Section 912 is not a single rule — it is a framework of interlocking obligations. Understanding each part is the first step to knowing where your compliance gaps may lie.
Section 912 is the primary accountability framework for every Australian Financial Services Licence (AFSL) holder. It is not aspirational guidance — it is a binding set of obligations governing how your firm operates, supervises its people, manages its risks, and in 2026, controls its automated systems.
| Subsection | Ref | What It Covers |
|---|---|---|
| General Obligations (Primary Focus) | s912A | The core duties of every licensee: efficiency, honesty, fairness, conflicts management, adequate resources, competency, and risk management. The primary focus of ASIC's 2026 enforcement agenda. |
| Authorised Representatives | s912B | Your obligations when acting through ARs — including ensuring they are properly authorised, supervised, and do not exceed the scope of their authority. |
| Breach Reporting | s912C | The obligation to report significant breaches (or likely breaches) to ASIC within 30 days. Failures here are a compounding liability — a breach of s912A that goes unreported becomes two breaches. |
| Compensation Arrangements | s912D | The requirement to maintain adequate arrangements for compensating clients for losses — typically through professional indemnity insurance meeting ASIC's prescribed standards. |
| Financial Requirements | s912F | The obligation to meet ASIC's ongoing financial requirements, including maintaining sufficient net tangible assets or cash to support your licence obligations. |
Section 912A is the engine of the entire framework. It requires a licensee to take responsibility for the quality and integrity of every financial service it provides — including those delivered by software, algorithms, or AI. ASIC has made clear that s912A is "technology neutral": if your firm uses AI or automated decision-making (ADM), every obligation applies to your algorithms with the same force it applies to your human advisors.
Your AI must not be a "black box." Outputs must be fair, unbiased, and capable of being explained to the client and to a regulator. An algorithm that produces outcomes your Responsible Manager cannot articulate is already a potential breach of this limb.
A robo-advice or product-selection algorithm must not be programmed — even inadvertently — to favour your firm's interests over the client's. Algorithmic conflicts are not less serious because they are automated; in ASIC's view, they may be more serious because of their scale.
You must have the technological and human resources to monitor your AI in real time. Deploying a system you cannot supervise is a breach of this obligation. "Adequate resources" in 2026 means RegTech-enabled oversight — not spreadsheets.
Your people must be trained to understand, supervise, and where necessary override automated systems. "The algorithm decided" is not a defence. If your representatives cannot interrogate an AI output, they are not competent to rely on it.
Your risk framework must specifically address AI-specific risks: model drift, data poisoning, algorithmic bias, and "hallucination" errors. A risk register that does not name these exposures is not adequate for a firm that deploys ADM.
If an authorised representative uses AI tools in their practice, you remain responsible for the outcomes those tools produce. The Interprac case is the clearest warning yet that "I didn't know what my ARs were doing with their software" is not a defence.
ASIC has signalled — through enforcement actions, regulatory guidance, and Deputy Chair Sarah Court's public statements — that the 2026 regulatory agenda centres on Automated Decision-Making (ADM) transparency and "data-enabled supervision." There are three things ASIC is now examining in AFSL audits:
If a client receives advice or a decision partly generated by an algorithm, can your Responsible Manager walk ASIC through how that output was produced and why it was appropriate for that client? If not, you have an s912A(1)(a) exposure — and potentially a breach to report under s912C.
The Interprac Warning made explicit what ASIC had been signalling for years: manual, spreadsheet-based compliance monitoring cannot detect systemic failures in a high-volume, data-driven environment. If you process automated advice or product recommendations at scale, your compliance oversight must match that scale.
Under ss180–183 of the Corporations Act, directors have personal duties of care, good faith, and proper use of information. ASIC's position is that a director who cannot explain the AI systems their firm deploys has not exercised the "enquiring mind" the law requires.
Section 912 does not exist in isolation. For firms deploying AI, it operates as part of a wider accountability stack that every Responsible Manager and director needs to understand.
In 2026, "I didn't know the algorithm did that" is no longer a valid legal defence. ASIC expects your Responsible Managers and Directors to have real-time, data-driven, RegTech-enabled supervision of all automated systems. Section 912 is the legal framework that makes that expectation binding.
— Lead Strategist, Liberate Consulting
Liberate Consulting works with AFSL holders to close the gap between your current compliance architecture and the standard ASIC now expects — mapping your AI and ADM touchpoints against every limb of s912A, pressure-testing your breach detection systems, and ensuring your directors can demonstrate the "enquiring mind" the law requires.
