Introduction
Contracts for difference (CFD) brokers operate in one of the Australian Securities and Investments Commission’s (ASIC) highest-risk regulatory segments, facing intense scrutiny due to the significant detriment these products can cause retail clients. High retail client losses drive this focus: 68% of investors incurred net losses of more than $458 million in the 2024 financial year alone. In response, ASIC has overseen a profound regulatory transformation, shifting from a disclosure-based regime to an outcomes-driven supervisory model that prioritises consumer protections.
ASIC’s focus has decisively shifted to scrutinising product design, client outcomes, and the operational effectiveness of compliance frameworks, particularly under the Design and Distribution Obligations (DDO) and ASIC’s CFD Product Intervention Order (PIO). Following a sector-wide review that resulted in approximately $40 million in refunds to retail investors, it is clear that a “set and forget” approach to compliance is no longer tenable. This article explains the key compliance risks facing CFD brokers and outlines the mitigation strategies required to navigate this heightened regulatory environment.
Product Design, Distribution & Onboarding Failures
The Legal Framework: DDO & Part 7.8A
The DDO regime, established under part 7.8A of the Corporations Act 2001 (Cth), fundamentally reshaped how financial products are brought to market. This legal framework requires issuers to adopt a consumer-centric approach from the earliest stages of product development.
A core requirement of the DDO regime is the creation of a Target Market Determination (TMD). According to ASIC's Regulatory Guide (RG) 274, a TMD is a mandatory document that must be prepared before any retail product distribution occurs, and must include the following:
- Consumer class: describe the specific class of consumers that comprises the product's target market;
- Distribution conditions: specify any conditions or restrictions on how the product is distributed to ensure it reaches that market; and
- Review triggers: outline events or circumstances that would trigger a review of the TMD.
Issuers have a legal obligation to take 'reasonable steps' that are likely to result in distribution being consistent with the TMD. As stated in RG 274.11, this is a key obligation that applies throughout the product's lifecycle, ensuring that the systems and controls in place are actively guiding the product to the right consumers.
Common DDO Risks for CFD Brokers
ASIC's enforcement actions and sector-wide reviews have shown that many CFD brokers have failed to transition from a paper-based compliance mindset to one that demonstrates operational effectiveness. These failures often manifest in several key areas, including:
- Overly broad Target Market Determinations: many TMDs are drafted with insufficient granularity, defining the target market so widely that they fail to exclude consumers for whom high-risk, leveraged products are unsuitable. As noted in RG 274.84, an issuer is in breach if its TMD is so broad that the product would not likely be consistent with the objectives, financial situation, and needs of an identifiable group within that market.
- Weak onboarding filters: onboarding processes frequently rely on simple self-assessment questionnaires that do not properly assess a client's suitability. Furthermore, these filters are often designed to be passed rather than to effectively screen out consumers who fall outside the product's TMD.
- Failure to use client outcomes as review triggers: many firms do not use data on poor client outcomes, such as high loss rates or frequent margin close-outs, to trigger reviews of their TMD. This "set and forget" approach ignores the DDO requirement for ongoing monitoring.
The consequences of these failures are significant, as demonstrated by the approximately $40 million in refunds paid to over 38,000 retail investors. This remediation serves as a powerful case study of what happens when a TMD is merely a 'paper-only' document. In addition, it demonstrates that ASIC will hold firms accountable not just for having a TMD, but for ensuring it works in practice to prevent consumer harm.
Mitigating DDO & Client Suitability Risks
To effectively manage DDO and client suitability risks, CFD brokers must move beyond documentation and implement robust, data-driven operational controls. Mitigation strategies should focus on three key areas:
- Data-driven TMD design: instead of relying on theoretical assumptions, your TMD should be informed by historical client trading data, loss rates, and demonstrated risk tolerance. This ensures the target market is defined with specific, measurable criteria that genuinely reflect the high-risk nature of CFD products.
- Multi-layered onboarding: you must implement a robust process with effective screening that moves away from simple self-assessment questionnaires. As suggested in RG 274.178, processes should include objective filters and scenario-based "knock-out" questions that test a prospective client's genuine understanding of leverage, volatility, and margin mechanics.
- Real-time monitoring: establish a system for tracking client outcomes with clear, trigger-based interventions. This means actively tracking metrics such as client loss rates, margin call frequency, and account closure patterns. As illustrated in Example 11 of RG 274.148, these data points should trigger an immediate TMD review or other interventions to ensure the product distribution remains appropriate.
Breaching ASIC's PIO & Marketing Rules
Legal Basis: Misleading Conduct & the PIO
Section 1041H of the Corporations Act 2001 (Cth) establishes a general prohibition against misleading or deceptive conduct in relation to financial products and services. This rule is supplemented by ASIC's PIO, which imposes specific and strict conditions on the issue and distribution of CFDs to retail clients.
The PIO came into effect on 29 March 2021 and has since been extended for five years, remaining in force until 23 May 2027. The order was introduced to address the significant detriment to retail clients and to bring Australian regulations into line with comparable overseas markets. Key conditions of the PIO include:
- Leverage Ratio Limits: maximum leverage is restricted across various asset classes. For example, the ratio is capped at 30:1 for major currency pairs; 20:1 for minor currency pairs, gold, or major stock market indices; and 2:1 for crypto-assets.
- Standardised Margin Close-Out Rules: these rules act as a circuit breaker, requiring the close-out of one or more of a retail client's CFD positions before all or most of their investment is lost.
- Negative Balance Protection: this ensures a retail client's losses are limited to the funds available in their CFD trading account.
- Prohibition on Inducements: offering or giving certain inducements to retail clients, such as trading credits, rebates, or gifts like iPads, is banned.
Misleading Promotions & PIO Non-Compliance
ASIC's enforcement activities have highlighted several common ways CFD issuers fall foul of marketing rules and the PIO. Misleading promotions often use messaging that overstates the potential profit while understating the significant risks associated with CFD trading, a key focus of Australian financial services marketing compliance. Some firms have also been found to use gamified trading interfaces with features like leaderboards that incentivise excessive trading rather than informed decision-making.
A widespread breach of the PIO identified by ASIC is the illegal practice of offering 'margin discounting' to retail clients with opposing long and short positions. This involves calculating the required margin on the net notional value or only the larger of the two positions, which effectively weakens the mandated leverage restrictions and distorts risk.
Operational failures are another frequent source of non-compliance that can lead to significant client detriment and regulatory action. These failures often include:
- Incorrect leverage settings applied to certain underlying assets; or
- System errors in the calculation and execution of margin close-outs, particularly during periods of high market volatility.
Strengthening Marketing Governance & PIO Controls
To mitigate these risks, CFD brokers should implement robust governance and control frameworks. A centralised marketing governance process is essential, requiring compliance to review and sign off on all client-facing content before publication. This ensures that all promotional materials are consistent with the product's TMD and do not target an inappropriately broad audience.
Firms must also systematically remove any prohibited incentive structures. This process includes reviewing all commercial arrangements with affiliates or introducing brokers to confirm that no structure replicates the effect of a banned inducement.
Implementing automated, system-level controls is critical for enforcing the PIO's conditions. This involves:
- Automating the enforcement of leverage limits within the trading platform to prevent overrides;
- Establishing real-time monitoring of margin positions with automated close-out triggers set at the required threshold; and
- Conducting regular system testing and validation to ensure all protections function correctly, especially after platform updates.
Managing Conflicts of Interest in Principal Trading Models
Conflict of Interest Obligations: s912A(1)(aa) & RG 181
Under section 912A(1)(aa) of the Corporations Act 2001 (Cth), Australian Financial Services (AFS) licensees must have adequate arrangements to manage conflicts of interest, a complex legal duty where guidance from AFSL lawyers is often essential. These arrangements must address conflicts arising from the financial services provided by the licensee or its representatives.
ASIC's RG 181, updated in December 2025, clarifies what constitutes "adequate arrangements". According to RG 181.7, the obligation is to manage conflicts adequately and effectively, which may involve a combination of control mechanisms and disclosure. However, if a conflict cannot be managed this way, it should ultimately be avoided.
Crucially, RG 181.78 states that for many conflicts, particularly structural ones, disclosure alone is often insufficient, which is why developing an adequate AFS conflict of interest management policy is a critical compliance obligation. As a result, simply informing a client that a conflict exists does not satisfy the licensee's obligation. Instead, firms must implement controls or avoid the conflict altogether.
How Structural Conflicts Arise in Practice
Structural conflicts are inherent to the "Principal" or market-making trading model, in which the CFD issuer acts as the counterparty to a client's trade. In this model, the broker's profit is directly linked to the client's losses. This creates a fundamental conflict between the firm's commercial interests and the client's financial outcomes.
This conflict can manifest in several ways, as follows:
- Pricing and Execution: There is an incentive for the broker to widen spreads or delay order execution, particularly during volatile market conditions, to increase its own profitability at the client's expense.
- Misaligned Incentives: Remuneration structures may reward employees based on trading volume or client losses, further embedding the conflict within the firm's operations.
- Information Asymmetry: The broker, as a market maker, has access to client order information that could be used to benefit its own proprietary trading activities, a practice known as front-running.
In contrast, the "Agent" model involves the broker routing client orders directly to an external liquidity provider or exchange. While this model carries a different risk profile, it generally reduces the direct conflict of the broker profiting from client losses, as revenue is typically generated through commissions or spreads applied by the liquidity provider. In addition, RG 181, in Table 1, highlights proprietary conflicts where a market maker might use confidential client order information to its own advantage.
An ASIC-Aligned Approach to Mitigation
ASIC expects licensees to follow a structured, four-step approach to managing conflicts, as outlined in Table 2 of RG 181. This framework requires firms to identify, assess, manage, and monitor conflicts of interest.
Applying this to the Principal trading model, an ASIC-aligned mitigation strategy involves several practical steps, including:
- Identify and Assess: Systematically map all conflicts arising from the Principal model, including those related to pricing, execution, hedging, and remuneration, and assess the materiality of each conflict based on its potential to cause client harm.
- Manage with Controls: Implement robust controls to address identified conflicts; disclosure alone is not enough. Key controls include:
  - Independent Pricing Controls: Ensure price feeds are independently sourced and regularly benchmarked against the underlying market to prevent manipulation;
  - Execution Monitoring: Implement systems to monitor execution quality, including slippage and fill rates, to ensure fairness; and
  - Review Remuneration Models: Remove or redesign incentive structures that reward staff for client losses or harmful trading behaviours.
- Disclose Transparently: Provide clear, plain-language disclosure to clients explaining the Principal trading model, the nature of the conflict, and the specific controls in place to manage it.
- Monitor and Review: Continuously monitor the effectiveness of conflict management arrangements, which include regular reviews of trading data, client outcomes, and remuneration structures to ensure they remain adequate and effective.
Addressing Weak Governance Systems & Reporting Failures
Legal Foundations for Governance & Reporting
AFS licensees are bound by general obligations under the Corporations Act 2001 (Cth) that mandate a robust internal governance structure. Specifically, Section 912A(1)(h) requires licensees to establish and maintain adequate risk management systems. According to ASIC's RG 104, this means having a structured and systematic process to identify, evaluate, and establish controls to manage the risks faced by the business, particularly those that could adversely affect consumers or market integrity.
This general duty is directly linked to the DDO. As part of taking 'reasonable steps' to ensure appropriate product distribution, ASIC's RG 274 clarifies that issuers must monitor client outcomes. Under RG 274.155, this involves using available information to review a TMD when events suggest it may no longer be appropriate. Therefore, effective risk management systems are essential for collecting and analysing the data needed for this ongoing monitoring.
The legal framework is strengthened by the reportable situations regime under section 912D of the Corporations Act 2001 (Cth). This provision requires licensees to report significant breaches, or likely significant breaches, of core obligations to ASIC. A reportable situation also includes conduct constituting gross negligence or serious fraud. This reporting duty is a cornerstone of ASIC's supervisory model, providing the regulator with critical intelligence on systemic issues within a firm or across the sector.
Identifying Common Systemic & Reporting Failures
In practice, weak governance manifests as fragmented systems and delayed reporting, creating significant compliance gaps. Common failures identified by ASIC include:
- Fragmented Systems: Many firms operate with disconnected systems for trading, client onboarding, and compliance monitoring, which creates data silos that prevent a holistic view of risk and delay the detection of breaches.
- Lack of Real-Time Monitoring: Compliance processes often rely on periodic manual reviews rather than continuous, automated surveillance, meaning that breaches of the PIO or TMD trigger events may go unnoticed until long after client harm has occurred.
- High Client Loss Rates Without Intervention: A core failure of risk management is the passive observation of poor client outcomes, as a large percentage of clients consistently losing money indicates a potential failure in product design or distribution that a robust governance framework should identify and address.
- Delayed or Inadequate Breach Reporting: Firms frequently fail to report significant breaches to ASIC within the required timeframes, often due to slow internal escalation processes or a failure to recognise that systemic issues, like a pattern of high client loss rates, constitute a reportable situation under section 912D of the Corporations Act 2001 (Cth).
The discovery of 70 million erroneous transaction reports during ASIC's sector-wide review serves as a stark example of a systemic failure, the kind that often leads to ASIC audits and investigations. This level of error points to deep-seated inadequacies in data integrity, system controls, and overall governance, rather than isolated technical glitches.
Building an Integrated & Proactive Compliance Architecture
To mitigate these risks, firms must move from a reactive, documentation-based approach to an integrated and proactive compliance architecture. This involves building systems and processes that embed compliance into daily operations. An effective framework should include:
- Integrated Compliance Systems: Implement technology that connects trading platform data with compliance monitoring tools to allow for the creation of real-time dashboards that give compliance staff and senior management immediate visibility over key risk indicators.
- Automated Client Outcome Tracking: Your systems should automatically track client outcomes, including profitability, loss rates, and margin call frequency. As outlined in ASIC's RG 104, effective risk management systems must monitor the controls in place, and this data should feed directly into the TMD review process to provide an evidence-based foundation for assessing whether the product distribution remains appropriate.
- Clear Breach Identification and Escalation: Establish a formal framework for identifying, assessing, and escalating potential breaches to ensure that reportable situations under section 912D of the Corporations Act 2001 (Cth) are promptly communicated to ASIC. Furthermore, all staff should be trained to recognise and report potential issues internally without delay.
Conclusion
To navigate ASIC's intense scrutiny, CFD brokers must effectively manage key compliance risks, including failures in product design, breaches of the PIO, and inherent conflicts of interest. This requires a fundamental shift from paper-based compliance to demonstrating active control over product distribution and measurable client outcomes.
To ensure your framework is robust and aligned with current regulatory expectations, contact our AFSL compliance lawyers at AFSL House for expert guidance on regulatory compliance and tailored frameworks. Our team assists financial services companies in securing their operations and protecting their licence through proactive risk management and ongoing monitoring.
Frequently Asked Questions
ASIC’s Product Intervention Order (PIO) for CFDs strengthens retail consumer protections by imposing several rigorous mandates on issuers. It restricts leverage ratios to a range between 30:1 for major currency pairs and 2:1 for crypto-assets, significantly limiting potential exposure. Additionally, it requires standardized margin close-out rules to liquidate positions before total investment loss and provides negative balance protection to ensure client losses do not exceed their account funds. Finally, the order prohibits offering inducements—such as trading credits or rebates—to discourage high-risk behavior, collectively ensuring a more stable and transparent trading environment for retail investors.
A TMD is a mandatory written document under the DDO that describes the class of consumers for whom a financial product is likely appropriate. According to ASIC's RG 274, it must also specify distribution conditions and set out events that would trigger a review.
The TMD is important because it forces product issuers to adopt a consumer-centric approach from the design phase. It serves as a critical benchmark for both issuers and distributors to ensure that products are directed only to the consumers for whom they were intended, helping to prevent widespread consumer harm.
No, your firm generally cannot rely solely on disclosure to manage conflicts of interest, particularly structural conflicts. ASIC's RG 181 states that while disclosure is one mechanism, it is often insufficient on its own.
Under section 912A(1)(aa) of the Corporations Act 2001 (Cth), licensees must have adequate arrangements to manage conflicts. RG 181.7 clarifies that this obligation requires a combination of control mechanisms and disclosure. If a conflict cannot be managed effectively through these means, it should be avoided altogether.
Outcomes-based supervision means ASIC now focuses on the actual results and the impact of a broker's conduct on consumers, rather than just checking whether paper-based policies and procedures exist. This approach involves scrutinising measurable client outcomes, such as client loss rates and the operational effectiveness of onboarding filters, to assess whether a firm's compliance framework is genuinely preventing consumer harm.
Breaching a PIO can lead to severe civil and criminal penalties. For individuals, this can include up to five years' imprisonment, while corporations face substantial pecuniary penalties. Additionally, retail clients who suffer loss or damage as a result of a contravention of an order are entitled to bring civil action to recover their losses.
Margin discounting for retail clients with opposing positions is considered a breach because it distorts risk and weakens the leverage restrictions mandated by the PIO. ASIC views this practice as a prohibited inducement designed to amplify trading activity, which directly contravenes the order's purpose of reducing the risks associated with high leverage for retail clients.
A reportable situation, as defined under section 912D of the Corporations Act 2001 (Cth), includes a significant breach or a likely significant breach of a core obligation by an AFS licensee or its representative. It also covers conduct that constitutes gross negligence or serious fraud. The obligation to report these situations to ASIC is a core compliance requirement for all AFS licensees.
ASIC considers an adequate risk management system to be a structured, systematic process that enables a business to identify, evaluate, and establish controls to manage its risks. According to RG 104, the focus should be on risks that could adversely affect consumers or market integrity. The system's design should be appropriate to the nature, scale, and complexity of the specific business.
Your onboarding process should go beyond simple self-assessment questionnaires to effectively assess client suitability under the DDO. According to ASIC's guidance in RG 274, the process should incorporate objective filters and scenario-based "knock-out" questions. These measures are designed to test a prospective client's genuine understanding of key risks, such as leverage and volatility, ensuring that consumers who fall outside the product's TMD are effectively screened out.









