Offshore outsourcing under the spotlight: ASIC’s multi-front focus on advice licensees

ASIC’s February 2026 Financial Advice Update is not a routine publication. It draws together five concurrent supervisory workstreams targeting advice licensees: lead generation, SMSF establishment advice, internal dispute resolution, reportable situations and offshore outsourcing. Alongside this, the update sets out more than 20 enforcement actions taken between August 2025 and February 2026. This is a clear, public statement of regulatory intent. ASIC is testing whether advice licensees are genuinely in control of their businesses, backing this scrutiny with enforcement that is material and accelerating.

Here, we unpack the offshore outsourcing review that sits at the centre of this update, consider it in the broader context of ASIC’s advice licensee agenda, and outline what advice licensees should do next.

Key takeaways

• Treat this as a single compliance challenge. The five workstreams are not separate projects and instead, reflect increased regulatory focus for the sector as a whole. Advice licensees should map their arrangements across all five areas, having regard to ASIC’s published expectations.

• Effectiveness, not just policies. The SMSF review demonstrated that pre-vetting processes failed to catch non-compliant advice even where policies existed. This review demonstrates that policies are not sufficient without testing, audit and consequence management.

• Build operational visibility. Licensees need to have the ability to identify representatives using an outsourced service providers (OSPs), which also needs to be backed up with reporting requirements and centralised registers being maintained.

• Fix offshore outsourcing governance. Licensees must establish or upgrade policies with minimum appointment requirements, IT standards consistent with cyber policies, data privacy protections, client disclosure obligations and incident response protocols. Licensees also need to conduct due diligence on providers.

• IDR and reportable situations need to be a focus. Licensees should ensure staff understand the RG 271 definition of a complaint and that systems capture every expression of dissatisfaction. Licensees should also review breach reporting and escalation pathways, and where no breach reports have been reported to date, there is a real question as to why that is the case.

• Take it to the board. The breadth of ASIC’s focus means these issues cannot be managed in siloed compliance functions. Instead, board-level engagement and ownership is essential.

The most effective advice licensees will treat the convergence of these regulatory workstreams not as a compliance exercise, but as a catalyst for demonstrating that they are genuinely in control of their businesses. By adapting early and on their own terms, the transition will be far less painful than the enforced transformations that are otherwise coming.

What the offshore outsourcing review found

Published in October 2025, the review examined ten advice licensees with financial advice businesses who used OSPs through intermediary businesses.

The review highlighted an absence of licensee governance over OSPs. This includes a failure to:

• adopt formal offshore outsourcing policies, including minimum requirements that should be expected to satisfy the licensee that the OSP meets an adequate standard;

• implement offshore specific IT policies or additional requirements;

• identify and regularly audit representatives' use of OSPs;

• establish real-time alerts or an auditing system for OSP access violations;

• undertake independent verification of intermediary representations about cybersecurity and establish policies requiring OSPs to comply with their existing cyber frameworks; and

• implement policy about client disclosure or consent before transmitting data offshore.

These structural deficiencies indicate broader risk management and governance failings.

The broader context: ASIC’s five-front advice licensee agenda

The offshore outsourcing review does not sit in isolation.

The February 2026 Financial Advice Update brings together four other workstreams being, lead generation, SMSF advice, IDR, reportable situations, each targeting a different facet of licensee responsibility. The key takeaways of these workstreams include:

• Lead generation – The Financial Advice Update highlights enforcement actions concerning lead generation practices, particularly in the context of the role of lead generation in the Shield and First Guardian collapse (see ASIC Media Release 25-180MR).

• SMSF establishment advice – ASIC's Report 824 (November 2025) highlights recurring issues, including advisers acting as order-takers, failing to take into account the clients' relevant circumstances and using “control” as a blanket justification and failing to prioritise client interests where conflicts exist.

• Internal dispute resolution (IDR) – While any expression of dissatisfaction, regardless of severity or resolution time, qualifies as a "complaint" for the purposes of ASIC's Regulatory Guide 271, ASIC's review of IDR compliance of advice licensees found widespread misunderstanding of what in fact constitutes a complaint (with several licensees believing only matters involving compensation or more serious concerns needed reporting).

• Reportable situations – A late-2025 review of advice licensees found that some licensees did not understand their reportable situations obligations, may have under-reported breaches, and had not received copies of breach reports lodged by other licensees about them.

Across these workstreams, ASIC has found the same pattern of licensees delegating functions to representatives, intermediaries or offshore providers without maintaining adequate oversight. ASIC makes it clear, delegation of functions does not mean delegation of responsibility.

The enforcement backdrop

The volume and severity of the enforcement actions gives this update particular force. Between August 2025 and February 2026:

• ASIC cancelled or suspended six Australian financial services licences, including for serious and sustained breaches of supervisory, compliance and reporting obligations.

• Multi-year bans were imposed on advisers and compliance managers for dishonest conduct with clients' superannuation accounts, inappropriate high-risk investment advice and failures of oversight, competence and reporting obligations.

• Civil penalty proceedings were commenced in respect to the Shield and First Guardian matter against superannuation trustees, advice licensees and financial advisers and their directors.

• Criminal sentences were handed down including six years’ imprisonment for fraud and theft of clients’ superannuation.

Across 2025 more broadly, ASIC doubled the number of new investigations and nearly doubled the number of new matters filed in court. Deputy Chair Sarah Court has made clear in ASIC's 2026 enforcement priorities that this momentum will continue.

What good looks like for offshore outsourcing

The offshore outsourcing review follows the pattern ASIC has adopted in private credit: contrasting poor practice with better practice to establish a de facto expectations framework.

At a macro level, ASIC expect where functions are outsourced, advice licensees:

• have measures to ensure that due skill and care are taken in choosing suitable service providers;

• monitor the ongoing performance of service providers; and

• appropriately deal with any actions by service providers that breach service level agreements or the licensee’s general obligations.

These expectations align with the approach already taken by APRA for ADIs and superannuation fund trustees.

ASIC also provides nine areas of better risk management arrangements for OSPs. Advice licensees should treat these as minimum requirements, not aspirational targets in reviewing and updating their risk management arrangements.