Compliance reference · ASIC RG 277

Remediation programs that survive ASIC.

ASIC Regulatory Guide 277 sets the expectations for how AFS and credit licensees should run remediation programs. The framework has six phases. Most programs falter at the seam between two of them, where evidence stops travelling cleanly. This page is the plain-English version.

Regulator: ASIC
Applies to: AFS + credit licensees
Latest update: 2022
Phases: Six

What it actually requires

Six phases. One chain of evidence.

RG 277 frames consumer remediation as an end-to-end pipeline. Each phase produces evidence the next phase depends on. A program that loses the chain at any seam is the program that struggles in regulator review.

01. Identification

Recognise that a remediation event may be required. Triggers come from complaints, file reviews, breach reporting, internal audit, or whistleblower disclosures. A licensee that misses the trigger is the licensee that ends up explaining itself to ASIC.

02. Scoping

Define which consumers were affected, the period in scope, and the categories of conduct. Scoping decisions need documented evidence behind them — assumptions, exclusions, and the rationale for both. ASIC expects scope to be set with reference to the consumer, not to the cost of remediation.

03. Assessment & methodology

Decide how the remediation will be calculated — fee refunds, foregone earnings, opportunity cost, interest. The methodology needs to be defensible, tested, and consistently applied. Document the methodology before running it on a single account.

04. Calculation

Run the methodology across the cohort with full chain of custody on inputs and outputs. Each consumer outcome traces back to the source data and the documented methodology. Manual spreadsheet calculations are where most programs lose ASIC.

05. Communication & payment

Notify each affected consumer in plain English, explain the issue, the remediation, and how the amount was calculated. Make the payment, retain the evidence. RG 277 has specific expectations for tone, timing, and what good looks like.

06. Reporting & closure

Report to ASIC at the cadence required, close out the program with evidence of completeness, and feed lessons learned into the control environment. A program that closed without changing how the firm operates was a refund exercise, not a remediation.

Where remediation programs lose ASIC

Four failure modes that show up in nearly every program review.

Identification triggers live in five places

Complaint files in one system, breach reports in another, audit findings in a third, file reviews in a shared drive. No single feed surfaces the cross-pattern that says "remediation event."

You learn about the issue from the regulator, not internally.

Scoping freezes the program

Months of legal review before the cohort is agreed. By the time scope is locked, the evidence has aged, customer contact details have moved, and the methodology assumptions need re-validating.

Your program ages while the issue keeps compounding.

Calculations are spreadsheet-bound

Methodology lives in a model owned by one person. Each consumer outcome is the product of a chain of formulas no audit team can defend. ASIC asks for the workings; you produce screenshots.

Your defence rests on a single Excel file.

Communication compliance lapses

Letters drift from the template. Some consumers get the wrong amount. Some get reached on the wrong channel. Each lapse is itself a remediation issue, and the program quietly grows new tails.

You remediate the remediation.

How BackPro maps to RG 277

The chain travels with the program.

BackPro is the source of record for every phase, with the audit chain that connects them. Each row below maps an RG 277 phase to the part of the platform that does the work.

RG 277 phase: Identification triggers

Complaint files, breach reports, file reviews, audit findings, and whistleblower disclosures are ingested into a single source of record. The Risk Correlator agent surfaces cross-domain patterns that suggest a remediation event before any single channel raises it formally. Findings carry severity, dedup keys, and source attribution.

RG 277 phase: Scoping & cohort definition

Cohort criteria, exclusions, and rationale live in the platform with full edit history. Each scoping assumption links to the evidence that supports it. Versioning means the scope at any point in time is reconstructible — useful when ASIC asks why a decision was made on a particular date.

RG 277 phase: Assessment & methodology

Methodology documents are versioned, signed, and chained. Test runs against representative samples are recorded with results. The audit log captures who approved what, when, and against which test outputs.

RG 277 phase: Calculation across the cohort

Calculations run as deterministic templates with explicit inputs, outputs, and intermediate workings. Each consumer outcome has a source trail back to the underlying transactions and the methodology in force at the time. No screenshots, no detached spreadsheets.

RG 277 phase: Communication & payment

Letter templates are generated against the methodology and the consumer record. Tone, timing, and channel are configured once and applied consistently. Each communication links to the calculation that backs it. Payment evidence ties to the consumer outcome.

RG 277 phase: Reporting & closure

ASIC reports are generated from the source of record, not assembled from spreadsheets. The chain of evidence — identification, scoping, methodology, calculation, communication, payment — is exportable as a single audit package. Closure documentation links lessons to control changes.

Frequently asked questions

What licensees ask before bringing AI inside a remediation program.

Who does ASIC RG 277 apply to?
RG 277 sets expectations for AFS licensees and Australian credit licensees that run consumer remediation programs. While the guide is technically guidance rather than law, ASIC treats consistent failure to meet the expectations as a supervisory matter. The latest major update was published in 2022 and broadened scope across the financial services sector.
When is a remediation program required?
A remediation program is required when conduct has caused consumer loss and the harm cannot be addressed through ordinary complaints handling. Triggers commonly include systemic fee-for-no-service issues, miscalculated interest or charges, inappropriate product placement, breach of best-interests obligations, or systemic AFCA outcomes. The threshold is consumer harm, not financial materiality to the licensee.
What does ASIC expect on identification?
ASIC expects licensees to actively look for issues, not wait for them to be raised. That means having processes that aggregate signals from complaints, file reviews, breach reports, internal audit, whistleblower channels, and AFCA outcomes — and acting when the pattern emerges. Licensees that explain a delay by saying the issue was not flagged through the formal channel often find that explanation does not land.
How does BackPro support RG 277 programs?
BackPro provides the source of record for the full six-phase pipeline: identification, scoping, methodology, calculation, communication, and reporting. The Risk Correlator agent surfaces remediation triggers across complaint, breach, audit, and review feeds. The audit log signs every action with HMAC-SHA256 and chains it to the previous entry, producing the chain-of-custody ASIC increasingly expects. Calculations run as deterministic templates, not Excel files. Communications generate from the methodology so consumers receive consistent, plain-English notifications.
Can BackPro replace our remediation consultants?
BackPro is the platform that holds the work. Consulting partners who run programs on BackPro spend their time on judgement calls — methodology design, edge cases, regulator engagement — rather than on operating the spreadsheets. Most large remediation programs are still consultant-led; BackPro changes what the consultant is paid to do.
How does BackPro itself meet our security review for an RG 277 program?
BackPro deploys entirely inside your Azure, AWS, or GCP tenant. Customer PII never leaves your perimeter. The platform is designed to align with APRA CPS 234 (Information Security) — encryption at rest and in transit, tenant isolation, role-based access control, audit logging on by default, and a tamper-evident HMAC-chained audit log. SOC 2 Type II and ISO/IEC 27001 readiness programs are underway.
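
The HMAC-SHA256 chaining mentioned in the two answers above, as an added illustration: this is not BackPro's code, and the entry fields, genesis value, and function names are assumptions made for the example. It shows which changes a chained log detects, and why the latest MAC has to be recorded outside the log to catch truncation.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed "prev" value for the first entry


def _mac(key: bytes, prev: str, seq: int, action: dict) -> str:
    # Canonical JSON so the same action always serialises to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev, "action": action},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, action: dict) -> str:
    """Append an action and return the new chain head (its MAC)."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "action": action,
                "mac": _mac(key, prev, seq, action)})
    return log[-1]["mac"]


def verify(log: list, key: bytes, expected_head: str = None):
    """Return (ok, reason). expected_head is the last MAC, kept outside the log."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain break at entry {i}"
        if not hmac.compare_digest(e["mac"], _mac(key, prev, i, e["action"])):
            return False, f"bad MAC at entry {i}"
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch (entries truncated or appended)"
    return True, "ok"


def demo_log(key: bytes):
    # Constructed sample actions, not real program data.
    log = []
    append(log, key, {"actor": "analyst1", "op": "scope.update", "cohort": "C-1"})
    append(log, key, {"actor": "approver1", "op": "methodology.approve", "version": 3})
    head = append(log, key, {"actor": "system", "op": "calculation.run", "accounts": 120})
    return log, head
```

Anyone holding the HMAC key can recompute the whole chain, so the key and the recorded head need to sit somewhere the log's writers and administrators cannot reach.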

Ready to run remediation on a chain, not a spreadsheet?

One walkthrough covers architecture, audit chain, deployment model, and how the platform maps to each RG 277 phase.