
AFS Licence Obligations: ASIC s912A Compliance Checklist

Section 912A of the Corporations Act sets out the general obligations of AFS licensees. This checklist breaks down each obligation and how to demonstrate compliance.

FormaOS Team
April 2026

Overview of s912A general obligations

Section 912A of the Corporations Act 2001 (Cth) sets out the general obligations that apply to all Australian Financial Services (AFS) licensees. These obligations form the backbone of financial services compliance in Australia, and ASIC actively monitors, investigates, and takes enforcement action against licensees who fail to meet them.

The general obligations are broad and principles-based, which gives licensees flexibility in how they comply but also creates the expectation that compliance arrangements are proportionate to the size, nature, and complexity of the business. ASIC has made clear through regulatory guidance (particularly RG 104 and RG 105) that it expects licensees to proactively manage compliance rather than take a reactive approach.

Understanding each obligation, mapping it to internal controls, and maintaining evidence of ongoing compliance is essential. The following sections break down the key obligations and provide a practical checklist for each.

Obligation to provide services efficiently, honestly, and fairly

The obligation under s912A(1)(a) to do all things necessary to ensure financial services are provided efficiently, honestly, and fairly is the most litigated and enforced general obligation. ASIC interprets this as requiring licensees to act in the interests of clients, avoid conflicts of interest, maintain competent service delivery, and ensure that products and services are appropriate for the client.

This obligation has been central to numerous ASIC enforcement actions following the Banking Royal Commission, particularly in relation to fees for no service, inappropriate advice, and conflicted remuneration. Licensees should ensure that their business practices, incentive structures, and product distribution frameworks are all aligned with the "efficiently, honestly, and fairly" standard.

  • Review incentive and remuneration structures for potential conflicts of interest
  • Ensure product governance frameworks include target market determinations under DDO
  • Maintain records demonstrating that advice processes are client-centric
  • Monitor for consistent and equitable service delivery across client segments
  • Conduct regular reviews of complaints data to identify systemic fairness issues

Compliance arrangements and risk management

Under s912A(1)(ca), licensees must have adequate arrangements for managing conflicts of interest. Under s912A(1)(h), they must have adequate risk management systems. Additionally, s912A(1)(d) requires licensees to comply with the conditions of their licence, and s912A(1)(f) mandates compliance with financial services laws.

ASIC expects licensees to maintain a formal compliance framework, typically documented in a compliance plan or compliance management system. This framework should include a compliance policy, compliance monitoring and testing program, incident and breach management procedures, regular reporting to senior management and the board, and a mechanism for updating the framework in response to regulatory change.

  • Maintain a documented compliance framework proportionate to business complexity
  • Conduct annual compliance plan reviews and update for regulatory changes
  • Implement a compliance monitoring and testing program with defined frequency
  • Maintain a breach register and ensure timely s912DAA breach reporting to ASIC
  • Document conflict of interest management policies and procedures
  • Establish risk management frameworks covering operational, market, credit, and compliance risk
  • Report compliance outcomes to the board or responsible manager at least quarterly

Breach reporting under s912DAA

Since October 2021, the strengthened breach reporting regime under s912DAA has required AFS licensees to report significant breaches (and likely significant breaches) to ASIC within 30 calendar days of the licensee becoming aware of the breach. The test for significance considers factors including the number of clients affected, the quantum of loss, the duration of the breach, and whether it indicates systemic weakness in compliance arrangements.

Licensees must also investigate potential breaches in a timely manner. ASIC has indicated that it expects investigation to begin promptly and not be delayed while the licensee assesses whether reporting is required. The practical effect is that licensees need a well-defined breach identification, investigation, and escalation process that operates within the 30-day reporting window.

  • Implement a breach identification and triage process that matches the s912DAA criteria
  • Establish investigation timelines that allow for reporting within 30 calendar days
  • Maintain a breach register with investigation records, outcomes, and ASIC lodgements
  • Train staff in breach identification, particularly frontline and complaints teams
  • Conduct periodic reviews of breach data to identify systemic compliance weaknesses

Managing AFS licence compliance with FormaOS

FormaOS provides financial services licensees with a compliance operating system that maps s912A obligations to controls, automates monitoring schedules, tracks breach investigations, and maintains an audit-ready compliance trail. This enables licensees to demonstrate to ASIC that compliance is an ongoing operational priority, not a reactive exercise.
