ASIC contacts you. Not about a specific complaint or a consumer dispute, but a general enquiry into how you run your licence. The question is not whether you have a compliance policy. It is not whether your brokers are trained. The question is this: how do you supervise your broker network, and what evidence do you have that you checked what your brokers were doing in their loan files?

The timing matters. ASIC launched a sector-wide best interests duty review in June 2025, sending compulsory notices to six national aggregators. The regulator received the bulk of the data in late 2025 and expects to report in 2026. At an industry event in February 2026, ASIC Senior Executive Leader Nathan Bourne stressed that licensees must conduct "monitoring and supervision in a robust way". The regulatory spotlight is on broker supervision right now.

Most ACL holders could answer the supervision question in general terms. Fewer could produce specific, file-level evidence. This post walks through what the NCCP Act requires, what ASIC's regulatory guides spell out and what "adequate supervision" looks like when someone actually reviews a broker's loan file.

This is not legal advice. It is a plain-English overview of the regulatory landscape that sits behind every ACL holder's supervision obligation.

What Section 47 actually says

The NCCP Act states the obligation plainly. Section 47(1)(e) requires the licensee to take reasonable steps to ensure that its credit representatives comply with the credit legislation. Section 47(1)(k) requires a written compliance plan documenting the licensee's arrangements and systems. Section 47(1)(g) requires that representatives are adequately trained and competent. Section 47(1)(l) requires adequate resources, including human, financial and technological resources, to carry out supervisory arrangements.

Section 47(2) establishes a scalability principle. What counts as adequate depends on the nature, scale and complexity of the credit activities. A broker group managing 25 credit representatives is held to a proportionately higher standard than one managing 3. The obligation exists at every scale.

Section 47(4) makes these civil penalty provisions. Breach of s47(1)(e) carries a maximum penalty of 5,000 penalty units for an individual. For a body corporate, the maximum is 50,000 penalty units, three times the benefit obtained or 10% of annual turnover (capped at 2.5 million penalty units).

The reasonable steps standard does not make the licensee a guarantor of perfect conduct by every representative. It does require active, documented, risk-based monitoring proportionate to the business. ASIC is explicit on this point: the obligation is assessed by what the licensee did, not by whether a breach occurred.

The regulatory guides that fill in the detail

Section 47 sets out the obligations. ASIC's regulatory guides describe what the regulator expects to see in practice. These are not enforceable standards in themselves (with the exception of specified RG 271 paragraphs, which are enforceable). They are what ASIC uses when assessing whether a licensee is meeting its obligations.

What the regulatory framework covers

  • Monitoring and supervision. The licensee must monitor and supervise its representatives (RG 205). The level of monitoring scales with the nature, scale and complexity of the business. ASIC does not expect scrutiny of every activity but does expect measures to determine compliance and a mechanism to remedy breaches.
  • Responsible lending conduct. Brokers providing credit assistance must make reasonable inquiries about the consumer's requirements, objectives and financial situation, take reasonable steps to verify the financial situation and make a preliminary assessment that the proposed credit contract is "not unsuitable" (RG 209, ss116 and 117).
  • Best interests duty. Since 1 January 2021, mortgage brokers must act in the best interests of the consumer when providing credit assistance (s158LA). Where a broker recommends a loan that is not the lowest-cost option, the file should show the factors that support that recommendation (RG 273). ASIC expects evidence of best interests duty compliance to come predominantly from the broker's records (RG 273).
  • Disclosure and credit guides. Credit representatives must provide a credit guide before providing credit assistance (s113, s158). The credit guide, any fee disclosure and the quote (where applicable, s114) form part of the pre-contractual record that file audits test.
  • Complaints handling. ACL holders must maintain their own compliant internal dispute resolution process meeting RG 271 requirements. This cannot be wholly delegated to the aggregator. Standard complaints must be resolved within 30 calendar days (RG 271) and credit hardship complaints within 21 calendar days (RG 271). Specified RG 271 paragraphs are enforceable.
  • Record keeping and documentation. The licensee must keep sufficient records of its monitoring and supervisory activities (RG 205). Supervision measures should show how the licensee tracks representatives, ensures they act within scope, monitors compliance and responds to failures (RG 205). Assessments must be retained to enable consumer requests under s120 and s132.

ASIC's guidance is clear that a licensee can outsource functions, including periodic compliance reviews of representatives (RG 205), but the licensee remains responsible. Using an aggregator's compliance tools does not transfer the legal obligation.

What adequate supervision looks like at the file level

Most of the obligations above ultimately show up in individual broker loan files. A broker either completed a proper fact find or they did not. The credit guide was either delivered before credit assistance was provided or it was not. The preliminary assessment either documented the consumer's requirements and objectives or it did not. File-level review is where supervision obligations become tangible.

  1. Credit guide delivery. The credit representative must provide a credit guide to the consumer before providing credit assistance (s113, s158). A compliant file shows the guide was delivered and acknowledged with a timestamp. A gap shows either no evidence of delivery or evidence that it was delivered after credit assistance had already begun.
  2. Fact find and needs analysis. The broker must make reasonable inquiries into the consumer's requirements, objectives and financial situation (s116). A compliant file shows a detailed fact find covering the consumer's goals, preferences, financial position and relevant circumstances. A gap shows a generic or partially completed fact find that does not clearly support the lending recommendation.
  3. Preliminary assessment. The broker must assess that the proposed credit contract is "not unsuitable" for the consumer (s117). A compliant file documents the reasoning linking the consumer's stated needs to the specific product recommended, including why it meets their requirements and objectives. A gap shows a boilerplate assessment with no consumer-specific reasoning.
  4. Best interests duty documentation. Where the recommended loan is not the lowest-cost option available, the file should show the specific factors that support the recommendation (RG 273). A compliant file contains a personalised, consumer-specific explanation. A gap shows generic statements such as "product features suit the client" without specifying which features or why they matter for this consumer.
  5. Statement of Credit Assistance (SOCA). The broker must provide a SOCA to the consumer before they enter a credit contract or increase a credit limit (s121). It must disclose the credit assistance provided, the fees and the commissions. A compliant file shows the SOCA was provided within the required timeframe. A gap shows a missing, late or incomplete SOCA.
  6. Document management and retention. The complete loan file should be retained in the document management system with all required documents accessible. A compliant file is complete and current, with every required document present in the system. A gap shows missing documents, incomplete records or files that have not been uploaded.

The question most ACL holders cannot answer

Return to the opening scenario. If ASIC asked today how you supervise your broker network, what file-level evidence would you produce? Not what policies you have. Not what training your brokers completed. What evidence that you reviewed what your brokers were doing in their loan files and acted on what you found?

Most broker businesses with six or more brokers do not have a systematic approach to answering this question. Some rely on aggregator audits, which serve the aggregator's compliance needs rather than the ACL holder's obligations. Some rely on internal reviews, which carry an inherent conflict when the reviewer reports to the same business that wrote the file. Some have no structured file audit process at all.

This is not a criticism. It is the reality of running a busy broker business with limited resources. It is also a gap, and under s47 of the NCCP Act, it is the ACL holder's responsibility to address it.

The NCCP Act is clear about who holds the supervision obligation. ASIC's regulatory guides are specific about what supervision covers. With the regulator actively reviewing broker conduct and best interests duty compliance across the industry, the question of what the ACL holder can demonstrate is more relevant now than at any point since the reforms took effect.

Independent file audits, where someone outside the business reviews broker loan files against the regulatory framework and documents what they find, are one way to build a defensible supervision evidence base. Not the only way. But a structured, proportionate one.