Banks & ADIs compliance in Queensland
Federal + Qld-specific compliance obligations for banks & ADIs operating in Queensland.
Total obligations: 23
Qld-specific: 0
Qld regulators: 16
Federal obligations also applicable
Enrol with AUSTRAC as a reporting entity
Tranche 2 entities must enrol with AUSTRAC by 29 July 2026.
Notify the OAIC and affected individuals of eligible data breaches
Eligible data breaches must be notified to OAIC and affected individuals 'as soon as practicable'.
Report cyber security incidents to ASD (SOCI)
Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
Comply with Design and Distribution Obligations (DDO)
Issuers and distributors of retail financial products must have a Target Market Determination (TMD) and distribute consistently with it.
Comply with APRA CPS 230 (Operational Risk Management)
APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.
Comply with Financial Accountability Regime (FAR) accountability obligations
Banking entities from 15 March 2024; insurers and super trustees from 15 March 2025.
Comply with APRA CPS 220 (Risk Management)
APRA-regulated entities must have a comprehensive risk management framework.
Major banks must provide CDR Banking + Action Initiation (2026)
CDR Action Initiation lets accredited recipients initiate payments + actions on a consumer's behalf.
Maintain a written AML/CTF program
Every reporting entity needs a documented AML/CTF program — Part A risk + Part B systems.
FAR deferred remuneration arrangements (40% deferral 4 years)
FAR accountable persons must have 40% of variable remuneration deferred for 4 years.
Publish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Respond to hardship notices within statutory timeframe
Credit providers must consider hardship notices within 21 days under s 72 NCC.
Comply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
Consumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
Pre-2025 ban on unsolicited credit limit increase invitations
Credit card limit increase offers cannot be sent without prior written consent.
Avoid unfair contract terms in standard form consumer & small business contracts
From November 2023, unfair contract terms carry pecuniary penalties — up to $100M per term (from 28 March 2026).
Comply with CDR Banking (Open Banking) — major + non-major ADIs
Banking data holders must share consumer data with accredited recipients on consumer consent.
Comply with the ePayments Code
Voluntary but industry-standard code covering electronic transaction terms, mistaken internet payments, and unauthorised transactions.
Mandatory AI guardrails for high-risk AI (in development)
Australian Mandatory Guardrails for High Risk AI Settings — Treasury consultation in 2024/2025.
Banking Executive Accountability Regime (BEAR) — pre-FAR
BEAR superseded by FAR for banks 15 March 2024; historical exposure remains.
Energy Bill Relief Fund + state cost-of-living payments compliance
Retailers + suppliers administering federal/state energy bill relief must apply correctly + report.
Adopt the Voluntary AI Safety Standard (DISR 2024)
10 voluntary guardrails for safe + responsible AI deployment; mandatory regime in development.