ASIC's AI Expectations for Australian Financial Services: Licence Obligations, RG 271, and the Enforcement Direction
ASIC has signalled clearly that AI governance failures in financial services will be treated as licence obligation failures. RG 271 (Internal Dispute Resolution), financial services licence conditions, and ASIC's enforcement history map a clear set of AI obligations for Australian financial services firms.
Key Takeaways
ASIC treats AI governance failures as potential breaches of financial services licence obligations — specifically the requirements to maintain competence, compliance resources, and appropriate risk management.
RG 271 (Internal Dispute Resolution) requires financial firms to have accessible, responsive dispute resolution that works for all customers — AI-generated decisions that customers cannot understand or effectively challenge create RG 271 compliance risk.
ASIC's responsible lending obligations apply to AI-driven credit decisions: the AI does not substitute for human credit assessment obligations; it creates additional documentation and explainability requirements.
ASIC has specifically addressed robo-advice: AI-generated financial advice must meet the same best interests duty obligations as human advice — the AI is not exempt from statutory obligations because it is an algorithm.
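ASIC's enforcement approach in 2026: outcome-focused, consumer harm-led, willing to pursue individuals where governance failures are attributed to specific executives.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, please consult a qualified expert."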
ASIC's position on AI — existing obligations apply, with no special exemptions
The Australian Securities and Investments Commission (ASIC) has been clear and consistent: existing regulatory obligations on AFS licensees apply with full force when AI is used. There will not be a separate "AI rulebook" for financial services. Instead, ASIC will enforce the existing framework — best interests duty, efficiency/honesty/fairness, design and distribution obligations, prohibition on misleading conduct, prohibition on unconscionable conduct, directors' duties — against AI-enabled processes just as it does against conventional ones.
ASIC's REP 798 (October 2024) "Beware the gap: Governance arrangements in the face of AI innovation" formalised the position. The report's central finding: licensees are adopting AI faster than they are updating their risk and compliance frameworks. This gap creates significant risks to consumers and market integrity. ASIC's enforcement direction follows the same logic — AI use that produces consumer detriment is enforceable under existing law, regardless of whether ASIC has issued AI-specific guidance for that particular use case.
The core obligations AI must satisfy
Efficiently, honestly and fairly (s 912A Corporations Act). The general conduct obligation applies to AI-assisted services. AI bias, opacity, or representations about a system's error rates must satisfy the s 912A standard. An AFS licensee that deploys an AI system known to produce systematically biased outcomes for a class of consumers is not providing services efficiently, honestly, and fairly.
Misleading or deceptive conduct (s 1041H Corporations Act; s 12DA ASIC Act). Representations about AI capabilities, model performance, or AI-generated outputs must be factual and accurate. Marketing AI as "objective" or "unbiased" when it produces measurably biased outputs is misleading. Holding out AI-generated advice as personalised when it does not actually consider the client's individual circumstances is misleading.
Unconscionable conduct (ss 12CB-CC ASIC Act). AI must not exploit vulnerable consumers. ASIC has specifically warned that AI's inferential power could be used to predict consumer vulnerability — for example, identifying consumers likely to accept high-interest loans, or targeting financially distressed consumers with unsuitable products. Such use would violate the unconscionable conduct prohibition.
Best Interests Duty (s 961B Corporations Act; for personal advice). Where AI is involved in providing personal financial advice to retail clients, the best interests duty applies. The provider must demonstrate the advice is in the client's best interests. AFSLHouse's March 2026 guidance identifies retrieval-augmented generation (RAG) architecture as a practical technique to help satisfy this duty — AI systems should query verified, real-time data sources rather than relying on potentially-hallucinated training data.
Design and Distribution Obligations (DDO) (Pt 7.8A Corporations Act). When AI is used to personalise product recommendations or target marketing, DDO obligations extend to ensuring the AI is not systematically directing unsuitable products at vulnerable consumers. AI-driven distribution decisions must remain consistent with target market determinations.
Directors' duties of care and diligence (s 180 Corporations Act). ASIC has explicitly highlighted that directors' duties extend to AI adoption, deployment, and use decisions. Directors who rely on AI-generated information must do so with reasonable care. The duty also extends to overseeing reasonably foreseeable AI-related risks.
Regulatory Guide 255 (RG 255) — digital financial advice
ASIC's RG 255 establishes the framework for digital financial advice in Australia. Where AI generates or assists financial advice, RG 255's requirements apply. A "suitably qualified individual" must review and sign off on AI-generated advice: a licensed adviser remains accountable; the AI does not. This human-in-the-loop process cannot be a "tick-a-box" exercise. The reviewer must have sufficient understanding of the AI's rationale, risks, and rules (though not necessarily knowledge of the specific code). The review must assess advice quality and appropriateness and verify alignment with client circumstances and best interests, and the licensee must be able to suspend the AI system immediately if errors are found.
Record-keeping under s 286 of the Corporations Act
Section 286 of the Corporations Act requires AFS licensees to maintain written financial records that explain transactions for seven years. When AI is involved in advice or other regulated services, this record-keeping obligation extends to the AI process. To reconstruct the advice context, licensees should capture and store system prompts, user inputs, model metadata, and outputs. Generic logging is insufficient — the records must allow regulators or auditors to reconstruct what the AI considered, what it recommended, and how the human adviser used the AI output.
REP 798's 11 questions for AFS licensees
REP 798 included 11 specific questions ASIC expects licensees to consider. These cover: AI strategy and alignment with business objectives; AI governance committees and oversight roles; risk management for AI-specific risks; documentation of AI systems, decisions, and outcomes; testing and validation processes (including bias and fairness testing); third-party AI vendor due diligence and ongoing oversight; human oversight arrangements; explainability of AI decisions to consumers and regulators; consumer remediation processes for AI errors; staff training and competency for AI use; and ongoing monitoring of AI performance and updates.
ASIC's enforcement focus areas
ASIC's stated enforcement priorities for 2025-26 include several areas where AI is implicated: misleading conduct in financial product marketing (where AI generates promotional content or personalisation); financial advice quality (where AI is used in advice production or review); consumer remediation (where AI-driven decisions caused detriment that requires remediation); and dealings with vulnerable consumers (where AI-driven targeting affects vulnerable cohorts). In February 2026, ASIC commenced a new review of advice licensees that use lead generation services — investigating practices that may inappropriately encourage consumer switching of superannuation. Lead generation is an area where AI is increasingly deployed and where the existing best interests duty intersects with AI capability.
Practical compliance for AFS licensees
Map every AI deployment in your business: what AI is used, by whom, for what purpose, and what consumer outcomes it influences. Apply REP 798's 11 questions to each material AI use — and document your responses. For any AI used in advice production, ensure RG 255-compliant human review is in place and is substantive rather than rubber-stamping. For any AI used in marketing, distribution, or product targeting, audit against DDO obligations and document the assessment.
Conduct algorithmic fairness testing for AI used in credit decisions, insurance underwriting, or pricing — particularly for demographic groups identified as potentially vulnerable. Update third-party AI vendor contracts with AI-specific provisions (explainability, data use restrictions, audit rights, incident notification). Ensure your record-keeping captures sufficient information to reconstruct AI-driven decisions for the seven-year retention period. Brief your board on AI risk and document the briefings — directors' duties require informed oversight, and the documentation provides evidence of fulfilment.
Primary sources: ASIC REP 798 · APRA