Key trends, sectors and areas of compliance focus for Australian regulators
2025 has already been a transformative year for regulatory enforcement, shaped by advances in technology and evolving standards of consumer protection. Australian regulators are under increasing scrutiny and will continue to adopt a proactive and, in some cases, an interventionist approach. We have seen regulators ramping up enforcement action to address new challenges prompted by technological innovation, ranging from ESG disclosures to AI, cyber security and cryptocurrency, as well as continuing to take a tough stance on corporate misconduct. ASIC remains particularly focused on protecting vulnerable consumers and on actions against directors and officers.
Overview of key regulatory themes
Increased regulatory enforcement: Australian regulators like ASIC, ACCC, AUSTRAC, ATO, APRA and OAIC are under increasing scrutiny from lawmakers, the media and the general public. These regulators continue to be more active in their conduct of investigations and in pursuing Court-based outcomes. Organisations now face the risk of concurrent regulatory investigations in respect of the same incidents and conduct. Businesses that face heightened media or parliamentary scrutiny will often shortly thereafter face regulatory scrutiny, which in turn can increase the risk of class action attention. See for example the Optus cyber attack. That incident prompted investigations by ACMA, OAIC and the AFP, as well as class action proceedings commenced on behalf of affected Optus customers. See an overview of ASIC’s 2025 key issues outlook in our Financial Services: Regulatory Recap here.
Financial fraud and scams: Regulators like ASIC and the ACCC are focused on disrupting scams under the Scams Prevention Framework Bill (see our insight here), which passed through parliament on 13 February 2025. The new laws impose a positive obligation on banks, telecommunications companies and social media and technology companies to prevent, detect, disrupt, respond to and report scams and attempted scams. Businesses face additional scrutiny on their ability to ensure they have adequate controls to prevent and detect unauthorised payments and to adequately investigate customer reports of unauthorised transactions. Regulators are also willing to commence proceedings where they believe that a business has failed to adequately prevent scams against its customers (for example, proceedings commenced by ASIC against HSBC Bank Australia Ltd on 13 December 2024).
ESG compliance, greenwashing and climate risk: The significant penalties obtained by ASIC in 2024 and 2025 for instances of greenwashing (Mercer Superannuation (Australia) Limited $11.3 million, Vanguard Ethically Conscious Global Aggregate Bond Index Fund $12.9 million (see our insight here) and Active Super $10.5 million (see our insight here)) highlight the importance of ensuring that businesses do not misrepresent the environmental, sustainability or ethical credentials of their products. Banks, insurance companies and superannuation funds should actively consider the financial implications of climate risk in decision making as APRA moves to create more onerous expectations in this regard. See our insight on Greenwashing and what to expect for 2025 here.
Cyber security and data privacy: A series of high-profile data breaches and cyber attacks in Australia (for example Australian Clinical Labs, Medibank and Optus) have underscored the regulatory and ancillary risks that organisations face in the wake of cyber attacks. Recent amendments to the Privacy Act (see our insight here), including the introduction of a new statutory tort for serious invasions of privacy, are also likely to encourage plaintiff law firms to commence representative proceedings on behalf of customers affected by large-scale privacy breaches. Regulators are also sharpening their focus on who is responsible for cyber resilience, with ASIC’s chairman Joe Longo warning that ASIC will consider bringing charges against directors who fail to adequately prepare for cyber attacks, and APRA flagging that it is seeking to raise industry standards of cyber risk management.
Product Design and Distribution Obligations (DDO) compliance: The significant penalties recently obtained by ASIC against Amex ($8 million) (see our insight here) and Firstmac ($8 million) in the financial sector underscore the importance of businesses complying with their DDO obligations and ensuring their financial products meet customer needs. As ASIC continues to focus on this area, it will be vital for businesses to ensure they have adequate systems, policies, practices and procedures to address identified or reasonably identified risks associated with retail product distribution.
Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF): Regulators such as AUSTRAC and ASIC continue to target AML/CTF non-compliance, particularly in the financial and gaming sectors (for example, the commencement of civil penalty proceedings by AUSTRAC in December 2024 against Entain Group Pty Ltd, which operates online betting sites including Ladbrokes and Neds). The financial and reputational consequences of potential non-compliance continue to be significant for both directors and businesses. For example, SkyCity Adelaide Pty Ltd was ordered to pay a $67 million penalty for breaches of the AML/CTF Act. Additionally, ASIC is pursuing legal action against 11 current and former directors of The Star Entertainment Group Limited for alleged breaches of their directors’ duties. In January 2025, amendments to the AML/CTF Act commenced, enhancing AUSTRAC’s information-gathering powers, including the power to compel people to attend compulsory examinations.
ATO and promoter penalty laws: Reforms introduced to the ‘promoter penalty’ regime in late 2024 have increased the ATO’s power to target advisers who are involved in the design, marketing and implementation of schemes or arrangements that are designed to reduce clients’ tax or increase refunds (where the benefits are not available under tax laws). We expect the ATO will take a more proactive, aggressive approach in this area, with the reforms extending the time for the ATO to commence civil proceedings and increasing the maximum civil penalties for both bodies corporate and significant global entities to $780 million.
Corporate governance and accountability risks: ASIC continues to focus on directors’ compliance with their duties across all elements of business life, with significant penalties and disqualification periods being sought and obtained by the regulator in 2024. See ASIC Chair Joe Longo’s speech on directors’ duties on 12 March 2025.
Insider trading and market manipulation: Upholding market integrity is an enduring priority for Australian regulators, with ASIC announcing in late 2024 the establishment of a new dedicated team to target insider trading and the expedition of criminal insider trading cases from investigation to prosecution, if appropriate.
Sector-specific regulatory risks
Crypto, fintech, telecom and digital platforms
Key risks:
Consumer protection, unlicensed conduct, scams, design and distribution obligations, vulnerable consumers, cyber security and AML/CTF compliance.
Notable cases:
ACMA commenced proceedings against Optus in the wake of a cyber attack that resulted in the data of 9.5 million customers being accessed by a ‘bad actor’ who exploited a coding error. ACMA alleges that Optus failed to protect the confidentiality of its customers’ information from unauthorised access. As a result of the incident, over 3 million customers had their physical addresses accessed and approximately 10,000 customers had their personal information published on the dark web. Optus is also facing a class action, and two ‘representative’ style complaints were filed with the OAIC with respect to this incident.
Amex has been ordered to pay an $8 million penalty for design and distribution obligations (DDO) regime breaches (see our insight here). Amex made a target market determination (TMD) for co-branded Amex/David Jones cards which were primarily offered to customers in David Jones’ retail stores. ASIC alleged that, due to cancelled application rates for those cards (which were 60%), Amex should have known that the TMD for the co-branded cards was no longer appropriate. The decision highlights that businesses should ensure that they have adequate systems and processes in place to monitor new developments and circumstances which could suggest that a TMD is no longer valid.
Web3 Ventures Pty Ltd (Block Earner) was relieved from liability to pay a penalty after it was found, in earlier liability proceedings, that a product (the Earner product) that it no longer offered was a managed investment scheme and an investment facility, and that Block Earner had contravened the Corporations Act 2001 (Cth) by operating the product without an AFSL and not registering the scheme. ASIC had sought a penalty of $350,000 to be imposed. However, the Court found that Block Earner should be relieved from paying a penalty as it was satisfied that Block Earner had acted honestly, without any intent to gain an improper benefit or advantage, and in circumstances where Block Earner had made a genuine attempt to comply with the law. ASIC has appealed the penalty decision, and Block Earner is cross-appealing in relation to the findings of liability in relation to the Earner product. The appeal was heard on 6 March 2025.
2025 outlook:
There will be ongoing regulatory scrutiny of cryptocurrency and FinTech products and services and the platforms on which they are offered and operate. In 2025, regulators will continue to regulate through litigation and proactively commence enforcement proceedings as they seek to test the applicability of traditional financial services laws to new products, services and platforms in an effort to extend and clarify the ‘regulatory perimeter’.
The decisions and developments in this space remain important for businesses and those who advise them, as businesses navigate the complexities of the legislation governing Australia’s financial services industry and its application to new products, services and platforms. Given the ad hoc manner in which clarity has been provided, this is an area which would benefit from more holistic consultation and legal reform by lawmakers and regulators.
Banking
Key risks:
Market misconduct, cyber security protections, design and distribution obligations, scams, ESG and climate change risks.
Notable cases:
Penalties for continuous disclosure breaches, commencement of proceedings in relation to alleged scams and ongoing reforms post-Banking Royal Commission.
In ASIC’s first civil penalty action alleging design and distribution obligations (DDO) breaches, the regulator obtained an $8 million penalty against Firstmac (a mortgage lender). Firstmac had adopted a cross-selling strategy of marketing and distributing investments in High Livez (a registered managed investment scheme) to 780 consumers who held existing term deposits with Firstmac. As part of that strategy, it sent product disclosure statements to clients without first taking reasonable steps to ensure its offering was consistent with its target market determination for the product. The Court found that Firstmac’s conduct was ‘objectively reckless’ and that it did not have adequate systems, policies, practices and procedures in place to address identified or reasonably identified risks of retail product distribution.
On 13 December 2024, ASIC commenced proceedings against HSBC Bank Australia Ltd (HSBC) alleging that HSBC failed to adequately protect customers from scams. In particular, ASIC alleges that HSBC failed to have adequate controls in place to prevent and detect unauthorised payments, failed to comply with its obligations to investigate customer reports of unauthorised transactions within the required timeframes, and failed to reinstate customers’ banking services in a timely manner.
2025 outlook:
Expect enhanced focus on banks’ abilities and obligations to prevent and detect scams, to ensure customer protection. On 13 February 2025, the Scams Prevention Framework Bill 2025 passed both Houses of federal Parliament (see our insight here). The bill establishes a new Scams Prevention Framework that requires banks, telecommunications and social media companies to prevent, detect, disrupt, respond to and report scams and attempted scams. Australian regulators (including ASIC and the ACCC) will be empowered to investigate potential breaches and to take enforcement action where entities do not comply with their obligations under the Framework. Under the new Framework, fines of up to $50 million can be applied to those who fail to meet their obligations.
The financial impacts of climate risk remain a focus for APRA-regulated entities. APRA has foreshadowed that it intends to elevate climate risks within the regulatory and supervisory landscape, including by consulting in 2025 on amending Prudential Standards CPS 220 and SPS 220 Risk Management to include climate risk. The results of APRA’s second climate risk self-assessment survey, which provide insights into how regulated entities identify, manage and disclose the financial risks of climate change and align their practices with the Prudential Practice Guide CPG 229 Climate Change Financial Risks, were released in late 2024. This was the first time all APRA-regulated banks, insurers and superannuation trustees had been invited to participate in the survey.
Entertainment and gambling
Key risks:
AML/CTF compliance, scams, data privacy and security and cyber security.
Notable cases:
The volume of high-profile cases being brought by regulators in this space emphasises the ongoing significant business, financial and reputational risks of potential AML/CTF non-compliance for companies and their directors and officers.
In late 2024, AUSTRAC commenced its first civil penalty proceedings against a business operating in the online betting sector. The claim against Entain Group Pty Ltd (Entain), which operates online betting sites including Ladbrokes and Neds, alleges serious and systemic non-compliance with the AML/CTF Act and was preceded by an investigation of Entain by AUSTRAC that commenced in September 2022. Relevantly, it is alleged that:
Board and senior management failures: Entain’s board and senior management did not have appropriate oversight of its AML/CTF program.
Control failures: Entain did not have appropriate controls to confirm the identity of customers making deposits and the source of funds being deposited.
24/7 business risks: By operating a 24/7 business through its website and app, there was a risk that people unknown to Entain could access and use Entain’s betting platform, including through third party providers.
SkyCity Adelaide Pty Ltd received a $67 million penalty in relation to admitted historical contraventions of the AML/CTF law during the period 7 December 2016 to 14 December 2022. The AUSTRAC claim against The Star Pty Limited and The Star Entertainment QLD Limited for alleged AML/CTF breaches remains ongoing.
On 10 February 2025, the final hearing in ASIC’s civil penalty proceedings brought against 11 current and former directors and officers of The Star Entertainment Group Limited (Star) commenced. ASIC alleges that Star’s board and directors breached the duties that they owed under s 180 of the Corporations Act 2001 (Cth). Two defendants have received penalties after admitting to breaches of their duties: Star’s former Chief Casino Officer has been ordered to pay a penalty of $180,000 and has been disqualified from managing corporations for 18 months, and Star’s former Chief Financial Officer has been ordered to pay a $60,000 penalty and has been disqualified from managing corporations for nine months.
2025 outlook:
The gambling and gaming sectors continue to be a priority for Australia’s regulators. AUSTRAC also received additional investigatory powers in early January 2025, so the conduct of investigations will change as AUSTRAC compels individuals to attend compulsory examinations.
Consulting and auditing
Key risks:
Insider trading, ethical breaches, auditor misconduct and AML/CTF compliance.
Notable cases:
In July 2024, reforms were introduced to the ‘promoter penalty’ legislative regime, which were designed to increase the ATO’s power to target advisers involved in promoting schemes and arrangements designed to reduce clients’ tax or increase refunds. The reforms extend the time for the ATO to commence civil proceedings and increase the maximum civil penalties for both bodies corporate and significant global entities to $780 million.
On 11 December 2024, the Companies Auditors Disciplinary Board (CADB) ordered the suspension of the registration of a company auditor for a two-year period, after it was found that the auditor (an individual) had failed to perform adequately and properly the duties of an auditor, in connection with their role as lead auditor and engagement partner for the group audit by Nexia Sydney Audit Pty Ltd (Nexia Sydney Audit) of the financial statements of the Greensill Group.
2025 outlook:
Stricter rules governing transparency and conduct in consulting services and broader legislative and regulatory reform are likely in 2025. In June 2023, the Parliamentary Joint Committee on Corporations and Financial Services commenced an inquiry into allegations of misconduct in the Australian operations of the major accounting, audit and consultancy firms. The inquiry was triggered by the revelation of breaches of confidentiality at PwC. The committee’s final report was presented to the Senate in November 2024. Enhanced regulatory oversight is also likely in the context of the recommendations of that final report, which included that:
ASIC re-establish a program of audit inspections.
ASIC increase the level of resources that it devotes to financial report inspections and audit inspections until there is a significant improvement in audit quality.
ASIC be given further powers to oversee audit to cover all partners within multidisciplinary firms regardless of which part of the firm they work in.
The CADB be reformed to improve its efficiency and effectiveness.
Superannuation and insurance
Key risks:
Member services failures and protecting vulnerable Australians, fair dealing, underwriting algorithms, compliance with requirements under the retirement income covenant and ESG claims.
Notable cases:
In ASIC’s third greenwashing enforcement action, the Federal Court found that Active Super made misleading marketing and greenwashing claims in connection with various misleading representations concerning its ESG credentials. Active Super invested in various securities (both directly and indirectly) that were connected to gambling, coal mining, Russian entities and oil tar sands investments, despite contrary statements made on its website, in reports and in disclosure documents. The court found that the use of terms such as “not invest”, “no way” and “eliminate” was unequivocal and not the subject of any potential qualifications. In March 2025, following a contested penalty hearing, the Federal Court imposed a $10.5 million penalty on Active Super. ASIC has noted that the case demonstrates its commitment to taking on misleading marketing and greenwashing claims made by companies promoting financial services. See our insight here.
In March 2025, ASIC commenced civil penalty proceedings against AustralianSuper (the trustee of Australia’s largest superannuation fund) alleging that it failed to process death benefit claims in a timely and efficient manner, potentially causing financial and emotional distress to the affected parties. ASIC identified nearly 7,000 death benefit claims which AustralianSuper took between four months and four years to assess. ASIC alleges that AustralianSuper failed to meet its obligations under the Superannuation Industry (Supervision) Act and the Corporations Act. ASIC Deputy Chair, Sarah Court said, "At its heart, this matter is about protecting vulnerable Australians and their families". ASIC has also stated that member services failures in the superannuation sector remain an enforcement priority. See an overview of ASIC’s case against AustralianSuper in our Financial Services: Regulatory Recap here.
In November 2024, ASIC commenced civil penalty proceedings against United Super (trustee of Cbus) with respect to alleged claims handling failures, which resulted in more than 10,000 Cbus members being impacted by death benefit and TPD insurance claims that took more than 90 days to be processed. ASIC alleges that more than 6,000 members and claimants had their payments delayed by more than 12 months and that United Super failed to act efficiently, honestly and fairly in the handling of the relevant claims. ASIC Deputy Chair Sarah Court has noted that, “trustees cannot outsource accountability when it comes to claims handling. It is the trustee’s responsibility to ensure there is adequate oversight of their systems and to prioritise the resources necessary to deliver the services they have promised to their members”.
Recent actions against insurers like QBE underscore the importance of businesses ensuring transparency in claims handling and product disclosures. In October 2024, ASIC commenced proceedings against QBE Insurance (Australia) Limited alleging the company misled customers by promising discounts for their loyalty in connection with certain general insurance products, which were never received. ASIC alleges that the discounts were offered through more than 500,000 renewal notices and statements published on QBE’s website. ASIC alleges that due to a pricing algorithm that was applied at the time the relevant insurance policies were renewed, QBE’s customers did not receive the full value of the discounts promised by QBE.
2025 outlook:
Trustees will face stricter accountability, insurers will be expected to act efficiently and transparently in claims handling and product disclosures and ESG disclosure standards will tighten. See our insight on ASIC’s 2025 enforcement focus on the superannuation sector here.