In light of the Australian Securities and Investments Commission’s (ASIC) recent review into compliance plans across the managed investment industry, Responsible Entities (REs) are being urged to move beyond a legalistic, checkbox approach and adopt a more robust, risk-based mindset. The findings, published in ASIC’s media release 25-090MR, reveal systemic deficiencies in Compliance Plans and large-scale non-compliance with Regulatory requirements.

The Compliance Plan Wake-Up Call

ASIC’s review of 50 compliance plans—covering 1,471 funds and nearly $1 trillion in assets—found that most failed to adequately address key Regulatory obligations. These include:

  • Design and Distribution Obligations (DDO) under Part 7.8A of the Corporations Act;
  • Internal Dispute Resolution (IDR) systems under s912A(1)(h) and associated regulations; and
  • Reportable Situations (RS) under Subdivision B, Division 3 of Part 7.6.

Alarmingly, some compliance plans did not address DDO at all, suggesting they had not been meaningfully reviewed since the regime’s introduction in 2021. ASIC Commissioner Alan Kirkland noted, “Failing to plan is planning to fail,” underscoring the critical role compliance plans play in safeguarding retail investors.

 

From Legal Formalism to Risk Management

Historically, many Responsible Entities have relied heavily on their legal advisers to draft compliance plans. While lawyers play a vital role in identifying and interpreting the relevant legislative obligations, this approach often results in documents that are technically compliant but operationally ineffective.

 

What’s missing is the practical application of those obligations – how they are controlled, monitored, and assured in day-to-day operations. This is where risk managers must step in. Risk professionals are best placed to:

  • Translate legal obligations into operational controls;
  • Design assurance mechanisms that test the effectiveness of those controls;
  • Identify gaps and emerging risks; and
  • Ensure the compliance plan evolves with the business and Regulatory landscape.

 

This shift aligns with ASIC’s broader Regulatory expectations, particularly those outlined in Regulatory Guide 259 (RG 259), which emphasises the need for Responsible Entities to maintain adequate risk management systems under s912A(1)(h) of the Corporations Act. RG 259 complements RG 132 by reinforcing that compliance is not just about documenting obligations – it’s about embedding risk awareness and control effectiveness into the operational fabric of the organisation.

 

Tailoring Compliance to Scheme-Specific Risks

A key theme emerging from ASIC’s review is the need for compliance plans to reflect the specific risks of each registered scheme. Too often, REs rely on generic templates that fail to consider the unique features, investment strategies, and operational risks of individual schemes. This undermines the effectiveness of the compliance framework and exposes investors to risk.

 

To meet ASIC’s expectations, REs must be able to demonstrate that their compliance plans:

  • Identify the particular risks associated with each scheme;
  • Include controls that are tailored to those risks;
  • Provide for regular testing and review of those controls; and
  • Are updated in response to changes in the scheme’s structure, strategy, or Regulatory environment.

 

This was reinforced in ASIC’s recent correspondence with Responsible Entities, where the Regulator raised concerns that some compliance plans did not adequately identify relevant obligations or appropriate controls, and that the same plan was being used across multiple schemes without sufficient customisation.

 

ASIC’s Direct Engagement with REs

In a clear signal of its intent to drive reform, ASIC has begun writing directly to Responsible Entities whose compliance plans were found wanting. These letters have urged REs to review and modify their compliance plans in line with RG 132 and the findings of the review. ASIC has also reminded REs of their obligation to lodge modified plans under s601HE(3) and to consider their breach reporting duties under the Corporations Act.

 

What This Means for Responsible Entities

The message is clear: REs must treat compliance plans as living documents that reflect a genuine understanding of their Regulatory obligations and the risks inherent in their operations. This means:

  • Moving beyond generic templates;
  • Embedding compliance into operational processes;
  • Ensuring board and senior management oversight;
  • Tailoring controls to scheme-specific risks; and
  • Being proactive in identifying and addressing gaps.

 

ASIC has signalled that it will continue to monitor compliance plans and may take enforcement action where deficiencies persist.

 

What to do?

For Responsible Entities, the time to act is now. Drafting, reviewing and approving take time. ASIC is expecting industry to act quickly given the issues highlighted in its review.

PX Partners works with REs to draft fit-for-purpose and pragmatic Compliance Plans which align with Regulatory requirements and expectations.

Jon O’Keeffe is the author of this article. Jon provides regulated entities with pragmatic advice on governance anchored in more than 20 years of practitioner experience.