ASIC’s Increased Focus on Financial Hardship Obligations: A Compliance Guide for Digital Lenders

Key Takeaways

  • Omnichannel Hardship Triggers: Under Section 72 of the National Credit Code, any customer message indicating an inability to pay across any digital platform instantly starts a strict 21-day statutory clock for your business to provide a decision.
  • Automated Collection Freezes: Your core digital system must be configured to immediately suspend all debt collection activities, automatic payments, and new late fees the moment a hardship notice is identified.
  • Proportional Data Collection: To avoid ASIC penalties for high-friction user experiences, your application process must only request the minimum necessary information rather than demanding full financial statements from every applicant.
  • Mandatory Human Oversight: You cannot fully automate hardship rejections; your platform must include mandatory triggers that escalate proposed declines and vulnerable customers to a trained human agent.

Introduction

Amidst ongoing cost-of-living pressures, the Australian Securities and Investments Commission (ASIC) has significantly increased its focus on how lenders meet their financial hardship obligations. Recent enforcement actions against major Australian lenders, resulting in multi-million dollar penalties, underscore a clear message from the regulator: automated systems and digital-first processes are not an excuse for compliance failures when supporting customers experiencing financial hardship.

For digital lenders, neobanks, and Buy Now, Pay Later (BNPL) providers, this regulatory scrutiny presents a critical challenge. This guide provides essential compliance information for integrating the strict requirements of the National Credit Code into automated, app-based platforms, ensuring that technology is used to support, rather than hinder, fair and empathetic outcomes for customers.

Interactive Tool: Check Your Digital Hardship Compliance & Risk

Digital Hardship Compliance Auditor

Assess whether your automated lending platform meets the strict Section 72 hardship obligations and human-in-the-loop requirements mandated by ASIC.

✅ Compliant Digital Framework
Your system architecture appears to align with the honestly and fairly obligations under the National Consumer Credit Protection Act 2009 (Cth). By maintaining a human-in-the-loop for rejections and capturing notices across all channels, you mitigate the risks highlighted in ASIC Report 782. Ensure your RG 271 data reporting is similarly automated to maintain this standard.
Key references:
  • Section 72 of the National Credit Code
  • National Consumer Credit Protection Act 2009 (Cth)
  • Regulatory Guide 271: Internal dispute resolution (RG 271)
⚠️ Regulatory Friction Risk
Your reliance on manual tracking or high-friction entry points (like portal-only notices) creates significant compliance risk. Under Section 72 of the National Credit Code, the 21-day clock starts the moment a customer communicates difficulty, regardless of the channel. The $15.5 million penalty in the ASIC v National Australia Bank Limited [2024] FCA 791 case underscores the danger of system configuration errors that miss these notices.
Key references:
  • Section 72 of the National Credit Code
  • ASIC v National Australia Bank Limited [2024] FCA 791
  • ASIC Report 782: Hardship, hard to get help
❌ High Risk of Enforcement Action
Fully automated rejections are a critical compliance failure. ASIC’s action against Resimac establishes that ‘cookie-cutter’ automated processes breach the obligation to act efficiently, honestly, and fairly. Without a human-in-the-loop, your platform likely fails to consider individual customer vulnerabilities, which is a primary focus of current ASIC surveillance.
Key references:
  • Section 72 of the National Credit Code
  • ASIC v Resimac Limited [2024] (Ongoing)
  • ASIC v Westpac Banking Corporation [2023] FCA 1313

Understanding Section 72 of the National Credit Code

Defining a Hardship Notice in a Digital World

Under Section 72 of the National Credit Code, a financial hardship notice is triggered the moment a customer communicates that they are, or will be, unable to meet their repayment obligations.

The law does not require customers to use specific legal terms like “hardship.” Instead, a simple message indicating an inability to pay is sufficient to start the lender’s legal obligations.

For digital lenders, this means any communication channel can be a source for a valid hardship notice. Your systems must be capable of identifying these notices, whether they arrive through:

  • In-app chat or AI-powered chatbots
  • Email correspondence to support teams
  • SMS replies or other messaging platforms
  • Social media direct messages on official lender accounts

An automated system that only recognises formal applications submitted through a designated hardship portal is not compliant. The obligation begins as soon as the customer communicates their difficulty, regardless of the channel used.

Navigating the 21-Day Statutory Clocks

Once a hardship notice is received, Section 72 of the National Credit Code imposes strict, non-negotiable timelines for lenders to respond.

These statutory clocks begin the day after the notice is received, and digital systems must be configured to track them accurately to ensure compliance. Three primary scenarios dictate the response deadline.

The lender must provide a decision within one of the following timeframes:

  • 21 days after receiving the notice: This applies if you have enough information to decide without requesting further details from the customer.
  • 21 days after receiving further information: If you need additional information, you must request it within 21 days of the initial notice. Once the customer provides the requested details, you have another 21 days to make a final decision.
  • 28 days after requesting information: If you request further information, but the customer does not provide it within their 21-day response window, you must still provide a decision within 28 days of your original information request.

Failing to respond within these timeframes is a breach of the National Credit Code and can lead to significant penalties. Automated systems that create “loops” by repeatedly asking for information without human oversight risk expiring these statutory clocks.
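
Added example, not part of the original guide: a minimal deadline tracker that encodes the three scenarios exactly as listed above and flags a missed clock. The class and field names are hypothetical, dates are assumed to be calendar dates in the lender's local time zone, and treating a late information request as not extending the clock is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DECIDE = timedelta(days=21)      # decision window after the notice, or after info arrives
REQUEST_BY = timedelta(days=21)  # lender must request further info within this window
REPLY_BY = timedelta(days=21)    # customer's window to supply the requested info
NO_REPLY = timedelta(days=28)    # decision window from the request if no reply arrives


@dataclass
class HardshipCase:
    notice_received: date                  # receipt date of the message, on any channel
    info_requested: Optional[date] = None  # ORIGINAL request only; repeats never reset it
    info_received: Optional[date] = None
    decided: Optional[date] = None


@dataclass
class ClockStatus:
    deadline: date
    days_left: Optional[int]  # None once a decision has been recorded
    breaches: List[str]


def request_was_late(case: HardshipCase) -> bool:
    """True if further information was requested more than 21 days after the notice."""
    return (case.info_requested is not None
            and case.info_requested > case.notice_received + REQUEST_BY)


def decision_deadline(case: HardshipCase) -> date:
    """Last day a decision may be given, per the three scenarios in the guide."""
    notice_deadline = case.notice_received + DECIDE
    if case.info_requested is None:
        return notice_deadline                  # scenario 1: enough information
    if request_was_late(case):
        return notice_deadline                  # assumption: late request extends nothing
    reply_cutoff = case.info_requested + REPLY_BY
    if case.info_received is not None and case.info_received <= reply_cutoff:
        return case.info_received + DECIDE      # scenario 2: customer replied in time
    return case.info_requested + NO_REPLY       # scenario 3, and the bound while waiting


def check(case: HardshipCase, today: date) -> ClockStatus:
    """Evaluate a case on a given day and list any clock breaches."""
    deadline = decision_deadline(case)
    breaches = []
    if request_was_late(case):
        breaches.append("info_request_after_21_days")
    if (case.decided or today) > deadline:
        breaches.append("decision_overdue")
    days_left = None if case.decided else (deadline - today).days
    return ClockStatus(deadline, days_left, breaches)


if __name__ == "__main__":
    # Constructed sample cases, all with a notice received on 1 March 2025.
    notice = date(2025, 3, 1)
    samples = {
        "no further info": HardshipCase(notice),
        "prompt reply": HardshipCase(notice, date(2025, 3, 10), date(2025, 3, 12)),
        "no reply": HardshipCase(notice, date(2025, 3, 10)),
        "late request": HardshipCase(notice, date(2025, 3, 25)),
    }
    for name, case in samples.items():
        print(name, check(case, today=date(2025, 3, 26)))
```

Note that a prompt customer reply moves the deadline earlier than the 28-day bound shown while waiting, so a tracker that fixes the deadline at the time of the information request will overstate the time available.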

The Immediate Freeze on Collections & Fees

A critical obligation begins the moment a hardship notice is received, even before the assessment process starts.

Lenders must immediately suspend all adverse credit and collection activities while the hardship notice is under review. This freeze is an essential protection that gives customers breathing space during a difficult time.

This immediate suspension requires a lender to halt several actions, including:

  • All debt collection contact with the customer.
  • Any scheduled automatic payment attempts that could lead to arrears.
  • The accrual of new late fees during the assessment period.
  • The listing of any new defaults on the customer’s credit file.

For a digital lender, this means a hardship notice must automatically trigger a change in the customer’s account status within your core system. This action cannot be a manual downstream step; it must be an automated and immediate consequence of the notice being identified.

Designing Compliant & Friction-Free Digital Hardship UX/UI

Key Design Principles to Reduce Customer Drop-Out

ASIC has criticised lenders for creating “high-friction” digital experiences that make it difficult for customers to seek help. According to ASIC Report 782, approximately 35% of customers dropped out of the hardship application process at least once, often due to confusing or complex digital journeys.

To design a compliant and user-friendly interface that minimises this drop-out rate, lenders should focus on several key principles.

A compliant user experience should make finding and initiating a hardship request as simple as possible. This involves avoiding buried icons or multiscreen processes that create unnecessary friction for a customer already distressed.

Effective design principles include:

  • Prominent and Accessible Entry Points: Place a dedicated and clearly labelled button, such as “Financial difficulty” or “I’m struggling with payments,” on the app’s home screen, repayment screen, and within navigation menus.
  • Empathetic Language: Use plain, empathetic language instead of legal or clinical terms, for example “We’re here to help you stay on track” rather than “Submit a hardship variation request.”
  • Real-Time Progress Tracking: Implement a dashboard or status tracker that shows the customer where their application is in the process. A visible tracker showing progress against the 21-day statutory clock can build trust.
  • Proactive UI Triggers: Use predictive analytics to identify customers who may be experiencing hardship before they default, such as surfacing a “Need help with payments?” prompt when a customer misses a payment.

Proportional Data Collection & Avoiding Onerous Requests

A significant reason for high customer drop-out rates is the demand for excessive documentation. ASIC strictly warns against using blanket, automated requests for information that may not be relevant to the customer’s situation.

The principle of proportional data collection means a lender should only ask for information that is genuinely necessary to assess the specific request.

For example, asking for extensive documentation like bank statements or medical certificates for a minor form of assistance, such as a one-month payment deferral, is considered an onerous and non-compliant practice.

The legal proceedings against Resimac highlight this issue, where ASIC alleged the lender’s rigid, “cookie-cutter” process of demanding a full statement of financial position from every applicant breached the honestly and fairly obligation.

A compliant digital intake process should be adaptive and collect only the minimum information required, including:

  • The reason for experiencing financial hardship
  • The expected duration of the difficulty
  • The type of assistance the customer is seeking
  • A voluntary option to disclose any vulnerability, such as experiencing family violence

The system should not require full financial statements or certified documents as a prerequisite for submitting the initial notice. Instead, it should use progressive disclosure, where requests for more detailed information are made only if they are genuinely necessary for the specific customer’s circumstances.

Implementing a Human-in-the-Loop Protocol for Your Lender

Mandatory Triggers for Algorithm Handoff to a Human

To ensure compliance and provide genuine support, automated hardship systems must be programmed to escalate cases to a human agent under specific circumstances. These triggers act as “circuit breakers” that prevent purely algorithmic decisions in situations requiring nuanced assessment and empathy.

While relying on automation for approvals is acceptable, any proposed rejection must be reviewed by a person. Key mandatory triggers for escalating a case to a human agent include:

  • Detection of Vulnerability Markers: If the system’s language processing tools detect keywords or phrases related to domestic violence, severe illness, terminal diagnosis, or a mental health crisis, the case must be immediately routed to a specially trained human agent.
  • Repeat Hardship Notices: When a customer submits a second hardship notice within a 12-month period, automated standard offers are often insufficient. A human must review the case to understand why the initial assistance may have failed and to assess a more suitable, sustainable arrangement.
  • Proposed Rejections: An algorithm should not be programmed to issue a final rejection. If the system cannot identify a viable assistance option or calculate a sustainable repayment plan based on the data provided, it must default to a “Human Review” queue rather than an automated decline.
  • Explicit Request for Human Contact: If a customer explicitly asks to speak with a person at any point in the digital process, that request must be honoured. The system should facilitate a callback or transfer to a human agent within the statutory response window.
  • Ambiguous or Complex Information: In cases where a customer provides incomplete, contradictory, or complex information that the algorithm cannot confidently process, the matter must be escalated for human assessment.

Supporting Vulnerable Customers in an Automated Environment

Identifying and supporting vulnerable customers in a low-touch digital environment is a significant challenge, but one that ASIC expects lenders to meet with documented procedures and specialist staff.

ASIC’s reviews have found that many lenders lack adequate processes for handling hardship applications from customers experiencing vulnerability. This includes those affected by family violence, serious health conditions, or cognitive impairment.

A compliant digital lender must build structural solutions to identify and support these customers. This involves designing intake flows with voluntary, non-stigmatising disclosure options and training AI models to flag linguistic patterns of distress for human review.

Consequently, any mention of family violence, a health crisis, or bereavement should automatically route the customer to a trained human agent before any system-generated response is sent. Lenders should provide extra care and support to vulnerable customers by implementing a range of flexible arrangements, including:

  • Adopting a case-management approach: Assigning a single, experienced staff member to handle the customer’s case from end-to-end can minimise the need for them to repeat distressing circumstances.
  • Handling by specialist staff: Ensuring that cases involving vulnerability are managed by more skilled team members who have received trauma-informed communication training.
  • Providing process flexibility: This may involve expediting the assessment, waiving requirements for supporting documentation where appropriate, and tailoring communication methods to the customer’s needs.
  • Offering referrals to external services: Providing clear links and contact information for external support services, such as the National Debt Helpline and domestic violence support services, directly within the digital interface.

Meeting Your Hardship Reporting Obligations to ASIC

Capturing the Right Data for ASIC’s Surveillance

As part of its increased focus on financial hardship, ASIC expects digital lenders to capture and retain granular data on their hardship operations. Your systems must be capable of producing detailed statistics on demand to demonstrate compliance and provide insight into customer outcomes during the regulator’s surveillance activities.

High drop-out rates or numerous automated rejections can be seen by ASIC as evidence of a system designed with excessive friction.

Core data fields that your platform must be able to report on include:

  • Notice Volumes and Timestamps: The total number of hardship notices received, broken down by channel and product type, along with the exact timestamp of receipt and response for each notice.
  • Timeliness Metrics: The time taken from receiving a notice to deciding, specifically tracking compliance with the 21-day and 28-day statutory clocks.
  • Application Outcomes: Detailed approval and decline rates, categorised reasons for all rejections, and the number of customers who withdraw their application.
  • Customer Journey Metrics: The drop-out or abandonment rate, which is the percentage of customers who start a digital hardship application but do not complete it.
  • Effectiveness of Assistance: Post-assistance outcomes, such as the percentage of customers who fall back into arrears within three to six months after a hardship arrangement ends.
  • Vulnerability Data: The number of cases flagged with vulnerability indicators and the time taken to escalate these matters for human review.
  • System Failures: A log of all incidents where statutory timelines were missed, including a root cause analysis and the remediation steps taken.

Understanding Your Internal Dispute Resolution Data Reporting Duties

All Australian credit licensees have mandatory Internal Dispute Resolution (IDR) data reporting obligations, and understanding IDR & RG 271 compliance is critical. This framework requires lenders to submit detailed data to ASIC twice a year, covering the periods from January to June and July to December.

Crucially, the definition of a “complaint” under RG 271 is broad and includes any expression of dissatisfaction where a response is expected. This means many mishandled hardship notices—such as those that are delayed, unfairly declined, or poorly communicated—qualify as reportable complaints that must be included in your bi-annual data submission to ASIC.

Your IDR reporting duties for hardship-related matters include several key requirements:

  • Hardship-related complaints must be treated as time-sensitive matters.
  • You must resolve these complaints within a 21-day timeframe, which aligns with the response clock under Section 72 of the National Credit Code.
  • A written IDR response must be provided to the customer for any complaint related to a hardship notice.
  • This response must clearly state the reasons for the decision and inform the customer of their right to escalate the complaint to the Australian Financial Complaints Authority (AFCA).

Learning from Recent Australian Securities and Investments Commission Enforcement Actions

System Failures: The Westpac & National Australia Bank Cases

Recent enforcement actions by the Australian Securities and Investments Commission (ASIC) highlight the significant risks of technical and system failures in managing financial hardship obligations. These cases demonstrate that even silent, backend errors can lead to major penalties for a lender.

In its case against Westpac, ASIC focused on a technology failure where an online hardship application system malfunctioned. This glitch resulted in 229 customer hardship notices disappearing without being routed to the correct internal team for assessment.

Consequently, the impact on customers was severe:

  • Some faced debt collection activities while their unanswered notices were lost in a digital void.
  • The lender breached its obligation to respond within the 21-day timeframe under the National Credit Code.

The ASIC v National Australia Bank Ltd [2025] FCA 947 case involved a system configuration error rather than a software bug. Staff incorrectly used an option in their case management system that removed a customer’s account from the hardship workflow.

This prevented the system from generating and sending a required legal response. This failure to respond to 345 hardship applications resulted in a significant $15.5 million penalty, underscoring that both human error and system design can lead to serious compliance breaches.

The Risk of Rigid Processes: The Resimac Case

ASIC v Resimac Limited [2024] FCA 1112 establishes a critical precedent for digital lenders. Compliance with financial hardship obligations is about the quality of the process, not just meeting statutory timelines.

ASIC alleges that Resimac’s inflexible, “cookie-cutter” approach constituted a failure to act efficiently, honestly, and fairly. The regulator’s case focuses on Resimac’s practice of demanding a full, standard package of financial documents from every applicant, regardless of their individual circumstances.

When customers, particularly vulnerable ones, were unable to provide this extensive information, their applications were often rejected without:

  • Considering alternatives to the standard documentation.
  • Using information the lender already possessed.

This case signals that a “one-size-fits-all” automated workflow is a significant compliance risk. ASIC found that such a rigid process fails to provide the tailored care required.

It establishes that even if a lender responds within the 21-day clock, an inflexible system that does not consider a customer’s unique situation can still be a breach of their Australian credit licence obligations.

Conclusion

ASIC’s increased scrutiny and recent enforcement actions demonstrate that every Australian digital lender must embed the financial hardship obligations of the National Credit Code into their automated systems. This requires designing friction-free digital experiences with mandatory human oversight to ensure compliance and provide genuine, empathetic support to customers experiencing financial hardship.

Ensuring your platform meets these regulatory requirements is essential for avoiding significant penalties and reputational damage. For trusted expertise in navigating these challenges, contact AFSL House’s lawyers experienced in stringent compliance obligations today to develop a tailored compliance framework that protects your business and supports your customers.

Frequently Asked Questions (FAQ)

What legally triggers a financial hardship notice in a digital channel?

A financial hardship notice is legally triggered the moment a customer communicates through any digital channel, such as chat, email, or SMS, that they are or will be unable to meet their repayment obligations. The customer is not required to use specific legal terms like “hardship” for the notice to be valid and start the statutory clock.

Can our lender automate financial hardship rejections?

No, a lender cannot fully automate financial hardship rejections, as all proposed rejections must be reviewed by a human agent. This ensures that a customer’s individual circumstances are genuinely considered because automated “one-size-fits-all” declines are considered unlawful.

What are the potential penalties if our system misses the 21-day deadline?

The potential civil penalties for missing the 21-day deadline are severe and can be up to $16.5 million per contravention or 10% of the company’s annual turnover, whichever is greater. Recent enforcement actions against major lenders have resulted in multi-million dollar penalties for such failures.

How much information can we ask for in our hardship application?

Lenders should only ask for the minimum amount of information that is relevant and genuinely necessary to assess the customer’s specific situation and request for assistance. Requesting excessive or standardised documentation for all applications, especially for simple requests, is an onerous practice criticised by ASIC.

Do financial hardship rules apply to our Buy Now, Pay Later product?

As of 10 June 2025, financial hardship rules apply to BNPL products, which fall under the new BNPL regulation in Australia as Low Cost Credit Contracts (LCCCs) under the National Credit Code. BNPL providers are now required to apply for an Australian Credit Licence and must comply with all Section 72 hardship obligations.

What is a ‘vulnerability trigger’ in an automated system?

A ‘vulnerability trigger’ is a keyword or phrase in a customer’s communication that an automated system is programmed to detect, such as references to domestic violence, severe illness, or a mental health crisis. Once detected, the system must immediately escalate the case to a specially trained human agent for review and support.

How does a financial hardship arrangement affect a customer’s credit report?

A financial hardship arrangement is marked on a customer’s credit report for 12 months but cannot be used by credit reporting bodies to calculate a credit score. Other lenders are also prohibited from using this information to close or reduce the limit on a customer’s existing credit accounts.

What is the difference between a payment deferral & a formal hardship variation?

A short-term payment deferral of 90 days or less is a common form of temporary assistance that has less formal written notification requirements under the National Credit Code. A formal hardship variation involves longer-term or more significant changes to the credit contract and requires the lender to issue a detailed written notice outlining the new terms within 30 days.

What are the most common UX mistakes that the Australian Securities and Investments Commission criticises?

The most common UX mistakes criticised by ASIC include hiding or burying hardship options within apps, using overly complex and confusing digital journeys, and creating onerous application processes that demand excessive documentation. These high-friction experiences are a primary cause of high customer drop-out rates during the hardship application process.

Published By
Author Peter Hagias AFSL House