Spending on compliance, whether through in-house staff or external suppliers, has experienced a stark drop, according to findings from the 2025 Compliance Trends Survey by law firm Holley Nethercote.

The report revealed 40 per cent of respondents are spending less than $100,000 on internal compliance staff, down from 29 per cent in last year’s survey. 

But that decrease hasn’t translated to an increase in third-party suppliers, with 57 per cent of respondents spending less than $50,000 on external compliance, compared to 39 per cent in 2024. 

The survey further sounds the alarm on a decline in monitoring and supervision with approximately 30 per cent of licensees not having any monitoring and supervision policy, while only 28 per cent review their compliance with licensing obligations once every two years or less. 

Only 40 per cent of licensees with 16 to 50 representatives lack a monitoring and supervision policy, and 37.8 per cent (versus 26 per cent in 2024) required complaints to be made in writing despite not being a legal requirement. 

The biggest compliance concerns were the reportable situations regime (also known as breach reporting), cybersecurity, and risk management – all cited by at least nine in 10 responses. 

“While the top regulatory concerns have remained consistent in our Compliance Trends Survey for the three years we have run it, this year showed some notable changes in compliance trends, especially in relation to spending and investment,” the report said. 

In breach 

The larger the licensee, the less likely it was that a breach would go unreported, with over 27 per cent of large licensees (measured as having over 100 staff) and 28 per cent of licensees with 51-100 staff not reporting breaches.

Conversely, 33 per cent (16-50 staff), 42 per cent (six-15 staff) and 60 per cent (one to five staff) didn’t report breaches. 

Overall, 41 per cent of licensees said they reported no breaches to ASIC, while 8 per cent said they reported between 11 and 50, and 2 per cent said they reported over 50 breaches.

It matches findings from ASIC, which has been critical that the industry may not be fulfilling its obligations under the regime, but has conceded in the past that it hasn’t been the clearest regulation to follow.

The regulator is now consulting on plans to publish public dashboards containing breach reporting data in the second half of the year that identifies licensees by name. 

When it comes to cybersecurity, the number of licensees with a dedicated cyber policy has increased from 60 per cent to 76 per cent. 

“This still seems low given it was identified as the top regulatory risk for licensees,” the report said. 

But the report acknowledges this heightened status reflects the importance of the issue in the wider community as new threats continue to emerge. 

“There is also an increasing community sentiment that service providers have a responsibility to take active steps to protect clients from scams and hacking,” the report said. 

“This means that the ability to proactively identify and address cyber threats is becoming increasingly important.” 

Furthermore, the survey found a “significant increase” in AI usage from respondents – with 46 per cent using AI for minute-taking compared to 10 per cent a year ago. 

However, 20 per cent of respondents still do not use AI and have no plans to do so. 

“It would be interesting to see if this is due to non-usage or lack of awareness by compliance teams,” the report said. 

‘Conflict free’ 

The first iteration of the report found smaller licensees were less likely to disclose conflicts of interest, which has seen little change in the new report.

Approximately 55 per cent believed they have no conflict, according to the 2025 report. 

“As with previous surveys, it is surprising to find how many licensees consider that they do not have any conflicts of interest – although the trend would indicate that this number is decreasing slightly,” the report said. 

“While the percentage decreases as the size of the licensee increases, roughly a quarter of large licensees still feel that they are conflict free.” 

Standard 3 of the financial adviser Code of Ethics states “you must not advise, refer or act in any other manner where you have a conflict of interest or duty”. 

“The regulatory system works on an assumption that conflicts of interest are to be expected and managed,” the report said. 

“We would be surprised to find such a large number of financial services businesses that really do not have any conflicts of interest.” 

However, 90 per cent of respondents said they have a conflicts of interest policy and register, which the report said indicates “compliance in this area is not being overlooked – even if it is not properly understood”. 

The report included responses from 179 Australian financial services licensees and 29 from Australian credit licensees. 