Day Two Session Summaries

These session notes are provided for the use of Summit attendees only and should not be distributed to a wider audience.

ASIC Keynote: Conduct, Accountability and Market Integrity

Tuesday 23 June, 9:10am

  • Kate O’Rourke, ASIC Commissioner

  • Fireside chat with Diane Tate, AFIA CEO

Key Insights

  • ASIC’s work was framed as that of a “goalkeeper”: protective of system integrity and consumer/investor trust while enabling the finance sector (the “forwards”) to drive productivity through funding innovation, skills, new business processes and technology. 

  • Regulatory reform must be additive rather than a trade-off: productivity gains should not come at the expense of trust, market integrity or consumer confidence. Four interconnected streams of ASIC work were outlined:

    1. Regulatory Simplification (Playing out from the back)

    ASIC is actively reducing complexity in areas within its control to make it easier for businesses to comply and for consumers/investors to understand their rights. 

    Key initiatives include:

    • Major website overhaul: removal of approximately 9,000 obsolete pages and experimentation with AI to improve search and user experience. 

    • Transition from paper-based to digital processes: over 57,000 paper forms no longer being processed following recent changes allowing email lodgement. 

    • Ongoing review and simplification (or consolidation) of regulatory guides and legislative instruments, with an open invitation for industry to suggest overly complex instruments for review. 

    • Registry Connect program: uplift of business registers. From 1 July 2027 (subject to passage of the relevant bill currently before the Senate), Director IDs will be linked to company registers. This will enable: 

    • Directors to provide a business address instead of a residential address for service of documents (addressing security concerns). 

    • A more secure, authenticated system with reduced need for repeated personal details (e.g. date/place of birth). 

    2. Supporting Innovation (Wing play / charging forward)

    ASIC positions itself as a backer, not a blocker, of financial innovation, recognising its importance for productivity. 

    Key points:

    • The ASIC Innovation Hub has assisted more than 1,000 fintech and regtech businesses over the past decade. 

    • Review of the Enhanced Regulatory Sandbox is underway, with strong interest in creating a clearer graduated pathway from sandbox testing to full licensing. 

    • Participation in the RBA’s Project Acacia (CBDC / wholesale tokenised asset markets pilot) — positive results and ongoing work on digital money settlement infrastructure. 

    • Recent publication (with Digital Finance CRC) on practical steps to support financial innovation. 

    • Upcoming roundtable on financial market infrastructure and practices (late June). 

    3. Council of Financial Regulators (CFR) – Roadmap for Better Regulation (Midfield coordination)

    ASIC is an active participant in the CFR’s contribution to the Government’s productivity agenda. 

    Key outcomes:

    • The Roadmap on Better Regulation (published at the May 2026 Budget) contains over 50 commitments across regulators, of which 15 are ASIC-led or co-led. 

    • Treasury estimates the full package of commitments could reduce regulatory burden by up to $180 million

    • ASIC and APRA jointly led the workstream on improving data sharing and coordination, aiming to reduce duplication when regulators request information from industry (e.g. avoiding multiple similar requests in quick succession). 

    • The Regulatory Initiatives Grid (RIG), published twice yearly, provides a forward-looking, quarter-by-quarter view of upcoming consultations, reviews and implementation timelines to help industry plan. 

    4. Law Reform and Broader Economic Analysis (Set pieces)

    ASIC is contributing to structural reforms and the Productivity Commission’s current inquiry into business dynamism

    Relevant reforms include:

    • Changes to financial reporting thresholds (reducing the number of businesses required to prepare and lodge audited financial reports). 

    • Streamlining of the mandatory climate reporting framework. 

    • Reduced frequency of Internal Dispute Resolution (IDR) reporting (arising from the Small and Medium Business Review). 

    ASIC (as the insolvency regulator) has made submissions to the Productivity Commission inquiry highlighting areas for potential reform to support business dynamism and integrity, including simplified liquidation processes, interactions between insolvency and other structures (trusts, partnerships), pre-insolvency advice, and voidable transactions. 

    Upcoming ASIC Publications of Interest to Members

    • Reviews into debt management/credit repair and debt collection — expected in the coming months. 

    ASIC is committed to working collaboratively with the finance sector on shared goals of a strong, efficient and trusted financial system that supports productivity without compromising protections. 

    Cyber Resilience & Operational Risk

    Cyber was highlighted as a significant and rapidly evolving challenge due to increasingly sophisticated threat actors. Expectations regarding cyber resilience are embedded in the general obligations of financial services licences. The successful FIIG Securities Federal Court case demonstrated that these general obligations apply to cybersecurity controls and that ASIC will take action where systems are inadequate. 

    On 8 May 2026, ASIC issued practical guidance on cybersecurity in the context of AI tools. The guidance includes 12 actionable points and is described as a “practical call to arms.” Members who have not yet reviewed it are encouraged to do so. 

    Responsible Lending & Financial Inclusion

    In the current environment of cost-of-living pressures, some consumers seeking credit may be in more vulnerable positions. ASIC’s guidance on responsible lending obligations is intended to remain flexible and responsive to changing circumstances, including current economic conditions. 

    Guidance preferences across industry are split roughly 50/50 between those wanting high-level principles and those preferring more prescriptive examples. ASIC tries to accommodate both where possible. Recent examples clarified in guidance include: 

    • Treatment of HECS/HELP debt. 

    • Access to credit cards for retirees. 

    Hardship

    Hardship was described as an important and ongoing focus area. ASIC has completed two reports on hardship practices (the first focused on the four major banks; the second with a broader range of participants). Key themes include: 

    • The importance of appropriately tailored responses rather than purely standardised “cookie-cutter” approaches. 

    • Hardship requests as a useful indicator of financial stress in the community. 

    • The challenge of balancing consistency, transparency and standardisation with compassionate, individualised support. 

    ASIC continues to monitor hardship trends and encourages industry to adopt better practices highlighted in the reports. 

Fairness and Competition in the Data Economy

Tuesday 23 June, 9:50am

  • Dr Scott Farrell, Data Standards Chair for the Consumer Data Right (CDR) and Digital ID

  • Fireside chat with Roza Lozusic, AFIA’s Executive Director Policy and Public Affairs

Key Insights

  • The session offered a forward-looking perspective on the transformation of the digital economy, emphasising that this shift is already underway globally and will continue regardless of individual organisational readiness. 

  • A central theme of the presentation was the need to move away from fragmented digital systems toward an integrated model known internationally as Digital Public Infrastructure (DPI). Traditionally, key components of the digital economy – digital identity, data-sharing frameworks (such as the Consumer Data Right), and payment systems – have been developed as separate ‘roads”. While effective individually, this approach creates inefficiencies, limits interoperability, and increases risk when transitioning between systems. 

  • These systems are fundamentally similar. At their core, all operate as data networks that exchange valuable information, relying on trust, security, and resilience. The future model is therefore a multi-lane digital ‘highway’, where identity, data, and payments are seamlessly connected. Such integration would allow individuals and businesses to move easily between services, improving efficiency and enabling innovation. 

  • This transformation is not theoretical. Globally, many countries have already implemented elements of DPI, including digital identity frameworks, real-time payment systems, and data-sharing regimes. Australia’s approach, particularly its ambition to implement economy-wide data sharing, positions it well, though the broader challenge lies in achieving interoperability across systems. 

  • Interoperability is both a technical and policy challenge, requiring coordination across engineering, legal, and commercial domains. Encouragingly, lessons from payment system integration, particularly in cross-border contexts, can be applied to linking identity and data-sharing systems. 

  • A key forward-looking risk identified in the presentation is the rapid emergence of artificial intelligence, particularly agentic AI. These systems are increasingly capable of acting on behalf of users in economic transactions. However, this introduces a tension: AI systems operate probabilistically, while financial and legal systems require deterministic certainty. 

  • To address this, there is a need for a new interface layer that can translate AI-driven decisions into secure, rule-based actions within existing digital infrastructure. This challenge is compounded by the fact that many AI standards are being shaped by global technology firms, which may not align with national regulatory frameworks or financial system requirements.

  • The privacy regime of the EU, GDPR, is potentially at odds with the productive and enabling capability of agentic AI. 

  • While Australia is not behind in this transition, the pace of change is rapid and requires proactive engagement. The integration of digital identity, data sharing, and payments (combined with the rise of AI, and particularly agentic AI) will define the next phase of the digital economy. Understanding and shaping this convergence is critical to managing future risks and capturing its benefits. 

  • There was a call for industry assistance in developing further the CDR for lending access to ATO data. More broadly, the development of the digital economy should not be left only to the public policy developers. It needs to work for industry, and so industry needs to step in to support.  

AUSTRAC: Emerging Risks in Competition and Conduct Enforcement

Tuesday 23 June, 10:55am

  • AUSTRAC CEO Brendan Thomas

  • Fireside chat with Dr Emma Penzo, Head of Regulatory Policy, AFIA

Key Insights

  • AML reporting in the sector has improved materially since last year. AUSTRAC had been blunt last year about poor reporting standards following its NBL AML reporting campaign, but said there has since been significant improvement, helping better protect customers and the financial system. 

  • Across the sector, Suspicious Matter Reporting (SMR) have increased by up to 12% year-on-year, and the number of businesses submitting reports has risen by 20%. Despite this progress, AUSTRAC still expects stronger reporting uplift. 

  • Money laundering networks are becoming more sophisticated and corporate-like. Australia is seeing increasingly advanced laundering operations using multiple financial products, payment channels, and encrypted communications. These are no longer loosely connected criminal groups, but highly organised networks with structured operating models. 

  • Illicit money flows are rising, driven particularly by drugs and illegal tobacco. The volume of illicit money in Australia is increasing, with key drivers including the sale of illicit drugs and the illegal tobacco trade. 

  • Insider-enabled fraud is a growing threat. Criminals are increasingly exploiting insiders to bypass organisational controls. As a result, cultural integrity, governance, and staff vetting are now just as important as technical AML controls. 

  • AI is accelerating both criminal activity and AUSTRAC’s response. Criminals are using synthetic identities, deepfake audio/video, and AI-enabled tactics to move money faster than firms can detect. In response, AUSTRAC is also using AI to analyse SMRs more quickly, identify patterns at scale, and provide faster feedback to industry and law enforcement. 

  • Fraudulent lending activity is an emerging concern distinct from classic AML issues. AUSTRAC is seeing recurring behaviour where lending systems are being used to conceal fraudulent information, placing strain on traditional controls. There is a distinction between this issue and broader AML/CTF concerns in the real estate market. 

  • “Micromoney laundering” is becoming more common. Another emerging pattern is small, frequent transactions spread across multiple businesses, making suspicious activity much harder to detect through conventional monitoring approaches. 

  • AML/CTF legislative changes from 31 March place risk and governance at the centre. The focus is on ensuring organisations properly understand and manage the specific risks they face, with stronger accountability and governance. The AML officer role is fundamentally important, not intended as a default “fall person,” but as a key governance and culture leader.

Redefining Cyber Readiness: Building Resilience in an Era of Escalating Threats

Tuesday 23 June, 11:30am

  • John McPherson & Emma Butler, Partners, Ashurst Risk Advisory

Key Insights

Geopolitics is actively shaping the threat landscape

  • Geopolitical tensions are a major driver of cyber activity. Criminal networks appear to have been under pressure to keep a low profile in recent months (possibly linked to summits and enforcement), but this is likely to reverse, with increased activity expected over the next six months. China’s periods of quiet are strategic, not accidental. APRA has explicitly called out geopolitics as a driver of cyber, operational, and broader risk, urging regulated entities to manage it. A striking real-world example cited was the use of AI to target data centres in Middle East conflict zones.

Regulatory and judicial expectations are rising sharply

  • Multiple regulators are active: APRA (operational resilience and supply chain risk), ASIC (expectation of “thorough and comprehensive planning” for significant cyber incidents), the Office of the Australian Information Commissioner (OAIC), and the courts. 

  • A standout example was the recent FIIG Federal Court case, in which ASIC successfully took action against a company for failing to meet the required standard of cyber readiness. The company was penalised $2.4 million, double the estimated cost of an adequate compliance program ($1.2 million). The court’s key message was that organisations must adequately resource cyber resilience across three domains: technology, financial investment, and people/skills (from board level downward). Directors now face personal liability considerations, not just strategic risk. 

AI has fundamentally accelerated the threat

  • AI tools (such as the Mythos large language model) can now identify and exploit vulnerabilities at extraordinary speed. Average time to remediate vulnerabilities has collapsed from 771 days (2018) to 54 days (2024) and, in some cases, to minutes or hours today. The Five Eyes intelligence community has warned that AI is already being used by attackers; defenders who do not integrate AI into their own capabilities will fall further behind. A real-world illustration was a US company whose production server was deleted by its own AI agent during an “update” process, the AI admitted it had circumvented its own controls. AI governance and security remain major gaps. 

Ransomware is back on the agenda

  • Ransomware activity and willingness to pay are increasing among Australian organisations. Under the mandatory ransom payment reporting regime, 94 Australian companies reported paying a ransom in the first nine months (including 17 critical infrastructure entities), representing tens of millions of dollars flowing to criminals. 

  • Most organisations that pay do so because they are not adequately prepared to respond without paying. Paying almost never ends the incident: regulatory scrutiny, customer and member impacts, system recovery issues, and reputational damage continue (the “long tail”). Data often surfaces later anyway. Common post-incident regrets include: insufficient simulation and stress-testing, weak communication planning (especially around regulatory notifications), and poor documentation of cyber decisions and investments (board minutes on these matters are frequently the most valuable artefacts in post-incident reviews). 

  • Human impacts are real and severe, particularly for vulnerable individuals (e.g., family violence situations where address or personal details are exposed). Upcoming class actions (Optus, Medibank) are expected to highlight these downstream effects further. 

Core Takeaways for Attendees

  • View cyber through an integrated legal + risk lens. Cyber risk touches every part of the organisation; siloed approaches (IT-only, risk-only, or legal-only) are insufficient. 

  • Security and resilience are about the choices and compromises you make, and your ability to demonstrate and govern those choices effectively. 

  • Preparation is non-negotiable: Conduct regular simulations and stress tests; develop clear communication protocols (internal, public, and regulatory); maintain detailed records of cyber decisions and investments. 

  • Adequate resourcing (technology, funding, and skilled people at all levels, including the board) is a judicial and regulatory expectation. 

  • AI is here now:" both as an attack tool and a necessary defensive capability. Organisations that delay integrating AI into defence will be at increasing disadvantage. 

  • No one ever regrets being over-prepared. The biggest regrets come from under-preparation. 

Organisations that treat cyber resilience as a holistic, well-documented, and tested capability, rather than a purely technical or compliance exercise, will be best positioned to withstand both regulatory scrutiny and real-world incidents. 

Financial Crime & Fraud Risk – Responding to a Shifting Threat Landscape

Tuesday 23 June, 12:00pm

  • Tony Meredith, COO and Drew Beresford, Head of Sales, Equifax

Equifax has made the 2026 Fraud Index Report available to AFIA Members (this is normally limited to Equifax’s Fraud Focus Group members and selected partners). The Fraud Index Report aggregates Equifax's proprietary data with public and third-party sources, highlighting shifting fraud trends.

Key Takeaways

  • Equifax believes collaboration is the key is to combat fraud. For Equifax, this involves data sharing with integrity and strict adherence to privacy principles as well as community collaboration. Their Fraud Focus Group has 125+ members

  • While the definition of fraud remains the same, what has changed is how that fraud is disguised. Technology creates seemingly impenetrable masks  

    The current threat landscape

  • Based on 2024-25 data, Australians reported $3 billion in scam losses.

  • The Equifax Fraud Focus Group helped identify $1.57 billion in application fraud in 2025 

  • While overall volume of fraud listings only grew by 4%, the true danger lies in the mix shift. Criminals are moving away from traditional ID theft towards high-value credit targets and complex mule networks 

  • Based on 2025/26 data, New Zealand reported $1.6 billion annual cyber crime loss. The dangerous part is the scams that aren’t reported  

  • There are macro forces changing the landscape of fraud: economic factors and opportunism, agentic Ai scams and deep fakes, traditional fraud, industrialised phishing 

  • Equifax has also seen a tactic shift: synthetic identities driven by AI capability and significant growth in first-party fraud attributed to socioeconomic pressures. They have seen a decline in identity takeover, due to broader adoption of biometrics  

  • They described a 'Sleeper Synthetic Identity curve – where a bad actor builds a credit history over a period of 18 months, so that repayments show good account health, before committing fraud 

  • When it comes to broker loans and mortgage fraud, 74% of brokers say that they are facing escalating fraud  

  • There is a Scams to Fraud feeder loop: Scams are often identity harvesting using an ecosystem of exploitation and money laundering -> 90.9% mule activity surge 

Summary

  • Firms should adopt an adaptable layered approach: identity verification, biometrics and liveness, document validation, device intelligence (machine to machine trust scoring), email checks (analyse email age and risk history), payment fraud  

  • Scams are the feeder system (low-level, non-credit scams are manufacturing the disposable accounts and synthetic identities that can attack high-value products tomorrow). AI has industrialised the thread, collaboration is the only defence 

  • Defending in silos leaves businesses vulnerable. Government, industry and data providers need to work together to turn isolated vulnerabilities into a unified shield 

OAIC Update

Tuesday 23 June, 1:25pm

  • Carly Kind, Privacy Commissioner, OAIC

Key Takeaways

Regulatory Philosophy and Proposed Reforms

  • The OAIC is mindful of concerns about “performative regulation” and is focused on ensuring compliance is not overly burdensome. A priority is “spelling out what good looks like” through practical guidance. 

  • A key proposed reform supported by the OAIC is the introduction of a fair and reasonable test in the Privacy Act. This would require the collection, use or disclosure of personal information to be fair and reasonable in the circumstances, even where an individual has consented. The reform aims to address power imbalances, prevent consent being used to legitimise unfair or unreasonable practices, and give organisations greater clarity to innovate responsibly.

Enforcement Focus

  • The OAIC has become more enforcement-oriented, prioritising matters that can reshape market practices and address significant harms. Recent and upcoming actions align with priorities around rebalancing power and information asymmetries (particularly in rental, credit reporting, data brokerage and ad tech sectors) and risks associated with artificial intelligence and excessive collection or retention of personal information. 

  • Examples include determinations involving American Express (security protections) and Optus (publication of personal information), an investigation into third-party tracking pixels on health websites, and a recent determination on excessive collection in the rent tech sector. An investigation into Latitude Financial’s personal information handling practices is in its final stages. 

2026 Australian Community Attitudes to Privacy Survey

Key findings from the recently released survey of more than 1,500 Australians include: 

  • Only 10% believe organisations handle their data fairly. 

  • 90% do not want data collected for one purpose to be used for another (e.g. targeted advertising, AI training or sale to third parties) without consent. 

  • 96% want guardrails and protections for AI; trust in AI companies is very low (4%). 

  • The finance sector is viewed as having high responsibility for responsible AI use (68% of respondents). 

  • Many Australians feel they lack genuine choice and control over their personal information, with strong support (93%) for a legal right to request deletion of personal data. 

These insights continue to shape the OAIC’s regulatory posture and focus on areas of greatest community concern. 

AML/CTF Reforms (Effective 1 July 2026)

  • Approximately 120,000 new businesses — including real estate professionals, lawyers, accountants and other professional service providers — will come under the Privacy Act as a result of tranche 2 AML/CTF reforms. The OAIC has issued updated guidance and a template privacy collection notice to support the transition. 

  • Key messages include collecting only the personal information reasonably necessary for AML/CTF compliance (not broader organisational functions) and minimising the retention of full identity documents, which can exacerbate data breach harms. Digital ID is promoted as a privacy-preserving alternative. The OAIC will take a proportionate and reasonable approach to enforcement, particularly for smaller operators during the transition. 

Automated Decision-Making (ADM) Transparency Obligation (Effective 10 December 2026)

  • From December 2026, privacy policies must include information about substantially automated decisions that significantly affect individuals’ rights and interests. OAIC guidance is expected in September 2026. 

  • This responds to community wariness about AI and ADM, especially in high-stakes contexts such as credit decisions. While ADM and AI can deliver efficiency, accuracy and consistency, transparency is the foundation for building trust and enabling accountability. 

Children’s Online Privacy Code (December 2026)

  • A new set of rules will apply higher privacy protections for children across the entire online environment — not just social media. Organisations will need to consider the best interests of children, provide more child-friendly privacy information, and give kids greater control over their data. This is a potentially significant shift that could change how future generations experience the internet. 

AI, ADM and Trust

  • While the new ADM transparency obligation (also December 2026) is an important first step, it is largely symbolic because most people don’t read privacy policies. Trust is the biggest barrier to AI adoption — both from the public and from employees inside organisations. Companies need to actively demonstrate trustworthiness through clear communication about how and why they use AI, rather than assuming trust will follow. 

Regulatory Coordination

  • Coordination between regulators remains challenging. AI adoption is happening unevenly across sectors, and current secrecy provisions make it difficult for regulators to share intelligence effectively. Privacy complaints to the OAIC have risen sharply, but AI-related issues are not yet showing up strongly in complaints. Greater information sharing and interpretive alignment between regulators (OAIC, ASIC, APRA) will be needed as AI use grows. 

“Reasonable Steps” – A Strength of the Australian Approach

  • Australia’s flexible, principles-based framework was highlighted. The requirement to take “reasonable steps” allows the OAIC to scale its expectations according to an organisation’s size, resources and risk — making the Privacy Act workable across the whole economy. 

CDR and Screen Scraping

  • The OAIC strongly supports wider adoption of the Consumer Data Right. A recent review of screen scraping practices raised concerns about security risks. Going forward, the OAIC will increasingly ask whether it remains “reasonable” for organisations to continue using screen scraping when CDR is available. Noting there are not a large amount of community complaints on screen scraping, the regulator will take a proportionate, intelligence-led approach rather than a hardline stance in the short term. 

Overall Message

  • Meaningful progress on privacy and AI will require systemic and regulatory action, not just relying on individuals to protect themselves.

  • Greater alignment of privacy and consumer data rules where possible. 

Ethics in AI – Balancing Innovation, Compliance and Accountability

Tuesday 23 June, 2:00pm

  • Kendra Fouracre, Senior Associate, Mallesons

Key Takeaways

  • AI adoption has accelerated faster than both the personal computer and the internet and is now embedded across organisations. With more than half the population using generative AI and widespread corporate uptake, the focus has shifted from whether to adopt AI to how to use it responsibly without falling behind. 

  • At the same time, regulatory scrutiny is increasing. APRA and ASIC have made clear that managing AI risk is now a priority, particularly in financial services. APRA has warned that failure to adequately manage AI risks may lead to supervisory action, and AI risk is increasingly viewed at a systemic level alongside major global threats. This signals that AI is no longer just a technology issue, but a core governance and risk concern. 

  • A key theme was the breadth of AI risk. These include performative risks such as hallucinations, bias, and security issues; compliance risks where systems may breach laws such as privacy, consumer, or discrimination laws; and use risks arising from misuse or over-reliance, including fraud and deepfake scams. There are also broader concerns such as reputational impact, reliance on third parties, and environmental costs. 

  • Generative AI has amplified these risks, but the next shift, agentic AI, introduces a more significant change. These systems can act autonomously, making decisions and executing tasks without human involvement. This fundamentally shifts the focus from simply assessing outputs to understanding what actions AI systems take, whether they are authorised, and how accountability is maintained. 

  • Traditional IT governance frameworks are not sufficient to manage this complexity. AI is adaptive, widely embedded in everyday tools, and often used without formal approval, leading to ‘shadow AI’ across organisations. A more tailored governance approach is required. 

Key elements of effective AI governance

  • A clear governance framework supported by an AI or acceptable use policy, defined roles and accountability, and a risk-based approach to managing different use cases. Staff training is essential to ensure proper understanding and use.

  • Organisations must also maintain an inventory of AI tools, as it is not possible to manage risks without knowing where AI is being used. Incident management processes, along with a clear AI strategy and supporting technical controls, are also critical. 

  • Organisational leadership plays a central role. While AI use spans the organisation, accountability ultimately sits with boards and senior management. Leaders must set strategy aligned to risk appetite, ensure effective oversight, foster a responsible culture, and build sufficient AI literacy to make informed decisions. 

  • Importantly, organisations are at different stages in their AI journey, and even leading institutions are still developing their approaches. The priority is not perfection, but rather, having a structured and evolving governance framework in place. 

AI offers significant opportunities, but these can only be realised through active and responsible management of its risks. The goal is not to slow adoption, but to enable its safe and effective use.  

The Consumer Lens: Balancing Risk, Fairness and Financial Resilience

Tuesday 23 June, 2:30pm

  • Stephanie Tonkin, CEO, Consumer Action Law Centre

  • Dominic Meyrick, CEO, Financial Counselling Australia

  • Paul Holmes, Director Disaster Relief, Legal Aid Queensland

  • Erin Turner, CEO, Consumer Policy Research Centre

Key Themes

Household Financial Pressures

  • Cost-of-living pressures remain intense and are now affecting a broader demographic, including many in full-time employment (30% of recent National Debt Helpline callers nationally). Individuals are typically juggling multiple, overlapping commitments across housing, energy, buy-now-pay-later, telco and everyday expenses. This creates cross-sectoral strain, particularly for people already experiencing vulnerability, but increasingly for working households and a new cohort unfamiliar with navigating financial difficulty systems. Many find the process intimidating and disempowering. 

Hardship Responses – What Good (and Poor) Practice Looks Like

  • Effective hardship responses are tailored, flexible and genuinely consumer-centred rather than standardised or “cookie-cutter”. Clear communication through multiple channels and a real range of options are essential. The sector (in collaboration with industry and regulators) has developed the 10 Principles of Good Hardship as a practical reference point. 

  • Poor responses often trigger cycles of disengagement, loss of trust in institutions, compounding problems and worse outcomes for both consumers and lenders. Advocates stressed that the best outcome is preventing people from entering hardship in the first place through robust responsible lending — verifying information, assessing requirements and objectives, and avoiding unsuitable credit — rather than relying solely on post-default hardship processes. Staff incentives should reward sound decisions (including declining unsuitable loans), not just origination volumes. 

Scams, Fraud and Emerging Risks

  • Scams and scam-adjacent issues (including fraud and problematic lead generation) are causing significant and growing harm. One frontline service alone reported $8 million lost to scams in a single recent quarter, with consumers often having nowhere to turn. This is an ecosystem-wide problem involving digital platforms, communications channels and financial service providers. 

  • Lenders can become entangled when consumers are manipulated into taking out loans as part of scams. In these cases, victims should be treated compassionately as victims of crime rather than pursued in ways that compound their harm. Advocates noted that the post-incident response from financial institutions is frequently reported as the most distressing part of the experience. Regulatory settings are still developing; businesses are encouraged to invest proactively in protecting customers and fortifying systems now. 

Communication, Engagement and Process

  • Plain, accessible language is critical. Legalistic or overly formal communications discourage engagement and can escalate issues unnecessarily. Early, supportive contact — meeting people where they are and recognising that financial problems are rarely their only concern — produces far better outcomes than later enforcement action. The first or second interaction is often decisive. 

Opportunities for Industry

Panellists highlighted several practical steps AFIA members can take: 

  • Maintain a strong customer focus in everyday decisions — from responsible lending assessments and hardship tailoring to scam/fraud responses. 

  • Explore opportunities to support the financial counselling sector (e.g., contributions to the industry fund) to help reduce wait times and strengthen the broader ecosystem that assists consumers navigate complexity. 

  • Simplify customer-facing documents and engage early with financial counsellors and legal services to resolve issues before they escalate. 

  • Participate in collaborative forums, including the upcoming AFIA hardship roundtable, to develop humane and practical responses to longer-term and complex hardship situations (including asset sale or exit decisions). 

Financial Resilience, Insolvency & the PPSR – AFSA’s Role in a Changing Credit Landscape

Tuesday 23 June, 3:30pm

  • Tim Beresford, CEO, Australian Financial Security Authority, AFSA

  • Fireside chat with Dr Emma Penzo, Head of Regulatory Policy, AFIA

Read Tim Beresford’s full speech at the 2026 AFIA Risk Summit here.

Key Takeaways

Global Risk Environment & Trust

  • Highlighted rising global risks, particularly geopolitical volatility in the Middle East and the rapid pace of AI development outpacing risk management capabilities. 

  • Noted the long-term erosion of public trust (citing the Edelman Trust Barometer), with trust becoming more local and personal. Stressed that regulators and credit providers must demonstrate consistency, transparency, fairness, and follow-through to maintain credibility. 

  • Welcomed AFIA’s new Code of Practice (effective 1st October) as a positive, industry-led step that sets clear standards for conduct and disclosure in the non-bank and specialist lending sectors. Real value lies in the Code shaping behaviour when no one is watching — i.e., when staff make decisions because it is the right, fair, and transparent thing to do, not merely because it is lawful. 

Financial Resilience & Insolvency Trends

  • Australian households, especially at the margins, are showing declining financial resilience. One in five debtors in the personal insolvency system have assets-to-liabilities ratios below 10%, leaving minimal buffers against shocks (e.g., job loss, health issues, or cost-of-living pressures). 

  • Personal insolvencies are rising modestly from post-COVID lows (projected ~13,500 this year and ~15,200 in 2026/27) but remain well below GFC peaks. This represents a healthy “reversion to the mean” for capital allocation, though it creates real hardship for individuals. 

  • Credit usage is shifting: unsecured personal credit as a share of GDP has roughly halved since 2008, with greater reliance on secured credit (redraws, offsets). Buy Now Pay Later (BNPL) has become mainstream — now present in around half of personal insolvency cases (60–65% for those under 29) — alongside growth in payday lending and crypto-related products. This creates a higher-risk environment, particularly for the most vulnerable cohort. 

Creditor Behaviour & System Integrity

  • In creditor-initiated bankruptcies (around 10% of total insolvencies), strata managers, non-bank lenders, and motor vehicle financiers now account for nearly a quarter of cases (big four banks <1%). Private schools have also emerged as users of the process. 

  • Warned against misuse of bankruptcy as a debt-collection tool (e.g., for school fees or strata arrears), which undermines the system’s purpose of providing a fresh start while returning value to creditors. AFSA intends to write to organisations exhibiting this behaviour and encouraged industry to report concerns. 

AFSA Regulatory Priorities

  • Personal Insolvency Agreements (PIAs): AFSA is focused on proposals that deliver poor returns to creditors or appear designed to protect debtor wealth. In a high-profile example (John Angelus — the largest bankruptcy since Alan Bond), a PIA offered just 0.15 cents in the dollar. AFSA escalates concerns in ~15% of PIAs reviewed and uses statutory powers where needed. Creditors were urged to review proposals carefully, participate in voting, and engage with registered trustees. 

  • PPSR Integrity: Emphasis on removing outdated registrations promptly (a legislative obligation). Recent targeted engagement with the top 120 secured parties has already resulted in the removal of over 215,000 stale registrations, improving credit access and reducing friction in commerce. One major motor vehicle financier alone removed nearly 40,000 before the meeting. AFSA encouraged ongoing proactive hygiene of the register. 

Call to Action — Collective Stewardship

Risks are interconnected and cannot be managed by any single organisation or regulator. Industry participants see issues on the ground that AFSA does not. Finance firms are called to:

  • Maintain robust hardship processes to help vulnerable customers get back on track where possible. 

  • Participate actively in PIA processes and report poor proposals. 

  • Keep PPSR registrations current and remove them when no longer required. 

  • “If you see something, say something” — report emerging risks, misconduct, or system issues to AFSA or through AFIA channels. 

Misuse of Personal Insolvency Agreements (PIAs)

  • Hartnett Service Trust case is an example of a PIA where related parties (including a trust and the debtor’s wife as a creditor) were used to artificially reach the 75% voting threshold. 

  • The Federal Court (Justice Kylie Downes) described the arrangement as unreasonable.

  • Creditors who find themselves in the minority in similar questionable proposals should contact AFSA, reinforcing the earlier message to “say something” when arrangements do not appear genuine. 

Rising Financial Vulnerability & Lender Responses

  • Noted observations from financial counsellors that ~30% of callers to the National Debt Helpline are in full-time employment — indicating financial stress is no longer limited to traditional crisis cohorts. 

  • The most effective industry response is the development of robust, well-resourced hardship programs. Success is measured by helping people get back on track before they enter the insolvency system. 

  • Current insolvency increases reflect a reversion to the long-term mean rather than a new crisis peak and encouraged lenders to focus resources on prevention through effective hardship support while maintaining prudent lending standards. 

Data Sharing & Single View of the Customer

  • The Fintel Alliance (led by AUSTRAC) was noted as a promising vehicle for improved, privacy-respecting data sharing on complex issues. There is potential for the Alliance to evolve beyond its original AML/CTF focus. 

Financial Literacy

  • Many people enter financial difficulty partly due to limited financial literacy. 

  • This is a broader societal and systemic issue that requires attention across the education system — from early childhood and school levels through to tertiary education — rather than being solely the responsibility of lenders at the point of credit application. 

Previous
Previous

Day One Session Summaries

Next
Next

Day Three Session Summaries