Across Australia, the advice and financial services industries are entering a period of heightened change, with anti-money laundering (AML) and counter-terrorism financing (CTF) regulatory expansion, privacy reforms, sharper expectations on cybersecurity and offshoring, emerging AI and a renewed focus on investment governance and conflicts. None of this fits neatly into a silo, but put together it tells a consistent story: governance that scales.
Australia’s AML/CTF regime will expand dramatically by March 2026, from covering around 14,000 reporting entities to nearly 90,000. The law regulates services, not ‘business type,’ so integrated practices combining wealth, property and accounting need to identify exactly which services trigger obligations, and design a single, client-friendly onboarding journey.
Privacy obligations are also tightening. While we’re still waiting for many reforms to take effect, some already apply. Australian Privacy Principle (APP) 11 now requires both technical and organisational measures for security, and by December 2026 privacy notices must disclose any use of AI in automated decisions that impact individuals. A ‘safe countries’ list will soon define where data can go offshore.
The practical takeaway?
Build the bones before the muscles, and strengthen all privacy frameworks now, from encryption standards and access reviews to vendor due diligence and testing. It’s easier to maintain compliance than to play catch-up.
Cybersecurity, meanwhile, has become an ecosystem issue. A single vulnerability can expose an entire network, and regulators are paying close attention. Policies alone aren’t protection. The focus now is on continuous monitoring, regular testing and genuine accountability at every level of the business.
Decisions deferred need to be documented and remediation plans should be visible and funded, with the same principle applying to offshoring.
AI adds a fresh layer of complexity. The governance gap between use and oversight is widening, as teams experiment with tools that haven’t been formally risk-assessed. A simple starting point is creating a register of AI use-cases, evaluating privacy and accuracy risks and defining when human judgment must be applied.
Establishing an internal AI standard is critical – covering what’s in and what’s out, how data can be managed, and how results are being verified. This builds trust and clarity across the business.
Investment governance is also evolving. Recent regulatory themes point to a sharper focus on supervision, record-keeping and meaningful conflict management. It’s no longer enough to simply have policies on file; leaders must be able to show how they operate in practice. Creating a ‘conflicts map’ across personal, client-to-client and firm-level relationships helps to highlight where structures, incentives, or processes need review.
Compliance doesn’t have to slow a business down. When it’s woven into everyday systems such as onboarding, KPIs, dashboards and alerts, it becomes part of how teams perform, not an administrative burden.
Real-time data can flag emerging risks, including expiring certifications or policy gaps, before they escalate. When advisers and compliance teams share visibility, conversations shift from ‘checking’ to collaborating, and that’s when culture and systems start to reinforce each other.
For leaders wondering where to begin, focus the next 90 days on a few high-impact steps. Map your AML services and reliance model. Uplift privacy controls. Run a cyber and offshoring review with clear board oversight. Build an AI register and standard, and tighten investment governance and conflict mapping.
So, the question isn’t whether you can afford to do all this, it’s how to design compliance you can run. The answer lies in clarity, automation and embedding governance into business-as-usual. When systems are predictable, people are trained and accountability is shared, compliance stops being a cost centre and becomes a competitive advantage.
Compliance isn’t about the red tape, it’s about creating the safety rails that let your business go faster, and do so more sustainably. When governance is living, not laminated, and when culture supports the ‘why’ behind every rule, compliance becomes more than protection – it becomes performance.
Catherine Evans is founder and head of legal at Kit Legal.