Governance Compliance

Your AFSL Privacy Policy doesn't cover your AI. Here's what the law now requires.

The Privacy and Other Legislation Amendment Act 2024 introduces a mandatory AI disclosure obligation taking effect 1 December 2026. Most AFSL holders haven't mapped it to their AI stack yet.

LC
Liberate Consulting
May 2026  ·  4 min read
4 min read
AFSL AI compliance and privacy law obligations

There's a structural change embedded in Australian privacy law that most AFSL holders haven't mapped to their AI stack yet.

The Privacy and Other Legislation Amendment Act 2024 introduces a mandatory disclosure obligation — APP 1.7 — that takes effect on 1 December 2026. From that date, if a computer program substantially and directly influences a decision about one of your clients, you must be able to explain it. Not just disclose it. Explain it. That's a different obligation from what most firms currently have in their privacy policies.

What APP 1.7 actually requires

The three obligations are specific — and the third is where most firms will fall short.

Obligation 1

Disclose that ADM is being used

You must proactively disclose to clients that automated decision-making is influencing outcomes that affect them. Burying this in a privacy policy is not sufficient.

Obligation 2

Identify the personal information used

You must specify the categories of personal information the system relies on to reach its conclusions — not just that data is used, but what kind.

Obligation 3

Provide a meaningful explanation

You must explain how the decision was reached in terms a client can understand. Most firms will fall short here — not because they have bad AI, but because they've never written down how it works in plain English.

This isn't only a Privacy Act issue

ASIC has been clear that AI transparency sits inside your s912A obligations — the requirement to act efficiently, honestly, and fairly. If a client is given advice informed by an algorithm they couldn't understand or interrogate, you have a fair dealing problem, not just a privacy one.

The OAIC and ASIC are moving in the same direction. Firms that treat the December 2026 deadline as a privacy-team issue will find themselves responding to ASIC inquiries with governance documentation they haven't built yet.

Firms that treat the December 2026 deadline as a privacy-team issue will find themselves responding to ASIC inquiries with governance documentation they haven't built yet.

— Liberate Consulting

The gap that most firms don't see

The problem isn't the AI tools. Most AFSL practices are using AI in some form — meeting note tools, digital advice engines, automated credit filters, AML monitoring. The problem is that the governance framework hasn't kept pace with the adoption.

You cannot disclose what you haven't mapped. The first step to December 2026 compliance is a systematic audit of every system in your stack that influences a client decision — not just the obvious ones.

The December 2026 deadline is not a future problem

Building explainable AI governance documentation, mapping your ADM systems, and updating your privacy policy to meet APP 1.7 takes time. Firms that start in Q4 2026 will not have enough runway to do this properly.

#governance #compliance #afsl #privacy #ai
LC
Liberate Consulting
AI Governance & Compliance · Financial Services
Liberate Consulting works with AFSL holders navigating the intersection of AI adoption and regulatory compliance — including APP 1.7 readiness, s912A obligations, and ADM governance frameworks.

Start your APP 1.7 compliance now — not in November

Liberate Consulting helps AFSL holders audit their AI stack, build ADM governance documentation, and update their privacy frameworks ahead of the December 2026 deadline.

Download the Free Checklist → Talk to Our Team