ASIC Regulatory Guide 209 — Credit Licensing: Responsible Lending Conduct
| | |
|---|---|
| Regulator | ASIC |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |
ASIC Regulatory Guide 209 (RG 209) is the primary regulatory guidance for credit licensees on how to
meet the responsible lending obligations in Part 3-1 and Part 3-2 of the National Consumer Credit
Protection Act 2009 (NCCP). RG 209 sets out ASIC's expectations for the inquiry, verification, and
assessment steps that a licensee must take before providing credit assistance or entering a credit
contract.
The key standard under RG 209 is that a lender must make reasonable inquiries and take reasonable
steps to verify information — it cannot accept unverified income or expense claims without
cross-checking. RG 209 also establishes that assessments must be reasonable and documented. Where
automated decision engines are used, ASIC expects the engine to produce an auditable assessment record.
RG 209 complements au-nccp. The NCCP creates the statutory obligations;
RG 209 provides the standard of conduct required to meet them.
Compliance register
This register maps every material obligation or expectation in RG 209 to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara compliance
report — dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Inquiry obligations (RG 209.36–209.53)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| RG 209.36 | Make inquiries about the consumer's financial situation — income, expenses, existing financial commitments | 🤖 Automated | CRE-002, CRE-003 | MOD-027 (CALC) — affordability calculation incorporates verified income, expenses, and existing commitments; computation is automatic and not reliant on self-declaration alone | 🔨 |
| RG 209.37 | Make inquiries about the consumer's requirements and objectives for the credit | 🤖 Automated | CRE-002 | MOD-110 (GATE) — credit suitability engine evaluates product appropriateness against declared purpose; purposes outside the product's eligible use set are flagged | 🔨 |
| RG 209.38 | The depth of inquiries must be proportionate to the risk of the credit contract being unsuitable | 🤖 Automated | CRE-002, CRE-004 | MOD-110 (GATE) — auto-assessment depth is configurable by product risk tier; higher-risk products require additional verification inputs before assessment completes | 🔨 |
Verification obligations (RG 209.54–209.74)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| RG 209.54 | Take reasonable steps to verify information — cannot accept unverified income claims | 🤖 Automated | CRE-002 | MOD-027 (CALC) — income verification inputs sourced from open banking feeds and transaction history; self-declared income without corroboration cannot clear the suitability gate | 🔨 |
| RG 209.56 | Cannot simply accept a consumer's statement of their income without some form of independent verification | 🤖 Automated | CRE-002 | MOD-027 (CALC) — verification rule: declared income must be corroborated by at least one independent data source (bank statement analysis, payroll feed, or open banking); unverified declarations are flagged as insufficient | 🔨 |
| RG 209.58 | The level of verification must be proportionate to the risk of the credit being unsuitable | 🤖 Automated | CRE-002, CRE-004 | MOD-110 (GATE) — verification threshold is calibrated by product risk tier; high-value or high-risk credit products require stronger verification before the suitability gate passes | 🔨 |
| RG 209.60 | Must verify expenses where the consumer's declared expenses appear unreasonably low | 🤖 Automated | CRE-002 | MOD-027 (CALC) — HEM benchmark floor applied automatically; where declared expenses fall below the HEM floor for the household type, the system substitutes the HEM benchmark figure | 🔨 |
Assessment standard (RG 209.75–209.98)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| RG 209.75 | The responsible lending assessment must be reasonable — not a box-ticking exercise | 🤖 Automated | CRE-002, CRE-003 | MOD-110 (GATE) — credit suitability engine performs auto-assessment with no manual override below credit officer role; assessment is transparent and consistently applied | 🔨 |
| RG 209.76 | Assessment must be based on verified information | 📊 Evidenced | CRE-003 | MOD-048 (LOG) — every credit decision is auditable; inputs and model version logged against every automated decision | 🔨 |
| RG 209.80 | Document the assessment — must be able to produce a copy of the assessment for up to 7 years | 📊 Evidenced | CRE-003 | MOD-048 (LOG) — system decision log is immutable and retained; assessment record includes all inputs, verification sources, and outcome | 🔨 |
| RG 209.90 | Where a consumer disputes a credit decision, must be able to explain the basis for the assessment | 📊 Evidenced | CRE-003 | MOD-048 (LOG) — every credit decision auditable; customer can receive explanation; regulator can inspect | 🔨 |
Systems and processes (RG 209.99–209.115)
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| RG 209.99 | Maintain adequate systems and processes to meet responsible lending obligations | 🤖 Automated | CRE-002, CRE-004 | MOD-110 (GATE) and MOD-027 (CALC) together constitute the systems required; adequacy must be assessed by the institution periodically | 🔨 |
| RG 209.105 | Credit assessment process must produce consistent outcomes for consumers in similar circumstances | 🤖 Automated | CRE-003 | MOD-110 (GATE) — automated assessment engine applies rules consistently; no agent discretion below credit officer role in the normal processing path | 🔨 |
| RG 209.110 | Governance oversight of the responsible lending system — board and senior management accountability | 🏛 Institutional | CRE-002 | System produces auditable outputs for governance review; oversight and sign-off is an institutional obligation | — |
The following obligations under RG 209 are the responsibility of the institution, not the platform.
The platform may generate evidence inputs but does not own these processes.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Periodic review of the credit assessment model for accuracy and fairness | Head of Credit Risk | MOD-048 provides the model performance log and decision audit trail |
| Board and senior management sign-off on responsible lending framework | CRO / Board | MOD-048 and MOD-027 provide evidence inputs for governance review |
| Credit officer escalation and override processes | Head of Credit Risk | MOD-110 enforces the minimum role threshold for overrides; override events are logged |
| Training credit staff on RG 209 obligations | Chief People Officer | Not platform scope |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Inquiry obligations | 3 | 3 | 0 | 0 | 0 |
| Verification obligations | 4 | 4 | 0 | 0 | 0 |
| Assessment standard | 4 | 1 | 3 | 0 | 0 |
| Systems & processes | 3 | 2 | 0 | 1 | 0 |
| Total | 14 | 10 (71%) | 3 (21%) | 1 (7%) | 0 |
All attributed modules are currently build_status: Not started — the compliance position will update
as modules are built and deployed.
| Policy | Title |
|---|---|
| CRE-002 | Responsible Lending Policy |
| CRE-003 | Credit Decisioning & Scorecard Policy |
| CRE-004 | Loan Origination Standards |
See D02 Credit Risk. For the NCCP statutory obligations, see
au-nccp.
Official documentation
Policies referencing this standard
- CRE-002 — Responsible Lending Policy
- CRE-003 — Credit Decisioning & Scorecard Policy
Compiled 2026-05-22 from source/entities/regulations/au-asic-rg-209.yaml