"Perfect storm" ahead for AFSLs in 2026

The next 12 months represent a significant regulatory challenge for Australian Financial Services Licensees (AFSLs). This is not a "business as usual" compliance environment.

As if recent years haven’t been interesting enough from the perspective of advisers, in 2026 they face a “perfect storm” defined by three converging forces:

  1. Non-negotiable reform deadlines: Major legislative overhauls, particularly from the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Office of the Australian Information Commissioner (OAIC), come with implementation deadlines requiring substantial operational and policy changes.
  2. High-penalty enforcement: Regulators, including ASIC and the ACCC, are actively shifting from guidance to litigation. They are using new and expanded penalty powers to target perceived failures in existing obligations like cyber-resilience and consumer contracts.
  3. Regulatory scrutiny: The lines between regulators are blurring. A single business decision, such as implementing a new AI-driven advice tool or offering an ESG-labelled product, now attracts simultaneous scrutiny from ASIC, the ACCC, and the OAIC.

The primary strategic challenge for AFSLs will be managing the cumulative weight of these changes. The demand on licensee time, budget and technology resources will be challenging. The greatest risk is not failing to understand one individual change, but operational failure resulting from the inability to resource and manage all of them concurrently.

This is the practical roadmap for AFSLs and Responsible Managers to prioritise these risks and allocate resources effectively.

Immediate risks: High-penalty enforcement actions

Before addressing future deadlines, licensees must be aware that regulators are actively enforcing existing laws, with significantly higher penalties.

1. ACCC focus on Unfair Contract Terms (UCTs)

This is one of the most significant “sleeping giants” for AFSLs. New, multi-million-dollar penalties for Unfair Contract Terms are now in effect. The ACCC has been explicit in targeting the very clauses that are standard in many advice agreements, such as “automatic renewals” and “cancellation/termination” terms.

The risk is that a single clause deemed “unfair,” used across an entire client base, could attract per-contract, per-clause penalties that could be financially severe.

  • Required Action: If not done already, review all client service agreements for UCT compliance.

2. Greenwashing: The multi-million-dollar trap

Both ASIC and the ACCC have “greenwashing” as a top-tier enforcement priority. Recent significant penalties against firms like Mercer and Vanguard set a clear precedent. The core failure was not about the philosophy of ESG, but about a basic failure of verification – making claims that were not factually accurate.

This risk flows directly to advisers. Recommending a product based on a “green” claim that has not been independently verified is a high-risk act. If an adviser repeats a false claim, they are engaging in misleading and deceptive conduct.

  • Required Actions:
    • Validate the approved product list (APL): Review the due diligence for every product making an ESG claim. The claim must be substantiated by proof.
    • Marketing Statements: Remove all vague, unprovable language like “green” or “sustainable” from websites, brochures, and advice documents.

Major Changes: Cyber, AML and privacy

These are non-negotiable projects that must be initiated now to meet deadlines.

1. AUSTRAC: The 31 March 2026 AML program rewrite

This is the single largest and most complex compliance project for all AFSLs over the next 18 months. The 31 March 2026 deadline requires current reporting entities to have their new, updated Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) programs fully operational.

This is not a simple “tweak.” The new rules are a fundamental rewrite of the entire AML/CTF program, governance and risk assessment methodologies. This new program must be formally documented and approved by senior management before the deadline.

AUSTRAC has stated its regulatory expectation: it requires firms to show “sustained effort” and a “formal implementation plan” during this transition. A licensee that “waits until 2026” to begin this work will have no evidence of this effort, which will likely be viewed as a failure of governance.

  • Required Actions (Immediate):
    • Draft a formal, documented implementation plan. This document is, in itself, a critical compliance control.
    • Commence the new AML/CTF risk assessment immediately: this is the foundation of the entire program.
    • Draft the updated AML/CTF program based on the identified risks.

2. OAIC and Privacy: New liabilities

There are two game-changing privacy requirements.

  • Since 10 June 2025 – The Statutory Tort for Invasion of Privacy. This new law gives individuals such as clients a personal right of action to sue a firm directly for a “serious” invasion of their privacy. A simple “human error” breach, such as emailing the wrong client file, is no longer just an internal incident or a Notifiable Data Breach. It can now become a direct lawsuit seeking damages for emotional distress, even if no financial loss occurred.
  • Deadline: 10 December 2026 – Automated Decision-Making Transparency. This new rule is not just about future AI. It applies to any automated process that “significantly affects” an individual’s rights or interests. This includes existing systems. For example, a CRM that automatically segments clients into service tiers, or a risk-profiling tool that automatically generates a client rating, falls under this definition. Licensees have until this deadline to update their Privacy Policy to disclose what these systems do and how they work.
  • Required Actions:
    • Update the firm’s Data Breach Incident Response Plan to include a legal assessment of this new tort liability for every incident.
    • Ensure you have briefed the Professional Indemnity (PI) insurer to confirm coverage for this new tort.
    • Begin an “Automated Decision Register” to audit all existing practice software.

ASIC: The future of advice and enforcement

ASIC is driving core changes to the profession while simultaneously increasing enforcement in key areas.

1. Cyber-resilience as a director’s duty

ASIC has elevated cyber-resilience from an IT issue to a core, non-delegable AFSL obligation. The regulator is now commencing civil penalty proceedings against licensees for perceived cybersecurity failures.

The legal argument is that failing to maintain adequate cyber protections is a breach of a licensee’s, director’s, and responsible manager’s statutory duty of care and diligence. This risk also extends to a licensee’s suppliers, such as CRM providers and cloud hosts.

  • Required Actions:
    • Conduct a formal, documented Cyber Risk Assessment.
    • Audit all third-party supplier contracts that handle client data for security controls and data breach notification procedures.

2. The Quality of Advice Review (QAR) deadlines

  • Deadline: 10 January 2026 – QAR Tranche 1 (DBFO Act). This is the deadline for ongoing fee arrangements that were in place before 10 January 2025. The transitional period to move these clients to the new, simpler consent model ends on this date. Failure to migrate all clients by the deadline will mean an inability to legally collect ongoing fees from them.
  • Required Action: Licensees must ensure all clients are on track for the new ongoing fee arrangements for 10 January 2026.

From compliance burden to resilient practice

The regulatory burden through 2026 is undeniably challenging. The deadlines from ASIC, AUSTRAC, the OAIC, and the ACCC are not distant concepts; they are imminent, creating a perfect regulatory storm for AFSLs.

This storm, however, is navigable. Firms who act now will be able to meet these requirements. They will do more than just survive. They will be able to sail through this storm, emerging as the resilient, defensible, and trusted market leaders they are.

Amanda Mark is CEO of financial services regulatory risk consultancy MIntegrity
