AFSL Monitoring Requirements: What Every Licensee Must Have in Place

ASIC's enforcement posture has hardened significantly since the Hayne Royal Commission handed down its final report in 2019. Of the many systemic failures identified across the industry, the most consistent thread was not deliberate misconduct — it was a persistent failure by licensees to actually supervise what their representatives were doing. Since 2020, ASIC has secured more than $700 million in civil penalties against financial services firms, with a significant proportion relating directly to inadequate monitoring and supervision arrangements.

The legal trigger is section 912A(1)(ca) of the Corporations Act 2001, which requires every AFSL holder to take reasonable steps to ensure their representatives comply with financial services laws. ASIC's Regulatory Guide 104 expands on what "reasonable steps" looks like in practice — and it goes well beyond having a compliance policy on file. Firms relying on complaint-driven monitoring, rather than proactive systematic review, are unlikely to meet the standard.

This guide breaks down exactly what the monitoring obligation requires, where most licensees are currently falling short, and how Callyx.ai closes the gap between what ASIC expects and what most compliance teams can realistically deliver at volume.

The monitoring obligation doesn't sit in one place. Several pieces of legislation and regulatory guidance interact to create a layered compliance requirement — and understanding all of them is necessary to assess whether your current approach is actually adequate.

Together, these instruments establish that monitoring is not a discretionary activity — it is a legal obligation with a live 30-day breach reporting trigger attached. A licensee who discovers a pattern of non-compliance only through a client complaint, rather than systematic monitoring, is likely to find themselves in breach of both the supervision obligation and the breach reporting timeline simultaneously.

The phrase "reasonable steps" in section 912A(1)(ca) sounds deceptively manageable. In practice, ASIC's interpretation has become increasingly demanding. Regulatory Guide 104 makes clear that reasonable steps must be proportionate to the nature, scale and complexity of the licensee's business — which means a firm with 40 advisers providing personal advice to retail clients cannot satisfy the obligation by having a compliance officer listen to two calls per adviser per quarter.

What ASIC looks for is a systematic, documented monitoring programme with defined scope, methodology, frequency and escalation procedures. The monitoring must be capable of identifying both individual adviser conduct issues and systemic patterns across the business. Critically, the programme must generate records — ASIC will ask to see evidence of your monitoring activity, not just your monitoring policy.

"The obligation to monitor representatives is active and ongoing. Having the capability to monitor is not the same as monitoring."

ASIC Regulatory Guide 104 — Licensing: Meeting the General Obligations

This is where scale becomes the defining challenge. A licensee with 30 advisers each making 20 client calls per week generates more than 2,400 recorded conversations every month. A compliance team of two cannot meaningfully review that volume manually — and ASIC knows it. Callyx.ai resolves this by automatically scanning every call for the compliance signals your programme is designed to detect, generating a documented record of each review without any manual effort from your team.

The practical implication is that your monitoring programme needs to be designed around what you can sustainably operate at volume — not what looks adequate in a policy document. For the full picture on what ASIC expects, read Regulatory Guide 104 in full.

Working with Australian financial services firms, we see the same monitoring gaps appear repeatedly — not because compliance teams don't care, but because the volume of calls makes thorough manual review genuinely impossible to sustain.

When ASIC conducts a surveillance or investigation of an AFSL holder's monitoring arrangements, they are looking for three specific things — and most firms are only prepared for one of them.

The monitoring obligation is real, the enforcement risk is real, and the volume of calls makes manual compliance genuinely unsustainable for most firms. But there is a better way to think about it: the calls you are already recording contain some of the most valuable intelligence your business generates. Every conversation with a client captures what is working in your process, where advisers need support, and how clients are actually experiencing your firm.

Callyx.ai connects to your existing call recording setup, is configured to your specific compliance obligations during onboarding, and starts delivering intelligence from day one — with zero manual effort required from your compliance team. Your calls are already being recorded. Now make them count.

Most firms are still operating their monitoring programme the way they always have — not because it works, but because there hasn't been a better option. Here's what that actually looks like, alongside what's now possible.

Under section 912A(1)(ca) of the Corporations Act 2001, every AFSL holder must take reasonable steps to ensure their representatives comply with financial services laws. ASIC's interpretation of that obligation has become increasingly demanding — documented, systematic, coverage-based monitoring is the standard, not periodic sampling of a small fraction of calls.

Most firms are operating with a monitoring gap they don't know exists. Manual call sampling covers a fraction of recorded conversations, leaves the majority of potential conduct issues undetected, and generates limited documentary evidence that ASIC will consider adequate. The 30-day breach reporting obligation under s.912D makes this gap a compliance risk in its own right — you cannot report what you haven't detected.

Callyx.ai automatically monitors 100% of your recorded calls, generates documented compliance records for every conversation, and delivers real-time alerts for your defined conduct triggers — turning an unsustainable manual obligation into an automated, always-on programme that costs your compliance team almost no time to run.