PIR Newsletter – March 2026

On this page

Cyber Security: ASIC and AFSA are on the same page – are you?

ASIC has reinforced its expectations around cyber resilience across the financial system. With businesses increasingly being exposed to fraud, scams and cyberattacks, AFSA encourages registered trustees and registered debt agreement administrators to be vigilant and focus on strong internal controls and timely reporting. These incidents can erode trust, compromise data security and possible recoveries, and create reputational and regulatory risks for practitioners.

Technology-enabled crime continues to grow. In 2024-25, the Australian Cyber Security Centre (ACSC) reported over 84,700 cybercrime reports to ReportCyber — an average of one every 6 minutes. 

We encourage you to: 

  • maintain an understanding of the threat environment and review best practices to respond to those threats
  • review your systems and internal controls on a regular basis to ensure they remain fit for purpose 

First steps - fraud and scam risk mitigation

Review information on the ScamWatch website to ensure you are aware of the current types of scams and early warning signs.

Consider whether your internal policies and practices are appropriate including: 

  • segregation of duties
  • systems and access controls
  • delegations of authority
  • joint versus single authorisation requirements
  • documentation (including supporting documents) of transactions
  • frequency and adequacy of reconciliations and other oversight or review activities.

First steps – cyber attack risk mitigation

Review information available on the Cyber website, including the Essential Eight which outlines eight practical mitigation strategies to help protect your systems and data. Ask your information technology manager (or service provider) to:

  • assess your systems and rate them against the Essential Eight
  • provide reports on intrusion attempts targeting your systems.

This will help you understand and assess the level of risk your systems face.

It is a good idea to:

For smaller firms and sole practitioners, further security steps include:

 Inspector-General’s expectations

The Inspector-General Practice Guideline 2 (IGPG 2) sets out how practitioners must protect sensitive information, including data stored in digital or cloud-based systems.

In addition to obligations under the Notifiable Data Breach Scheme, the Inspector-General expects practitioners to notify AFSA of any cyber security incident that has resulted in a system compromise or data/privacy breach.

Why it matters

Practitioners must have clear internal processes to detect, escalate, and report any breach without delay.

Prompt reporting helps AFSA to:

  • assess the impact of an incident on your practice
  • understand the actions you’ve taken in response
  • provide regulatory guidance where appropriate
  • mitigate any exposure to our systems and data.

Cyber Risk and Mitigation Practitioner Webinar - Save the Date

AFSA, in partnership with IDCARE and The Project Lab will be hosting an upcoming Cyber Risk and Mitigation Practitioner Webinar on 25 March 2026 to help practitioners understand cyber risks and practical steps to mitigate them.

We’ll be sending an email invitation to practitioners shortly, with more information and registration details.

Official Receiver Notice (ORN) applications – what best-practice looks like

What is changing

The Official Receiver (OR) is uplifting processes to support its role as a fair and independent decision maker, to improve efficiency and deliver better outcomes for practitioners and stakeholders. Ensuring timely and efficient responses is a priority, although application quality can affect the time the OR requires to make an informed decision.

What best practice looks like to the Official Receiver

A good application will:

  • include a draft schedule (for all notice requests excluding s77CA)
  • provide clear, supporting evidence for all claims and assertions in that schedule, as aligned with the legislation the notice is sought under
  • be factual, accurate and objective
  • be free from opinion, assumption or bias
  • include current contact details for the notice recipient.

Why quality matters

High-quality applications:

  • reduce processing time by ensuring the OR gets the right information from the start
  • support timely, defensible decisions.

Common pain points for specific notice types

s139ZL:

Strong applications can be determined in a timely manner with less engagement between the OR and your office by including:

  • Evidence of the most recent assessment for each Contribution Assessment Period (CAP), including:
    • how the outstanding liability has been calculated
    • all payments made to date by the debtor.

s77CA:
Applications must include evidence showing that more than 14 days have passed since the debtor was made:

  • aware of their bankruptcy
  • aware of their obligation to file a Statement of Affairs.

Good to know

Some notice types may require up-to-date information (e.g. valuations) which cannot be provided when the application is submitted. In these cases, the OR will work with you to obtain this information.

Further updates to the ORPS7 guidance and application forms are planned throughout 2026 to streamline processes for both practitioners and the OR.

Do you have evidence of an offence? Report it

Registered trustees must refer any evidence of an offence committed by the bankrupt against the Bankruptcy Act 1966 (Cth) to AFSA.

Why it matters

You have a legislative obligation to report possible offences.

Your referrals strengthen AFSA’s intelligence and compliance work by:

  • adding to existing data regarding behaviours of individuals
  • recognising patterns of offending
  • informing the broader regulatory picture
  • increasing information-sharing with other government agencies where relevant.

How we are improving the process

AFSA is undertaking a review of its offence referral process. This work is informed by feedback from trustees and aims to streamline the process and make it easier to use.

We are working to apply a consistent and rigorous harms‑based approach to assess existing matters and new offence referrals. This approach will support more timely decisions and outcomes.

Updates and comments on referrals

We will only contact you when additional information is required, and we do not provide ongoing updates or comment on investigations or actions based on the information we receive.

Please know that the information you have shared is considered, helps us do our work effectively and provides valuable insight to the insolvency ecosystem.

Have your say – draft Practitioner Vulnerability Toolkit

AFSA has developed a draft Practitioner Vulnerability Toolkit that brings together existing AFSA resources into a central location to support practitioners, their staff and clients identify and assist people experiencing vulnerability.

We encourage our regulatory community to:

Consultation closes 5.00pm (AEST) on Friday 6 March 2026.

Publication of the IGPG for Gambling Offences – IGPG 4

This new guideline, IGPG 4, outlines the principles which govern the Inspector-General in Bankruptcy’s (IGB) decision to take enforcement action under the gambling offence provisions of the Bankruptcy Act.

It provides practitioners with clear guidance on:

  • their obligations to report gambling behaviour to the IGB
  • AFSA’s position on assessing personal insolvency matters where gambling is a contributor to bankruptcy
  • offence referral expectations in these circumstances.

AFSA encourages practitioners to refer to the IGPG 4 for guidance and support information for people experiencing gambling-related harm.

Quick links

Stay informed with these key resources and updates: