What NCCP, BID, and your aggregator actually require from AI tools

A long-form authority guide to AI compliance for Australian mortgage brokers. Covers the three regulatory regimes (NCCP, ASIC, aggregator policies), what an aggregator audit actually checks, the four most common compliance failures, a fifteen-question vendor evaluation checklist, and an international view across UK, US, and NZ.
7 min read
9 min listen
July 4, 2026

Most AI vendors selling to mortgage brokers can't articulate, in concrete terms, what NCCP compliance for an AI tool actually requires. They talk about "audit trails" and "compliance-ready." Ask them to walk through what a Connective or AFG compliance review would specifically check for on their system, and the answers go vague.

 

That isn't entirely their fault. The regulatory framework for AI in mortgage broking is being written in real time. ASIC published REP 798 on AI governance in financial services in October 2024 after reviewing AI use across 23 licensees. Each aggregator has updated their data retention and recording policies in the past eighteen months. The Best Interests Duty case law is still emerging. And brokers, the people actually deploying these tools, are caught between vendor pitch decks and aggregator BDMs who'll judge their implementation against expectations that didn't exist when they signed up.

 

This guide is the version of that conversation that should be happening at every demo, every scoping call, every quarterly compliance review. It covers what NCCP, BID, and ASIC actually require of an AI tool in 2026, what your aggregator specifically audits for, the four most common compliance failures in broker AI deployments, and a fifteen-question checklist any vendor should answer in under thirty minutes.

 

Compliance in broking is sharper than in most service businesses. Get it right and AI becomes a compliance enabler. Get it wrong and you've added a fourth column of risk to your business.


The three regulatory regimes operating in your brokerage


Every AI tool deployed in an Australian brokerage operates under three overlapping regimes simultaneously. Each one has different teeth.

 

NCCP (National Consumer Credit Protection Act 2009). The primary framework for credit assistance in Australia. Two obligations matter for AI specifically. First, the Best Interests Duty under Section 158LA requires that any credit assistance provided to a consumer must be in their best interests. The duty sits with the licensed credit assistance provider, not with the AI. If an AI tool provides credit assistance that breaches BID, the broker is liable. Second, the NCCP Act and ASIC's pro forma licence conditions impose record-keeping obligations across the credit assistance process. Section 158LG requires credit representatives to maintain clear and accurate records to prove BID compliance. Suitability assessment record-keeping flows from Sections 120, 132, 143 and 155, and financial records sit under Section 95 with a seven-year retention requirement. Records must be in writing or in a form capable of being reproduced in writing, and voice recordings count if they're transcribed and indexed.

 

ASIC's regulatory framework. ASIC is the primary regulator and enforces NCCP through Regulatory Guide 209 ("Credit licensing: Responsible lending conduct") and Regulatory Guide 273 ("Mortgage brokers: Best interests duty"). On 29 October 2024, ASIC published REP 798 ("Beware the gap: Governance arrangements in the face of AI innovation") after reviewing 23 AFS and credit licensees and analysing 624 AI use cases. ASIC's central principle is that the existing regulatory framework is technology-neutral. The "efficiently, honestly and fairly" obligation under the Corporations Act applies to AI tools exactly as it applies to human advisers. Licensees can't delegate their regulatory obligations to a tool. Governance and risk management arrangements need to keep pace with AI deployment, not lag behind it. The Royal Commission aftermath, from 2019 onwards, tightened these standards considerably. Borderline practice from 2017 sits in active enforcement territory today.

 

Aggregator policies. Each aggregator (AFG, Connective, Choice, Outsource, FAST, PLAN, and others) sets its own data retention, recording, and audit policies on top of the regulatory baseline. Aggregator policies can go further than NCCP requires. Retention periods may extend beyond the regulatory minimum, voice recordings may need retention in original audio format, and the categories of "auditable interaction" can include channels (SMS, WhatsApp, web chat) that NCCP doesn't explicitly mention. Check your specific aggregator's policy in writing. That's the operational standard you'll be measured against, regardless of what NCCP minimums say.

 

International parallels exist. The UK FCA's MCD plus the Senior Managers and Certification Regime sharpens individual accountability beyond what Australian brokers face. The US uses NMLS state-level licensing plus federal CFPB oversight, with each state's framework adding additional consumer protection requirements. NZ regulates mortgage advisers under the FAP regime through the Financial Markets Conduct Act 2013, with standard conditions covering outsourcing, technology systems, and record-keeping. The FMA hasn't yet published AI-specific guidance equivalent to ASIC's REP 798, but the existing technology-neutral standards apply to AI tools the same way they apply to human advisers. Brokers operating across jurisdictions face the additional task of meeting the strictest standard across all of them, particularly on data residency and consumer protection.


What an aggregator audit actually checks


Aggregator audits follow a structure that vendor pitch decks rarely walk through. The audit officer pulls a random sample of recent borrower interactions and walks each one against a fixed checklist.

 

Did the AI disclose its involvement? The expectation flows from ASIC's technology-neutral framework. The "efficiently, honestly and fairly" obligation under the Corporations Act applies to AI exactly as it applies to a human adviser, and a consumer who believes they're speaking to a person when they're actually speaking to an AI hasn't been dealt with fairly. REP 798 specifically flagged that most reviewed licensees did not inform customers about AI involvement in decisions, treating this as an emerging expectation. The disclosure can come at the start of an interaction or at the point where a borrower might assume they're speaking with a person. If the AI sounds like a human and never identifies itself, that's a problem.

 

Did the AI cross the credit advice line? The most-checked dimension and the most common failure point. Credit advice means recommending a specific lender, a specific product, or a specific rate to a specific consumer. Qualifying (capturing the borrower's scenario, asking standard questions) is fine. Recommending ("you'd be best with a CBA package") is a breach. Auditors test this by asking the AI rate or product questions and checking how it responds.

 

Is the full interaction reproducible? A complete, plain-text, timestamped record of the interaction must be retrievable in seconds. For voice interactions, that means both the original audio (where retained) and a transcript. For text channels, the full conversation thread. For multi-channel interactions (a lead that touches phone, SMS, and email), the entire thread should be unified under one borrower record.

 

Is the data retention period correct? Auditors test by asking to see interactions from specific past dates. If retention has been incorrectly configured (vendor default vs aggregator policy), the records won't exist when needed.

 

Was the broker's Best Interests Duty assessment documented at the appropriate decision points? When the AI hands off to the broker, the broker's subsequent BID assessment must still be documented in the audit trail. The AI handing off doesn't remove the broker's documentation obligation.

 

Were channel-specific compliance requirements met? Some channels have specific requirements. Recorded phone calls require two-party consent disclosure in some Australian states. SMS marketing has Spam Act implications. Email communications must include unsubscribe options under the Privacy Act. Each channel carries its own compliance layer that AI tools sometimes ignore.

 

The audit doesn't care about the average performance of the AI tool. It cares about whether each specific interaction met the rules. One breach across a hundred interactions is still one breach.


The four most common AI compliance failures


After watching brokers deploy AI tools across Australia, four failure modes show up regularly. None of them are about the AI being technically incompetent. They're about how the AI was configured, how it was deployed, or where its boundaries were set.

 

1. Credit advice slipping through. The AI is supposed to qualify the borrower and book the consult. A borrower asks "what would my repayments be at six percent?" and the AI helpfully calculates an answer. That's credit advice. Even though it sounds like a basic helpful response, the AI made a product-specific projection on the broker's licensed activity. The fix is hard configuration: the AI must refuse to answer rate, product, or eligibility questions and route those to the broker. Test any vendor by asking these questions directly during the demo.

 

2. Missing audit trail across channels. The AI handles a borrower who initially calls, then switches to SMS for documents, then closes via email. If the three channels aren't unified under one borrower record, the audit trail is fragmented. Auditors specifically look for fragmented records because they signal a deployment that's reactive rather than systematic. The fix is platform-level: the system that runs the channels must thread them together at the borrower-record layer, not at the conversation layer.

 

3. Data retention misalignment. The vendor's default retention is set to two or three years. The aggregator's policy is seven. The broker doesn't realise the mismatch until the audit asks for a four-year-old interaction and the record's gone. The fix is configuration at setup: verify retention is set to match the aggregator's specific policy, not the vendor's default, and verify the records actually exist by asking the vendor for a sample year-old transcript before going live.

 

4. Unconscious product steering. The AI's training data, or its decision logic, subtly steers borrowers toward certain products even though it's "just qualifying." This is the hardest failure to detect because it isn't explicit advice. It's the AI asking different questions for different borrower scenarios in ways that shape the eventual recommendation. The fix is regular audit: pull a random sample of qualifications and check whether the AI's qualification path varied based on the borrower's stated lender preference or perceived demographic. If it did, the AI is steering.
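The audit checks above and the first three failure modes map onto a small set of controls that can be demonstrated in code: one audit trail keyed by borrower rather than by conversation, a hard guardrail that routes any rate, repayment, product, lender or eligibility question to the broker and flags it for review, an up-front AI disclosure, and a retention setting checked against the aggregator's policy rather than the vendor's default. The following Python is an added illustration, not Briick's code or any vendor's; the regex patterns, the canned replies, the borrower id and the sample messages are all constructed for the example.

```python
"""Added example (hypothetical, not Briick's or any vendor's code): a unified
per-borrower audit trail, a credit-advice guardrail that routes rate/product/
lender questions to the broker, and a retention check against aggregator
policy. Patterns, replies and sample messages are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical patterns for questions that cross the credit-advice line
# (rates, repayments, lenders, products, eligibility). A real deployment
# would hold a reviewed policy; the point is that a match is routed to the
# broker and never answered by the AI.
ADVICE_RE = re.compile("|".join([
    r"\brates?\b", r"\brepayments?\b", r"\bpercent\b", r"\b\d+(\.\d+)?\s*%",
    r"\bwhich (lender|bank|product)\b", r"\bbest (lender|bank|product|loan)\b",
    r"\b(am i|would i be) eligible\b", r"\bborrowing capacity\b",
]), re.IGNORECASE)

DISCLOSURE = "You're speaking with an automated assistant, not a person."
QUALIFYING_REPLY = "Thanks, noted. What is your approximate household income?"
ROUTE_REPLY = ("That's one for your broker, who is licensed to advise on rates "
               "and products. I've flagged it and booked time with them.")


@dataclass
class Event:
    ts: datetime
    borrower_id: str
    channel: str            # phone | sms | email | whatsapp | webchat
    speaker: str            # borrower | ai | broker
    text: str
    flags: tuple[str, ...] = ()


@dataclass
class AuditTrail:
    """Every channel threads into one record keyed by borrower_id."""
    events: list[Event] = field(default_factory=list)

    def record(self, ev: Event) -> None:
        self.events.append(ev)

    def transcript(self, borrower_id: str) -> list[Event]:
        # Chronological, cross-channel thread: what an audit officer asks for.
        return sorted((e for e in self.events if e.borrower_id == borrower_id),
                      key=lambda e: e.ts)

    def flagged(self, borrower_id: str) -> list[Event]:
        return [e for e in self.transcript(borrower_id) if e.flags]

    def channels(self, borrower_id: str) -> set[str]:
        return {e.channel for e in self.transcript(borrower_id)}


def handle_borrower_message(trail, borrower_id, channel, text, now) -> str:
    """Record the inbound message, then either keep qualifying or route."""
    crossed = bool(ADVICE_RE.search(text))
    trail.record(Event(now, borrower_id, channel, "borrower", text,
                       ("approached_credit_advice",) if crossed else ()))
    reply = ROUTE_REPLY if crossed else QUALIFYING_REPLY
    trail.record(Event(now, borrower_id, channel, "ai", reply,
                       ("routed_to_broker",) if crossed else ()))
    return "route_to_broker" if crossed else "qualify"


def disclosed_first(trail, borrower_id) -> bool:
    """True if the AI's first utterance to this borrower was the disclosure."""
    ai_events = [e for e in trail.transcript(borrower_id) if e.speaker == "ai"]
    return bool(ai_events) and DISCLOSURE in ai_events[0].text


def retention_gap(vendor_default_years: int, aggregator_policy_years: int) -> int:
    """Years of records the audit can ask for that a vendor default would lack."""
    return max(0, aggregator_policy_years - vendor_default_years)


def purge_older_than(trail, years, now) -> int:
    """Simulate a retention purge; returns how many records were destroyed."""
    cutoff = now - timedelta(days=365 * years)
    before = len(trail.events)
    trail.events = [e for e in trail.events if e.ts >= cutoff]
    return before - len(trail.events)


def run_demo() -> dict:
    """Walk one borrower across three channels plus a retention mismatch."""
    now = datetime(2026, 7, 4, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    bid = "B-0001"  # constructed borrower id
    # A four-year-old enquiry of the kind an audit may ask to see.
    trail.record(Event(now - timedelta(days=365 * 4), bid, "webchat",
                       "borrower", "Enquiry about refinancing (old record)"))
    trail.record(Event(now - timedelta(minutes=10), bid, "phone", "ai", DISCLOSURE))
    outcomes = [
        handle_borrower_message(trail, bid, "phone",
            "Hi, I'm looking to refinance my home loan", now - timedelta(minutes=9)),
        handle_borrower_message(trail, bid, "sms",
            "What would my repayments be at six percent?", now - timedelta(minutes=5)),
        handle_borrower_message(trail, bid, "email",
            "Here are my payslips from the last three months", now),
    ]
    result = {
        "outcomes": outcomes,
        "channels": trail.channels(bid),
        "flagged": len(trail.flagged(bid)),
        "disclosed_first": disclosed_first(trail, bid),
        "transcript_len": len(trail.transcript(bid)),
        "retention_gap_years": retention_gap(3, 7),
    }
    # Purging at the aggregator's seven-year policy keeps the old record;
    # purging at a three-year vendor default destroys it.
    result["purged_at_policy"] = purge_older_than(trail, 7, now)
    result["purged_at_vendor_default"] = purge_older_than(trail, 3, now)
    return result
```

The design point is that the guardrail decision and the audit record are written in the same step, so every interaction that approached credit advice is both refused and flagged for human review, and that the borrower id, not the channel or conversation, is the key under which phone, SMS and email land. The retention simulation shows why the mismatch in failure three only surfaces at audit time: nothing looks wrong until a purge at the vendor default runs over a record the aggregator policy still requires.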


A fifteen-question checklist for evaluating any AI tool


The questions below cover the regulatory, audit, and operational dimensions of AI compliance. A capable vendor should answer all fifteen in under thirty minutes. If they can't, they aren't ready for production deployment in a brokerage.

 

Editor's note: ASIC's REP 798 contains its own framework of eleven questions for licensees to consider when adopting AI. The checklist below is an original Briick extension designed for the vendor-evaluation conversation rather than the licensee's internal governance review. Both lists are worth reading.

 

  1. Can you produce a complete transcript of an AI-handled interaction within sixty seconds?
  2. How does the system flag any interaction that approached credit advice for human review?
  3. How does the system record the human broker's BID assessment at decision points?
  4. What's the system's default data retention period, and can it be configured per aggregator?
  5. Where is borrower data stored, and in what jurisdictions?
  6. Who has access to borrower data within your organisation?
  7. How is data deleted when the broker cancels the service or migrates to another tool?
  8. Does the system support multi-jurisdiction compliance for borrowers across AU, NZ, UK, and US?
  9. Can you walk through how your AI handles a specific test scenario, such as a borrower asking about rates?
  10. What happens if a borrower requests their full conversation history under Privacy Act Section 32?
  11. How does the system handle compliance disclosures, including AI involvement disclosure?
  12. Are voice calls recorded in their original audio format, or only transcribed?
  13. How is the AI's training data sourced and updated, and is borrower data used in training?
  14. Do you have SOC 2 Type II certification? If not, what's the timeline?
  15. What's your incident response process if a compliance breach is discovered?


Save this checklist. Use it in every vendor demo. The vendors that pass all fifteen are the ones worth piloting. The vendors that get vague on more than three are the ones to walk away from.


How Briick handles each compliance dimension


Briick for finance was built compliance-first from the architectural decisions outward. Every interaction across voice, SMS, email, WhatsApp, and web chat is recorded, transcribed, and indexed against the borrower record under one unified thread. Data retention is configurable per aggregator policy, with voice recordings retained in original audio format where the aggregator requires it. The AI agent qualifies but never advises: rate, product, and lender-specific questions are routed to the broker through @Briicky, the AI Operator, before they leave the system. SOC 2 Type II certification is in progress.

 

The compliance posture is tested against the rest of the market in the seven best AI tools for mortgage brokers listicle, and the decision framework is covered in the buyer's guide on choosing AI as a mortgage broker. Brokers piloting the Lead Qualification automation report that the compliance dimension goes from "uncertain" to "documented" faster than any other part of the pilot, because the framework is mapped to the audit checklist before the agent runs a single interaction.

 

If your aggregator audit officer wants to walk through a Briick deployment, book a demo and the compliance setup gets mapped to your specific aggregator's policy on the call.


FAQ


What is the minimum compliance posture an AI tool needs to operate in an Australian brokerage?


At minimum: complete auditable interaction records across every channel, configurable data retention to match aggregator policy, clear separation between qualifying and credit advice with the AI never crossing into advice, and disclosure that the consumer is interacting with AI. Anything less exposes the broker to NCCP, BID, and aggregator audit risk.


Does NCCP apply to AI tools or just to human brokers?


NCCP applies to the credit licensee, which is the broker or brokerage holding the licence. AI tools don't hold licences. When an AI tool performs credit-assistance-adjacent work, the broker remains responsible for compliance. The AI doesn't absorb any of the regulatory obligation, which means deploying a non-compliant AI tool transfers no risk away from the broker.


What happens if my aggregator audits an AI-handled interaction?


The audit officer follows the same checklist used for human-handled interactions: was the consumer's scenario captured properly, was the Best Interests Duty assessment documented at decision points, was the interaction recorded and reproducible, did the broker maintain oversight on credit-assistance-adjacent moments. The AI involvement is treated as part of the broker's deployed system, with the broker accountable for the outcomes.


Can an AI tool give a borrower a rate estimate without it being credit advice?


Rate estimates that reference specific lenders or specific products are credit advice and should be routed to the broker. Generic market-wide ranges (such as referencing current RBA cash rate or average market rates) sit closer to information than advice, but the safest configuration is to route any rate question to the broker rather than have the AI answer. The cost of being wrong is significantly higher than the cost of being conservative.


How does AI compliance differ between Australia, the US, the UK, and New Zealand?


Each jurisdiction has its own framework. Australia uses NCCP plus Best Interests Duty plus aggregator-level policies, with ASIC's REP 798 sitting on top. The UK uses MCD plus the Senior Managers and Certification Regime, with sharper individual accountability. The US uses NMLS state licensing plus CFPB federal oversight. NZ regulates mortgage advisers through the FAP regime under the Financial Markets Conduct Act 2013, with technology-neutral standards rather than AI-specific guidance. Brokers operating across jurisdictions must meet the strictest standard across all of them, particularly on data residency and consumer protection.


What is the difference between SOC 2 Type II and NCCP compliance?


SOC 2 Type II certifies a vendor's information security controls. NCCP regulates how credit assistance is provided to consumers in Australia. A vendor can be SOC 2 Type II certified and still have an AI tool that breaches NCCP if the tool gives credit advice, fails to maintain audit trails to aggregator standards, or breaches Best Interests Duty. SOC 2 is a baseline trust signal, not a substitute for regulatory compliance.


How long do AI interaction records need to be kept?


Seven years is the standard minimum in practice, drawing from financial records retention under Section 95 and aggregator policies. Most aggregators set their own retention period at or above seven years. The operational standard is whatever your specific aggregator's policy requires. Configure retention to match aggregator policy, not vendor default.


Who is liable if an AI tool gives credit advice in breach of NCCP?


The credit licensee is liable. That's the broker or brokerage holding the credit licence. The AI vendor doesn't absorb the regulatory liability. If the AI tool provides credit advice (specific lender, product, or rate recommendation) outside the broker's licensed authority, the breach is the broker's. This is why the credit-advice boundary in AI deployment matters more than any other configuration decision.

 

If you want to map the compliance framework above against your brokerage's specific aggregator policy and lender stack, book a demo with Briick. To see how Briick is configured for finance and mortgage broking, start there.

Sara Valentina
Co-Founder & CEO of Briick

TLDR Summary

  • Every AI tool deployed in an Australian brokerage operates under three overlapping regimes: NCCP plus Best Interests Duty, ASIC oversight (including REP 798 on AI governance in financial services, published October 2024), and aggregator-level policies that often go beyond the regulatory minimum.
  • Aggregator audits check six specific things on every AI-handled interaction: AI disclosure, the credit advice line, full interaction reproducibility, data retention configuration, broker BID documentation at decision points, and channel-specific compliance.
  • Four compliance failures show up repeatedly in broker AI deployments: credit advice slipping through, missing audit trails across channels, data retention misalignment between vendor default and aggregator policy, and unconscious product steering in the AI's qualification logic.
  • A capable vendor should answer fifteen specific compliance questions in under thirty minutes (covered in the checklist). Vendors that get vague on more than three of them are not ready for production deployment.
  • The credit licensee carries all regulatory liability. AI tools don't absorb NCCP obligations. Deploying a non-compliant AI tool transfers no risk away from the broker, which makes compliance configuration the most consequential decision in the deployment.