All IT Services — automated decision-making privacy policy rules for wealth management firms

From 10 December 2026, Australian organisations that use personal information to make automated decisions will have to spell it out in their privacy policy. The obligation comes from the Privacy and Other Legislation Amendment Act 2024, and the privacy regulator, the OAIC, has just closed its consultation on the issues paper that will shape the official guidance — with that guidance due by September. For wealth and financial services firms, which lean heavily on automated risk scoring, eligibility checks and fraud screening, this one lands squarely on your desk.

Why it matters for wealth firms

If a system makes, or substantially contributes to, a decision that affects someone’s rights or interests — an automated credit assessment, a risk profile, an onboarding approval — you’ll need to disclose two things: the kinds of personal information feeding the process, and the kinds of decisions it drives. Wealth managers hold exactly the sensitive financial data regulators care about, and the OAIC is still consulting on precisely how widely the rule applies, so the safe assumption is that it catches more of your processes, not fewer. Vague boilerplate won’t cut it, and the regulator is already running privacy-policy compliance sweeps.

What to do before December

You’ve got roughly six months. Start by mapping where automated or AI-assisted decisions actually happen across your client lifecycle — including tools bolted onto your CRM or advice platform that you might not think of as “automated decision-making”. Then brief whoever maintains your privacy policy so the disclosures are written and reviewed well before the deadline, not in the final week. Treat it as a data-governance job, not a copy-paste.

All IT Services helps Australian financial services firms get the systems and documentation behind compliance in order — from mapping data flows to securing the platforms that hold client information.