
- Author: Nic Chin, CFO InDebted
- Posted: April 30, 2026
The CFO’s Compliance Problem
Who Owns the Risk When AI Sends the Letter?
Australia’s Unfair Trading Practices Bill shifts the compliance question from ‘did we break a rule?’ to ‘was this fair?’ For CFOs, it demands a fundamental rethink of how compliance in customer comms actually works – Nic Chin, CFO at InDebted explains more in his Op-Ed for CFO Magazine A/NZ.
On 1 April 2026, the Competition and Consumer Amendment (Unfair Trading Practices) Bill 2026 was introduced to Australia’s House of Representatives. If passed, the bill will take effect on 1 July 2027. For CFOs whose companies distribute customer communications at scale (and that applies to most of us), the clock is already ticking.
The Bill introduces a general prohibition on unfair trading practices, which refers to conduct that unreasonably distorts or manipulates consumer decision-making and causes, or is likely to cause, detriment. This change marks a structural shift in how business conduct will be assessed, moving from a paradigm that focuses on the question: ‘did we break a specific regulation?’ to one that asks: ‘was this fair for the consumer?’
For organisations running high-volume automated communications – think debt collection, telecommunications, utilities, BNPL providers, insurers and subscription businesses – the implications are immediate. These are industries where AI has an increasing influence over which message a customer receives, when, through which channel and in what tone. Systems built for efficiency were not natively built for this kind of compliance.
The financial exposure is not theoretical
Parliament has already passed the Treasury Laws Amendment (Doubling Penalties for ACCC Enforcement) Act 2026, doubling maximum penalties for breaches of the Competition and Consumer Act. The fixed monetary limb has increased from A$50 million to A$100 million per contravention. The alternative limbs – 30 per cent of adjusted turnover or three times the benefit obtained – remain unchanged.
For organisations sending millions of automated communications annually, the per-contravention framing is the critical detail. A single systemic flaw in an AI communication workflow could generate exposure across every message sent. The government has been explicit: breaching consumer law is not a line item on a balance sheet.
ASIC secured record civil penalties in the second half of 2025, with its Deputy Chair signalling an intensified focus on holding individuals to account. Australia’s Financial Accountability Regime, now live for banks and extended to insurers and super funds, requires senior executives to take reasonable steps to prevent compliance failures and makes clear that passive oversight no longer meets the bar.
Who is most exposed?
Organisations running high-volume, low-touch communication models where AI makes decisions about timing, tone or content, with or without meaningful human review – particularly those serving financially vulnerable customers – need to be on high alert.
Consider a typical automated collections workflow. An AI model determines a customer is 45 days past due, selects SMS as the channel, generates a message calibrated for urgency, schedules delivery for 7.15am and appends a payment link. Each decision – channel, content, timing, tone – is now potentially assessable under a fairness standard. Was the customer in financial hardship? Did the timing create undue pressure? Was there a reasonable opportunity to seek help?
If you cannot produce a clear audit trail showing each communication met a fairness standard, you are exposed. The governance gap is well documented. IBM’s 2025 Cost of a Data Breach Report[1], which studied 600 organisations globally, found that 97 per cent of those experiencing an AI-related security incident lacked proper AI access controls. Sixty-three per cent had no AI governance policies in place at all.
Australia is not moving in isolation. The US Consumer Financial Protection Bureau has established that there are no exceptions to consumer protection laws for new technologies. In the UK, the Financial Conduct Authority has signalled guidance on audit trails and human-in-the-loop protocols for AI in financial services. Securities class actions targeting AI misrepresentations doubled between 2023 and 2024[2]. The global direction is unmistakable.
Three questions every CFO needs to address
First: where does compliance liability sit in an automated workflow – and who owns it?
In most organisations, the answer is ambiguous. Product teams build the models, engineering deploys the infrastructure, operations manages the queues, legal drafts the policies. But when a regulator asks who was responsible for a specific message sent to a specific customer at a specific time, there needs to be a named executive who owns the answer.
Second: what does ‘compliant by design’ actually require?
It means building fairness evaluation into the communication workflow itself – pre-send assessment of vulnerability indicators, real-time content review against fairness criteria, channel and timing logic that accounts for consumer circumstances and complete audit trails recording why each message was sent. Most high-volume AI systems were not built to capture this. Retrofitting is materially more expensive than building it in.
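The collections workflow sketched above (45 days past due, SMS, urgency wording, a 7.15am send), run through the pre-send fairness gate and audit trail that ‘compliant by design’ calls for. This is an added illustration, not InDebted’s code or any regulator’s published rules: the quiet-hours window, the phrase lists, the policy label and the sample customer are constructed placeholders, and a real deployment would source its vulnerability indicators, hours and content criteria from its own legal framework.

```python
"""Added example: a pre-send fairness gate that produces an audit record for
every automated collections message. Thresholds, phrase lists and sample data
are constructed; this is not InDebted's system or any regulator's rules."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, time, timezone
from typing import Dict, List

POLICY_VERSION = "fairness-gate-example-v1"        # constructed label
QUIET_START, QUIET_END = time(21, 0), time(8, 0)   # constructed quiet-hours window
PRESSURE_PHRASES = ("immediately", "final notice", "legal action", "last chance")
HELP_PHRASES = ("hardship", "payment plan", "contact us", "need help")


@dataclass
class Customer:
    customer_id: str
    days_past_due: int
    hardship_flag: bool        # self-declared or inferred financial hardship indicator


@dataclass
class DraftMessage:
    channel: str               # e.g. "sms", "email", "push"
    body: str
    scheduled_local: str       # ISO 8601 delivery time in the customer's local time


@dataclass
class AuditRecord:
    customer_id: str
    decision: str              # "send" or "hold" (hold = human review before release)
    reasons: List[str]         # why the decision was reached, never empty
    inputs: Dict[str, object]  # the data the decision was based on
    body_sha256: str           # fingerprint of the exact text that was assessed
    policy_version: str
    checked_at: str


def in_quiet_hours(t: time) -> bool:
    """True when t falls in the overnight window [QUIET_START, QUIET_END)."""
    return t >= QUIET_START or t < QUIET_END


def evaluate(customer: Customer, draft: DraftMessage) -> AuditRecord:
    """Run the three pre-send checks and return an audit record for the message."""
    failures: List[str] = []

    # 1. Vulnerability indicator: a hardship flag diverts the message to a human.
    if customer.hardship_flag:
        failures.append("hardship indicator present: requires human review")

    # 2. Timing: a send inside the quiet-hours window is treated as undue pressure.
    when = datetime.fromisoformat(draft.scheduled_local).time()
    if in_quiet_hours(when):
        failures.append(
            f"scheduled {when:%H:%M} is inside quiet hours "
            f"{QUIET_START:%H:%M}-{QUIET_END:%H:%M}"
        )

    # 3. Content: urgency language is only acceptable alongside a help pathway.
    body = draft.body.lower()
    pressure = [p for p in PRESSURE_PHRASES if p in body]
    if pressure and not any(h in body for h in HELP_PHRASES):
        failures.append(f"urgency language {pressure} without a hardship/help pathway")

    decision = "hold" if failures else "send"
    return AuditRecord(
        customer_id=customer.customer_id,
        decision=decision,
        reasons=failures or ["all fairness checks passed"],
        inputs={
            "days_past_due": customer.days_past_due,
            "hardship_flag": customer.hardship_flag,
            "channel": draft.channel,
            "scheduled_local": draft.scheduled_local,
        },
        body_sha256=hashlib.sha256(draft.body.encode("utf-8")).hexdigest(),
        policy_version=POLICY_VERSION,
        checked_at=datetime.now(timezone.utc).isoformat(),
    )


def audit_line(record: AuditRecord) -> str:
    """Serialise one record as a JSON line for an append-only audit log."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: the article's workflow, 45 days past due, SMS at 7.15am.
    customer = Customer("cust-0001", 45, hardship_flag=False)
    draft = DraftMessage(
        "sms",
        "Your account is 45 days overdue. Pay immediately: https://pay.example/abc",
        "2027-07-05T07:15:00",
    )
    print(audit_line(evaluate(customer, draft)))
```

The point of the design is that the gate runs before the message leaves the queue and that every outcome, including a clean send, is written with its inputs, the exact text assessed and the policy version in force, which is the record a regulator would ask for when it queries one message to one customer at one time.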
Third: what is the financial case for acting now?
Organisations that embed compliance before the July 2027 commencement avoid three categories of cost: the direct penalties (up to A$100 million per contravention), the operational disruption of retrofitting live systems under time pressure and the reputational damage of an early enforcement action. The ACCC’s track record makes the risk tangible.
In FY2024 alone, consumer and industry codes enforcement yielded over A$500 million in court-ordered penalties, including A$100 million against Qantas for misleading consumers through its automated booking systems. Courts are increasingly willing to impose penalties at the higher end of the spectrum, and the doubling of maximum penalties to A$100 million per contravention in March 2026 signals the direction of travel.
What CFOs should do now
Map every automated customer touchpoint and assess fairness exposure – not just SMS and email, but push notifications, in-app messages, chatbot interactions and any communication where AI influences content, timing or targeting.
Assign named executive ownership of compliance liability for AI-assisted communications. Ambiguity in accountability is the single largest organisational risk under the new regime.
Build audit trail capability if it does not already exist. If your systems cannot produce a record of why a particular message was sent to a particular customer – including the data inputs, model logic and fairness assessment – you have a gap that needs closing before July 2027.
Model remediation costs against early investment. A system redesign conducted under regulatory pressure, against a hard deadline, with enforcement risk crystallising, will cost multiples of what the same work costs when planned properly.
Get legal and operations working from the same framework. Under a fairness-based standard, the gap between policy and practice is precisely where enforcement actions land.
Brief your board now, not six months before the deadline. This is one of the most significant shifts in Australian consumer protection in a generation. Boards informed early make orderly capital allocation decisions. Boards that learn late make expensive ones.
The shift from rule-based compliance to fairness-based assessment reflects a global regulatory consensus that automated systems interacting with consumers must meet standards beyond technical legality. For CFOs, it represents more than a legal issue to delegate: it is a financial risk to quantify, a system design decision to fund and a governance question to own.
It’s a problem we’ve spent years working through at InDebted, and the lesson that keeps repeating is simple: compliance that’s embedded into the workflow from the start costs a fraction of what it costs to retrofit later.
The Bill may not take effect until July 2027, but when you’re rewiring how millions of customer communications get sent, those 12 months will fly, so the time to act is, undoubtedly, now.
[1] https://www.ibm.com/reports/data-breach
[2] https://nysba.org/regulating-ai-deception-in-financial-markets-how-the-sec-can-combat-ai-washing-through-aggressive-enforcement/