The standards each persona answers to.
By role, in plain words.
Financial Advisors
Provide personal financial advice to retail clients under an AFSL. Spend their week on fact-finds, statements of advice, records of advice, and the supervision visits that follow.
Advisors are the front line for client dissatisfaction. The 30-day clock starts on any expression of dissatisfaction, and ASIC publishes IDR data publicly, so late or unresolved complaints surface as a public signal.
Fact-finds capture sensitive financial, health, and family information. APP 11 obligates reasonable steps to protect every record an advisor handles, and the Notifiable Data Breach scheme runs alongside, on a 30-day notification clock.
Funds Management
Manage investment portfolios for institutional and wholesale clients. Where the FUM exceeds the AASB's threshold, mandatory climate disclosure obligations arrive in the annual report.
For APRA-supervised fund managers, operational risk management is the central prudential obligation. Critical operations, third-party arrangements, and the §36 notifiable-events regime all apply.
Information security on client portfolios, holdings, and mandate documents. The 72-hour APRA notification window on a material incident is the part that keeps CIOs awake.
Climate and sustainability disclosures for Group 1 entities are mandatory from FY2025–26. Disclosures are auditor-tested, so the underlying evidence must hold up under assurance.
Licensees
Hold an AFSL and supervise the advisers operating under it. Responsible for everything those advisers do, and the standard at which their complaints, breaches, and audit evidence are handled.
Licensees own the operational risk framework that every adviser inherits. Critical operations and BCP apply to the licensee, not the individual practice.
The licensee is the information security obligation-holder. Asset registers, control testing, and notification all roll up to the licensee.
Personal information aggregated across the adviser network sits at the licensee level. The NDB scheme triggers at licensee discovery, not at individual-adviser discovery.
IDR data is reported at the licensee level. The licensee carries the systemic-issues identification obligation across the whole adviser network.
Insurance
General or life insurance firms operating claims, underwriting, and conduct. Climate-related underwriting risk and claims-dispute volumes are the two areas where AASB and ASIC currently apply the most pressure.
Claims operations are explicitly critical operations under CPS 230. Continuity, tolerance levels, and third-party risk (including reinsurers) all apply.
Insurance firms hold among the largest personal-information data sets in financial services. CPS 234 information security obligations sit on top of APP 11.
Health, financial, and identity information for every policyholder. NDB scheme triggers and access requests run at high volume here.
Claims disputes are the dominant complaint volume in insurance. The 30-day clock and final-response standard apply to every contested claim.
Super Funds
Manage retirement savings on behalf of members. RG 97 fees and costs sit alongside the standards listed here; RG 97 is super-specific and not covered in the broader compliance hub.
Member servicing, investment operations, and benefit payments are critical operations. Trustee accountability sits on top of the standard obligations.
Member data is among the most sensitive APRA-supervised dataset categories. CPS 234 controls and testing cadence apply to every system that touches a member record.
Super funds were among the first sectors required to disclose climate-related risks under the new AASB standards. Members increasingly ask about the fund's transition plan and emissions profile.
Map your role to your obligations, in forty-five minutes.
Bring your control register. We take it, map it across the standards on this page, and show you which gaps BackPro closes automatically. You keep the mapping whether you proceed with us or not.