answer option with its score, every tier band, every recommendation, and every regulatory source used by the mortgage-broker compliance readiness quiz.

    Tier scoring

    • Compliance Ready - score ≥ 85/100, review every 12 months. Your brokerage demonstrates strong compliance maturity across BID, Responsible Lending, IDR/AFCA, conflicted remuneration, privacy and cyber. Maintain annual reviews, keep ahead of aggregator audit findings, and watch the 1 July 2026 AML/CTF Tranche 2 commencement for any adjacent services. Recommended next review: 12 months.
    • Good - Minor Gaps - score ≥ 70/100, review every 12 months. Solid foundations with targeted gaps to close. ASIC's 2025 resumed BID surveillance through aggregators makes file quality the main 12-month focus. Work through the priority findings below; pay particular attention to BID file evidence, RG 271 IDR timeframes, and PI run-off cover. Recommended next review: 12 months.
    • Moderate Risk - Action Needed - score ≥ 50/100, review every 6 months. Several material gaps across regulatory obligations. With BID, RL, RG 271 IDR and RG 78 reportable situations all in force, prioritise the findings below over the next 1–3 months and engage your aggregator's compliance team or an external credit-compliance reviewer. Recommended next review: 6 months.
    • High Risk - Urgent Action - score ≥ 30/100, review every month. Significant exposure across multiple obligations. At this readiness level, an aggregator audit finding, an AFCA determination, or an ASIC reportable-situation notification is a material risk - and individual broker bans under s80 NCCP Act are increasingly common. Engage qualified credit-compliance and PI advice without delay. Recommended next review: 1 month.
    • Critical - Immediate Intervention - score ≥ 0/100, review every month. Your brokerage has substantial non-compliance with core regulatory obligations. Engage qualified credit-compliance and PI advisers, your aggregator (if applicable), and (where adjacent services bring AML/CTF in scope) an AUSTRAC-aware specialist as soon as practicable. Recommended next review: 1 month.

    Categories assessed

    • LIC - Licensing & Authorisation
    • BID - Best Interests Duty
    • RL - Responsible Lending
    • DSC - Disclosure Documents
    • CMM - Commissions & Clawbacks
    • PRV - Privacy & Credit Reporting
    • DSP - IDR, AFCA & Reportable Situations
    • REC - Records, PI & Aggregator
    • CYB - Cyber & Data Security
    • PRD - Products & Marketing

    Questions

    1. Q1 (LIC, weight 3): Is your authorisation pathway clear and current - either your own ACL, or a Credit Representative authorisation under your aggregator's ACL - with the CR Register entry up to date?

      • Yes - confirmed in writing, CR Register checked annually (score 5)
      • Yes, but we don't actively check the CR Register (score 3)
      • Not sure of current authorisation status (score 1)
      • No - or unaware authorisation is required (score 0)

      If a weak option is selected: Every person providing credit assistance must hold an ACL or be a CR of an ACL holder (s35 + Div 2 Pt 2-3 NCCP Act). The CR Register is a public ASIC record - check that your name, authorising licensee and authorisation scope are current, and that no expired authorisation remains. Loss of authorisation while still acting is an unlicensed-conduct offence.

    2. Q2 (LIC, weight 3): Does every loan-writer in the business meet the RG 206 minimum education standard (Cert IV in Finance and Mortgage Broking) and meet your industry-body CPD hours each year?

      • Yes - Cert IV held by all writers, CPD tracked and on target (score 5)
      • Cert IV held, CPD informally tracked (score 3)
      • Education met but CPD behind (score 1)
      • Not all loan-writers meet Cert IV (score 0)
      • N/A - sole broker, education and CPD current (score 5)

      If a weak option is selected: RG 206 sets minimum competence - Cert IV in Finance and Mortgage Broking is the baseline for residential broking, with 20 hrs/yr CPD. MFAA members must hit 30 hrs/yr (with the AML refresher every second renewal); FBAA Core requires 25 hrs/yr. Track per writer against the relevant body's portal - non-completion suspends membership and cascades to lender accreditations.

    3. Q3 (LIC, weight 3): Are you a current member of AFCA (or covered by your aggregator's AFCA membership) with no lapse?

      • Yes - confirmed current (score 5)
      • Believed current but not actively confirmed (score 3)
      • Lapsed at some point this year (score 0)
      • Unaware AFCA membership is mandatory (score 0)

      If a weak option is selected: AFCA membership is mandatory for every ACL holder (s47(1)(h)). Loss of membership is an immediate ACL non-compliance - ASIC has cancelled multiple ACLs in 2025 specifically for lapsed AFCA membership. CR brokers are covered by their authorising licensee's membership; confirm the licensee is current at every renewal cycle.

    4. Q4 (LIC, weight 3): Do you hold compliant PI insurance with the RG 210 minimums ($2M per claim, adequate aggregate) and 7-year run-off cover written in?

      • Yes - confirmed in writing at renewal, run-off included (score 5)
      • Yes, but run-off not specifically confirmed (score 3)
      • PI in place but not measured against RG 210 (score 1)
      • No PI, or expired (score 0)
      • N/A - covered by aggregator scheme PI, run-off confirmed (score 5)

      If a weak option is selected: RG 210 sets minimum PI cover at $2M per claim with adequate aggregate. The run-off requirement on exit (sale, surrender, switching aggregator) typically aligns to the 7-year retention obligation. Run-off gaps are the single most common PI failure - get it on the certificate at every renewal, including when you switch aggregator.

    5. Q5 (LIC, weight 2): If you have new-to-industry brokers, are they operating under a documented mentor arrangement that meets MFAA / FBAA / lender provisional-accreditation standards?

      • Yes - documented mentor plan, sign-off on first deals (score 5)
      • Informal mentoring (score 2)
      • No - new brokers operate independently from day one (score 0)
      • N/A - no new-to-industry brokers (score 5)

      If a weak option is selected: MFAA mentoring requirements (typically 2 years) and lender provisional accreditations (~10 deals co-signed with a mentor) sit on top of the legal supervision obligation. Document the mentoring plan, the first-deal co-sign log, and the transition to independent submission. Aggregator audits and lender QA both look for this evidence.

    6. Q6 (LIC, weight 2): Have you completed (or are you scheduled for) reference-checking on incoming brokers, including 5-year aggregator audit history under the ASIC reference-checking protocol?

      • Yes - protocol followed for every recruit (score 5)
      • Background checks done but not the formal 5-year compliance reference (score 3)
      • No formal reference-check protocol (score 1)
      • N/A - no broker recruitment in last 12 months (score 5)
      • Unaware of the reference-checking protocol (score 0)

      If a weak option is selected: ASIC's reference-checking and information-sharing protocol (originally for AFSLs) was extended to mortgage aggregators and credit licensees. Licensees can - and should - request 5-year compliance audit history from the candidate's previous aggregator. Skipping this exposes you to inheriting another firm's BID/RL deficiencies.

    7. Q7 (BID, weight 3): Does every credit-assistance file contain a genuine, individualised needs analysis (not a templated 'objectives' paragraph repeated across files)?

      • Yes - fact-find tailored to the consumer, reviewed by a senior broker (score 5)
      • Mostly tailored, occasional repetition (score 3)
      • Standard template used with light edits (score 1)
      • Templated 'objectives' identical across files (score 0)

      If a weak option is selected: RG 273 expects genuine individual inquiry - formulaic discovery text is the textbook BID audit finding. Build the fact-find in your CRM with mandatory free-text fields covering objectives, needs and circumstances. Senior-broker file reviews should specifically flag identical objectives copy across the pipeline.

    8. Q8 (BID, weight 3): For every recommendation, do your files document the alternatives considered and the reason the recommended product is in the consumer's best interests (not just 'cheapest available')?

      • Yes - documented comparison and 'why this product / why not the alternatives' reasoning (score 5)
      • Comparison printed but reasoning thin (score 3)
      • Recommendation reasoning verbal only (score 1)
      • No comparison documentation (score 0)

      If a weak option is selected: RG 273 requires traceable reasoning - why this product, why not the alternatives, and what features beyond rate were weighed. 'Cheapest' alone is not 'best interests'. Use your CRM's BID worksheet (or build one) so the reasoning attaches to the file as a living artefact, not a tick-box.

    9. Q9 (BID, weight 3): Do you handle lender cash-back and incentive offers in BID-compliant fashion (net benefit over loan life, not just headline cash)?

      • Yes - net-benefit analysis on file when cash-back recommended (score 5)
      • Cash-back considered but analysis informal (score 2)
      • Cash-back attribution drives recommendations without analysis (score 0)
      • N/A - we don't recommend cash-back products (score 5)

      If a weak option is selected: Cash-back attribution - recommending a lender because of a consumer cash-back that doesn't actually net-benefit over loan life - is a recurring ASIC concern. RG 273 expects a documented net-benefit assessment before a cash-back is the deciding factor. Annotate the cash-back analysis on the file.

    10. Q10 (BID, weight 3): Do you only recommend products from lenders you are currently and accurately accredited with (and on the current product version)?

      • Yes - accreditation status checked at every recommendation (score 5)
      • Mostly current, occasional out-of-date accreditation (score 2)
      • Recommendations made without active accreditation check (score 1)
      • Unaware accreditation hygiene is a BID issue (score 0)

      If a weak option is selected: Recommending a product from a lender whose accreditation has lapsed - or recommending a product variant you're not on the current version of - exposes both RL and BID risk under RG 273. Aggregator CRMs typically surface accreditation status; build it into your recommendation workflow as a hard gate.

    11. Q11 (BID, weight 2): Are your loan-writers trained on the BID priority rule (s158LB) and how to handle conflicts between consumer interests and broker/aggregator/related-party interests?

      • Yes - annual training, scenario-based examples (score 5)
      • General awareness (score 2)
      • No formal BID training (score 0)

      If a weak option is selected: s158LB requires the broker to give priority to the consumer's interests when a conflict arises with the broker, an associate, or the licensee. Anti-avoidance under s158T means it can't be contracted around. Train annually with real conflict scenarios - related-party referrals, panel cash-backs, lender campaigns - and document attendance.

    12. Q12 (BID, weight 2): Do you maintain a register of related-party referrals (family-member real-estate agents, accountants, FPs, conveyancers) with disclosure language consented by the consumer?

      • Yes - register maintained, disclosure consented in writing (score 5)
      • Disclosed verbally, not registered (score 2)
      • Related-party arrangements undisclosed (score 0)
      • N/A - no related-party referral arrangements (score 5)

      If a weak option is selected: Undisclosed related-party referral fees are a frequent ASIC and aggregator-audit finding, and trigger s47(1)(b) (conflicts), s158LB (priority) and the MFAA Code. Maintain a register with: relationship, fee mechanism, disclosure language, consumer consent date. Review at every new engagement.

    13. Q13 (RL, weight 3): For every consumer credit file, do you make and document reasonable inquiries about the consumer's requirements, objectives and financial situation (s117 NCCP Act)?

      • Yes - structured fact-find, scaled to product complexity (score 5)
      • Inquiries made but documentation light (score 3)
      • Inquiries informal (score 1)
      • No structured inquiry process (score 0)

      If a weak option is selected: s117 inquiries scale with risk and complexity - first-home, high-LVR, interest-only, investor and SMSF require deeper inquiry per RG 209. Build a tiered fact-find that surfaces extra fields when product flags fire. The documentation is your defence; the absence is the audit finding.

    14. Q14 (RL, weight 3): Do you take reasonable steps to verify the consumer's financial situation using reliable evidence (payslips, tax returns, bank statements, CCR data) - not self-declaration alone?

      • Yes - documented verification on every file (score 5)
      • Verification done but not consistently documented (score 3)
      • Self-declaration relied on for routine cases (score 1)
      • Verification ad hoc (score 0)

      If a weak option is selected: s117(2) verification can't be 'tick and flick'. RG 209 expects reliable sources - payslips plus bank statements, tax returns and BAS for self-employed, accountant's letter where appropriate. The Westpac (Wagyu and Shiraz) decision did not relieve brokers of this duty - your s117 obligation is independent of the lender's s130 assessment.

    15. Q15 (RL, weight 3): Do you inquire specifically and contextually about living expenses, using HEM only as a sense-check rather than a substitute for inquiry?

      • Yes - itemised expense inquiry, HEM used as a floor only (score 5)
      • Inquiry done, HEM regularly relied on as primary (score 2)
      • HEM used by default (score 0)
      • Unaware of HEM's correct role under RG 209 (score 0)

      If a weak option is selected: RG 209 Part D: HEM is a reasonableness sense-check, not a substitute. Over-reliance on HEM was a central Royal Commission criticism and remains an ASIC concern. Itemise expense inquiry; if HEM is higher than declared expenses, use HEM as the floor - but always inquire first.

    16. Q16 (RL, weight 3): Do you have a documented preliminary-assessment process under s115, with a written copy provided to the consumer free of charge within 7 business days of request (s120)?

      • Yes - assessment generated and retained for 7 years; on-request delivery process documented (score 5)
      • Assessment generated, on-request process informal (score 3)
      • No formal preliminary assessment (score 1)
      • Unaware of the s115/s120 obligation (score 0)

      If a weak option is selected: s115 requires a preliminary assessment of unsuitability before providing credit assistance; s120 requires a free written copy within 7 business days of consumer request. Aggregator CRMs typically generate this - check yours produces a record you can retrieve on request, and that the 7-year retention (NCCPR Reg 30) is met.

    17. Q17 (RL, weight 2): Do your loan-writers understand that BID and Responsible Lending are independent obligations - that a loan can pass RL ('not unsuitable') and still fail BID?

      • Yes - trained, file evidence reflects both analyses (score 5)
      • Concept understood, files conflate the two (score 2)
      • Treated as the same test (score 0)

      If a weak option is selected: ASIC's RG 273 view: brokers cannot hide behind BID compliance to ignore RL, and cannot hide behind RL to ignore BID. They are parallel tests. The file must show the s115 unsuitability analysis AND the s158LA best-interests analysis - not just one.

    18. Q18 (RL, weight 2): When a consumer raises hardship signals during the broking process, do you have a documented referral path to the lender's hardship team and the National Debt Helpline?

      • Yes - written process, NDH details ready (score 5)
      • Informal - we'd refer if it came up (score 2)
      • No process (score 0)
      • Unaware brokers are expected to refer hardship (score 0)

      If a weak option is selected: Brokers have no standalone hardship obligation, but RG 209 and the NCC s72 hardship right mean you're expected to surface hardship signals to the lender, and best-practice (and aggregator) guidance points to referral to the lender's hardship team and the National Debt Helpline. ASIC's REP 783 hardship work has heightened scrutiny on the surrounding ecosystem.

    19. Q19 (DSC, weight 3): Is a current Credit Guide (s113 / s158) given to every consumer as soon as it becomes apparent you'll provide credit assistance, including the top-6-lenders disclosure?

      • Yes - Credit Guide issued at first contact, top-6 list refreshed periodically (score 5)
      • Issued but top-6 list not actively refreshed (score 3)
      • Inconsistent - not always issued early (score 1)
      • Credit Guide missing on most files (score 0)

      If a weak option is selected: The Credit Guide must include the names of at least 6 lenders with which you conducted the most business in the previous 6 months - a Hayne-era transparency measure that distinguishes broker guides from lender guides. Aggregator CRMs auto-populate this from submitted-loan data - check yours refreshes the list and that the Guide is delivered at first credit-activity contact, not at submission.

    20. Q20 (DSC, weight 3): Is a Credit Quote (s114 / s158H) issued and signed by the consumer before credit assistance is provided, including any direct broker fees?

      • Yes - signed before assistance every time (score 5)
      • Issued but not always signed before assistance (score 3)
      • Issued at submission stage, not before (score 1)
      • Credit Quote not issued separately (score 0)
      • N/A - no direct broker fees charged, Credit Quote acknowledged (score 5)

      If a weak option is selected: The Credit Quote must be given - and the consumer must agree to fees in writing - before credit assistance starts. Verbal fee discussions then a quote at submission don't satisfy s114. If you don't charge a direct fee, the Credit Quote is still required (showing zero fees + commission disclosure).

    21. Q21 (DSC, weight 3): Does every recommendation file include a Credit Proposal Disclosure Document (s121 / s158L) with a reasonable estimate of indirect remuneration (upfront + trail) and any third-party fees?

      • Yes - generated for every recommendation, indirect remuneration estimated (score 5)
      • Generated but indirect remuneration left at zero or generic (score 2)
      • Inconsistent (score 1)
      • No Credit Proposal Disclosure Document on file (score 0)

      If a weak option is selected: The Credit Proposal Disclosure Document must give a reasonable estimate of upfront + trail commissions you'll receive, plus any referrer fees and lender fees the consumer is likely to pay. 'Reasonable estimate' means real numbers - generic copy is an audit finding. Aggregator CRMs generate this - verify yours fills in remuneration estimates correctly.

    22. Q22 (DSC, weight 2): If you deliver disclosure documents electronically, have you obtained the consumer's consent (express or by conduct under the Electronic Transactions Act) and recorded delivery receipts?

      • Yes - consent recorded, delivery confirmation retained (score 5)
      • E-delivery used, consent informal (score 3)
      • Documents emailed without explicit consent process (score 1)
      • Unaware consent is required for e-delivery (score 0)
      • N/A - paper delivery only (score 5)

      If a weak option is selected: NCC s194 + NCCP s187 + the Electronic Transactions Act 1999 (Cth) permit electronic delivery, but consumer consent - express or inferred from conduct - is required, and delivery confirmations should be retained. DocuSign / FinPower / Salestrekker / mybroker e-sign flows handle this; verify your audit trail captures it.

    23. Q23 (DSC, weight 3): If you write reverse mortgages, is the Reverse Mortgage Information Statement (NCC Schedule 5A) given before assessment AND displayed on any website that provides reverse-mortgage information?

      • Yes - RMIS given pre-assessment and on website (score 5)
      • RMIS given pre-assessment, not displayed on website (score 3)
      • RMIS given at submission only (score 1)
      • RMIS not consistently given (score 0)
      • N/A - we don't write reverse mortgages (score 5)

      If a weak option is selected: NCC s133DC requires the Reverse Mortgage Information Statement (Schedule 5A) before making the assessment, and any broker website that provides information about reverse mortgages must display it. Equity projections / the ASIC MoneySmart calculator disclosure are part of the same envelope. Heightened RG 209 inquiries apply (life events, beneficiary impact).

    24. Q24 (DSC, weight 2): Do all marketing materials - website, social, email, brochures - meet the comparison-rate disclosure rules (NCC s154–158, $150K / 25-year example, with the prescribed warning)?

      • Yes - every advertised rate has a compliant comparison rate and warning (score 5)
      • Most do, some 'rate from' claims appear without comparison rate (score 2)
      • Inconsistent compliance (score 1)
      • Unaware of comparison-rate rules (score 0)
      • N/A - we don't advertise rates (score 5)

      If a weak option is selected: Showing 'rate from X%' without the comparison rate beside it, using a non-standard example loan, or omitting the prescribed warning are all NCC breaches. Aggregator-supplied templates usually comply; broker-customised marketing - especially social media - frequently doesn't. Audit your channels.

    25. Q25 (CMM, weight 3): Do all of your commission arrangements with lenders comply with the post-Hayne ban on conflicted remuneration (no volume-based or campaign bonuses)?

      • Yes - confirmed, periodically reviewed (score 5)
      • Believed compliant, not actively reviewed (score 3)
      • Some legacy arrangements still in place (score 1)
      • Unaware of the conflicted-remuneration ban (score 0)

      If a weak option is selected: Volume-based benefits ('write 10 with Lender X this quarter and get a bonus') and campaign bonuses are conflicted remuneration and prohibited under ss158LC–158NE NCCP. Most legacy bonus structures were unwound before 1 Jan 2021 commencement; review at every aggregator agreement renewal that nothing has crept back in. Lender audits and aggregator audits both look for this.

    26. Q26 (CMM, weight 3): Are clawback obligations handled in line with the ban on passing clawback costs to the consumer (no side letters, no 'cost recovery' fees, no consumer reimbursement clauses)?

      • Yes - Credit Quote, engagement docs and any side agreements all reviewed and clean (score 5)
      • Believed clean, not actively reviewed (score 3)
      • Some legacy contracts include consumer-reimbursement language (score 0)
      • Unaware that pass-through is prohibited (score 0)

      If a weak option is selected: Post-Hayne reforms prohibit any arrangement that requires the consumer to reimburse the broker for lender clawback. Side letters, 'cost recovery' fees, and refinance penalties dressed differently are all the same prohibited substance. Aggregator audits routinely flag these; review every standard-form and bespoke engagement document.

    27. Q27 (CMM, weight 2): Do you maintain a register of soft-dollar benefits (lender-funded education, conference sponsorships, hospitality) above the de minimis threshold?

      • Yes - register maintained, items reviewed against the threshold (score 5)
      • Hospitality accepted but not registered (score 2)
      • No register (score 0)
      • Unaware soft-dollar limits apply (score 0)

      If a weak option is selected: Conflicted-remuneration analysis covers soft-dollar benefits - education, conferences, hospitality - above a de minimis threshold (commonly cited as ~$300 per benefit; verify against current NCCPR). Maintain a register: who paid, what it cost, who attended, why it doesn't influence advice. Aggregator templates exist; use one.

    28. Q28 (CMM, weight 2): If you charge a direct broker-fee-for-service (rare in resi, more common in commercial / complex), is it disclosed in the Credit Quote and consented to in writing before assistance?

      • Yes - disclosed and consented every time (score 5)
      • Disclosed but consent informal (score 3)
      • Fee invoiced post-settlement only (score 1)
      • N/A - no direct broker fees charged (score 5)

      If a weak option is selected: Direct broker fees are permitted but must be disclosed in the Credit Quote (s114) and consented in writing before credit assistance is provided. Post-settlement invoicing without prior consent breaches s114 and exposes you on UCT and ACL grounds. Use a templated Credit Quote with explicit fee acknowledgement.

    29. Q29 (CMM, weight 2): Are referrer fees from third parties (accountants, FPs, real-estate agents) disclosed in the Credit Proposal Disclosure Document and not contingent on a specific lender being recommended?

      • Yes - disclosed, no lender contingency (score 5)
      • Disclosed, contingency arrangements unclear (score 2)
      • Not disclosed in the CPDD (score 0)
      • N/A - no referrer arrangements (score 5)

      If a weak option is selected: Referrer fees are permitted but must be disclosed (CPDD), and any arrangement that conditions the fee on a specific lender being recommended is conflicted remuneration. Document each referrer arrangement and its consideration mechanism. Aggregator compliance templates usually exist for this - use one and keep it on file.

    30. Q30 (CMM, weight 1): If you've sold or bought a trail book in the last 24 months, did the transaction handle consumer consent, GST, and retention obligations correctly?

      • Yes - legal review completed, consent / data-handover documented (score 5)
      • Transaction completed, consent / data approach informal (score 2)
      • Done without specific compliance review (score 0)
      • N/A - no trail-book transactions (score 5)

      If a weak option is selected: Trail-book sales raise consumer-consent, GST and ongoing-record-handover issues. The consumer's permission to share data with a successor, the GST treatment of the sale price, and the 7-year retention obligation following the original engagement all need to be addressed at the deal level. Get legal advice; don't paper it on a template.

    31. Q31 (PRV, weight 3): Is your privacy policy published on your website, current within the last 12 months, and aligned with the 2024 Privacy Act amendments?

      • Yes - published and reviewed annually (score 5)
      • Published but not recently reviewed (score 2)
      • Outdated or missing (score 0)

      If a weak option is selected: APP 1.3 + APP 1.4 require a clearly-expressed, current privacy policy. The Privacy Act has changed materially in 2024–25 - penalties up to $50M / 30% turnover, statutory tort, ADM disclosure roadmap, small-business exemption removal expected. A policy older than 12 months is almost certainly stale; review annually.

    32. Q32 (PRV, weight 3): Do you provide an APP 5 collection notice at the start of every consumer engagement, naming aggregator, lenders, and Credit Reporting Bodies as recipients?

      • Yes - APP 5 notice given and acknowledged at intake (score 5)
      • Some intake notice, completeness uncertain (score 3)
      • No formal APP 5 notice (score 1)
      • Unaware APP 5 applies (score 0)

      If a weak option is selected: APP 5 requires you to notify the consumer at collection: identity, purpose, who you'll disclose to (aggregator, lenders, CRBs), and access/correction rights. The intake form is the natural place. Aggregator CRMs often include the notice in the digital fact-find - verify yours is current and explicitly names the disclosure recipients.

    33. Q33 (PRV, weight 3): Do staff understand the Part IIIA / CR Code 2024 purpose-limitation rules - that credit-report data accessed for a loan cannot be recycled for marketing?

      • Yes - trained, marketing systems segregated from credit-data systems (score 5)
      • General awareness (score 2)
      • Marketing and credit-data systems intermingled (score 0)
      • Unaware Part IIIA + CR Code apply (score 0)

      If a weak option is selected: Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2024 govern credit information. Brokers accessing CCR data on a consumer's behalf (typically as 'access seekers') are bound by purpose-limitation - the data cannot be used for marketing or any purpose beyond the credit assistance. Train staff and check that marketing automation does not pull from credit-report fields.

    34. Q34 (PRV, weight 3): Do you have a documented data-breach response plan, and does the team know the OAIC NDB notification timeframe?

      • Yes - documented plan, tested, 30-day NDB clock understood (score 5)
      • Plan exists but never tested (score 3)
      • Informal understanding only (score 1)
      • No plan (score 0)

      If a weak option is selected: The Notifiable Data Breach scheme requires notification as soon as practicable, with a 30-day assessment window. A mortgage file (TFN, bank statements, ID, payslips, tax returns, security details) crosses the 'serious harm likely' threshold easily. Recent broker-sector incidents (Finsure 2024, youX 2026, Mortgage Choice 2025) show how exposed the channel is. Test your plan.

    35. Q35 (PRV, weight 2): Are client ID scans, payslips, bank statements and other sensitive documents collected via a secure portal - not via email attachments?

      • Yes - secure-portal-only collection (score 5)
      • Mostly portal, some email use (score 3)
      • Email-attachment collection routine (score 1)
      • Unaware email is high-risk for ID documents (score 0)

      If a weak option is selected: ID documents and bank statements via email are the single biggest practical privacy and BEC risk in broking. Use your aggregator's secure portal, or a dedicated tool (DocuSign with secure-collection features, ShareFile, etc.). Train staff to refuse email attachments and forward consumers to the portal. APP 11 requires reasonable steps.

    36. Q36 (PRV, weight 2): Have you reviewed your aggregator CRM, document store, marketing platform and any third-party tools for cross-border data flows under APP 8?

      • Yes - vendor register with jurisdiction documented (score 5)
      • Main vendors mapped, smaller tools unclear (score 3)
      • No APP 8 review (score 1)
      • Unaware of APP 8 (score 0)

      If a weak option is selected: APP 8 makes you accountable for overseas vendors' handling of personal information. Map the vendor stack - CRM, doc store, marketing automation, AI tools, e-sign - and document either reasonable steps (security attestations, contract terms) or consumer consent for cross-border transfers. The 2024 Finsure incident involved a third-party supplier compromise - vendor-security review is not optional.

    37. Q37 (PRV, weight 2): Have you reviewed your retention and destruction process so that files are securely destroyed after 7 years (not retained indefinitely)?

      • Yes - retention schedule documented, destruction process in place (score 5)
      • Retention happens, destruction inconsistent (score 3)
      • Indefinite retention by default (score 1)
      • No retention policy (score 0)

      If a weak option is selected: NCCP Reg 30 requires a 7-year retention from the date credit assistance is provided. Beyond that, indefinite retention is itself a privacy risk under APP 11.2 (destroy / de-identify when no longer needed). Document a retention schedule, secure-destruction process and certificates where third parties hold data. AML/CTF rules add their own retention if Tranche 2 captures any of your services.

    38. Q38 (DSP, weight 3): Do you acknowledge every consumer complaint within 24 hours (1 business day) per RG 271?

      • Yes - automated or templated acknowledgement within 24 hours (score 5)
      • Acknowledged within 1–3 days informally (score 3)
      • Acknowledgement timing inconsistent (score 1)
      • No tracked acknowledgement process (score 0)
      • Unaware of the 24-hour standard (score 0)

      If a weak option is selected: RG 271 requires complaint acknowledgement within 24 hours (or 1 business day) of receipt - or as soon as practicable. The clock starts at first receipt, by any channel (email, phone, social). Template a same-day acknowledgement and log it. ASIC's IDR data reporting captures acknowledgement timing.

    39. Q39 (DSP, weight 3): Do you provide an IDR final response within 30 calendar days for standard complaints (and 21 days for traditional credit hardship)?

      • Yes - both timeframes met, complaints log in place (score 5)
      • Met for standard, hardship handling unclear (score 3)
      • Targets sometimes missed (score 1)
      • No tracked IDR timeframes (score 0)
      • Unaware of RG 271 timeframes (score 0)

      If a weak option is selected: RG 271 sets enforceable IDR timeframes: 30 calendar days for standard complaints (down from 45 in 2021); 21 calendar days for traditional credit hardship. Build a complaints register that auto-flags approaching breach. Missed timeframes are themselves reportable situations under RG 78.

    40. Q40 (DSP, weight 3): Do you have a documented reportable-situations process under RG 78, with the 30-day notification clock understood by the responsible person?

      • Yes - documented process, escalation path clear (score 5)
      • General awareness, no documented process (score 2)
      • No process - would figure it out if a trigger arose (score 1)
      • Unaware of RG 78 (score 0)

      If a weak option is selected: RG 78 (re-issued 19 December 2023) sets out the reportable situations regime under Part 3-6A NCCP Act. ACL holders must notify ASIC of significant breaches of core obligations within 30 calendar days of knowing or having reasonable grounds to suspect. CR brokers report through their aggregator. Make the trigger and escalation path explicit in writing.

    41. Q41 (DSP, weight 2): Do your loan-writers know the 'dobbing' obligation - to report reportable situations they observe at OTHER licensees' representatives?

      • Yes - trained, escalation pathway in place (score 5)
      • General awareness (score 2)
      • No - treated as 'someone else's problem' (score 0)
      • Unaware the obligation extends to other licensees' reps (score 0)

      If a weak option is selected: The reportable-situations regime extends to reports about other licensees' representatives - a 'dobbing' obligation that mirrors the AFSL regime. If your broker discovers a competitor broker falsifying documents (e.g. through a co-mortgaged consumer's file), the obligation engages. Train and document the escalation channel.

    42. Q42 (DSP, weight 2): Is your IDR record system structured and searchable enough to satisfy ASIC IDR data reporting if requested?

      • Yes - purpose-built complaints system or aggregator IDR module (score 5)
      • Spreadsheet-based, manageable (score 3)
      • Email-based, not searchable (score 1)
      • No structured complaints record (score 0)

      If a weak option is selected: RG 271 requires complaints to be recorded systematically and searchably. ASIC has powers to mandate periodic IDR data submissions from credit licensees. A purpose-built system (or your aggregator's IDR module) is the safe path; email-only records will not survive a data request.

    43. Q43 (DSP, weight 2): Are you aware of current AFCA monetary caps (general consumer ~$1.26M per claim; small-business credit-facility ~$6.3M) and how AFCA fees are charged per complaint?

      • Yes - caps and fee structure understood (score 5)
      • General awareness (score 2)
      • Not aware of caps or fees (score 0)

      If a weak option is selected: AFCA monetary caps are indexed every 3 years (next review 1 January 2027). Per-complaint fees create a strong incentive to resolve at IDR - escalation to AFCA costs even if you win. Brief loan-writers on the economics so escalation isn't accidental.

    44. Q44 (REC, weight 3): Does every credit-assistance file contain the full regulator-ready set: Credit Guide, fact-find, Credit Quote, verification docs, preliminary assessment, comparison, recommendation reasoning, Credit Proposal Disclosure, PCS/IS delivery, and any complaints?

      • Yes - file checklist used on every engagement (score 5)
      • Most files complete, some gaps (score 3)
      • Files inconsistent - some core docs frequently missing (score 1)
      • No file checklist used (score 0)

      If a weak option is selected: A regulator-ready broker file is the single most important compliance artefact. Build a checklist into your CRM submission gate and don't let a file close without each item ticked. Missing a Credit Guide or unsigned Credit Quote is a recurring aggregator-audit finding and can be a reportable situation if systemic.

    45. Q45 (REC, weight 3): Are credit-assistance files retained for 7 years from the date credit assistance is provided (NCCP Reg 30)?

      • Yes - retention configured at the system level (score 5)
      • Believed met, not actively configured (score 3)
      • Retention shorter than 7 years for some files (score 1)
      • Unaware of the 7-year retention (score 0)

      If a weak option is selected: NCCP Reg 30 + s88: 7 years from the date credit assistance is provided. The BID-related retention (s158LE + NCCPR) aligns. Check your CRM and document store retention configuration explicitly - defaults shorter than 7 years are a common oversight.

    46. Q46 (REC, weight 3): If you've changed (or are changing) aggregator, is there a documented file-export plan so historic records remain accessible to you for the full 7-year retention period?

      • Yes - file-export plan in place, costs and timing understood (score 5)
      • Aware of the issue, no concrete plan (score 2)
      • No plan - assume aggregator will retain (score 1)
      • N/A - no aggregator change in last 24 months (score 5)

      If a weak option is selected: When you switch aggregators, you remain personally responsible for the 7-year retention, but the legacy data sits on the previous aggregator's system - sometimes with extraction fees. Plan the export before departure: full PDF / CSV of every file, a written retention assurance from the outgoing aggregator, and confirmed access for the residual retention period.

    47. Q47 (REC, weight 2): Does your PI policy include explicit run-off cover that survives a change of insurer or aggregator (typically aligned with the 7-year retention)?

      • Yes - confirmed at every renewal (score 5)
      • Believed included, not actively confirmed (score 3)
      • Unsure (score 1)
      • No run-off cover (score 0)
      • N/A - APRA-regulated entity, alternative arrangements confirmed (score 5)

      If a weak option is selected: Run-off cover is the most common PI gap, especially when switching aggregators or exiting the industry. The legacy BID/RL/RG 271 liability survives for the full 7-year retention. Get run-off in writing on the certificate at every renewal - and again specifically when you change aggregator or carrier.

    48. Q48 (REC, weight 2): Do you treat aggregator audit findings as your personal compliance to remediate (not as the aggregator's problem alone)?

      • Yes - findings logged, remediation tracked, evidence retained (score 5)
      • Findings addressed, tracking informal (score 3)
      • Audit treated as a paper exercise (score 1)
      • Unaware of personal remediation responsibility (score 0)

      If a weak option is selected: ASIC bans individual brokers under s80 NCCP Act regardless of aggregator standing. Aggregator audit findings are evidence - and if you ignore them, that's a record ASIC will see in any later investigation. Treat findings as personal: log them, remediate, retain evidence, and review at next-cycle audit.

    49. Q49 (CYB, weight 3): Is multi-factor authentication enforced on email, your aggregator CRM (NextGen / Salestrekker / Mercury / myCRM / Mortgage Choice One), document store, and lender portals for every staff member?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: MFA on every business-critical system is the baseline under APP 11 and ASIC's cyber expectations for credit licensees (s47(1)(a) and (l)). The 2024 Finsure incident and 2026 youX incident both involved third-party platform compromise where credential strength mattered. Verify MFA coverage quarterly; SMS MFA is weaker than authenticator apps for principals.

    50. Q50 (CYB, weight 3): Are operating systems, browsers and Office applications patched on the Essential Eight 48-hour critical-patch cycle?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: Essential Eight expects critical patches for internet-facing services and operating systems within 48 hours. If your IT provider owns patching, ask for monthly patch-compliance evidence - not assertions, logs. Unpatched browsers and Office apps remain the most common small-business breach vector.

    51. Q51 (CYB, weight 3): Do you have a tested business email compromise (BEC) defence - particularly callback verification for any change of settlement bank details?

      • Yes - written rule, callback to known number, simulations run (score 5)
      • Verbal rule, occasionally enforced (score 3)
      • Email-only verification of payee changes (score 1)
      • No BEC defence in place (score 0)

      If a weak option is selected: Settlement-redirect BEC is the single most damaging attack pattern in broking - multiple consumer-reported losses of $100K+ between 2022 and 2025. Mandate callback to a previously-known number for any change of payee or settlement details. Train and simulate at least quarterly. The economic and reputational cost of one missed callback dwarfs the operational friction.

    52. Q52 (CYB, weight 2): Do you have a documented incident response plan with clear roles, OAIC NDB notification timing and aggregator/lender notification pathways?

      • Yes - written plan, rehearsed annually (score 5)
      • Plan exists, never rehearsed (score 3)
      • Informal understanding (score 1)
      • No plan (score 0)

      If a weak option is selected: An IR plan that's never been rehearsed is a draft. Run an annual tabletop simulation: ransomware on file share, BEC settlement redirect, phishing-credential compromise. Cover OAIC notification, aggregator notification, lender notification, consumer comms, insurer call. The first 24 hours dictate the next 30 days - practice them.

    53. Q53 (CYB, weight 2): Do you have cyber insurance separate from PI, covering privacy-breach liability, regulatory investigation costs, BEC funds-transfer loss and ransomware?

      • Yes - all four coverages confirmed in writing (score 5)
      • General cyber cover, sub-limits not confirmed (score 3)
      • Business policy only - no specific cyber cover (score 1)
      • No cyber cover (score 0)

      If a weak option is selected: PI typically excludes cyber. Cyber cover for brokers should explicitly include privacy-breach liability (OAIC), regulatory investigation costs (ASIC, OAIC, AUSTRAC if Tranche 2), BEC funds-transfer loss, ransomware payment / restoration, and breach-response services. Sub-limits and exclusions are where insurers save money - read the policy, don't rely on the broker summary.

    54. Q54 (CYB, weight 2): When staff leave, are credentials revoked the same day across email, CRM, lender portals, document store and any related systems?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: Same-day revocation is the standard. For brokers this includes aggregator CRM, every lender portal you've personally been accredited on, document store, password manager, social/marketing tools, and any third-party SaaS. Document the offboarding checklist and the completion timestamp. Aggregator audits and cyber-insurance underwriters both look for this.

    55. Q55 (PRD, weight 3): If you write commercial / business loans, do you only sign Business Purpose Declarations where the loan is genuinely for business purposes (not investment in residential property)?

      • Yes - purpose tested before signing, residential investment loans treated as consumer credit (score 5)
      • Mostly correct, occasional borderline files (score 2)
      • BPD used to simplify investment-resi loans (score 0)
      • Unaware of the BPD limits (score 0)
      • N/A - no commercial / BPD work (score 5)

      If a weak option is selected: Investment in residential property is NOT a business purpose under NCCP Code s5(1)(b) - investment home loans are consumer credit. Signing a BPD on a personal/investment-resi loan to sidestep RL/BID is an offence and the BPD is ineffective anyway. ASIC's 2025 priorities explicitly target business models designed to avoid consumer credit protections (cf. ASIC v Membo Finance / Green County). If in doubt, treat it as consumer credit.

    56. Q56 (PRD, weight 3): If you provide credit assistance on SMSF LRBA loans, do you stay on the LOAN side and refer SMSF strategy advice to a licensed AFSL adviser or accountant?

      • Yes - clear scope boundary, referral panel in place (score 5)
      • Boundary informal (score 2)
      • We provide some SMSF strategy advice ourselves (score 0)
      • N/A - no SMSF lending (score 5)

      If a weak option is selected: Credit assistance on an SMSF LRBA requires ACL/CR authorisation; SMSF strategy advice (set up the fund, recommend LRBA as a strategy) requires AFSL/AR authorisation - a different licence. Crossing the line is unlicensed financial product advice. Document the scope boundary, refer strategy questions to a licensed adviser, and document for BID purposes why the loan suits the fund's age, balance, contributions, insurance and liquidity to service.

    57. Q57 (PRD, weight 3): If you refer consumers to BNPL / Low-Cost Credit Contract providers, do you hold the credit authorisation required since the regime commenced 10 June 2025?

      • Yes - authorisation confirmed, referrals documented (score 5)
      • Refer informally, authorisation status unclear (score 1)
      • Unaware BNPL became regulated credit (score 0)
      • N/A - we don't refer to BNPL providers (score 5)

      If a weak option is selected: From 10 June 2025, BNPL became regulated credit under the NCCP (Low Cost Credit Contract category). A broker referring to a BNPL provider is engaging in credit activity - ACL or CR authorisation is required. Commission arrangements fall under conflicted-remuneration analysis. The 2024 Amendment includes anti-avoidance provisions; pre-reform structures don't escape the regime.

    58. Q58 (PRD, weight 2): If your brokerage has adjacent regulated services (real estate / buyer's agency / conveyancing / accounting / trust-and-company services), have you confirmed Tranche 2 AML/CTF scope for those arms before 1 July 2026?

      • Yes - service lines mapped, adjacent arms enrolled or N/A confirmed (score 5)
      • Aware of the issue, mapping incomplete (score 2)
      • Not assessed (score 0)
      • Unaware Tranche 2 may apply to adjacent services (score 0)
      • N/A - pure-play mortgage broking, no adjacent services (score 5)

      If a weak option is selected: Standalone mortgage broking is NOT a Tranche 2 designated service in the 2024 AML/CTF Amendment. But buyer's agency, conveyancing, accounting, and trust/company services ARE - and 'all under one roof' brokerage groups commonly have one or more adjacent arms. Map your service mix; if any arm is in scope, it must enrol with AUSTRAC by 29 July 2026 and run an AML/CTF program for that arm.

    59. Q59 (PRD, weight 2): Do brokers who use social media (Instagram / TikTok / Facebook / LinkedIn) for promotion understand that giving specific loan recommendations triggers full credit-assistance obligations (Credit Guide, Quote, BID, RL)?

      • Yes - social posts reviewed against credit-assistance rules (score 5)
      • General awareness, no formal review (score 2)
      • Specific product recommendations posted on social without compliance gate (score 0)
      • N/A - no broker-run social media (score 5)

      If a weak option is selected: ASIC's finfluencer focus extends to credit. A specific loan recommendation on TikTok or Instagram is credit assistance - Credit Guide, Credit Quote, Credit Proposal Disclosure, BID and RL all apply, and a recommendation made without a fact-find cannot satisfy them. Either keep social to general education (no specific recommendations), or run consumers through a full fact-find before any product mention. Document the policy and review posts.

    60. Q60 (PRD, weight 1): Do you assess your aggregator's compliance audit findings with the same seriousness as a regulator finding - including documentation of why thin-file / templated-file findings won't recur?

      • Yes - written remediation against each finding, evidence on next-cycle file (score 5)
      • Findings addressed informally (score 3)
      • Audit findings treated as paperwork (score 1)
      • Unaware aggregator audit findings carry weight (score 0)

      If a weak option is selected: ASIC's resumed 2025 BID surveillance flows through aggregators. Aggregator audit findings are the documented evidence ASIC reaches when looking at your conduct - and the ACCC's joint-assurance authorisation (AA1000640, April 2024) is raising the bar. Treat each finding as a recordable remediation: what was wrong, what you changed, how you'll evidence it next cycle.

    Guidance

    Licensing & Authorisation

    Your authorisation pathway - own ACL or Credit Representative - drives the entire compliance stack: PI, AFCA, RG 206 competence, RG 271 IDR, RG 78 reportable situations, and RG 210 PI cover. ASIC bans individual brokers under s80 regardless of aggregator standing - personal compliance hygiene matters whether you're an ACL holder or a CR.

    • Confirm authorisation status and CR Register entry (Within 30 days · Principal): Check the public CR Register for every authorised loan-writer. Confirm the authorising licensee (your aggregator if a CR), authorisation scope, and that no expired entry remains. Loss of authorisation while still acting is unlicensed conduct. Record this check annually.
    • Audit RG 206 competence and CPD by writer (Annually · Compliance lead): Cert IV in Finance and Mortgage Broking baseline; MFAA 30 hrs/yr (with AML refresher every second renewal) or FBAA 25 hrs/yr depending on body. Aggregator and lender minimums often layer on top. Track per writer in the relevant body's portal; retain certificates for audit.
    • Lock down PI cover with run-off (At every renewal · Principal): RG 210: $2M per claim minimum, adequate aggregate, run-off cover surviving change of insurer or aggregator. Run-off is the most common gap - get it on the certificate. CR brokers covered by aggregator scheme PI: confirm the scheme run-off treatment when you join, and again if you leave.
    • Use the reference-checking protocol on every recruit (Process from now on · Principal): ASIC's reference-checking and information-sharing protocol extends to mortgage aggregators and credit licensees. Request 5-year compliance audit history from the candidate's previous aggregator before authorising. Skipping this exposes you to inheriting BID/RL deficiencies.

    Best Interests Duty

    BID (s158LA + RG 273) is the principle-based test that has no safe harbour - unlike the FP equivalent. ASIC paused its surveillance in 2023 and resumed engagement with aggregators in 2025. File quality is the focus: genuine fact-find, documented comparison, and traceable 'why this product / why not the alternatives' reasoning.

    • Eliminate templated 'objectives' text across files (Within 30 days · Senior broker review): RG 273 expects individualised needs analysis. Identical objectives copy across pipeline files is the textbook BID audit finding. Add a senior-broker review step that flags duplicated objectives and forces remediation before submission.
    • Build a BID worksheet into every recommendation (Within 60 days · Compliance lead + IT): Lender comparison, feature analysis, cash-back net-benefit (where relevant), and a written 'why this / why not the alternatives' rationale. Attach to the file as a living artefact - not a tick-box. Aggregator CRM templates exist; if yours doesn't, build a standalone worksheet.
    • Make accreditation hygiene a hard recommendation gate (Within 30 days · IT + Compliance lead): Recommending a product from a lender whose accreditation has lapsed or whose product version has changed exposes both RL and BID risk under RG 273. Build accreditation-status verification into the recommendation step in your CRM - not an after-the-fact audit catch.
    • Train annually on the BID priority rule (Annually · Compliance lead): s158LB priority rule plus s158T anti-avoidance - train every loan-writer with real conflict scenarios (related-party referrals, panel cash-backs, lender campaigns). Document attendance and content. Aggregator-supplied modules count if you also discuss the scenarios specific to your business.

    Responsible Lending

    Chapter 3 NCCP Act remains in force unchanged - the 2020 wind-back was abandoned. Brokers carry parallel obligations to lenders: reasonable inquiries, verification, unsuitability test. Westpac (Wagyu and Shiraz) did not relieve brokers of s117 - your obligation is independent of the lender's s130 assessment. RG 209 plus the 2023–24 hardship focus drive ongoing scrutiny.

    • Build a tiered fact-find that scales with risk (Within 60 days · Compliance lead + IT): Default fact-find for vanilla resi; expanded inquiry triggered for high-LVR, first-home, interest-only, investor, SMSF, reverse, alt-doc, construction, bridging. RG 209 expects the inquiry depth to track product complexity. Build the conditional fields in your CRM.
    • Lock living-expense inquiry to itemisation, HEM as floor (Process from now on · Loan-writers + Senior review): Itemise inquiry first; use HEM as a sense-check / floor where declared expenses look low. Over-reliance on HEM was a Royal Commission criticism and remains an ASIC focus. The file should show the inquiry, not just the benchmark.
    • Document the s115 preliminary assessment and on-request delivery (Within 30 days · IT + Compliance lead): s115 preliminary assessment generated for every credit-assistance file; s120 on-request written copy delivered free within 7 business days. Aggregator CRMs typically generate this - verify yours produces a retrievable record and that the 7-year retention (NCCPR Reg 30) is configured.
    • Document the hardship referral path (Within 60 days · Compliance lead): Brokers have no standalone hardship obligation but RG 209 / NCC s72 / aggregator best-practice guidance expect referral to the lender's hardship team and the National Debt Helpline when signals appear. Write the path; brief loan-writers; record the referral when it happens. ASIC REP 783 keeps the surrounding ecosystem in scope.

    Disclosure Documents

    Credit Guide (s113/s158, with the top-6-lenders disclosure), Credit Quote (s114, signed before assistance), Credit Proposal Disclosure Document (s121/s158L, with reasonable estimate of indirect remuneration), and the lender-side PCS / Information Statement / RMIS - the disclosure stack is precise and audit-visible. Aggregator CRMs handle most of it; broker-level overrides are where errors accumulate.

    • Refresh the Credit Guide top-6 lenders list (Quarterly · Compliance lead): The top-6 list must reflect the previous 6 months of submitted-loan business. Aggregator CRMs auto-populate but list-refresh cadence is variable. Verify quarterly that the live Credit Guide reflects current data, and that it's delivered at first credit-activity contact (not at submission).
    • Make the Credit Quote a hard pre-assistance gate (Process from now on · Loan-writers + IT): Credit Quote must be issued and the consumer must agree to fees in writing before credit assistance starts. Build an e-sign step that blocks progression until signature. Even zero-fee Credit Quotes are required (showing zero direct fees + commission disclosure).
    • Verify Credit Proposal Disclosure remuneration estimates (Within 30 days · IT + Compliance lead): The CPDD must give a reasonable estimate of upfront + trail commissions. Generic copy / zero placeholders are an audit finding. Verify aggregator CRM populates real numbers from the lender + product combination; manual override path documented.
    • If you write reverse mortgages, fix the RMIS gap (Within 30 days · Compliance lead + Web team): NCC s133DC: RMIS given before assessment AND displayed on any website that provides reverse-mortgage information. Add the RMIS to your website page; build it into the reverse-mortgage workflow as a pre-assessment step. Heightened RG 209 inquiries (life events, beneficiary impact) on the same files.

    Commissions & Clawbacks

    The post-Hayne conflicted-remuneration architecture commenced 1 January 2021 and remains the highest-stakes commercial-conduct overlay on broking. Volume / campaign bonuses banned; soft-dollar above de minimis is conflicted; passing clawback to the consumer is prohibited. ASIC and aggregator audits both target this area.

    • Audit every lender / aggregator commission arrangement (Annually · Principal): Confirm no volume-based or campaign-based bonus components survive. Soft-dollar items (education, conferences, hospitality) above the de minimis threshold logged in a register with attendees, value and disclosure language. Most legacy structures unwound before 1 Jan 2021 - verify nothing has crept back.
    • Sweep engagement docs for consumer-pass-through clauses (Within 30 days · Principal + legal review): Any clause requiring the consumer to reimburse you for clawback, or a 'cost recovery' fee on early refinance, or a 'loyalty period' in a side letter - all prohibited. Side letters and 'admin fee' redresses are aggregator-audit hot-spots. Strip them.
    • Maintain a referrer / related-party register (Process from now on · Compliance lead): Every referrer arrangement (accountant, FP, real-estate agent, related-party) - fee mechanism, disclosure language, lender-contingency status, consumer consent date. Disclose in the CPDD and in the engagement materials. No arrangement that conditions referrer fee on a specific lender being recommended.
    • Treat broker-fee-for-service as a Credit Quote event (Process from now on · Loan-writers): Direct broker fees are permitted but the Credit Quote (s114) must disclose them and the consumer must consent in writing before assistance is provided. Post-settlement invoicing without prior consent is a s114 breach. Use a templated Credit Quote with an explicit fee acknowledgement.

    Privacy & Credit Reporting

    Brokers are APP entities virtually by default - handling credit information lifts you in regardless of turnover. Part IIIA + the CR Code 2024 add credit-specific obligations. Recent broker-sector incidents (Finsure 2024, youX 2026, Mortgage Choice 2025) and the 2024 Privacy Act reforms (penalties up to $50M / 30% turnover, statutory tort) make this a live regulatory zone.

    • Refresh privacy policy and APP 5 collection notice (Within 60 days · Privacy Officer): Walk through APP 1.4: identity, kinds of PI, purposes, disclosure (aggregator, lenders, CRBs, offshore vendors), access and correction, complaints with OAIC referral. Add retention by data type. Prepare for the 2026 Tranche 2 Privacy Act bill that's expected to remove the small-business exemption.
    • Move ID-document collection off email onto a secure portal (Within 60 days · IT + Office Manager): ID via email is the single biggest practical privacy-and-BEC risk. Use the aggregator's secure portal or a dedicated tool. Train staff to refuse email attachments and forward consumers to the portal. APP 11 requires reasonable steps.
    • Build a vendor register with cross-border review (Within 90 days · Privacy Officer + IT): Every vendor touching client data - CRM, document store, marketing platform, AI tools, e-sign, SMS. Document jurisdiction and APP 8 treatment (reasonable steps OR consumer consent). The 2024 Finsure incident involved a third-party supplier compromise - vendor-security review is not optional.
    • Test the data-breach response plan (Within 90 days · Privacy Officer + IT): OAIC NDB notification within 30 days of awareness. Mortgage files cross the 'serious harm likely' threshold easily. Tabletop annually: ransomware on file share, BEC settlement redirect, third-party platform breach. Cover OAIC, aggregator, lender, consumer comms, insurer call.

    IDR, AFCA & Reportable Situations

    RG 271 (24-hour acknowledgement, 30-day standard, 21-day hardship) and RG 78 (30-day reportable-situations clock) are enforceable standards. AFCA membership is mandatory and lapses are a recurring 2025 ACL-cancellation cause. The reportable-situations regime extends to 'dobbing' on other licensees' representatives.

    • Stand up a structured complaints register (Within 60 days · Compliance lead + IT): Searchable, RG 271-compliant: receipt timestamp, acknowledgement timestamp, response timestamp, hardship flag, final outcome, AFCA escalation status. Aggregator IDR modules are usually adequate; spreadsheet works at smaller scale; email-only does not. Configure breach-approach alerts on 24-hour and 30-day timers.
    • Train loan-writers on the RG 271 timeframes (Annually · Compliance lead): 24-hour acknowledgement, 30-day standard response, 21-day traditional credit hardship. Channel-agnostic - email, phone, social count from first receipt. Missed timeframes are themselves reportable situations under RG 78. Run scenarios; document attendance.
    • Document the RG 78 trigger and escalation path (Within 60 days · Principal + Compliance lead): What constitutes a significant breach for your brokerage. Who decides. Who escalates (aggregator if CR, ASIC directly if own-ACL). The 30-day clock from knowing or having reasonable grounds to suspect. Include the 'dobbing' obligation re other licensees' reps. Refresh annually.
    • Confirm AFCA membership currency annually (Annually · Principal): Mandatory under s47(1)(h). ASIC has cancelled multiple ACLs in 2025 specifically for lapsed AFCA membership. CR brokers depend on the authorising licensee - confirm at every membership cycle. Loss of AFCA = ACL non-compliance the same day.
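    The 24-hour and 30-day timers described in the complaints-register item above, as an added worked example in Python (this is not code from the quiz page, nor any aggregator's IDR module). It computes the RG 271 acknowledgement and response deadlines from the first-receipt timestamp, applies the 21-day window when the hardship flag is set, and returns the records that need attention. The warning lead times (6 hours before acknowledgement, 2 days before response) and the sample complaints are assumptions constructed for the example.

```python
"""Added example: an RG 271 complaints-register deadline monitor.

Constructed for illustration; not the quiz page's or any aggregator's code.
Timeframes follow the figures stated on the page: 24-hour acknowledgement,
30-day standard response, 21-day response where the hardship flag is set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACK_WINDOW = timedelta(hours=24)
RESPONSE_WINDOW = timedelta(days=30)
HARDSHIP_RESPONSE_WINDOW = timedelta(days=21)
ACK_WARNING_LEAD = timedelta(hours=6)   # assumption: alert this far before the ack deadline
RESPONSE_WARNING_LEAD = timedelta(days=2)  # assumption: alert this far before the response deadline


@dataclass
class Complaint:
    """One register row: timestamps are tz-aware datetimes, None while open."""
    ref: str
    received: datetime
    acknowledged: Optional[datetime] = None
    responded: Optional[datetime] = None
    hardship: bool = False
    afca_escalated: bool = False


def deadlines(c: Complaint):
    """Both clocks run from first receipt, whatever the channel (email, phone, social)."""
    ack_due = c.received + ACK_WINDOW
    window = HARDSHIP_RESPONSE_WINDOW if c.hardship else RESPONSE_WINDOW
    return ack_due, c.received + window


def _clock_status(done: Optional[datetime], due: datetime, now: datetime, lead: timedelta) -> str:
    """met: completed on time; late: completed after the deadline;
    breached: still open and past the deadline; warning: open and inside the lead window; open: otherwise."""
    if done is not None:
        return "met" if done <= due else "late"
    if now > due:
        return "breached"
    if now >= due - lead:
        return "warning"
    return "open"


def assess(c: Complaint, now: datetime) -> dict:
    ack_due, resp_due = deadlines(c)
    return {
        "ref": c.ref,
        "ack": _clock_status(c.acknowledged, ack_due, now, ACK_WARNING_LEAD),
        "response": _clock_status(c.responded, resp_due, now, RESPONSE_WARNING_LEAD),
        "ack_due": ack_due,
        "response_due": resp_due,
    }


def alerts(register, now: datetime):
    """Rows needing attention. 'late' and 'breached' are missed timeframes, which the
    page notes are themselves reportable situations under RG 78, so they stay in the list
    even after the complaint is closed."""
    found = []
    for c in register:
        a = assess(c, now)
        for clock in ("ack", "response"):
            if a[clock] in ("warning", "breached", "late"):
                found.append((c.ref, clock, a[clock]))
    return found


# Constructed sample data (not real complaints). Fixed "now" keeps the example deterministic.
NOW = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)


def sample_register():
    r1 = NOW - timedelta(hours=3)
    r2 = NOW - timedelta(hours=20)
    r3 = NOW - timedelta(days=31)
    r4 = NOW - timedelta(days=22)
    return [
        Complaint("C-001", received=r1, acknowledged=r1 + timedelta(hours=1)),          # on track
        Complaint("C-002", received=r2),                                                 # ack due in 4h
        Complaint("C-003", received=r3, acknowledged=r3 + timedelta(hours=1)),           # response overdue
        Complaint("C-004", received=r4, acknowledged=r4 + timedelta(hours=30),           # ack was late
                  responded=r4 + timedelta(days=20), hardship=True),                     # 21-day window met
    ]


if __name__ == "__main__":
    for ref, clock, state in alerts(sample_register(), NOW):
        print(f"{ref}: {clock} {state}")
```

A real register would replace `sample_register()` with rows read from the CRM or aggregator IDR module and run `alerts()` on a schedule; the point of the status model is that a late acknowledgement stays visible as a finding after closure, which is what feeds the RG 78 assessment.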

    Records, PI & Aggregator

    The broker file is the single most important compliance artefact. NCCP Reg 30 requires 7-year retention from the date credit assistance is provided. PI must include run-off cover that survives change of insurer or aggregator. Beware the 'aggregator compliance is enough' fallacy: ASIC bans individuals regardless of aggregator standing.

    • Lock down a regulator-ready file checklist (Within 30 days · Compliance lead + IT): Credit Guide, fact-find, Credit Quote, verification docs, preliminary assessment, lender comparison, BID reasoning, Credit Proposal Disclosure, PCS/IS delivery evidence, complaints. Build it as a CRM submission gate - nothing closes without each item ticked.
    • Configure 7-year retention at the system level (Within 30 days · IT + Compliance lead): NCCP Reg 30 + s88: 7 years from the date credit assistance is provided. Aligned BID retention (s158LE). Check CRM and document-store retention defaults - anything shorter is non-compliance. Lock the configuration; don't rely on individual brokers to retain.
    • Plan aggregator-switch file extraction in advance (Before any aggregator change · Principal): Personal responsibility for 7-year retention survives an aggregator change. Plan the export: full file PDFs, written retention assurance from outgoing aggregator, confirmed access for the residual retention period. Extraction fees are common - budget for them.
    • Treat aggregator audit findings as personal compliance (Process from now on · Principal): Log every finding, document remediation, retain the next-cycle evidence. ASIC bans individual brokers under s80 regardless of aggregator standing. The audit log is what ASIC reaches in any later investigation - make it short and clean.

    Cyber & Data Security

    A typical Australian mortgage file is among the richest PI datasets in private-sector commerce - TFN, ID, payslips, tax returns, bank statements, security details. ASIC's RMG 776 / Cyber Pulse, APP 11, and recent broker-sector incidents (Finsure, youX, Mortgage Choice) make this a live regulatory zone, and PI cover typically excludes cyber.

    • Make MFA universal and verified (Within 14 days · IT lead): Email, aggregator CRM, document store, every lender portal, password managers, social/marketing tools, myGovID/myID. Authenticator app or hardware key for principals. Verify quarterly with a coverage report - assertions, not assumptions.
    • Mandate callback verification for settlement bank changes (Within 14 days · Office Manager): Callback to a previously-known number for ANY change of payee or settlement details. The single most damaging attack pattern in broking is settlement-redirect BEC - losses of $100K+ per incident. Train, simulate quarterly, document the rule.
    • Test the IR plan annually (Annually · Principal + IT lead): Tabletop simulation: ransomware on file share, BEC settlement redirect, phishing-credential compromise. Cover roles, OAIC notification within 30 days, aggregator notification, lender notification, consumer comms, insurer call. The first 24 hours dictate the next 30 days.
    • Hold cyber cover separate from PI (At next renewal · Principal): PI typically excludes cyber. Cyber should explicitly include privacy-breach liability, regulatory investigation costs, BEC funds-transfer loss, ransomware, business interruption, breach-response services. Sub-limits and exclusions matter - read the policy.

    Products & Marketing

    Product-specific obligations and marketing rules are where compliance gaps tend to cluster. BPD misuse on investment-resi; SMSF strategy advice without an AFSL; reverse mortgage information statements; BNPL referrals post-10 June 2025; comparison-rate compliance in advertising; specific recommendations on social media.

    • Stop BPD use on personal / investment-resi loans (Within 30 days · Principal + Loan-writers): NCC Code s5(1)(b): investment in residential property is NOT a business purpose - investment home loans are consumer credit. Signing a BPD to sidestep RL/BID is an offence and ineffective. ASIC's 2025 priorities target avoidance models. Train; review borderline files; if in doubt, treat as consumer credit.
    • Document the SMSF scope boundary (Within 30 days · Principal): Credit assistance on the LOAN: ACL/CR. SMSF strategy advice (set up the fund, recommend LRBA): AFSL. Crossing the line is unlicensed financial product advice. Maintain a referral panel for the strategy questions; BID-document why the loan suits the fund's age, balance, contributions, insurance, liquidity to service.
    • Confirm BNPL referral authorisation (Within 30 days · Principal): From 10 June 2025, BNPL is regulated credit (Low Cost Credit Contract). Referring to a BNPL provider is credit activity - ACL or CR authorisation required. Audit any referral arrangements; commission falls under conflicted-remuneration analysis. The 2024 Amendment includes anti-avoidance - pre-reform structures don't escape.
    • Audit social media against the credit-assistance gate (Within 60 days · Compliance lead + Marketing): ASIC's finfluencer focus extends to credit. Specific loan recommendations on social trigger Credit Guide / Credit Quote / CPDD / BID / RL - with no fact-find. Either keep social to general education (no specific recommendations), or run consumers through a full fact-find. Document the policy and review posts quarterly.

    Disclaimer

    General disclaimer

    This assessment is an indicative self-diagnostic tool and does not constitute legal, regulatory, or compliance advice. It reflects the regulatory landscape as of April 2026, including the NCCP Act, the Financial Sector Reform (Hayne) Act 2020 (BID + conflicted remuneration), RG 273, RG 209, RG 271, RG 78, RG 210, the AML/CTF Amendment Act 2024, and the Privacy and Other Legislation Amendment Act 2024.

    ASIC and ACL advice

    Authorisation, fit-and-proper, BID and RL obligations require professional judgement applied to your specific business. This tool is not a substitute for advice from a credit-licensing lawyer, your aggregator's compliance team, your professional body (MFAA or FBAA), or your PI insurer.

    AML/CTF advice

    Tranche 2 obligations depend on which designated services you actually provide. Standalone mortgage broking is not itself a designated service, but adjacent services (real-estate, conveyancing, trust/company services) may be. This tool is not a substitute for an AUSTRAC-aware AML/CTF compliance review.

    Privacy advice

    Privacy Act compliance - including Part IIIA (Credit Reporting) and the CR Code - involves factors specific to each brokerage's systems, aggregator setup, and product mix. For a definitive privacy review, consult a qualified privacy lawyer or your aggregator's privacy resources.