How to Prepare for an ASIC Compliance Review Without Losing Sleep

In a December 2024 review, ASIC examined 14 financial services and credit licensees and found that half had recorded fewer than five incidents in their incident registers over a three-month period. ASIC said this suggested deficiencies in incident identification, which can affect breach identification and reporting. This article covers what ASIC actually looks at when it reviews an insurance brokerage, the records most firms are not ready to produce, and the practical steps that put a business in a stronger position before a review arrives.
What an ASIC Review Actually Looks Like
Most principals picture an ASIC review as a formal, scheduled visit. In practice it can start much more quietly. A review can begin as a desk check of publicly available information, a follow-up to a client complaint, or part of a thematic sweep across multiple brokerages in a sector. By the time ASIC is requesting documents or scheduling interviews, the review has often already started.
When ASIC does engage directly with a brokerage, it typically asks for records, speaks with compliance staff, and looks at advice files and supervision logs. What it is assessing throughout is straightforward: does this business run the way its compliance documents say it does? See ASIC's approach to enforcement for an overview of how the regulator escalates from review to action.
That question cannot be answered in the days between receiving ASIC's initial contact and responding to it. The records ASIC wants to see reflect months or years of day-to-day practice. Either they exist and are consistent, or they do not. For the underlying obligations that shape what ASIC is assessing, see What Is an AFSL and What Are Your Obligations as a Licence Holder?
Record court-ordered civil penalties in H2 2025 alone (ASIC enforcement update, Feb 2026)
Timeframe to report most reportable situations to ASIC after first becoming aware (ASIC RG 78)
Of 14 licensees in ASIC's Dec 2024 review had fewer than 5 incidents recorded in 3 months (ASIC, Dec 2024)
The Records ASIC Is Likely to Focus On
Firms that can produce clean, organised records across these five areas start any review from a materially stronger position. ASIC Regulatory Guide 104 sets out what ASIC looks for when assessing whether a firm's general obligations are being met.
Compliance incident log
A record of issues the business has identified, investigated and acted on. A well-maintained log shows the compliance function is actively monitoring the business. A sparse one raises immediate questions about whether the firm has genuine visibility across what its advisers are doing.
Call monitoring and supervision records
For each adviser, evidence that someone in the business is regularly reviewing their client conversations and following up on what they find. Not a policy that says this will happen. Actual records showing it did happen, consistently, across the team.
Training documentation
Not just completion certificates. Evidence that training reflects current requirements, and ideally some indication that it has translated into how advisers actually behave with clients. These two things are not automatically the same.
Advice files
A cross-section of actual client files. ASIC looks at whether advice is appropriate, whether required disclosures were made, and whether the documentation matches what supervision records suggest is happening in conversations.
Reportable situations history
ASIC checks whether the business has been identifying and reporting reportable situations within the required timeframes. Under ASIC's reportable situations guidance, most situations must be reported within 30 calendar days of the business first having reasonable grounds to believe one has arisen. A firm with very few or no reports in its history while running an active advice book may raise questions about whether issues are being identified at all.
Each of these areas tells ASIC something different about how the compliance programme is actually running. Together, they give a picture of whether the business's day-to-day operations match its documented intentions.
How to Run an Internal Readiness Check
A structured internal review, run well before any contact from ASIC, gives a brokerage a clear picture of where its records are strong and where gaps may exist. It also demonstrates that compliance governance is taken seriously, which matters if a review does occur.
Work through five areas. Pull your incident log for the past 12 months: does the volume of recorded incidents feel proportionate to the activity level of the business? For each adviser, can you show a documented history of call monitoring and what happened when issues were found? Does your training reflect today's requirements, not those from two years ago? When was the risk register last updated? Pull a sample of advice files and check whether the documentation is consistent across the team.
"Proactively monitoring and tracking compliance allows licensees to identify and mitigate risks of non-compliance that may result in costly legal issues, reputational damage and consumer losses." — ASIC, Reportable Situations: Findings of ASIC's Review, December 2024
The output of this review is a prioritised list of things to address. Businesses that have already worked through this process before ASIC arrives are in a fundamentally different position to those that start when they receive the first contact. Callyx.ai surfaces the call monitoring and supervision records that are hardest to build manually.
For detail on the recording obligations that underpin these records, see AFSL Call Recording Requirements: The Complete 2026 Guide.
Three Areas Where Brokerages Most Commonly Face Gaps
Looking at ASIC's published enforcement outcomes and surveillance findings across financial services licensees, three patterns are especially relevant for insurance brokerages.
1. Supervision happens in patches, not across the whole team
ASIC expects to see a regular, documented process that covers everyone, not occasional observations when a manager has time. Where that kind of record does not exist, ASIC has been explicit: self-reporting by advisers and informal oversight are not enough on their own.
2. Issues surface too late
The ASIC December 2024 review found a consistent pattern of complaints being handled at the front line without being escalated, recorded or assessed properly. By the time something reached the compliance function, weeks had passed and the reporting window had often already closed. The businesses with the cleanest records had systems that surfaced issues quickly.
3. The compliance manual and the operational reality do not match
A detailed compliance framework paired with supervisory records that show only intermittent activity is not a compliance programme. ASIC can tell the difference very quickly. The question it is trying to answer is simple: is this business actually doing what it says it does?
What ASIC Finds When the Records Do Not Stack Up
ASIC's published enforcement and surveillance outcomes give a clear picture of what happens at each level of gap severity.
Sparse incident register
ASIC finds a breach register with very few entries relative to the size and activity of the business. ASIC's December 2024 finding is that this typically indicates deficiencies in incident identification systems, not an absence of incidents.
Supervision records do not cover the whole team
Monitoring logs that show only intermittent activity or cover only some advisers. ASIC's published enforcement cases show this can result in licence conditions being imposed and an independent expert review being required. Callyx.ai covers 100% of recorded calls automatically.
Framework and operational records tell different stories
Strong compliance documentation alongside thin operational records. This is the most common pattern across published ASIC outcomes and the one that generates the widest range of consequences, from enforceable undertakings to civil penalty proceedings.
Your Business Already Has What It Needs
Insurance brokerages record their client conversations as a matter of course. Those recordings are already creating a compliance record. The question is whether that record is being actively used to demonstrate that the business is running the way its compliance documents say it is.
Callyx.ai is Australian-owned, built for the Australian financial services sector, and connects directly to your existing call infrastructure.
Comply — 100% call coverage
Every recorded advice conversation automatically reviewed against your compliance criteria. A supervisory record that reflects the whole team, not a sample.
Core — Same-week visibility
Issues identified the same week they occur, giving management time to act before they compound or reach the reporting window.
Learn — Training evidence
Call data showing how advisers apply their training in actual client conversations, not just what they completed in a module.
Coach — Incident surfacing
Compliance flags raised automatically and immediately, without depending on advisers to self-report or managers to notice during intermittent observation.
Summary
Preparing for an ASIC review comes down to one thing: the gap between what your compliance framework says and what your operational records show.
The three areas where that gap most commonly appears are supervisory records, incident identification, and advice file quality. All three connect directly to what happens in client conversations. Firms with systematic call monitoring across their whole team, and documented records of what was found and what was done about it, start any ASIC review from a position of genuine confidence.
The records ASIC asks for cannot be created retrospectively. Callyx.ai builds them automatically, every week, as a natural byproduct of the business running its compliance programme.
Review Readiness: Where Gaps Create the Most Exposure
Not all compliance gaps carry the same weight in an ASIC review. This matrix maps the key areas ASIC is likely to focus on against the level of exposure a gap in each area can create.
| Severity | What ASIC typically finds | ASIC's likely response | Potential outcome |
|---|---|---|---|
| Lower | Compliance framework not fully current; minor record-keeping gap with no client detriment identified | Informal guidance; request to update framework and confirm changes | Framework update required; enhanced monitoring period possible |
| Moderate | Sparse incident register inconsistent with business activity; supervision records incomplete across team | Licence conditions imposed; independent expert review required | Additional reporting obligations; reputational impact; compliance costs |
| Serious | Systematic supervision failure; advice file quality issues across multiple advisers; late or absent breach reporting | Enforceable undertaking; civil penalty proceedings | Civil penalties up to $1.65m (individual) or $16.5m (corporation); compensation orders to affected clients |
| Critical | Deliberate obstruction; repeated failures after prior regulatory contact; widespread client detriment | AFSL suspension or cancellation; criminal referral | Licence loss; imprisonment possible; permanent industry ban |
Sources: ASIC Fines and Penalties; ASIC Reportable Situations Review, December 2024. Penalty amounts reflect the Commonwealth penalty unit of $330 (from 7 November 2024). General guide only — seek qualified legal or compliance advice for your specific circumstances.
About the Author
Vincent Keogh
Vincent is an operations specialist on the Callyx.ai team, writing for compliance managers and principals on how to get maximum value from recorded calls: across compliance, staff training, and business performance.
This article provides general information about preparing for ASIC compliance reviews and is not legal advice. The information is current at the date of publication. ASIC's review approach and regulatory requirements change over time. Callyx.ai does not guarantee compliance or the prevention of regulatory action. Seek qualified legal or compliance advice for guidance specific to your business and circumstances.