Home » IT Security & Technology Blog » Automated Decision-Making Rules Hit in December — What Wealth Managers Need to Know
By — IT Engineer |

Automated Decision-Making Rules Hit in December — What Wealth Managers Need to Know

If your financial services firm uses any software that makes or helps make decisions about clients — risk profiling tools, automated compliance checks, AI-driven portfolio screening, or even CRM-based lead scoring — new Privacy Act obligations are coming your way. The clock starts on 10 December 2026.

Under amendments passed as part of the Privacy and Other Legislation Amendment Act 2024, organisations regulated under the Privacy Act must update their privacy policies to disclose how they use automated systems that significantly affect individuals. That includes decisions about lending, insurance, client risk assessments, account approvals, and access to financial services. The definition is broad: any computer program that uses personal information to make a decision with limited or no human involvement, where that decision could reasonably affect someone’s rights or interests.

For wealth management firms, this is more than a compliance checkbox. Think about what your tech stack actually does. Does your platform auto-flag suspicious transactions? Does your onboarding system run automated identity verification or risk scoring? Does any tool filter or rank clients without a human reviewing every outcome? If yes, each of those processes likely falls within scope.

The practical steps are straightforward but need to start now. First, audit every system that touches client data and makes any kind of decision — even partially automated ones. Second, check your vendor contracts to confirm your software providers can supply the technical documentation you will need for your updated privacy policy. Third, draft the disclosure language. The OAIC has made clear that generic boilerplate will not cut it — your policy needs to describe the specific types of decisions, the personal information involved, and how individuals are affected.

Penalties for non-compliance are serious: up to $50 million for repeated or serious privacy interference. The Office of the Australian Information Commissioner is actively building its enforcement capability in this area.

If you are not sure where to start, All IT Services works with financial services firms to map their technology against compliance requirements and close the gaps before deadlines hit.

    Posted in Security

    About All IT Services

    We’re a leading IT specialist providing premium services and support to businesses across Australia’s eastern seaboard. Our strength lies in our size – big enough to tackle complex projects yet small enough to pick up the phone when you call.  At All IT Services, our approach is refreshingly straightforward - no endless wait times or tech jargon. Just real people with genuine passion and expertise in IT solutions.

    CONTACT US