What is ASIC Report 798 and what does it require for AI?
ASIC Report 798 "Beware the gap: Governance arrangements in the face of AI innovation", published on 29 October 2024, found that Australian financial services and credit licensees are adopting AI faster than they are updating their risk and compliance frameworks - and reminds boards that existing, technology-neutral obligations and directors' duties already apply to AI in full, so licensees must close that governance gap now.
REP 798 is ASIC's first report on how AFS and credit licensees are using AI. It is not a new law or a new offence. It is a surveillance finding plus a clear statement of ASIC's enforcement posture: the obligations that already bind a licensee - and the duties that already bind its directors - extend to every AI system the licensee deploys, regardless of whether the technology is labelled "AI". You can read ASIC's summary in media release 24-238MR and the full report on the ASIC website.
ASIC reviewed 23 AFS and credit licensees across retail banking, credit, general and life insurance and financial advice, analysing 624 AI use cases that were in use or being developed as at December 2023, and met with 12 of those licensees in June 2024. The central finding, in then-Chair Joe Longo's words, was that "there is the potential for a governance gap - one that risks widening if AI adoption outpaces governance in response to competitive pressures".
For an AFS or credit licensee board, GC, CRO or CISO, the practical message is direct: you cannot wait for a dedicated Australian AI Act to act. ASIC has told the market that the licensing regime, the consumer-protection regime and the Corporations Act duties already reach AI. REP 798 is the warning shot; the next step ASIC contemplates is surveillance and, where warranted, enforcement.
What governance gap did ASIC find across the 23 licensees?
ASIC found AI adoption running ahead of governance: only about half of the 23 licensees had updated their risk-management policies or procedures to address AI, just 12 of the 23 had AI policy documents, guidance or checklists referencing fairness, discrimination and bias risks, and 61% planned to increase AI use within 12 months - even as generative AI already made up 22% of use cases in development.
The numbers from REP 798 paint a consistent picture of frameworks lagging deployment:
- 624 AI use cases were in use or in development across the 23 licensees as at December 2023, with AI use accelerating year on year.
- 22% of in-development use cases were generative AI - the fastest-growing and least-understood category - even though more established techniques such as supervised learning still dominated live deployments (confirmed by MinterEllison's analysis).
- 61% of licensees planned to increase their AI use within the next 12 months, and around 30% of use cases relied on models developed by third parties - concentrating risk in vendors the licensee does not control.
- Only about half had updated risk-management policies or procedures for AI, and many had weak or absent controls for consumer fairness, bias, transparency and disclosure of AI use.
ASIC's concern is the gap between those two trends. AI was being deployed into decisions that affect consumers - pricing, underwriting, credit assessment, claims, advice and servicing - while the policies, model governance, human oversight and assurance needed to keep those decisions fair and explainable had not kept pace. ASIC singled out the risk that opaque models produce outcomes that are difficult to explain or that treat consumers unfairly, and that reliance on third-party models without adequate oversight compounds the problem. The report is, in effect, a benchmark: if your AI governance is no more mature than the licensees ASIC reviewed, you are inside the gap ASIC is now watching.
Which existing obligations does ASIC say already apply to AI?
ASIC's core position is that the financial services and credit framework is technology-neutral, so it applies to AI exactly as it applies to any other system. The anchor obligations are the AFS licensee general obligations in section 912A of the Corporations Act 2001, the equivalent credit-licensee obligations, and the directors' duty of care and diligence in section 180 - none of which contain an AI exception.
The obligations REP 798 puts front and centre are:
- Efficiently, honestly and fairly (s 912A(1)(a)). An AFS licensee must do all things necessary to ensure the financial services covered by its licence are provided efficiently, honestly and fairly. ASIC was explicit that AI that produces unfair, biased or unexplainable consumer outcomes can breach this obligation. The general conduct standard for credit licensees under the National Consumer Credit Protection Act 2009 operates to similar effect.
- Adequate risk-management systems (s 912A(1)(h)). Licensees must maintain adequate risk-management systems. ASIC's finding that only about half had updated those systems for AI goes directly to this duty.
- Adequate resources (s 912A(1)(d)). Licensees must have adequate financial, technological and human resources to provide the services and to carry out supervisory arrangements - which ASIC reads to include the people and tooling needed to govern, monitor and challenge AI.
- Directors' duty of care and diligence (s 180). Directors and officers must exercise their powers and discharge their duties with the care and diligence a reasonable person would exercise. ASIC made clear this duty extends to the adoption, deployment and oversight of AI - understanding key AI risks, ensuring an appropriate governance framework exists, and ensuring oversight, reporting and monitoring mechanisms are in place.
Because these obligations are technology-neutral, ASIC's enforcement options for AI failures are the ones it already has - including licence conditions, banning orders and civil penalty proceedings. The Hall & Wilcox and K&L Gates analyses of REP 798 both stress this technology-neutral framing: there is no regulatory holiday for AI.
How does REP 798 expose directors and officers to personal liability?
REP 798 turns AI governance into a personal-liability issue for directors and officers. Under section 180 of the Corporations Act, a director who fails to exercise reasonable care and diligence over the company's AI risk can face pecuniary penalties and disqualification - and through "stepping-stones" liability, a corporate contravention caused by inadequate AI oversight can be traced back to the individuals who allowed it.
"Stepping-stones" liability is the established mechanism by which Australian courts hold directors personally accountable: the company's contravention of a financial services or other obligation is the first step, and the director's failure to take reasonable steps to prevent it (a breach of the s 180 care-and-diligence duty) is the second. Applied to AI, the chain is straightforward - an AI system produces unfair or non-compliant consumer outcomes (a potential s 912A breach by the licensee), and a board that did not understand the risk, demand an adequate governance framework, or ensure oversight and reporting may itself have breached s 180.
REP 798 is therefore best read as a notice to directors that they are expected to:
- Understand the material AI risks the licensee is running, including where AI affects consumer outcomes and where it depends on third-party models.
- Ensure an appropriate AI governance framework exists - policies, model governance, accountability, human oversight and escalation - proportionate to the risk.
- Ensure oversight, reporting and monitoring mechanisms give the board the line of sight needed to challenge AI decisions and detect problems early.
- Avoid uncritical reliance on management or vendor assurances without independent examination of the key AI risks.
Recent ASIC enforcement against directors and officers for governance failures underscores that stepping-stones liability is not theoretical. For boards, the defensible position is documented engagement: minutes, risk reporting and an evidenced AI governance framework that show the board exercised real care and diligence over AI - not a single noting paper. To understand the underlying concept, see our explainer on what AI governance is.
How does REP 798 interact with the Financial Accountability Regime?
REP 798 sits alongside the Financial Accountability Regime (FAR), which is jointly administered by ASIC and APRA. FAR makes named accountable persons - including board members and senior executives - individually responsible for the prudent management of their area, so where AI risk falls within an accountable person's responsibilities, FAR adds a second, personal accountability layer on top of the directors' duties REP 798 invokes.
FAR replaced the Banking Executive Accountability Regime (BEAR) and commenced for authorised deposit-taking institutions on 15 March 2024 and for insurers and superannuation trustees on 15 March 2025. Under FAR, accountable entities must register their accountable persons, allocate accountabilities through accountability statements and maps, and ensure those persons act with honesty and integrity and with due skill, care and diligence, and deal with the regulators in an open and cooperative way. You can read ASIC's overview on the ASIC FAR page.
The practical interaction with AI governance is threefold:
- Allocation. AI risk does not float free - it should be mapped to an accountable person (often the CRO, CISO, or the executive owning the affected product or function) so there is a clear owner accountable for AI governance failures.
- Reasonable steps. FAR's due-skill-care-and-diligence standard mirrors the s 180 reasonable-steps expectation REP 798 relies on. The same evidence - a working AI governance framework, oversight and reporting - supports both.
- Consequences. FAR breaches can trigger civil penalties for the entity and consequences for accountable persons, including deferral or reduction of variable remuneration and disqualification, reinforcing the personal stakes ASIC flags in REP 798.
For prudentially regulated entities, REP 798 should be read together with APRA's operational-resilience and information-security expectations - see our guides on APRA CPS 230 and AI, and on APRA CPS 234 and AI. REP 798 governs conduct and consumer outcomes; CPS 230 governs operational resilience and AI vendors; FAR pins individual accountability across both.
How should an AFS or credit licensee close the REP 798 governance gap?
Closing the REP 798 gap means building an AI governance framework that demonstrably keeps AI decisions fair, explainable and overseen - then evidencing it. ASIC's best-practice expectations centre on documentation and AI governance, adequate technological and human resources, risk-management systems calibrated to AI, and disciplined oversight of third-party AI providers.
A defensible programme aligned to REP 798 addresses each area ASIC examined:
- Inventory and visibility. You cannot govern what you cannot see. Build and maintain a complete inventory of AI use cases, including shadow AI and AI capabilities embedded in third-party tools, mapped to the consumer-facing decisions they influence.
- Policy and accountability. Put in place AI policies, model governance and clear ownership that explicitly address fairness, discrimination, bias, transparency and disclosure of AI use - the very controls ASIC found largely missing.
- Human oversight and explainability. Ensure consequential AI-influenced decisions can be understood, challenged and, where required, explained to consumers, with meaningful human oversight rather than rubber-stamping.
- Risk-management systems. Extend your s 912A(1)(h) risk-management systems to cover AI-specific risks across the lifecycle, including data quality, model performance, drift and security threats such as prompt injection and data leakage.
- Third-party governance. Treat third-party model providers as a managed risk - due diligence, contractual rights and ongoing monitoring - given roughly 30% of reviewed use cases relied on external models.
- Board oversight and evidence. Give the board regular, substantive AI risk reporting and keep the records that demonstrate the s 180 and FAR care-and-diligence standards were met.
This work also positions you for the broader Australian AI regime, including the principles-based Voluntary AI Safety Standard, the wider Australian AI governance framework, and the Privacy Act automated-decision transparency reforms in our ADM transparency guide. To benchmark and structure the work, run an AI governance assessment.
How does Areebi help AFS and credit licensees act on REP 798?
Areebi is a privately deployable Secure AI Control Plane that gives Australian financial services and credit licensees the visibility, controls and evidence ASIC expects over AI - the discovery, policy enforcement, guardrails and immutable audit trail needed to show that AI decisions are governed, fair and overseen. It deploys in your own environment (Docker, Kubernetes, on-premises or private cloud) so data stays in Australia and AI usage sits inside your control perimeter rather than in an opaque external service.
Mapped honestly to what REP 798 asks of licensees, Areebi helps you:
- See every AI use case. Shadow-AI discovery and an AI inventory surface the AI tools, models and embedded AI capabilities in use - the foundation for the use-case visibility ASIC found lacking and for governing third-party AI.
- Enforce policy at runtime. A centralised policy engine and configurable guardrails apply consistent rules to AI interactions, supporting the documented controls and human-oversight expectations in REP 798.
- Protect consumers and data. Real-time data loss prevention (DLP) and guardrails help prevent sensitive data exfiltration and unsafe outputs, and mitigate threats such as prompt injection and data leakage.
- Evidence care and diligence. Immutable, queryable audit logging and granular access control create the continuous evidence base a board, CRO, GC or accountable person needs to demonstrate the s 180 and FAR standards were met.
- Reduce vendor concentration. A model-agnostic architecture supports substitution across providers, reducing lock-in to any single third-party model.
Areebi is an enabling control layer, not legal advice and not a compliance guarantee: accountability for meeting s 912A, s 180 and FAR obligations remains with the licensee and its directors. Areebi is currently in stealth and has no named customers yet, with SOC 2 readiness in progress (not yet certified). Explore the platform, the financial services solution, or request a demo to scope your REP 798 AI governance gaps.