← All posts

TL;DR

In November 2024, ASIC published REP 798 finding that most financial services licensees had inadequate AI governance. Boards couldn't explain automated decisions, vendors weren't vetted, and consumer harm was already occurring. ASIC made clear that existing Corporations Act obligations already cover AI use — if you can't explain it, you can't deploy it. Independent AI vendor auditing is the fastest path to compliance.

In November 2024, the Australian Securities and Investments Commission dropped a report that most of the financial services industry hoped nobody would read. Its title was blunt: REP 798, subtitled "Beware the Gap: Governance arrangements in the face of AI." The message was even blunter: most of you are using AI in ways that affect customers, and most of you cannot explain how it works.

ASIC didn't issue this as a consultation paper or a discussion draft. It was a finding. They had looked under the hood at how Australian financial services licensees were deploying artificial intelligence, and what they found wasn't a few bad actors. It was an industry-wide gap between how fast firms were adopting AI and how little they understood it.

What ASIC Actually Found

The review covered credit licensees and AFS licensees across the spectrum — banks, insurers, super funds, fintechs, and advisory firms. The picture that emerged was consistent and troubling.

AI was being used in decisions that directly affected customers. Credit assessments were being automated. Insurance claims were being triaged by models nobody had independently tested. Pricing engines were adjusting premiums based on AI-driven risk scores. Fraud detection systems were flagging transactions and blocking accounts. In many cases, the people responsible for these systems could not explain — in plain language, to a customer, a regulator, or a court — how the AI had reached its conclusion.

Boards and senior management were largely unaware of the AI tools operating inside their own organisations. When ASIC asked about AI governance, the answers were vague: references to vendor assurances, marketing materials, and internal policies that hadn't been updated to account for machine learning models making decisions that were once made by humans with documented discretion.

The testing gap was perhaps the most damning finding. Firms were deploying AI without testing for bias, without measuring fairness across customer segments, and without validating that the model's outputs were consistent with the firm's legal obligations. An AI system that systematically disadvantages applicants from certain postcodes, or that produces different outcomes for customers with non-English names, is not just unethical — under Australian consumer law and anti-discrimination legislation, it is unlawful. And ASIC found that most firms hadn't checked.

Third-party AI vendors were an especially blind spot. Licensees were plugging in external AI tools — chatbots, decision engines, document analysers, voice analytics — without understanding the model architecture, the training data provenance, the bias testing results, or the vendor's own governance practices. The sales deck was treated as due diligence. When ASIC pressed firms on what they actually knew about their vendor's AI, the answers were thin.

The Legal Reality ASIC Pointed To

REP 798 wasn't a proposal for new regulation. ASIC was making a simpler and more uncomfortable point: your existing obligations under the Corporations Act already cover this.

The obligation to provide financial services "efficiently, honestly and fairly" applies to decisions made by AI just as it applies to decisions made by humans. The obligation to have adequate risk management systems applies to AI risk just as it applies to credit risk or operational risk. The obligation to ensure representatives are adequately trained applies to the people overseeing AI systems just as it applies to the people giving financial advice.

AI does not get a regulatory holiday because it's new. If a human employee systematically denied credit to applicants from certain demographics, that would be a compliance failure. If an AI model does the same thing and nobody tested for it, it's the same compliance failure — plus the additional failure of deploying a system you didn't understand.

ASIC made clear that "the vendor said it was fine" is not a defence. The licensee bears the responsibility. The licensee's board bears the responsibility. If an AI vendor's model produces a biased outcome, and your firm deployed it without independent verification, your firm wears the consequences. The Corporations Act doesn't have a "blame the vendor" provision.

What Good AI Governance Looks Like

REP 798 wasn't all criticism. ASIC highlighted what the better-prepared firms were doing, and the pattern was consistent: they treated AI governance like they treat financial governance.

These firms had independent review processes. Just as financial statements get audited by external firms, AI models got tested by independent assessors who weren't the vendor and weren't the internal team that built the deployment. They had documented controls: not just a policy document that said "we take AI seriously" but specific, testable controls governing how models were selected, tested, deployed, monitored, and retired. They had board-level accountability: someone in the boardroom could answer questions about AI risk because AI governance was a standing agenda item, not a one-off briefing.

They also had something less formal but equally important: they could explain, in plain language, how their AI made decisions. Not the mathematics. The logic. If a customer asked why they were declined, the firm could give an answer that was true, fair, and comprehensible. If ASIC asked, the firm could demonstrate the chain of reasoning from input to output. And if a court asked, the firm could produce evidence that the decision was lawful.

The Gap That Hasn't Closed

REP 798 was published in November 2024. It is now 2026. The question every AFS licensee and credit licensee should be asking is: has our AI governance improved since ASIC looked, or are we still in the gap?

The firms that moved early have spent the last eighteen months building the infrastructure ASIC described: vendor audits, bias testing frameworks, model documentation, board reporting. They've turned AI governance from a project into a process. The firms that didn't are now in an uncomfortable position: the regulator has told them what good looks like, and they're not there yet.

When ASIC comes back — and they will — the scrutiny will be sharper. REP 798 established the baseline. A follow-up review will compare current practice against that baseline. Firms that cannot demonstrate improvement will not be able to claim they didn't know. They were told.

The Fastest Path to Closing the Gap

An independent AI vendor audit is not compliance theatre. It is the fastest way to answer the question ASIC is already asking: do you actually know what your AI is doing?

A proper audit doesn't accept the vendor's marketing. It examines the model's training data for bias. It tests the outputs for fairness across customer segments. It verifies that the vendor's data handling practices comply with the Australian Privacy Principles. It documents the decision logic so that when a customer, a regulator, or a court asks how a decision was made, you have an answer that holds up.

REP 798 gave the industry a roadmap. The firms that follow it will be ready when the regulator returns. The firms that don't will be the reason the regulator returns.

Book a scoping call to discuss auditing your AI vendors against ASIC's expectations.

Frequently asked questions

What did ASIC REP 798 find?

ASIC found that most Australian financial services licensees had deployed AI without adequate governance. Boards couldn't explain how AI made decisions affecting customers, third-party AI vendors weren't being vetted, and no testing for bias or unfair outcomes was being conducted.

Does ASIC regulate AI use by financial services firms?

Yes. ASIC made clear that existing obligations under the Corporations Act already require proper governance of any system — including AI — that influences customer outcomes. AI does not get a regulatory pass because it is new technology.

What should AFS licensees do about AI governance?

Licensees should understand how their AI makes decisions, test for bias and unfair outcomes, be able to explain AI decisions to customers and regulators, and independently audit their AI vendors — not just accept the vendor's marketing claims.

What happens if we ignore ASIC's AI governance warning?

REP 798 was a finding, not a suggestion. If an AI system causes consumer harm and the licensee cannot demonstrate proper governance, ASIC has made clear that "we were planning to fix it" will not be an acceptable defence.