
LM-G01 · GRC · Practitioner tier

Corporations Act 2001 (Cth)

Directors Duties, AFSL, DDO, Whistleblower, and Financial Reporting

📖 24 min read · 📝 30-question assessment · 🎯 3 scoring tiers (Foundation / Practitioner / Leader)

TheAICommand Learning Library

Module metadata

  • Audience tier: Practitioner (with Foundation entry path and Leader extension content)
  • Module body word count: 4,992 words
  • Reading time: 23 minutes (calculated at 220 words per minute)
  • Assessment duration: 25 to 30 minutes (30 multiple choice questions)
  • Prerequisites: Working knowledge of Australian financial services structure and basic corporate governance vocabulary

Learning outcomes:

  1. Identify the principal obligations under sections 180 to 184 and the AFSL general obligations under s912A.
  2. Apply the Design and Distribution Obligations to a Target Market Determination scenario.
  3. Analyse the regulator interplay between ASIC and APRA on common breach patterns.
  4. Evaluate when a disclosure attracts whistleblower protection under Part 9.4AAA.
  5. Construct an AI-supported workflow for board paper drafting and TMD review with appropriate governance controls.
  6. Critique AI outputs against directors duties, privacy, and audit trail requirements.

Currency note

This module reflects the regulatory landscape as at April 2026. Where a transitional date or amendment is in flight (notably the Group 2 and Group 3 climate-related financial disclosure tranches and the Treasury consultation on continuous disclosure penalties), the position is flagged inline.


1. Executive Summary

The Corporations Act 2001 (Cth) is the consolidated statute governing companies, financial product issuers and distributors, and the directors who oversee them. The Act sits at the apex of the Australian financial services regulatory hierarchy. The Australian Securities and Investments Commission (ASIC) is the lead regulator, with the Australian Prudential Regulation Authority (APRA) exercising prudential oversight where regulated entities also hold an APRA licence. This module focuses on the five highest-impact obligation clusters: directors duties (sections 180 to 184), the Australian Financial Services Licence regime (Part 7.6), Design and Distribution Obligations (Part 7.8A), whistleblower protections (Part 9.4AAA), and the financial reporting and audit obligations (Chapters 2M and 9). It closes with the climate-related financial disclosure amendments now embedded in Chapter 2M following the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Act 2024.

Why this matters for an Australian financial services audience. Enforcement outcomes across these provisions are now routinely measured in tens of millions of dollars, with personal liability attaching to directors and responsible managers. The shift toward outcomes-based regulation under DDO and the climate disclosure expansion means traditional documentary compliance is no longer sufficient. Boards and second-line risk and compliance functions need defensible audit trails for product governance decisions, distributor monitoring, and disclosure positions. Regulator scrutiny in 2025 and 2026 has trended toward what the board knew, when it knew it, what was done, and what records exist of the activity.

What you will be able to do after this module:

  • Explain the s180 to s184 statutory tests in plain language and apply them to a board scenario.
  • Walk a colleague through the lifecycle of a Target Market Determination including review triggers.
  • Identify whether a disclosure attracts Part 9.4AAA protection and the steps required to preserve confidentiality.
  • Build a Claude or ChatGPT project space for AI-assisted board paper and TMD review production.
  • Run a maturity self-check across your control environment and identify the next 90 days of work.

2. Regulatory and Strategic Context

2.1 Issuer and statutory authority

The Corporations Act 2001 (Cth) was enacted following the 2001 referral of corporations powers from the States to the Commonwealth. It consolidated and replaced the Corporations Law and the Australian Securities and Investments Commission Act framework that preceded it. The Act is administered by ASIC under section 5B(1), with ASIC also responsible for the related Australian Securities and Investments Commission Act 2001 (Cth). Where an entity also holds an APRA licence, the prudential standards (CPS, SPS, GPS, LPS series) operate alongside the Corporations Act and do not displace it.

2.2 Scope of application

The Act applies to all Australian companies and to any person providing financial services in this jurisdiction or to Australian retail clients. Chapter 7 is the financial services chapter and is the primary entry point for AFSL holders. Chapter 2D contains the directors duties regime and applies to all directors and officers of companies registered under the Act, including de facto and shadow directors caught by the section 9 definitions. Chapter 9 captures the residual obligations including the whistleblower protections in Part 9.4AAA.

2.3 Key dates and transitional periods

  • Part 7.8A (DDO) commenced 5 October 2021 following the deferral from April 2021. RG 274 sets ASIC expectations for issuer and distributor conduct.
  • Part 9.4AAA (whistleblower) was substantially upgraded from 1 July 2019 with eligible recipient and protected disclosure expansions. RG 270 provides ASIC guidance on whistleblower policies.
  • Reportable situations regime under section 912DAA replaced the previous breach reporting regime from 1 October 2021. RG 78 sets the operating expectations.
  • Climate-related financial disclosure obligations under Chapter 2M took effect for Group 1 entities for financial years commencing on or after 1 January 2025. Group 2 entities enter the regime for financial years commencing on or after 1 July 2026. Group 3 entities enter for financial years commencing on or after 1 July 2027. The enabling legislation is the 2024 Treasury Laws Amendment package (verify exact short title before citing in a board paper). The substantive content is set by AASB S1 and AASB S2 (the Australian Sustainability Reporting Standards).
  • Treasury consultation on the continuous disclosure penalty framework (December 2025) is in flight at the time of writing. Position should be reconfirmed before relying in a board paper.

2.4 Regulator interplay (ASIC and APRA)

ASIC is the conduct and disclosure regulator and the primary administrator of the Corporations Act. APRA is the prudential regulator. For a financial services entity that is also an authorised deposit-taking institution (ADI), insurer, or RSE licensee, both regulators have jurisdiction over different aspects of the same activity. The clearest example is incident reporting. A serious operational incident at a major bank will simultaneously trigger:

  • ASIC reportable situation obligations under section 912D and section 912DAA of the Corporations Act.
  • APRA notification under CPS 230 (operational risk management) and any incident reporting standard applicable to the entity.
  • AUSTRAC reporting if there is an AML/CTF dimension under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
  • OAIC notification under the Privacy Act 1988 (Cth) where personal information was compromised and the eligible data breach threshold is met.

The interaction between regulators is governed by an MOU framework, but the entity carries the burden of identifying and discharging each obligation independently.

2.5 Strategic importance

For an Australian financial services entity, the Corporations Act is not a single risk to manage. It is the statutory backbone against which every other obligation must be reconciled. Boards that treat directors duties as a generic governance topic rather than a specific risk register item routinely encounter ASIC scrutiny when something goes wrong.

2.6 Cross-references in this learning library

  • Module LM-G02 (Privacy Act 1988 and Australian Privacy Principles) sits alongside the Corporations Act for personal information handling in connection with financial product distribution.
  • Module LM-G03 (APRA CPS 230 Operational Risk Management) establishes the operational risk and critical operation framework that intersects with directors duties (the board owns the operational risk profile).
  • Module LM-G06 (AUSTRAC AML/CTF) overlaps with the AFSL conduct obligations under section 912A.
  • Module LM-G09 (Financial Accountability Regime) places personal accountability obligations on directors and executive accountable persons that operate alongside Corporations Act duties.

Visual 1. Regulatory authority map

Designer brief (render in Lucidchart, Whimsical, or Mermaid). Top-down flowchart showing the Corporations Act 2001 (Cth) at the apex, with arrows to the four regulator nodes and their primary scope.

| Statute or framework | Lead regulator | Primary scope |
|---|---|---|
| Corporations Act 2001 (Cth) | ASIC | Companies, financial services conduct, disclosure, AFSL, DDO, whistleblower, financial reporting |
| Banking Act 1959 (Cth) and APRA Standards | APRA | Prudential supervision of ADIs, insurers, RSE licensees. Interfaces with directors duties via CPS 510 and CPS 220. |
| AML/CTF Act 2006 (Cth) | AUSTRAC | Money laundering and counter-terrorism financing controls. Overlap with s912A general obligations. |
| Privacy Act 1988 (Cth) | OAIC | Personal information handling, Notifiable Data Breach scheme. Engages directly with AFSL records and DDO data. |

3. Core Concepts and Defined Terms

3.1 Defined terms (extract)

| Term | Section reference | Working definition |
|---|---|---|
| Officers | 9 | Includes a director, secretary, or person who participates in decisions affecting the whole or substantial part of the business of the corporation. |
| Directors | 9 | A person appointed to the position regardless of name, plus any person whose instructions or wishes the directors are accustomed to act in accordance with (shadow director). |
| Financial products | 763A | A facility through which a person makes a financial investment, manages financial risk, or makes non-cash payments. |
| Retail clients | 761G | A person to whom a financial product or service is provided otherwise than as a wholesale client. Wholesale client carve-outs include the sophisticated investor and product value tests. |
| AFSL holders | 913B | A person granted an Australian Financial Services Licence to provide financial services in this jurisdiction. |
| Responsible manager | RG 105 | Individual nominated as having operational responsibility for an AFSL business and meeting the knowledge and skills standards. |
| Target Market Determinations | 994B | Document made by an issuer that identifies the class of retail clients for whom a product is likely to be appropriate, distribution conditions, and review triggers. |
| Distributors | 994C | A person who engages in retail product distribution conduct in relation to a regulated financial product. |
| Eligible whistleblowers | 1317AAA | A person who is or has been an officer, employee, supplier, or associate of the regulated entity and who makes a protected disclosure. |
| Eligible recipients | 1317AAC | A person to whom a disclosure can be made and retain Part 9.4AAA protection. Includes ASIC, APRA, officers, senior managers, auditors, and authorised whistleblower investigation officers. |
| Reportable situations | 912DAA | Includes significant breaches and likely significant breaches of core obligations, plus deemed reportable situations such as gross negligence and serious fraud. |
| Climate statement | Pt 2M.3 (as amended) | The sustainability disclosure required of in-scope entities, prepared in accordance with AASB S2 and incorporated into the financial reporting regime. |

3.2 Directors duties (sections 180 to 184)

The duty cluster is the core of corporate governance. Each section attaches different consequences.

Section 180. Care and diligence

A director or other officer must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director or officer of a corporation in the corporation's circumstances and occupied the same office. The business judgment rule in s180(2) provides a safe harbour where the director made the judgment in good faith for a proper purpose, did not have a material personal interest in the subject matter, informed themselves to the extent they reasonably believed appropriate, and rationally believed the judgment was in the best interests of the corporation.

Section 181. Good faith and proper purpose

A director or other officer must exercise their powers and discharge their duties in good faith in the best interests of the corporation and for a proper purpose. Breach is a civil penalty provision.

Section 182. Use of position

A director, secretary, other officer, or employee must not improperly use their position to gain an advantage for themselves or someone else, or cause detriment to the corporation.

Section 183. Use of information

The same prohibition applies to improper use of information obtained because the person is or has been a director, officer, or employee.

Section 184. Criminal offences

The criminal counterpart to s181 to s183. Dishonesty or recklessness moves the conduct from civil penalty to criminal liability, with imprisonment exposure of up to 15 years for the most serious offences.

3.3 AFSL regime (Part 7.6)

The AFSL is a single licence covering financial product advice, dealing, market making, custodial services, and other financial services. The licence is granted under section 913B and carries general obligations under section 912A, including the obligation to do all things necessary to ensure that financial services covered by the licence are provided efficiently, honestly, and fairly. Other licensee obligations include having adequate resources, maintaining competence, managing conflicts of interest, complying with financial services laws, and ensuring representatives are adequately trained.

3.4 DDO (Part 7.8A)

The Design and Distribution Obligations apply to issuers and distributors of retail financial products. Issuers must make a Target Market Determination identifying the class of consumers for whom the product is likely to be appropriate, the distribution conditions, the review triggers, and the maximum review intervals. Distributors must take reasonable steps to ensure distribution is consistent with the TMD, must report distributor information back to the issuer, and must not engage in retail product distribution conduct without a current TMD in place.

3.5 Whistleblower (Part 9.4AAA)

The protected disclosure regime covers disclosures made by eligible whistleblowers to eligible recipients about misconduct, an improper state of affairs, or a contravention of the Corporations Act, ASIC Act, or other listed laws. Protections include identity confidentiality (an offence to disclose without consent or another permitted purpose), civil and criminal immunity, and statutory remedies for victimisation.

3.6 Financial reporting and audit (Chapter 2M)

Chapter 2M requires preparation of financial reports, directors reports, and auditor reports. Part 2M.4 governs appointment and removal of auditors. Part 2M.4A sets the auditor independence and rotation requirements. Auditor registration sits separately under Part 9.2. The 2024 amendments embed climate-related financial disclosure into the Chapter 2M architecture, requiring sustainability reports for in-scope entities aligned to AASB S1 and AASB S2.

4. Practical Application in Australian Financial Services

Each example uses a de-identified entity profile. No real names or claimant data appear in any derived artefact.

4.1 ADI scenario. Regional bank Entity A

Trigger event. Entity A's mortgage origination team identifies a flaw in the income verification process used for a particular product cohort over a 14-month period. Approximately 1,800 loans were originated without the documented income verification standard being met. Approximately 4 percent of those loans are now in arrears or hardship.

Obligation activated.

  • Sections 912D and 912DAA reportable situation. The breach is a significant breach of section 912A (do all things necessary).
  • Section 180 directors duties for the executive committee that approved the process change.
  • APRA CPS 230 critical operation tolerance reporting. Mortgage origination is typically a critical operation.
  • Possible breaches of the National Consumer Credit Protection Act 2009 (Cth) responsible lending obligations.
  • Australian Financial Complaints Authority exposure for affected customers.

Artefact produced.

  • ASIC reportable situation lodgement via the ASIC Regulatory Portal within 30 calendar days of the entity becoming aware.
  • APRA notification per the relevant APRA reporting standard.
  • Board paper recording the breach, root cause, remediation plan, and customer remediation framework.
  • Director attestation that the directors are satisfied the response is appropriate.

Audit trail expected.

  • Discovery date with corroborating evidence.
  • Reasonable steps reasoning supporting the 30-day decision point.
  • Remediation steering committee minutes.
  • Customer communications log.
  • Provisioning workings supporting the financial reporting impact.

4.2 General insurer scenario. Entity B

Trigger event. Entity B reviews its TMD for a personal accident product following a complaint volume spike. The data shows the TMD identified target market is materially different from the actual policyholder base. A meaningful proportion of policyholders are outside the documented target market.

Obligation activated.

  • Section 994B TMD review trigger (significant dealing not consistent with the TMD).
  • Section 994E distributor reporting. Distributor information has surfaced the divergence.
  • Section 912A general obligations (financial services efficiently, honestly, and fairly).
  • ASIC reportable situation if the divergence amounts to a breach of the TMD obligations.

Artefact produced.

  • TMD revision document with effective date and review history.
  • Distributor communication updating the TMD and distribution conditions.
  • Internal product committee minutes recording the review and rationale.
  • Reportable situation lodgement if applicable.

Audit trail expected.

  • TMD initial design rationale with consumer testing evidence.
  • Distributor monitoring data covering the relevant period.
  • Complaint trend analysis with categorisation.
  • Remediation framework if customers acquired the product unsuitably.

4.3 Superannuation trustee scenario. Entity C

Trigger event. Entity C identifies that an investment option marketed as Sustainable Growth is holding a position that is inconsistent with the option's stated environmental and social screen. The position has been held for nine months.

Obligation activated.

  • Section 912A general obligations.
  • Section 1041H misleading or deceptive conduct in relation to financial services.
  • SIS Act trustee covenants, including the best financial interests duty.
  • DDO obligations if the option is a retail product subject to a TMD.
  • Climate-related disclosure obligations if relevant to the climate statement preparation.

Artefact produced.

  • Trustee board paper recording the breach and remediation plan.
  • Investment committee resolution to divest or rebalance.
  • Member communication framework with stratified messaging by impact category.
  • ASIC reportable situation lodgement.
  • Potential financial statement adjustment and updated climate statement.

4.4 AFSL holder scenario. Wealth manager Entity D

Trigger event. An employee whistleblower discloses to the Head of Compliance that a client adviser team is systematically recommending a particular product despite the product not being in the best interests of the affected clients.

Obligation activated.

  • Part 9.4AAA whistleblower protection. Eligible whistleblower, eligible recipient, qualifying disclosure.
  • Section 961B best interests duty for the affected advice.
  • Section 912A general obligations.
  • Possible section 184 criminal liability for officers if dishonesty or recklessness is established.
  • Section 912DAA reportable situation.

Artefact produced.

  • Whistleblower investigation plan with confidentiality controls.
  • Board paper recording the disclosure and management response (de-identified).
  • Adviser remediation framework with consequence management.
  • Reportable situation lodgement.
  • Customer remediation program with file-by-file evidence.

Visual 2. DDO Target Market Determination lifecycle

Designer brief (render in Mermaid, Lucidchart, or Whimsical). Linear-then-loop diagram showing six stages. Stage 1: Product concept and target market analysis. Stage 2: TMD drafted including target class, distribution conditions, review triggers, and review intervals. Stage 3: TMD published and made available before retail distribution. Stage 4: Distribution under TMD with distributor reasonable steps obligation. Stage 5: Continuous monitoring (complaints, distributor reports, significant dealings). Stage 6: Review on trigger or interval, leading back to Stage 2 (revision) or to product withdrawal.

| Stage | Activity | Owner | Evidence |
|---|---|---|---|
| 1 | Concept and target market analysis | Product team | Consumer research, competitor analysis |
| 2 | Draft TMD with class, conditions, triggers, intervals | Product team and Compliance | TMD draft, design review notes |
| 3 | Publish TMD before retail distribution starts | Product Committee | Approval minutes, publication record |
| 4 | Distribute under TMD with distributor reasonable steps | Distributors | Distribution playbooks, training records |
| 5 | Monitor complaints, distributor reports, significant dealings | Compliance and Operations | Distributor information register, complaint dashboard |
| 6 | Review on trigger or maximum interval | Product Committee | Review file, decision log, revised TMD |

Visual 3. Comparison. Section 180 statutory duty vs general law duty of care

| Element | Section 180 statutory duty | General law duty of care |
|---|---|---|
| Source | Statutory. Corporations Act 2001 (Cth) s180. | Equity and common law. Trustee-style fiduciary obligations and tort of negligence. |
| Standard | Reasonable person in the corporation's circumstances occupying the same office. | Reasonable person standard, modulated by the role and skills brought. |
| Who is owed the duty | The corporation. | The corporation. Limited circumstances for direct creditor claims when the corporation is approaching insolvency. |
| Who can enforce | ASIC, the corporation, derivative actions under Pt 2F.1A. | The corporation. Liquidator on insolvency. |
| Defence available | Business judgment rule s180(2). Four cumulative limbs. | Reliance on advice. Information barriers. Causation defences. |
| Maximum penalty | Civil pecuniary penalty up to the higher of 5,000 penalty units or three times the benefit obtained, plus disqualification. | Equitable compensation. Disgorgement. Damages. |
| Insurance | D and O cover available, subject to s199A limits on indemnity for civil penalties. | D and O cover available, subject to public policy exclusions for fraud or wilful default. |
| Limitation period | Six years from contravention for civil penalty proceedings. | Six years from breach for tort. Twelve years for deeds. |
| Common pleading | Pleaded together. ASIC routinely combines s180 with s181. | Pleaded in addition to s180 to capture remedies not available under the Act. |

Visual 4. Directors duties severity and likelihood heat map (illustrative)

Designer brief. 5x5 risk heat map with severity on the vertical axis and likelihood on the horizontal axis. The table below specifies the placement of each scenario. Render with green for low, amber for moderate, and red for severe.

| Scenario | Severity (1-5) | Likelihood (1-5) | Heat band |
|---|---|---|---|
| Failure to disclose material information to the board prior to a key vote | 5 | 3 | Severe |
| Approval of a strategy without obtaining required external advice | 4 | 3 | Moderate to Severe |
| Inadequate board minutes that omit the rationale for a decision | 3 | 4 | Moderate |
| Director receives a personal benefit not declared to the board | 5 | 2 | Severe |
| Late distribution of board pack reduces preparation time | 2 | 4 | Low to Moderate |

Visual 5. Illustrative penalty exposure ranges (2025 enforcement context)

Designer brief. Stacked bar chart with one bar per provision cluster, showing the typical lower-quartile, median, and upper-quartile civil penalty exposure observed in published 2024 and 2025 ASIC enforcement matters. Figures below are illustrative ranges and should not be used for case-specific risk reserving.

| Provision cluster | Lower quartile (illustrative) | Median (illustrative) | Upper quartile (illustrative) |
|---|---|---|---|
| AFSL s912A general obligations | $1.5m | $10m | $60m+ |
| DDO Pt 7.8A failures | $0.5m | $5m | $20m |
| Directors duties s180 to s184 | $25k | $250k + disqualification | $1.5m + criminal |
| Whistleblower victimisation Pt 9.4AAA | $0.2m | $1m | $3m |
| Continuous disclosure (s674 / s675) | $0.5m | $5m | $30m |

Source. Synthesis of published ASIC enforcement outcomes 2024 to 2025. Illustrative only. Upper-quartile figures reflect outlier matters and should not be used for case-specific reserving. Penalty unit value was set to $330 by the Crimes Amendment (Penalty Unit) Act 2024; verify the current indexed value in the Crimes Act 1914 (Cth) s4AA before relying. Section 1317G corporate penalty caps allow penalties up to the greater of 50,000 penalty units, three times the benefit obtained, or 10 percent of annual turnover capped at 2.5m penalty units.

The five things to remember

  1. Directors duties are owed to the corporation. ASIC enforces them. The board needs evidence of process, not just outcomes.
  2. The AFSL general obligations under section 912A are the spine of conduct regulation. Every breach assessment starts here.
  3. DDO is outcomes-based. A current TMD is not enough. The distribution data must show consistency.
  4. Whistleblower confidentiality is a strict liability obligation. Identity disclosure without consent is an offence.
  5. Climate disclosure is now a financial reporting obligation. AASB S2 sits inside Chapter 2M, not alongside it.

5. Operating This Framework With AI

This section builds a Claude or ChatGPT project space for a Company Secretariat function. The project space drafts board papers, maintains the directors duties register, runs TMD reviews, and triages whistleblower disclosures, with mandatory de-identification and human-in-the-loop checkpoints.

5.1 Use cases at scale

  1. Board paper distillation. Convert a 60-page board pack into a 5-page directors brief that highlights decisions required, conflicts to declare, and material risks to question.
  2. Directors duties register maintenance. Track each section 180 to 184 obligation with the supporting evidence, reviewer, and review date. Auto-flag stale entries.
  3. TMD review against distributor information. Compare actual distribution data against the documented target market and produce a draft review file with supporting analysis.
  4. Reportable situation drafting. Convert an incident timeline into a draft section 912DAA notification with required content fields populated and gaps surfaced.
  5. Whistleblower disclosure triage. Produce a de-identified intake summary, a confidentiality control checklist, and a draft acknowledgement to the discloser.
  6. Director onboarding briefing. Produce a tailored briefing pack covering directors duties, prior board decisions, key litigation, and current risk register.
  7. Climate disclosure gap analysis. Map current disclosure content against AASB S2 line items and surface the gaps with priority and effort estimates.
  8. Comparative analysis. Benchmark a draft board paper against an internal style guide and against published peer disclosures to lift quality before circulation.
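The Entity B scenario in 4.2, stages 5 and 6 of the TMD lifecycle in Visual 2, and use case 3 above all turn on the same check: compare the actual policyholder base against the documented target class and test the TMD's review triggers. The following is an added example of that check, not code from this module, from TheAICommand, or from any regulator. The target class criteria, the trigger thresholds, the policyholder records and the `TargetMarket`, `ReviewTriggers`, `assess_distribution` and `sample_review` names are all constructed for illustration; in practice the class and the thresholds come from the TMD itself, and the data is the de-identified distributor information register.

```python
"""Added example: TMD consistency check over de-identified distribution data.

Everything here is constructed for illustration. The real target class and
review triggers are whatever the TMD (s994B) says they are, and the input
is the de-identified distributor information register, never customer files.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class TargetMarket:
    """Constructed target class for a personal accident product (hypothetical)."""
    min_age: int
    max_age: int
    permitted_occupation_classes: set
    excluded_states: set = field(default_factory=set)

    def includes(self, holder: dict) -> bool:
        """True when a de-identified holder record sits inside the target class."""
        return (self.min_age <= holder["age"] <= self.max_age
                and holder["occupation_class"] in self.permitted_occupation_classes
                and holder["state"] not in self.excluded_states)


@dataclass
class ReviewTriggers:
    """Constructed review triggers; the real values are set in the TMD."""
    max_out_of_market_ratio: float   # share of holders outside the class
    max_complaints_per_1000: float   # complaint rate per 1,000 policies
    max_review_interval_days: int    # maximum review interval in days


def assess_distribution(tmd: TargetMarket, triggers: ReviewTriggers,
                        holders: list, complaints: int,
                        last_review: date, today: date) -> dict:
    """Compare actual holders against the TMD class and test each trigger.

    Returns a draft review file: counts, ratios, which triggers fired, and
    the out-of-market rows so a human reviewer can inspect them before any
    decision is minuted (the human-in-the-loop checkpoint).
    """
    outside = [h for h in holders if not tmd.includes(h)]
    total = len(holders)
    ratio = len(outside) / total if total else 0.0
    complaint_rate = complaints * 1000 / total if total else 0.0
    days_since = (today - last_review).days
    fired = []
    if ratio > triggers.max_out_of_market_ratio:
        fired.append("significant_dealing_outside_target_market")
    if complaint_rate > triggers.max_complaints_per_1000:
        fired.append("complaint_rate_exceeded")
    if days_since >= triggers.max_review_interval_days:
        fired.append("maximum_review_interval_reached")
    return {
        "policies": total,
        "outside_target_market": len(outside),
        "outside_ratio": round(ratio, 3),
        "complaints_per_1000": round(complaint_rate, 1),
        "days_since_review": days_since,
        "triggers_fired": fired,
        "review_required": bool(fired),
        "outside_records": outside,  # de-identified rows for the reviewer
    }


def sample_review() -> dict:
    """Run the check on a constructed ten-policy register (no real data)."""
    tmd = TargetMarket(min_age=18, max_age=64,
                       permitted_occupation_classes={"A", "B"})
    triggers = ReviewTriggers(max_out_of_market_ratio=0.15,
                              max_complaints_per_1000=20.0,
                              max_review_interval_days=365)
    # Constructed, de-identified holder rows: policy reference only, no names.
    holders = [
        {"ref": "P-0001", "age": 30, "occupation_class": "A", "state": "NSW"},
        {"ref": "P-0002", "age": 45, "occupation_class": "B", "state": "VIC"},
        {"ref": "P-0003", "age": 67, "occupation_class": "A", "state": "QLD"},
        {"ref": "P-0004", "age": 29, "occupation_class": "C", "state": "NSW"},
        {"ref": "P-0005", "age": 52, "occupation_class": "A", "state": "WA"},
        {"ref": "P-0006", "age": 70, "occupation_class": "B", "state": "SA"},
        {"ref": "P-0007", "age": 38, "occupation_class": "B", "state": "NSW"},
        {"ref": "P-0008", "age": 23, "occupation_class": "A", "state": "VIC"},
        {"ref": "P-0009", "age": 41, "occupation_class": "C", "state": "TAS"},
        {"ref": "P-0010", "age": 58, "occupation_class": "B", "state": "QLD"},
    ]
    return assess_distribution(tmd, triggers, holders, complaints=0,
                               last_review=date(2025, 9, 1),
                               today=date(2026, 4, 25))


if __name__ == "__main__":
    result = sample_review()
    print(f"{result['outside_target_market']} of {result['policies']} policies "
          f"outside target market; triggers fired: {result['triggers_fired']}")
```

The output is deliberately a structured review file rather than a verdict: the ratio, the rows behind it and the trigger that fired are what the Product Committee minute and the distributor communication need to cite, and they are the evidence ASIC would expect to see in the review file under stage 6.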

5.2 Project space setup

Claude Project (preferred for governance-grade outputs)

  1. Create a new Project named [Entity] Company Secretariat - Corporations Act.
  2. Upload knowledge sources: the entity's directors duties register, board charter, sub-committee charters, current TMDs, whistleblower policy, reportable situations playbook, prior 12 months of board minutes (de-identified), and the entity's house style guide.
  3. Add a Skill or System Prompt scaffold (see 5.3) that locks the role, the constraints, the prohibited inputs, and the required output format.
  4. Configure file structure inside the project: /Briefs, /TMD-Reviews, /Reportable-Situations, /Whistleblower, /Templates, /Reference. Treat the project as a controlled environment with version-numbered files.
  5. Naming convention: ENT-CS-YYYYMMDD-{type}-{topic}-vN. For example, ENT-CS-20260425-TMD-PersonalAccident-v1.

ChatGPT Custom GPT (alternative for ChatGPT-only environments)

  1. Create a Custom GPT named Corporations Act Secretariat Co-pilot.
  2. Add Instructions covering role, constraints, prohibited inputs, output format, and escalation triggers.
  3. Upload knowledge files (as above) under Knowledge. Disable code interpreter unless required for spreadsheet work.
  4. Disable web browsing for confidential drafting work. Enable only when sourcing public regulator material.
  5. Configure conversation starters that map to the eight use cases.
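Steps 2 and 5 of the project setup above rely on two controls that are easy to state and easy to skip: every knowledge file is de-identified before upload, and every file carries the ENT-CS-YYYYMMDD-{type}-{topic}-vN name so versions are traceable. The following is an added example of a pre-upload gate that enforces both, written for this module and not part of it or of TheAICommand's tooling. The identifier patterns (email, Australian mobile, nine-digit number, account number), the allowed type codes, the sample texts and the `check_name`, `find_identifiers`, `preflight` and `sample_preflight` names are all constructed assumptions; the page gives only TMD as a type example, so the type set is a guess at a mapping onto the folder structure in step 4. A regex scan does not detect free-text names, so a clean result means "no obvious identifiers", not "de-identified".

```python
"""Added example: pre-upload gate for the Company Secretariat project space.

Checks a file name against ENT-CS-YYYYMMDD-{type}-{topic}-vN and scans the
content for obvious customer identifiers. Patterns and type codes are
constructed assumptions, not the module's or any vendor's standard.
"""
import re
from datetime import datetime

# Naming convention from project setup step 5.
NAME_RE = re.compile(r"^ENT-CS-(\d{8})-([A-Za-z]+)-([A-Za-z0-9]+)-v(\d+)$")

# Assumed type codes mapped onto the step 4 folders (only TMD is on the page).
ALLOWED_TYPES = {"BRIEF", "TMD", "RS", "WB", "TEMPLATE", "REF"}

# Constructed identifier heuristics. A hit means stop and check, not proof.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "au_mobile": re.compile(r"\b(?:\+61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
    "nine_digit_number": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|number)?\s*[:#]?\s*\d{6,10}\b", re.I),
}


def check_name(filename: str) -> list:
    """Return naming violations for a file; an empty list means compliant."""
    stem = filename.rsplit(".", 1)[0]          # drop the extension
    match = NAME_RE.match(stem)
    if not match:
        return ["does not match ENT-CS-YYYYMMDD-{type}-{topic}-vN"]
    ymd, doc_type, _topic, _version = match.groups()
    problems = []
    try:
        datetime.strptime(ymd, "%Y%m%d")       # rejects 20261345 and similar
    except ValueError:
        problems.append(f"invalid date {ymd}")
    if doc_type.upper() not in ALLOWED_TYPES:
        problems.append(f"unknown type {doc_type}")
    return problems


def find_identifiers(text: str) -> dict:
    """Return {pattern_name: [matches]} for every pattern that hits."""
    hits = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def preflight(filename: str, text: str) -> dict:
    """Combine both controls; upload_allowed is False on any finding."""
    naming = check_name(filename)
    identifiers = find_identifiers(text)
    return {
        "file": filename,
        "naming_violations": naming,
        "identifier_hits": identifiers,
        "upload_allowed": not naming and not identifiers,
    }


def sample_preflight() -> dict:
    """Gate two constructed files: one compliant, one that must be blocked."""
    clean = ("Board minutes (de-identified). The Product Committee reviewed "
             "TMD-PersonalAccident-v1 on 25 April 2026. Complaint volume rose "
             "12 percent. Policyholder PH-0007 sits outside the target class.")
    dirty = ("Customer Jane Citizen (jane.citizen@example.com, 0412 345 678, "
             "account number 12345678) complained about the product.")
    return {
        "clean": preflight("ENT-CS-20260425-TMD-PersonalAccident-v1.md", clean),
        "dirty": preflight("TMD-review-final.docx", dirty),
    }


if __name__ == "__main__":
    for label, result in sample_preflight().items():
        print(label, "allowed" if result["upload_allowed"] else "blocked",
              result["naming_violations"], sorted(result["identifier_hits"]))
```

Run it as a pre-commit or pre-upload hook over the /Briefs, /TMD-Reviews and /Whistleblower folders so that a file with a bare customer email or account number never reaches the model, and so that a mis-named file cannot silently replace an earlier version. The whistleblower folder deserves the strictest treatment: a discloser's identity leaking into an uploaded intake note is exactly the confidentiality breach Part 9.4AAA makes an offence.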

5.3 Prompt library (Role / Context / Task / Constraints / Output Format / Quality Bar)

Prompt 1. TMD review checklist

Role. You are a senior product governance analyst preparing a TMD review under section 994B of the Corporations Act 2001 (Cth).

Context. I am reviewing the TMD for the [PRODUCT_NAME] product. I will provide the current TMD, the distributor information for the past 12 months, and the complaint dashboard for the same period. All data is de-identified. No customer identifiers appear in the input.

Task. Produce a structured TMD review checklist with three blocks: 1) Class consistency analysis. 2) Distribution conditions adequacy review. 3) Review trigger assessment. For each block, list the evidence needed, the test to apply, the conclusion in plain language, and the recommended action.

Constraints. Do not speculate beyond the data provided. Where data is missing, state the gap and what would need to be obtained. Cite section 994B and section 994E where relevant. Australian English. No em dashes.

Output format. Markdown table for the three blocks plus a 150-word executive summary suitable for the Product Committee minute.

Quality bar. Pass if every conclusion is traceable to a data point in the input and the recommended action specifies an owner and a deadline.

Prompt 2. Director onboarding briefing

Role. You are an experienced Company Secretary onboarding a new non-executive director.

Context. The new director will join the [ENTITY] board on [DATE]. They have a [BACKGROUND] background and limited prior exposure to financial services regulation. I will provide the entity's strategic plan, the current risk appetite statement, the past four board minute packs (de-identified), and the directors duties register.

Task. Produce a 6-page director onboarding briefing covering: section 180 to 184 duties in plain language, the entity's risk profile and current strategic priorities, the matters before the board in the next 90 days, the standing conflicts register, and the specific decisions the new director should expect to be asked to make.

Constraints. No real personal information beyond names that already appear on public board lists. No claimant or customer detail. Cite Corporations Act sections by full reference. Australian English. No em dashes.

Output format. Word document layout. Six pages. Each section under 800 words. Plain language. Side-bar callouts for the highest-risk items.

Quality bar. Pass if a director with no prior financial services experience can read the briefing and articulate their three highest-priority focus areas.

Prompt 3. Reportable situation draft

Role. You are a compliance lawyer preparing a draft section 912DAA reportable situation notification.

Context. I will provide an incident timeline (de-identified), the system logs, the impacted client cohort sizes, and the root cause analysis. The entity is an AFSL holder.

Task. Draft the ASIC Regulatory Portal notification. Populate every required field. Surface any gaps in the underlying information. Provide the supporting reasoning for the significance assessment under RG 78 paragraphs 78.92 to 78.97.

Constraints. No customer identifiers. No commentary on legal privilege beyond the standard non-waiver caveat. Cite section 912A, section 912D, and section 912DAA explicitly. Australian English. No em dashes.

Output format. Two parts. Part 1: completed notification fields in table format. Part 2: cover memo to the General Counsel with the significance assessment reasoning (under 600 words).

Quality bar. Pass if the reasoning would withstand cross-examination on the breach versus likely-breach distinction and on the timing of awareness.

Prompt 4. Board paper distillation

Role. You are a board pack editor preparing a directors brief from a 60-page board paper.

Context. I will provide the full board paper. The paper covers [TOPIC]. The board meeting is in 5 business days.

Task. Produce a 5-page directors brief with: 1) the decision being requested. 2) the three highest-risk issues a director should test. 3) the conflicts to declare. 4) the standing committee work that has informed the paper. 5) the questions a prudent director would ask. 6) any matter that should be referred to a sub-committee before the board decides.

Constraints. Preserve the original numbering and section references for traceability. Australian English. No em dashes. Do not introduce facts that are not in the source paper.

Output format. Five pages. Plain English. Each section labelled. A one-page Decision Summary as page one.

Quality bar. Pass if a director who reads only the brief can vote, identify the conflicts, and ask the most useful question in the meeting.

Prompt 5. Whistleblower disclosure triage

Role. You are a Whistleblower Investigation Officer applying the entity's policy under Part 9.4AAA.

Context. I will provide the disclosure intake form and the discloser's available preferences for communication. The disclosure has been received within the past 24 hours.

Task. Produce four artefacts. 1) A de-identified intake summary suitable for the General Counsel. 2) A confidentiality control checklist covering identity protection, file handling, and the need-to-know list. 3) A draft acknowledgement to the discloser within the entity's documented acknowledgement timeframe (the SLA is set by the entity's whistleblower policy, not the Act). 4) A risk-rated triage assessment indicating the likely investigation pathway.

Constraints. Never include the discloser's name, role, or any identifier in the intake summary. Apply section 1317AAE confidentiality strictly. Australian English. No em dashes.

Output format. Four artefacts in separate sections. Each labelled. Acknowledgement in letter format with merge fields.

Quality bar. Pass if the General Counsel can read the intake summary without being able to deduce the discloser's identity, and the discloser receives an acknowledgement within the policy SLA that explains protections clearly.

Prompt 6. Climate disclosure gap analysis

Role. You are a climate disclosure specialist preparing a gap analysis against AASB S2.

Context. I will provide the entity's current sustainability report (most recent published year) and the AASB S2 line item index. The entity is a Group 2 entity and enters mandatory disclosure for the financial year commencing 1 July 2026.

Task. Produce a line-by-line gap analysis: AASB S2 disclosure requirement, current state, gap, remediation effort, owner, target date.

Constraints. Do not speculate on commercial information not in the source. Cite the specific AASB S2 paragraph. Note any disclosure that would require board sign-off. Australian English. No em dashes.

Output format. Excel-ready table. Plus a 200-word executive summary highlighting the three highest-effort gaps.

Quality bar. Pass if the analysis identifies every AASB S2 disclosure requirement, ranks them by effort, and a Group 2 timetable can be built directly from it.

5.4 Governance, audit, privacy, and risk appetite controls

Mandatory de-identification

  • All claim, customer, employee, and discloser identifiers are removed before input. Use placeholders such as [CLIENT_REF], [WHISTLEBLOWER_REF], [STAFF_REF] in working drafts.
  • Where structured data is required, mask the identifier columns and replace with hashed references.
  • Document the de-identification approach in the prompt history file.

Human-in-the-loop checkpoints

  • Initial intake: a human reviewer confirms the input is appropriate for AI processing.
  • Pre-output: a second human reviews the draft against the prompt's quality bar before circulation.
  • Pre-decision: any artefact going to the board, a regulator, or an external party must be signed off by an accountable named officer.

Prohibited inputs

  • Personal information protected under the Privacy Act 1988 (Cth) (APP 1, 6, 11) unless de-identified.
  • Market sensitive information not yet released to the market under the continuous disclosure regime.
  • Sanctions data and DFAT-listed names that are subject to special handling.
  • Whistleblower identifying information (a strict liability prohibition under section 1317AAE).
  • Legally privileged communications unless privilege management protocol is observed.

Retention and logging

  • Retain all prompt-output pairs in the entity's records system for the lesser of 7 years or the longest applicable retention period.
  • Log the user, the timestamp, the project space, the model used, and the version of the system prompt.
  • Where the AI output forms part of a regulatory artefact, retain the input, output, and reviewer sign-off as a single record.

Model selection guidance

  • Public consumer chatbots should not be used for any confidential or commercially sensitive content.
  • Enterprise tenancy with contractual data handling commitments is the minimum standard for confidential drafting work.
  • Sovereign or on-prem deployment is preferred for the most sensitive content (whistleblower handling, board pack drafting prior to release, board minutes).
  • CPS 230 critical operation considerations apply where AI is used in support of a critical operation. Treat the AI service provider as a material service provider unless the use is incidental.

APP alignment

  • APP 1 (open and transparent management). Document the use of AI in customer-facing or workforce processes in the entity's privacy policy.
  • APP 6 (use and disclosure). Confirm the AI processing is for a purpose for which the personal information was originally collected, or a related secondary purpose with a reasonable expectation.
  • APP 11 (security). Apply technical and organisational controls equivalent to those applied to other systems handling the same data sensitivity.

5.5 Quality assurance loop (5 steps)

  1. Step 1. Source check. Every factual statement in the AI output is traceable to a named source in the input. Where it is not, mark it as inference and either remove or substantiate.
  2. Step 2. Citation check. Every Corporations Act section reference is verified against the current version of the Act. Treat AI-cited sections with suspicion until checked.
  3. Step 3. Tone and voice check. Output meets the entity's house style. No em dashes. Australian English. Defined terms used consistently.
  4. Step 4. De-identification check. No personal identifiers, no internal references that could re-identify a person, no whistleblower-related information that breaches confidentiality.
  5. Step 5. Decision-grade check. The output is sufficient for the named decision-maker to act on without additional verification, or the gaps are flagged with the work needed to close them.
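As an added example, not TheAICommand's tooling, the following Python helper shows how the de-identification, retention and logging controls in 5.4 and the step 4 de-identification check in 5.5 fit together: a keyed hash replaces identifier columns with the module's placeholder tokens, the lookup table stays outside the AI tenancy, a pre-output scan flags raw identifiers or contact details that survived masking, and each prompt-output pair is stored with the user, timestamp, project space, model, system prompt version and reviewer sign-off under one content-hashed record id. The pepper value, field names and regular expressions are assumptions.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed secret: held in the records system, never sent to the model tenancy.
PEPPER = b"example-pepper-rotate-me"

# Placeholder classes taken from the module's de-identification control.
TOKEN_CLASS = {"client_id": "CLIENT_REF", "staff_id": "STAFF_REF",
               "discloser_id": "WHISTLEBLOWER_REF"}

def hashed_ref(kind: str, value: str) -> str:
    """Keyed hash: stable across drafts, but not recoverable without the pepper."""
    mac = hmac.new(PEPPER, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"[{TOKEN_CLASS[kind]}_{mac[:10]}]"

def mask_record(record: dict) -> tuple[dict, dict]:
    """Mask identifier columns; return the masked copy and a lookup kept outside the tenancy."""
    masked, lookup = dict(record), {}
    for kind in TOKEN_CLASS:
        if kind in masked:
            ref = hashed_ref(kind, str(masked[kind]))
            lookup[ref] = masked[kind]
            masked[kind] = ref
    return masked, lookup

# Residual contact details: email addresses and Australian phone numbers (assumed patterns).
RESIDUAL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b(?:\+61|0)\d[\d ]{8,}\b")

def pre_output_check(draft: str, lookup: dict) -> list[str]:
    """QA step 4: raw identifier values or contact details that survived masking."""
    leaks = [raw for raw in lookup.values() if str(raw) in draft]
    return leaks + RESIDUAL.findall(draft)

def prompt_history_entry(user, project_space, model, system_prompt_version,
                         prompt, output, reviewer, timestamp=None) -> dict:
    """One retention record binding input, output and reviewer sign-off by content hash."""
    entry = {
        "user": user, "project_space": project_space, "model": model,
        "system_prompt_version": system_prompt_version,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "input_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "reviewer_signoff": reviewer,
    }
    entry["record_id"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

if __name__ == "__main__":  # constructed intake row; no real person behind it
    masked, lookup = mask_record({"client_id": "C-1001", "discloser_id": "W-77"})
    print(pre_output_check(f"Summary for {masked['client_id']}, ph 0412 345 678.", lookup))
```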

Red team prompt for stress-testing your own draft

Role. You are a senior ASIC enforcement lawyer reviewing the attached draft.

Task. Identify the three weakest points in the draft from an enforcement perspective. For each, name the section of the Corporations Act 2001 (Cth) you would rely on, the evidence you would seek in discovery, and the question you would put to the responsible director on cross-examination.

Constraints. Be sceptical. Assume the entity is on notice. Do not soften your conclusions. Australian English. No em dashes.

Output. Three numbered weaknesses with the structure above. Conclude with one sentence on whether you would recommend the matter to litigation.

5.6 Scaling pattern across a team

  • Templates. Convert the six prompts into saved, version-controlled templates.
  • Change log. Record any system prompt or template change with date, author, change, rationale.
  • Model evaluation cadence. Quarterly, benchmark three model options against a fixed set of 10 tasks. Score for accuracy, citation correctness, tone, and time-to-output.
  • KRI suggestions. Number of AI-assisted artefacts in production, percentage failing source check on first review, percentage requiring legal re-write, model-related incidents per quarter.
  • Operational risk linkage. Reflect AI use in the operational risk profile and the CPS 230 critical operation register where applicable.

6. Common Pitfalls and Watch-outs

  1. Pitfall 1. Treating section 180 as an outcomes test. Corrective action. Document the process. Show the information considered, the advice taken, and the deliberation. The business judgment rule rewards process, not results.
  2. Pitfall 2. Treating the TMD as a static disclosure document. Corrective action. Operationalise the review triggers. Build a monitoring dashboard. Treat distributor information as a live signal, not an annual obligation.
  3. Pitfall 3. Reportable situation timing miscalculations. Corrective action. The 30-day clock starts when the entity becomes aware. Build a documented awareness register. Apply a conservative bias to the start date.
  4. Pitfall 4. Whistleblower identity slippage during investigation. Corrective action. Use a numbered reference on every artefact. Limit access on a strict need-to-know basis. Run a quarterly identity-protection audit.
  5. Pitfall 5. Climate disclosure deferral on Group 2 timing. Corrective action. Begin AASB S2 readiness 18 months before the first reporting period. The first scope 3 measurement cycle is the longest path item.
  6. Pitfall 6. AI-drafted board papers introducing unsupported facts. Corrective action. Apply the source check at step 1 of the QA loop. Treat AI as a draft producer, not an authority. The accountable officer remains the human signatory.

7. Decision Frameworks and Tools

7.1 Decision tree. Is this a reportable situation?

| Question | Yes | No |
| --- | --- | --- |
| Q1. Has there been a breach (or likely breach) of a core obligation under section 912DAA? | Go to Q2 | Stop. Not reportable under the regime. Consider other obligations. |
| Q2. Is the breach significant under RG 78 (deemed significant or significance assessment)? | Go to Q3 | Stop. Document the assessment. |
| Q3. When did the entity first know (or have reason to know)? | Set the 30-day clock from that date. | Investigate to fix the awareness date. |
| Q4. Is there an investigation gateway extending the clock? | Document the investigation start and duration. | Lodge within 30 days. |
| Q5. Are there overlapping APRA, AUSTRAC, or OAIC obligations? | Coordinate notifications. Do not delay ASIC. | Lodge with ASIC. |

7.2 Maturity ladder. Corporations Act control environment

| Level | Stage | Indicators |
| --- | --- | --- |
| 1 | Reactive | Compliance is event-driven. Directors duties register is incomplete or out of date. Reportable situation lodgements miss timelines. |
| 2 | Documented | Policies exist for each obligation cluster. Reviews happen annually but are not always linked to triggers. AI is not in the workflow. |
| 3 | Operationalised | Triggers operationalised. Distributor information feeds a live dashboard. Reportable situations have a documented decision tree. AI is used for drafting under HITL. |
| 4 | Predictive | Forward indicators surface emerging breach risk. AI-assisted analysis is benchmarked quarterly. Climate disclosure readiness is on a multi-year roadmap. |
| 5 | Optimised | Continuous improvement loop. Board has line of sight to leading indicators. Regulator engagement is proactive. AI governance is integrated with the CPS 230 framework. |

7.3 Self-check questionnaire (7 items)

  1. Can your company secretary produce, in 24 hours, a complete record of every section 180 to 184 risk identified by the board in the last 12 months?
  2. For your highest-distribution retail product, can you show the distributor information that confirms distribution is consistent with the TMD?
  3. Has every reportable situation lodged in the past 12 months been documented with the awareness date, the significance assessment, and the lodgement reasoning?
  4. Does your whistleblower policy reflect the 2019 reforms, and have you tested confidentiality controls in the last 6 months?
  5. If you are a Group 2 climate disclosure entity, do you have a dated AASB S2 readiness plan with named owners?
  6. If you use AI in the workflow, can you produce the prompt history, the de-identification check, and the human reviewer sign-off for any specific output in the last 90 days?
  7. If a regulator asked you to identify the AI-generated content in a board paper, could you?

8. Further Reading and Authoritative Sources

The following are the primary authoritative sources for the obligations covered in this module. Read against the current ASIC Corporate Plan and the most recent ASIC Annual Forum keynote for the regulator's stated priorities.

  • Corporations Act 2001 (Cth). Particularly sections 180 to 184, Part 7.6, Part 7.8A, Part 9.4AAA, and Chapter 2M.
  • Australian Securities and Investments Commission Act 2001 (Cth).
  • ASIC Regulatory Guide 78. Reportable situations for AFS licensees and credit licensees.
  • ASIC Regulatory Guide 105. AFS licensees: organisational competence.
  • ASIC Regulatory Guide 270. Whistleblower policies.
  • ASIC Regulatory Guide 274. Product design and distribution obligations.
  • ASIC Information Sheet 245. Board oversight of executive variable remuneration.
  • APRA Prudential Standard CPS 230 Operational Risk Management and Prudential Practice Guide CPG 230.
  • APRA Prudential Standard CPS 510 Governance and Prudential Practice Guide CPG 510.
  • Australian Sustainability Reporting Standards AASB S1 and AASB S2.
  • Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Act 2024.
  • ASX Corporate Governance Council. Corporate Governance Principles and Recommendations (4th edition, with amendments).
  • Governance Institute of Australia. Good Governance Guides series.
  • AICD. Director Tools and the Director's Guide to Section 180.


Module LM-G01. Australian Financial Services Learning Library.

Test your knowledge

LM-G01 assessment: 30 questions


General information and education only. Not legal, compliance, financial, or professional advice. Verify any time-sensitive obligation against the primary source.
