The evolution of regulatory enforcement: where escalation is coming next

Global forces – including geopolitical uncertainty, the accelerating pace of AI and technological development, and mounting environmental pressures – are reshaping regulatory reforms and related enforcement priorities. In recent years, Australia’s regulatory landscape has seen a period of rapid and wide-ranging reform, with significant impacts from new merger reforms, privacy and online safety, financial crime and ESG regulation. 

As regulators test the boundaries of expanded powers and embed oversight for new regimes, the next phase of regulatory risk will increasingly be defined by the speed, intensity and focus of enforcement activity into 2027 and beyond.

Businesses operating in Australia are likely to see increased regulatory risk in these six areas: 

1. AI regulation and governance: applying existing laws to emerging technologies

In the wake of Anthropic’s announcement about its AI model Mythos, and the US government’s recent order prohibiting access to certain Anthropic models by foreign nationals, Australian regulators have issued clear signals in relation to AI governance and risk management. The Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC) have all emphasised the importance of strengthening cyber resilience and implementing systems to manage the risks associated with AI-enabled technologies. 

The Australian Government recently confirmed that its regulatory approach to AI will build on established legal and regulatory frameworks as the foundation for addressing AI-related risks as they emerge. This approach differs from that adopted in other jurisdictions where AI-specific regulation has been adopted, most notably the European Union, where the AI Act legislates a risk-based approach to the development and use of AI in the EU, with differing obligations depending on the level of privacy risk presented – there is strict regulation for high-risk systems (and outright bans for some) and lighter touch transparency obligations for lower-risk AI models.

In Australia, the focus of future reform will be influenced by the effectiveness of the regulatory response to new and emerging AI technologies relying on existing laws on privacy, data protection, intellectual property and consumer protection. Early indications of this have been evident in recent cases where the Office of the Australian Information Commissioner (OAIC) has sought to apply the Privacy Act 1988 (Cth) to AI-enabled facial recognition technologies.

To guide responsible AI development and use, the Australian Government has adopted voluntary AI Ethics Principles, last updated in December 2025. Treasury also concluded that the principles-based approach to consumer protection under the Australian Consumer Law is broadly fit for purpose in an AI-enabled environment. Overseas enforcement activity provides some insight into how these issues may evolve in practice. For example, in the United States, the Federal Trade Commission has commenced an inquiry into consumer-facing AI chatbots, focusing on steps taken by seven companies to evaluate potential harm from chatbots when acting as companions, particularly for children and teens. 

For organisations, the practical implication is that AI-related risk will continue to be assessed through established compliance lenses, and an expectation that governance, systems and controls should already be capable of responding to these issues.

A key challenge for Australian organisations operating across jurisdictions will be maintaining compliance with a range of different regulatory requirements that continue to evolve alongside AI innovation, as well as regulatory expectations around cyber resilience and AI risk management. 

2. Online safety: evolving enforcement expectations

Australia’s world-first ban on under-16s accessing social media (introduced via amendments to the Online Safety Act 2021 (Cth) in December 2025) has positioned Australia at the forefront of digital platform regulation. The eSafety Commissioner has signalled that it will pursue major platforms for inadequate age verification and compliance failures.

While the social media ban is subject to constitutional challenge in Australia, it forms part of a broader global shift towards more active regulation of digital platforms. In the United Kingdom, new child safety duties (in force from July 2025) require digital platforms to conduct risk assessments and deploy age assurance measures to prevent minors from encountering harmful content. In the United States, the Kids Online Safety Act has been reintroduced to Congress, and in the EU, the European Commission has commenced proceedings against major platforms for alleged non-compliance with child safety obligations under the Digital Services Act.

These developments are also beginning to be tested through litigation. Examples include a March 2026 decision by a Californian jury considering the first-ever social media addiction claim, and similar actions may follow in other jurisdictions. 

3. Financial crime and scams regulation: expanding scope 

Anti-money laundering and counter-terrorism (AML/CTF) reforms became effective from 31 March 2026 for entities already caught by the regime, and from 1 July 2026 for newly regulated entities. These reforms implement some of the most significant expansions of Australia’s financial crime regime since its inception, including an extension of the regime to lawyers, accountants and real estate professionals, and updating requirements relating to program design, transfers of value and ongoing customer due diligence. 

The reforms also give AUSTRAC jurisdiction over regulated entities’ compliance with financial sanctions laws and require entities to screen customers against Australian sanctions lists as part of their customer due diligence processes. This represents a notable shift in oversight, given that sanctions oversight has historically sat with the Australian Sanctions Office and the Australian Federal Police and is likely to result in increased regulatory activity in this area.

In Australia, sanctions enforcement has so far remained nascent. While proceedings against individuals for sanctions breaches have been brought in the past, there has yet to be a criminal prosecution of a corporation for sanctions offences. However, the Australian Sanctions Office has been establishing a substantial volume of guidance notes and advisory material and engaging in targeted supervisory campaigns, which may be a precursor to future enforcement activity. Australia also continued to impose new sanctions in response to global armed conflict, and reforms of Australia’s sanctions regime must be finalised before the Autonomous Sanctions Regulations 2011 (Cth) sunset on 1 October 2027. 

Alongside these developments, Australia is also moving to address the growing impact of scams. ACCC data suggests that Australians lose more than $2.5 billion to scams each year, and Australia’s new Scams Prevention Framework (SPF) introduces mandatory obligations on banks, telecommunications providers and digital platforms to prevent, detect and respond to scams. 

Internationally, there has been a similar shift towards stronger intervention, including scams compensation frameworks in the UK and Malta, and shared responsibility models in jurisdictions such as Singapore. Australia’s approach differs in seeking to regulate the full lifecycle of scams, extending responsibility across multiple sectors rather than concentrating liability within financial institutions alone.

The proposed rollout of the SPF on 31 March 2027 will give rise to a number of practical challenges, including the apportionment of liability between the three sectors, and how companies can show they had adequate scams controls in place. Regulated sectors will also need to develop internal dispute resolution mechanisms and allow for complaints to be referred to external dispute resolution before the Australian Financial Complaints Authority, a body previously only dedicated to resolving financial services complaints. The details of the regime also remain unlegislated and subject to further public consultation, with a relatively compressed implementation timeframe for affected sectors.

4. Private credit regulation: transparency, governance and rising enforcement focus

Regulators have responded to the rapid expansion of the private credit market and concerns about key vulnerabilities in the sector. The International Monetary Fund has issued repeated warnings about opaque valuations and hidden leverage. ASIC has responded by making private credit an enforcement priority, flagging material shortcomings in disclosure, fee transparency, conflict management and governance. 

This enforcement landscape is consistent with developments in other jurisdictions. In the US, the US Securities and Exchange Commission is pursuing cases against private fund advisers for undisclosed conflicts of interest tied to fees and expenses, while in the UK, the Financial Conduct Authority has identified valuation practices in private markets as a supervisory focus area. 

These developments indicate the shift towards far greater regulatory engagement with private markets is unlikely to abate any time soon. Scrutiny is likely to increase, particularly in areas such as valuation, disclosure and governance, as regulators continue to take a more active approach to regulation following ongoing reviews and ASIC litigation.

5. ESG and greenwashing: a focus on disclosure

2026 has seen the first sustainability reports filed under Australia’s new climate-related financial disclosure regime, which now sits alongside financial reporting obligations in the Corporations Act. Those sustainability reports disclose material climate-related financial risks and opportunities, scope 1, 2 and 3 greenhouse gas emissions, information about the governance of, and risk management for, those risks, and an assessment of the entity’s resilience to climate-related changes using scenario analysis based on increases in global temperatures. 

While the modified liability regime under the legislation provides reporting entities with a three-year period of immunity from civil claims by private litigants, this does not extend to any proceeding brought by ASIC. While ASIC has indicated that it will take a ‘proportionate and pragmatic’ approach to supervision and enforcement, focusing on supporting entities to meet reporting expectations, it has also indicated it will rely on its new directions power to engage with reporting entities to interrogate statements it has identified as incorrect, incomplete or misleading.  Reporting entities should be mindful that ASIC’s enforcement approach is likely to toughen as reporting entities become familiar with the new requirements.

In parallel, both ASIC and the ACCC have continued to pursue enforcement action in relation to greenwashing and associated governance failures. The ACCC has brought numerous greenwashing enforcement proceedings, and ASIC has also pursued actions against superannuation funds and fund managers for misleading sustainability-related claims in financial products. ASIC’s approach has evolved from pure greenwashing claims to enforcement action for governance failures that contributed to misleading sustainability-related claims. 

6. Corporate crime and bribery: evolving enforcement and global coordination

Recent developments suggest a changing global landscape for foreign bribery enforcement. In February 2025, a US executive order paused certain aspects of enforcement under the Foreign Corrupt Practices Act. In response, UK, French and Swiss regulators announced the creation of the International Anti-Corruption Prosecutorial Task Force in March 2025, and the Australian Federal Police established Taskforce Solaris in October 2025, a dedicated unit focused on preventing, detecting and investigating foreign bribery and corruption. In April 2026, the European Union also adopted a new EU Anti-Corruption Directive, which introduces uniform definitions of public officials, tightens the corporate penalty framework, and requires national implementation of further anti-corruption measures by 2028.

While the mutual legal assistance obligation for foreign bribery investigations and proceedings in the Organisation for Economic Co-operation and Development (OECD) Anti-bribery Convention is routinely engaged between countries, the OECD has recently published research highlighting the growth in coordinated multi-jurisdictional investigations and resolutions in relation to foreign bribery, particularly for large transnational bribery cases. The research cites the benefits of ‘synchronised accountability’ and the use of credit-granting and penalty-offset frameworks to ensure that sanctions are effective, proportionate and dissuasive, while avoiding duplicative penalties. Cross-border enforcement (and resolution) is also more likely to guarantee a fairer redistribution of the unlawful gains from foreign bribery between the participating jurisdictions. Almost all of the multi-jurisdictional resolutions studied for this research involved some form of non-trial resolution, such as a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement. 

In Australia, attention is also turning to the potential introduction of a DPA regime under the Criminal Code as part of the review of the new foreign bribery regime that was introduced in September 2024. A DPA regime would allow companies accused of foreign bribery to seek settlements with prosecutors in exchange for financial penalties and strengthened compliance programs (potentially on a coordinated basis where there are investigations involving other jurisdictions). Comparable frameworks in the US and UK already have DPA schemes and they are commonly utilised in anti-corruption enforcement action against organisations. One further argument in favour of a similar regime in Australia is that it may encourage greater self-reporting by companies.

From compliance to readiness: the next phase of regulatory enforcement

The regulatory landscape in 2026 and beyond will be defined by the implementation of recent reforms, accelerated implementation timelines and a corresponding increase in regulatory scrutiny. Across the enforcement areas discussed above, technological capability – particularly the use of AI – is expected to enhance regulators’ ability to detect wrongdoing, identify patterns and prioritise investigations. At the same time, there is a growing expectation that regulated entities will use technology to enhance their compliance systems and processes. 

The traditional approach providing extended transition periods following reform is beginning to shift. Recent frameworks, including the SPF and the amended AML/CTF Act, have been introduced without transitional compliance periods, possibly reflecting an expectation that organisations should be able to implement new requirements more quickly, supported by technology-enabled systems and controls. In this environment, the regulatory focus needs to shift to swift implementation of risk-based controls and demonstrating readiness in practice. The organisations that will be best placed to respond will be those that leverage technology to enhance risk management and fast-track compliance, maintain clear and adaptable governance frameworks, and anticipate how regulatory expectations may evolve over time.