The compliance framework is written.
The clocks are running.
The evidence gap is your risk.
Most compliance programs in Australia’s regulated sector have reached the same milestone: the policy exists, the committee has met, and the board pack has been presented.
That is the 5-star version of compliance.
The 10-star version is different. It is the version where engineering can show the evidence behind the policy, where operations can demonstrate the process under pressure, and where the regulator gets proof rather than reassurance.
In 2026, five regulatory clocks are running simultaneously in Australian financial services. Each one has a specific evidence burden. Most programs are still carrying the gap.
This article is about the five clocks and what finishing actually looks like for each one.
Important disclaimer: This article is for information and general awareness only. It is not legal advice, regulatory advice, compliance advice, or a recommendation to act in any particular way. Regulatory interpretation depends on your entity type, licence, and specific circumstances. For decisions about compliance programs, contracts, or regulatory obligations, engage qualified legal, compliance, or regulatory advisers.
The five clocks
| Clock | Obligation | Key date | What proof looks like |
|---|---|---|---|
| ① CPS 230 service providers | Bring pre-existing contracts within scope | Earlier of the contract's next renewal date or 1 July 2026 | Contract controls, concentration mapping, exit plans |
| ② ASIC digital assets | AFSL obligations for crypto exchanges and custodians | 18-month implementation path, ongoing | Licensing assessment, custody controls, AFSL register |
| ③ AUSTRAC AML/CTF | Tightened digital ID and auditable onboarding | No hard cutoff — examination scrutiny is live | Onboarding workflow evidence, exception handling, audit trail |
| ④ Privacy Act automated decisions | Disclose automated decision-making to the public | 10 December 2026 | Public statement, internal register, consumer-facing disclosure |
| ⑤ AI mandatory guardrails | High-risk AI settings require accountability and human oversight | Proposals paper released — final rules pending | Board accountability, human-in-the-loop evidence, use case register |
The clocks are not running at the same speed. One is days away. Another lands at year-end. The fifth is still in consultation. But all five share the same underlying problem: they require evidence, not just policy.
Clock ①: CPS 230 service providers — 1 July 2026
CPS 230 took effect on 1 July 2025.
For pre-existing service-provider contracts, APRA allowed a transition period. The catch-up deadline is the earlier of the contract’s next renewal date or 1 July 2026.
That date is now weeks away.
The requirement is not that every contract has been renegotiated. It is that every material service provider relationship is governed in a way that satisfies CPS 230’s obligations — including contractual rights of access for APRA, service-level controls that map to operational tolerance levels, exit and contingency arrangements, and concentration risk visibility.
APRA’s 30 April 2026 targeted amendments introduced a narrow carve-out for non-traditional service providers where strict contractual terms are impracticable. That softens one edge case. It does not remove the core obligation.
The questions a board or risk officer should be asking right now:
- Which pre-existing material service-provider contracts are approaching renewal or have not yet been reviewed?
- For each one, do we have the contractual controls, concentration view, and contingency evidence CPS 230 requires?
- Which providers are still ungoverned — and why?
The 1 July 2026 date is not a suggestion. Entities that cannot show evidence of systematic catch-up are carrying a gap that APRA can examine.
Clock ②: ASIC digital assets — 18-month AFSL path
In May 2026, ASIC outlined an 18-month implementation path to bring digital asset platforms and tokenised custody within the Australian Financial Services Licence perimeter.
Crypto exchanges, custodians, and tokenised-asset platforms that are currently operating under informal arrangements or relying on the intermediaries licence exemption need to assess where they sit.
This is not a distant deadline for the sector. KPMG’s 2026 fintech funding analysis noted that exits in Australian fintech are increasingly skewing to consolidation, with licensing strength being a key differentiator. Platforms that move early on AFSL compliance are better positioned than those that wait.
The practical questions:
- Has your legal team assessed whether your platform requires an AFSL under the incoming framework?
- Are your custody arrangements — including asset segregation, sub-custody, and operational controls — at the standard a licence application would require?
- If you are a startup building on tokenised infrastructure, do your service agreements reflect the incoming regulatory expectations?
The 18-month path is not infinite. And ASIC examinations do not wait for the path to end.
Clock ③: AUSTRAC AML/CTF — no grace window
AUSTRAC’s 2026 AML/CTF regime changes are not built around a single hard deadline.
That makes them more dangerous than the others.
The tightened standards — including stricter digital identity verification, more auditable onboarding workflows, and heightened exception handling requirements — are already in force. AUSTRAC examinations are live. Scrutiny of regulated entities, remittance providers, and fintechs with AML/CTF obligations has been increasing.
The two failure patterns AUSTRAC sees most often are not malicious. They are:
- Onboarding processes that were designed for a previous standard and have not been updated for the new one.
- Exception workflows that exist on paper but produce no auditable evidence when a transaction is flagged and reviewed.
The first is a technology debt problem. The second is a process design problem.
For fintechs and challengers that built their onboarding on manual processes or early-generation digital ID tools, the question is whether those systems still produce the evidence AUSTRAC expects at examination.
If you are not sure, the answer is probably no.
Clock ④: Privacy Act automated decisions — 10 December 2026
The Privacy and Other Legislation Amendment Act 2024 created a new obligation that many organisations are under-preparing for.
From 10 December 2026, businesses that use automated decision-making in ways that affect individuals must disclose this publicly.
This is not a narrow requirement.
If your organisation uses AI or automated systems to make or meaningfully inform decisions about customers, employees, or individuals — credit assessments, document processing, fraud flags, support triage, content filtering — you may need a public disclosure statement that describes:
- that automated decision-making is used
- the kinds of decisions it is used for
- in some circumstances, the right of individuals to request information about a decision made about them
Organisations that have assumed this only applies to government agencies are wrong. The obligation applies broadly. The December 2026 deadline is not long-term planning territory. It is six months away.
The evidence gap is not the disclosure itself. It is the internal inventory that makes disclosure possible.
To write an accurate public statement, an organisation needs to know:
- which processes use automated or AI-assisted decision-making
- what role automation plays in each decision (informing, recommending, or deciding)
- whether any of those decisions have a material impact on individuals
- who owns each automated process
Most organisations do not have that inventory. Building it takes longer than most teams estimate.
Clock ⑤: AI mandatory guardrails — proposals paper released
In May 2026, the Australian Government released a proposals paper on introducing mandatory guardrails for AI in high-risk settings.
The paper is in consultation. Final rules are not yet legislated.
But the direction is clear enough to act on now.
The proposals focus on:
- Board and executive accountability for AI systems used in high-risk settings
- Human-in-the-loop requirements for systems that affect individuals’ rights or access to essential services
- Data governance obligations for training data, model behaviour, and post-deployment monitoring
- Transparency requirements including consumer-facing disclosure and internal documentation
“High-risk settings” in the current proposal includes AI used in employment, credit, insurance, housing, healthcare, legal services, law enforcement contexts, and critical infrastructure.
That is a wide perimeter.
Organisations that wait for final legislation before beginning to build governance structures will find themselves trying to retrofit accountability into production systems under time pressure.
The organisations that prepare now — use case registers, named accountability owners, human oversight documentation, monitoring and exception logs — will have an easier path to compliance when the final rules arrive.
The common failure mode
All five clocks share the same problem.
The policy exists. The committee has met. The framework is documented.
But when a regulator, an auditor, or a director asks a pointed question — which service providers have been brought into scope, which onboarding flows produce auditable evidence, which AI decisions are disclosed publicly, who is accountable for which automated process — the answer often falls back to the policy rather than the proof.
That is the evidence gap.
It is not a legal interpretation problem. It is an engineering and operations problem.
The firms that close these gaps before the deadlines are not just reducing regulatory risk. They are building the institutional capability that distinguishes a 10-star compliance program from a 5-star one.
| Five-star version | Ten-star version |
|---|---|
| Service-provider policy approved by board | Provider register connected to contract controls and tested contingency |
| AFSL review underway | Custody controls and licence conditions evidenced and tested |
| AML/CTF policy updated | Onboarding workflows produce auditable evidence at every exception |
| Automated-decision process listed internally | Public disclosure statement live and accurate before December 2026 |
| AI governance framework drafted | Use case register, named owners, and human-oversight logs operational |
The clocks are already running.
The question is whether your evidence is catching up.