The agent sets the price. Your business carries the exposure.
Pricing agents are attractive because they collapse a slow commercial loop. They can monitor demand, inventory, customer behaviour and public market signals, then recommend or execute a price change in seconds. That speed can improve responsiveness. It can also remove the pauses where a pricing team once asked why competitors were moving together, what data a vendor had combined or whether a rule was training the market not to discount.
The governance mistake is to treat the agent as an external decision-maker. It is not. It is a system selected, configured and deployed by the business. Its data access, reward objective, constraints and escalation rules are governance choices. So is the decision to leave it running.
The development
Algorithmic pricing has moved beyond fixed rules and simple revenue management. The OECD's October 2025 review, Algorithmic pricing and competition in G7 jurisdictions, maps how G7 competition authorities classify algorithm-driven collusion into four main categories: algorithms as facilitators of traditional price-fixing agreements, hub-and-spoke schemes where a common provider becomes the coordination point, vertical agreements, and tacit collusion where systems learn coordinated outcomes without any explicit agreement. The report also notes that most G7 authorities have so far responded with market studies, consultations and guidance rather than heavy enforcement.
These scenarios do not all have the same legal treatment. Explicit competitor agreement remains the clearest risk. Autonomous parallel behaviour without communication raises harder questions. That uncertainty is not a reason to wait for a case. It is a reason to govern the system so the organisation can explain what the agent saw, what it was optimising and who remained responsible.
Australia's current starting point is plain. The ACCC says businesses must set prices independently of their competitors. Price fixing happens when competitors agree on pricing instead of competing against each other, and the agreement can cover selling or buying prices, minimum prices, a formula for pricing or discounting, or rebates, allowances and credit terms. Surge and dynamic pricing are not illegal in themselves, but businesses must be clear about the price consumers will pay, and misleading pricing claims, misuse of market power and anti-competitive coordination all remain unlawful.
Regulatory context
Division 1 of Part IV of the Competition and Consumer Act 2010 contains the cartel framework. Section 45AD defines a cartel provision, including a provision that has the purpose, or has or is likely to have the effect, of fixing, controlling or maintaining prices. Sections 45AF and 45AG create criminal offences for making, or giving effect to, a contract, arrangement or understanding containing a cartel provision. Sections 45AJ and 45AK contain the corresponding civil prohibitions, which regulate the same conduct without the criminal fault element.
The Act reaches further than agreements. Since 6 November 2017, section 45(1)(c) has prohibited concerted practices that have the purpose, effect or likely effect of substantially lessening competition. The ACCC's Guidelines on concerted practices describe the target as communication or cooperative behaviour that goes beyond a business independently responding to market conditions, even where it never crystallises into an understanding. That is exactly the territory where shared pricing tools, common data feeds and vendor-mediated signals live.
The legislation is technology-neutral. It does not give a business a safe harbour because a model, software supplier or autonomous workflow recommended the price. The legal analysis remains fact-specific, especially where the concern is less explicit than a traditional agreement. Competition counsel should review the exact arrangement, data flows and market setting.
The consequences are material. The ACCC's fines and penalties page currently lists penalties for individuals of up to 10 years in jail or fines of up to $728,000 per criminal cartel offence, and maximum penalties for corporations of the greater of $100 million, three times the benefit obtained, or 30 per cent of adjusted turnover during the breach period. Check the current figures at the time of advice rather than copying them into a static control document.
The international enforcement picture matters because the technology is often supplied across borders. On 4 March 2026 the UK Competition and Markets Authority published AI and collusion: frontiers, opportunities and challenges, warning businesses about rivals enforcing collusion through algorithms, hub-and-spoke exposure through shared providers and data hubs, predictable algorithms that follow price leadership and punish deviation, and autonomous systems that may learn coordinated outcomes without human intent. It landed the same week the CMA announced an investigation into suspected sharing of competitively sensitive information between major hotel chains through a third-party algorithmic pricing tool. That is not Australian law, but it is a clear supervisory signal about the evidence competition agencies are learning to examine.
What this means for GRC practitioners
The competition-risk boundary has moved upstream. A traditional review might focus on communications between sales executives and competitors. A pricing-agent review must also examine model objectives, training and feedback data, third-party integrations, market-scraping logic, common-vendor architecture and automated responses to competitor moves.
Five questions matter.
1. What does the agent optimise?
"Maximise margin" sounds like a commercial objective, not a control specification. The team needs to know the time horizon, constraints and behaviours the objective rewards. An agent that learns never to undercut a rival may produce a stable price outcome even if nobody wrote "coordinate" in the prompt. That does not establish a legal breach by itself. It does establish a scenario worth testing.
2. What competitor information enters the system?
Public prices are not the same as non-public future intentions, capacity plans, discounts or customer-level terms. Map every feed. Ask whether the vendor combines data across customers, whether benchmarking is sufficiently aggregated and historic, and whether prompts or memory can expose one customer's sensitive information to another.
3. Does a common provider become the hub?
Multiple competitors may lawfully use the same software. Risk rises if the provider combines competitively sensitive inputs or delivers recommendations that reduce uncertainty about rivals' future conduct. Procurement cannot close this with a generic confidentiality clause. GRC needs the architecture, contractual data restrictions, testing rights and evidence of tenant separation.
4. How quickly can a human intervene?
Human approval on every change may be impractical. Human accountability is still required. Set materiality thresholds, prohibited behaviours, automatic pauses and escalation triggers. A sudden convergence with competitors, repeated punishment of discounts or unexplained margin changes should move the agent out of automatic mode.
5. Can the organisation reconstruct the outcome?
Logs should show the version, inputs, constraints, recommendation, final price, override, approver where required and monitoring result. A screenshot of the dashboard is not an audit trail. Link the system to the AI use-case register so ownership and materiality remain visible at board level.

Practical implications
1. Classify pricing agents as high-control use cases
Treat direct price setting, discount control and bidding support as material commercial decision systems. Require competition, legal, model-risk, data and business-owner review before deployment. Record markets, products, decision rights and any automated-execution limit.
2. Build a competition-risk data map
Separate internal cost and demand data, public market observations, purchased benchmarks, vendor-derived signals and any non-public competitor information. Block prohibited sources technically where possible. Do not rely on a policy that the agent cannot read.
3. Test adverse market behaviours
Run controlled tests for price convergence, retaliation after discounting, dependence on a common signal, discriminatory personalisation and price movement unsupported by costs or demand. Compare agent behaviour with a baseline rule and preserve the test design. The purpose is not to prove legality through simulation. It is to detect behaviour that needs human review.
4. Put the vendor inside the control environment
Ask whether the provider trains across customer data, uses aggregate market information, allows configuration of objectives, retains prompts, changes models without notice or subcontracts data processing. Contract for logging, change notice, incident support, data separation and audit evidence. CPS 230 obligations may also matter for an APRA-regulated entity if the pricing service supports a critical operation or exposes the entity to material operational risk.
5. Predefine stop conditions
Give operations a short escalation playbook. Pause automated pricing when the agent behaves outside approved bounds, logs fail, the vendor changes a material component, sensitive data appears in the workflow or competition counsel identifies a concern. Build the evidence package using the same discipline as an AI incident response pack.

The AI angle
AI can support the control work around a pricing agent. It can compare configuration against approved rules, summarise exception logs, generate test scenarios and help investigators organise evidence. Keep the second model separated from sensitive competitor information and verify its analysis.
The bright line is accountability. An AI reviewer cannot decide whether conduct constitutes an arrangement, understanding or concerted practice, whether market effects substantially lessen competition or whether a pricing practice is lawful. Those are fact-specific legal and economic judgements.
This is also a consumer-outcomes issue. Personalised pricing and product steering can intersect with design and distribution obligations in financial services. The separate DDO and AI-driven personalisation guide covers target-market and advice boundaries. Do not collapse competition, consumer and product-governance testing into one generic "responsible AI" check.
A minimum evidence pack
Before go-live, GRC should be able to retrieve:
- the approved business objective and prohibited behaviours
- the market and product scope
- data-source and data-lineage records
- architecture showing vendor and shared-data pathways
- competition-law advice for the use case
- pre-deployment test cases and results
- materiality thresholds and human approval rules
- monitoring metrics and stop conditions
- version and change records
- incident and escalation procedures
If these records cannot be assembled before deployment, they will not become easier to reconstruct after a regulator asks.

Put ownership across the three lines
The first line should own the commercial objective, approved market scope, operational monitoring and the decision to pause. It needs people who understand why a price changed and can challenge a recommendation that is technically in bounds but commercially or ethically wrong.
The second line should set the competition-risk standard, challenge the data and vendor design, review test coverage and monitor material exceptions. It should not become the daily pricing desk. Its independence weakens if it configures the agent and later assures its own choices.
Internal audit should assess whether governance and controls are designed and operating effectively. That may require technical specialists who can inspect configuration, logs and data separation. Internal audit does not need to recreate the model. It does need enough access to test management's claims.
Competition counsel sits across the model where facts require legal judgement. Data, technology, security and procurement specialists support the evidence. Document who can stop automated execution outside business hours and who informs senior management. An accountability chart that names committees but no operational pause owner is incomplete.
Use scenario exercises to test the ownership, not only the algorithm. Simulate an unexplained competitor convergence, a vendor update that changes optimisation behaviour and a missing log stream. Measure whether the right person notices, pauses, preserves evidence and escalates within the required time.
References
- Competition and Consumer Act 2010 (Cth), Part IV, current compilation C2026C00206. https://www.legislation.gov.au/C2004A00109/latest
- ACCC, Cartels. https://www.accc.gov.au/business/competition-and-exemptions/cartels
- ACCC, Setting prices. https://www.accc.gov.au/business/pricing/setting-prices
- ACCC, Fines and penalties. https://www.accc.gov.au/business/compliance-and-enforcement/fines-and-penalties
- ACCC, Guidelines on concerted practices, 31 August 2018. https://www.accc.gov.au/about-us/publications/guidelines-on-concerted-practices
- OECD, 'Algorithmic pricing and competition in G7 jurisdictions: Emerging trends and responses', October 2025. https://www.oecd.org/en/publications/algorithmic-pricing-and-competition-in-g7-jurisdictionsf36dacf8-en.html
- UK Competition and Markets Authority, 'AI and collusion: frontiers, opportunities and challenges', 4 March 2026. https://competitionandmarkets.blog.gov.uk/2026/03/04/ai-and-collusion-frontiers-opportunities-and-challenges/
- APRA, Prudential Standard CPS 230 Operational Risk Management. https://www.apra.gov.au/standards/cps-230
Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Competition law analysis is fact-specific, obligations vary by entity and market, and penalty settings change. Always confirm your position against the current Competition and Consumer Act 2010, ACCC guidance and advice from qualified competition counsel before acting.
TheAICommand. Intelligence, At Your Command.



