Day One Session Summaries

These session notes are provided for the use of Summit attendees only and should not be distributed to a wider audience.

The Evolving Legal and Regulatory Backdrop for Australia's Non-Bank Finance Sector

Monday 22 June, 1:15pm

  • Rachel Walker, Partner, Gilbert + Tobin

  • Kerensa Sneyd, Partner, Allens

  • Edward Martin, Partner, Gadens

  • Steven Klimt, Partner, Clayton Utz

Key Insights

  • AUSTRAC's supervisory focus will shift decisively toward tranche 2 entities from 1 July. Tranche 1 entities can expect reduced enforcement pressure as AUSTRAC has deliberately wound up outstanding enforcement actions against them over recent years, but serious and systemic non-compliance will remain in scope regardless.  

  • Budget cuts to AUSTRAC mean resources will be stretched, driving greater reliance on external audits as a regulatory tool in preference to costly civil penalty proceedings. Enforcement activity will need to be strategic and prioritised, with a harm focus, not just a compliance focus, shaping case selection.  

  • Governance and board-level conduct is an increasing supervisory priority for AUSTRAC. Boards need to ensure they have genuine visibility over the health of their AML/CTF compliance programs, and strong compliance culture will be a material factor in how AUSTRAC directs its supervisory attention.  

  • Under new leadership, ASIC's enforcement approach may be more deliberate and targeted, not a return to "why not litigate," but a shift toward using enforcement as a market-shaping tool. ASIC may be more strategic in case selection, more willing to run cases where the law needs clarifying, and increasingly focused on systems and governance failures rather than isolated misconduct.  

  • ASIC is paying close attention to how businesses manage risk at scale and how system failures affect customers broadly. Recent cases, FIIG, ANZ, Mercer, share a common thread of systems going wrong. NBL executives should not assume small size provides insulation; ASIC will pursue example cases to set industry-wide standards. AFIA’s Industry Code of Practice will be a comparative advantage going forward. 

  • AFCA is increasingly declaring matters systemic and reporting them to ASIC, converting what firms treat as minor operational issues into regulatory enforcement risk. The Mercer case illustrates this: breach reporting failures seen as insignificant internally became significant at scale. "We've fixed it now" will not satisfy ASIC, the underlying conduct remains the focus. 

  • ASIC's hardship review findings underscored that robust systems and genuinely customer-positive processes are what good looks like. Box-ticking compliance is insufficient. It would be surprising if ASIC does not take hardship-related enforcement action against a firm within the next few years.  

  • The Money3 Federal Court decision was significant and a loss for ASIC, who declined to appeal. It clarified that reasonable inquiries under RLO do not require eliminating all risk or taking every possible step, that industry practice is relevant to the standard, and that lenders are entitled to rely on broker representations. However, the finding that bank statements should be used to verify expenses where available raises the bar on verification practice in a way many practitioners had not previously appreciated.  

  • AI can be accommodated within existing RLO frameworks under RG209's provisions on automated systems, but lenders must exercise care around how AI is trained, particularly regarding use of customers' personal information without consent.

  • Separately, the proposed abolition of negative gearing will directly affect how lenders assess investor property loan applications, requiring adjustments to serviceability methodologies.  

  • On DDO, broadly defining a target market offers no safe harbour, ASIC applies an appropriateness test and will not accept that approach. RLO assessments should actively inform target market determinations, and review triggers backed by robust data and statistics are increasingly important for demonstrating compliance.  

ACCC: Emerging Risks in Competition and Conduct Enforcement

Monday 22 June, 1:50pm

  • Luke Woodward, ACCC Commissioner

  • Fireside chat with Roza Losuzic, AFIA’s Executive Director Policy and Public Affairs

Key Insights

  • The ACCC's core regulatory philosophy is right-sized regulation: rigorous where harm is greatest, proportionate where regulatory burden risks holding back progress. Competition and consumer trust are treated as inseparable, with markets working well only when consumers have genuine choice and confidence in the options available to them. 

  • Digital markets are a current enforcement and policy priority, with the ACCC focused on data access, interoperability, and distribution arrangements that can restrict competition. The Equifax investigation, resolved through changes to exclusivity arrangements over payroll and superannuation data, was cited as an example of using targeted tools, including court-enforceable undertakings, to open access in developing markets. 

  • The unfair trading practices reforms currently before Parliament would introduce a principles-based prohibition on unfair conduct and specific obligations around subscriptions and fee disclosure. The Medibank case, where Justice Beach found conduct harsh and unfair but not unconscionable, illustrates the gap the reforms are designed to close. If passed, the regime commences July 2027. 

  • CDR uptake is accelerating, with over 1.4 million consumers served by CDR-enabled businesses in the second half of 2025, a 71% increase on the prior six months. As the framework expands into non-bank lending, the ACCC will maintain a proportionate approach, simplifying guidance and supporting exemption pathways where compliance burden is disproportionate. 

  • On CDR compliance and enforcement posture, the ACCC's approach is collaborative and guidance-led, with enforcement reserved for egregious cases. The NAB and CBA infringement notices reflected the maturity of those institutions in the regime, with well-established participants expected to have systems in place and regulatory posture adjusting accordingly. 

  • Data quality and information security are the ACCC's primary CDR compliance focus areas, particularly where failures could harm consumers or undermine the integrity of the regime. The approach leans toward guidance and education but will escalate to enforcement where necessary, as reflected in the infringement notices issued to NAB and CBA. 

  • On scams, the National Anti-Scam Centre now has over 50 active data-sharing arrangements across banks, telcos, digital platforms, digital currency exchanges, and law enforcement. The Scams Prevention Framework, introduced into the Competition and Consumer Act in February 2025, will see substantive obligations commence in March 2027, with banks, telcos, and digital platforms as the first designated sectors. 

  • The ACCC has streamlined powers to grant authorisations and class exemptions for competitor coordination under the new exceptional circumstances and national emergency exemption framework, allowing rapid coordination during major disruptions while safeguards remain, with agreements on price explicitly excluded. 

  • Digital ID represents a significant opportunity to improve efficiency, reduce fraud, and support safer participation in the digital economy. Private sector services will become eligible to join the Australian Government Digital ID System by end of 2026, and the ACCC sees the scalable verification mechanism as having material implications for market competition and innovation. 

  • On crisis readiness and supply chain shocks, the ACCC's role during recent disruptions focused on monitoring for anticompetitive conduct and providing transparency through data reporting, including moving to weekly fuel price reporting. Transparency helped demonstrate that price gouging was not occurring, directly informing government policy decisions and illustrating how market monitoring functions as a public good beyond enforcement. 

How to Avoid Being the Next AI Headline

Monday 22 June, 2:30pm

  • David Brykman, Founder & CEO, Bryk Group

Bryk Group is an award-winning Australian technology company with over 20 years’ experience delivering digital transformation, bespoke software development, and managed IT services to government, commercial, and corporate clients, with a dedicated focus on fintech.  

With leadership that includes deep expertise in finance, credit, and risk management, Bryk Group works with both established financiers and emerging fintechs to reduce operational and credit risk, strengthen compliance and identity controls, lower administrative costs, and improve agility through automation and system integration. 

Key Insights

  • There are only two types of companies: those that are great at using and governing AI, and everyone else. If you don’t understand it, you will fail.

  • The biggest risks are often invisible and already embedded in everyday processes.

  • “Don’t be the headline. Be the boring footnote. Because in systems, boring is beautiful.” 

Invisible & Embedded Influence – The Second Missing Risk

AI influence is not confined to executives making big decisions. It is already quietly shaping ordinary work: 

  • Contact centre conversation summaries 

  • CRM recommendations 

  • Fraud scoring 

  • Collections prioritisation 

  • Credit workflow suggestions 

  • Copilot recommendations 

The hardest AI influence to govern is the influence nobody notices. Most risk is not hidden in technology, it is hidden in ordinary work. 

The Agentic Shift – From Summaries to Actions

  • Yesterday’s AI advised the human after being prompted. Today it acts, often with no human in the loop. Areas already moving from advice to autonomous action include customer service (resolves and refunds), payments, fraud, collections, onboarding (including eKYC), and copilots that query core systems and execute steps. 

AI and Psychological Manipulation

  • Four phenomena are documented across models: persuasion (models can out-argue humans), sycophancy (flattery and validation of user beliefs), emotional dependency (especially for lonely users), and manipulation tactics. In one study, GPT-4 out-persuaded humans 64% of the time in debate. 84% of conversations were rated as manipulative by researchers. 

Monitoring vs Observability

  • Traditional monitoring tells you the system ran (uptime, latency, error rates). AI observability asks whether the output was correct, safe, faithful, on-policy, and free from drift. A response can be fast, cheap and technically successful and still be wrong, unsafe or off-policy. Most AI failures are quality failures, not outages — and standard dashboards miss them until a user complains. 

The Lethal Trifecta

Three capabilities should never be combined in one agent: 

  1. Access to private data (customer records, account data, internal systems) 

  2. Untrusted content (emails, documents, web pages an attacker can write) 

  3. Ability to send data out (email, API calls, web requests, tool actions) 

When all three are present, a single hidden instruction can turn the agent into a data-theft tool. IBM research showed 97% of AI-related data breaches were first detected through the AI itself. 

Accountability – The Four Challenges Test

Apply these four questions to any AI-influenced decision: 

  • What supports this? 

  • What contradicts this? 

  • What might be missing? (Omissions are usually more dangerous than errors.) 

  • Would I make the same decision without AI? 

Regulators and standards bodies are shifting the burden of proof onto the organisation. Yesterday’s question was “Is the model running?” Today’s question is “Can you prove it behaved?” The gap between those two questions is liability. 

Five Practical Questions for Your Team

  • Do we know when our AI gives a wrong or unsafe answer, before a customer does? 

  • Could we show a regulator or auditor exactly how our AI behaved, with evidence? 

  • Do we know our AI spend per use case, and would we catch a spike early? 

  • When we change a prompt or model, do we confirm quality didn’t drop? 

  • Who owns this: an engineering afterthought, or a governed business capability? 

Key Takeaways for AFIA Members

  • Map where agentic or generative AI is already embedded without human oversight (especially in credit, fraud, collections, onboarding and customer communications). 

  • Move beyond traditional monitoring to genuine AI observability that can detect drift, hallucinations, bias and off-policy outputs. 

  • Treat all external content as hostile by default when it reaches an AI that can act or send data. 

  • Require human approval for irreversible or outbound actions. 

  • Log and monitor agentic actions. Embed observability within solutions, not as an afterthought. 

  • Build (or adopt) an AI assurance framework

Early Engagement in Hardship: Lifting Capability Across the Industry

Monday 22 June, 3:20pm

  • Damien Farrell, Founder & CEO, Humbli

Key Insights

  • Humbli operates as a social enterprise supported by a philanthropic fund, focused on delivering economic and social value, particularly at the acute end of the hardship spectrum. Its mission is underpinned by a clear objective: to drive better outcomes for customers, businesses and the broader system through lifting industry practice. 

  • A key theme of the presentation was the opportunity for industry collaboration in hardship and vulnerability; an area not viewed as a source of competitive advantage. This is a “rising tide” opportunity, where sharing and scaling best practice benefits all participants.

  • Drawing on global data and cross‑market benchmarking, Humbli identifies leading practices that are currently unevenly distributed and works to curate and deliver them to all lenders. 

  • The presentation emphasised that behind the data are real human stories, reinforcing the urgency of action.

Humbli frames hardship support as a customer journey, centred on two core pillars: 

  • Accessibility – how easily customers can find and engage with support 

  • Support – the quality and effectiveness of the assistance provided 

To operationalise this, Humbli has developed two frameworks: 

  • The Hardship Accessibility Index, assessing how effectively lenders present hardship information, particularly via their websites 

  • The Hardship Support Index, a broader global benchmark of end‑to‑end support practices 

  • The session focused on the Accessibility Index. Findings from 120 Australian lenders across 43 metrics show material variation in performance, with non‑banks averaging 4.4 compared to 6.1 for mutuals and 7.1 for ADIs.  

  • A critical insight was the central role of websites as the first point of contact for customers in distress. Many individuals experience acute anxiety and distrust, leading them to seek information anonymously online rather than engaging directly. This reinforces ASIC’s focus (REP 782) on clear, prominent and accessible hardship information. Only around 30% of non‑ADIs adopt all key ASIC‑recommended actions from REP 782, and industry‑wide gaps are most evident in vulnerable customer care and access to external support services. Exemplars such as Pepper Money demonstrate what leading practice can look like. 

  • Humbli also highlighted its collaboration with AFIA on a member video resource for AFIA Finance industry Code of Practice Members, designed to support improved customer outcomes, which lenders can embed on their websites to strengthen hardship accessibility.  

Risk Transformation

Monday 22 June, 3:45pm

  • Christopher Murphy, Head of Risk Operations, Volvo

  • Sharron Yardley, Head of Reverse Mortgages / Head of Risk and Compliance, Brighten

  • Grant Howells, Chief Risk Officer, Moneytech

  • David Hannah, Chief Risk Officer, Allied Credit

Key Insights

  • The role of the CRO has broadened. Board accountability is becoming increasingly important as regulatory expectations continue to evolve.

  • Risk must be an intrinsic part of an organisation, ensuring employees at every level understand what risk means and how it should be managed.

  • Important to know the difference between risk and compliance

  • Equally important to be aligned to core business outcomes (i.e. growth, profitability, view to an exit).

    Key risks emerging

    • Artificial intelligence: if you think your employees aren’t using AI, that is untrue. They’ll be using it without any framework or policy (shadow AI use).  

    • Current economic conditions: Four key indicators: cash rate 4-5%, inflation around 4%, wage growth about 4%, asset growth is about 4%. Similar conditions were seen in early 2010s, but that can change very quickly.  

    • Strain on business: Fuel excise ends June 30, which will reintroduce more costs when businesses can least afford it and have low margins.

    • Balancing automation and growth with the risk of fraud: Don’t just leave cyber security with your CIO, partner with risk and technology sides of your business.

    Final thoughts

    • Operationalise risk documentation, controls and frameworks, so that risk is owned and understood by the frontline and built into processes – most important thing when it comes to emerging risks.

    • Balance operational risks with supporting customers, there is a use case to vary risk controls and risk appetites as long as it’s controlled in the right way.

    • AI policy trials and data governance frameworks, build a very specific version of AI that is carefully controlled, before building that out across wider teams. AI comes with a lot of risk if employees at all levels don’t know how to use it. I.e. Junior employees “don’t’ know what they don’t know”, when it comes to analysing AI outputs  

    • Customer vulnerability and hardship: Ensure staff are trained to identify vulnerability, recognise that any customer can become vulnerable at any time, and provide support that reflects individual circumstances rather than treating customers simply as deposit holders. For example, is your vulnerability guidance suitable for people from culturally and linguistically diverse (CALD) backgrounds or customers with cognitive impairment?

    • Build financial crime prevention into your business - if you see a suspicious matter, raise it, report it  

Next
Next

Day Two Session Summaries