AU: NCC Act 2009 (NCCP)
|
|
| Regulator |
APRA |
| Jurisdiction |
AU |
| Status |
live |
| Applicability |
Platform |
The National Consumer Credit Protection Act 2009 (NCCP) and its Schedule 1, the National Credit Code
(NCC), govern consumer credit in Australia. They require credit licensees to hold an Australian Credit
Licence (ACL), meet responsible lending obligations, provide prescribed credit guides and quotes, manage
hardship requests, and participate in external dispute resolution. ASIC is the regulator and primary
enforcer. The NCCP also implements Design and Distribution Obligations (DDO) for credit products via
Part 7.8A of the Corporations Act, which operate in parallel with the NCCP framework.
The responsible lending obligations require licensees to not enter a credit contract that is unsuitable
for the consumer (s.131). A contract is unsuitable if it does not meet the consumer's requirements or
objectives, or the consumer will be unable to comply with their obligations without substantial hardship.
ASIC RG 209 provides the detailed regulatory guidance on how to meet these obligations — see
au-asic-rg-209.
Section references are indicative — refer to the Act as amended for precise statutory language.
Compliance register
This register maps every material obligation under the Act to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend
| Symbol |
Meaning |
| 🤖 Automated |
Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced |
Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional |
Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A |
Obligation does not apply to this deployment configuration. |
Build legend
| Symbol |
Meaning |
| ✅ |
Module built and deployed |
| 🔨 |
Module planned — not yet built (build_status: Not started) |
| ❌ |
Uncontrolled gap — no module attributed |
Part 2-2 — Licensing and general obligations
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| S.29 |
Must hold an Australian Credit Licence to engage in credit activities |
🏛 Institutional |
CRE-002 |
Licence maintenance and renewal is an institutional regulatory process. Platform logs cannot substitute for the licence itself. |
— |
| S.47 |
Must have adequate resources, systems, and risk management arrangements for credit activities |
📊 Evidenced |
CRE-002, CRE-004 |
MOD-027 (CALC) and MOD-110 (GATE) provide the system controls; systems adequacy assessment is an institutional obligation reviewed by ASIC |
🔨 |
| S.48 |
Must have a documented dispute resolution system covering IDR and EDR membership |
🏛 Institutional |
CON-002 |
AFCA membership is an institutional obligation; MOD-053 implements the IDR system on the platform side |
— |
Part 3-1 — Credit guide and preliminary assessment
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| S.113 |
Credit guide — provide before any credit assistance is provided; must include licensee details, fees, complaints procedure, and EDR scheme |
🤖 Automated |
CON-004, CRE-002 |
MOD-050 (GATE) — disclosure obligation met before every product acceptance; credit guide presented as part of the initial product disclosure flow and acknowledged by the customer before any credit facility activates |
🔨 |
| S.116 |
Preliminary assessment — must assess whether a credit contract would be unsuitable before providing credit assistance |
🤖 Automated |
CRE-002, CRE-003 |
MOD-110 (GATE) — credit suitability assessment is a system gate; facility cannot be activated without a completed assessment; no override path below credit officer role; MOD-027 (CALC) — affordability calculation documented for every application |
🔨 |
| S.117 |
Inquiry obligations — must make inquiries about requirements, objectives, financial situation; must verify information |
🤖 Automated |
CRE-002 |
MOD-027 (CALC) — income and expense verification computed automatically; inputs sourced from transaction history and open banking feeds |
🔨 |
| S.118 |
Unsuitable credit — must not provide credit assistance for a contract that would be unsuitable |
🤖 Automated |
CRE-002 |
MOD-110 (GATE) — system blocks activation if suitability assessment result is DECLINE; no human override below credit officer role |
🔨 |
| S.119 |
Written copy of preliminary assessment — must provide a copy if the consumer requests it within 7 years |
📊 Evidenced |
CRE-003 |
MOD-048 (LOG) — every credit decision auditable; customer can receive explanation; regulator can inspect |
🔨 |
Part 3-2 — Responsible lending (not unsuitable — s.131)
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| S.131 |
Must not enter a credit contract that is unsuitable for the consumer |
🤖 Automated |
CRE-002, CRE-004 |
MOD-110 (GATE) — credit facility cannot be activated without a completed suitability assessment satisfying responsible lending obligations; MOD-027 (CALC) — responsible lending obligation met — affordability documented automatically for every application |
🔨 |
| S.133 |
Anti-avoidance — cannot structure credit to avoid the responsible lending obligations |
🏛 Institutional |
CRE-002 |
Platform does not contain structuring controls; anti-avoidance governance is an institutional compliance obligation |
— |
Part 2-5 — Hardship
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| S.72 |
Borrower may make a hardship application; lender must respond within 21 days (or such longer period as ASIC specifies) |
🤖 Automated |
CON-008, CRE-007 |
MOD-053 (ALERT) — IDR SLAs enforced automatically; hardship application cases escalated if the response SLA is breached; MOD-117 (ALERT) — customers drawn on overdraft for more than 60 consecutive days flagged for financial hardship review |
🔨 |
| S.72(5) |
If hardship is not agreed, lender must notify the borrower of their EDR rights |
🤖 Automated |
CON-008 |
MOD-053 (AUTO) — case management module tracks IDR completion and auto-escalates to AFCA referral status where required |
🔨 |
Part 2-6 — Disclosure obligations
| Ref |
Obligation |
Scope |
Policy |
Platform controls |
Build |
| S.149 |
Must provide a credit quote before entering a credit contract — must include the annual percentage rate, comparison rate, fees, repayment schedule, and total cost of credit |
🤖 Automated |
CRE-002, CON-004 |
MOD-050 (GATE) — repayment amount and total cost shown and acknowledged before loan acceptance; disclosure is synchronous and blocks contract execution |
🔨 |
| S.157 |
Ongoing disclosure — periodic statements required; must include amount owing, interest charged, payments received, and fees |
🤖 Automated |
CON-004 |
MOD-122 (AUTO) — periodic statements generated and delivered on schedule including all required particulars |
🔨 |
| S.158 |
Change in interest rate or fee — notify borrower before the change takes effect |
🤖 Automated |
CON-005 |
MOD-127 (GATE) — rate or fee change blocked until affected customers notified with required advance notice |
🔨 |
The following obligations under the Act are the responsibility of the institution, not the platform.
The platform may generate evidence inputs but does not own these processes.
| Obligation |
Owner |
Platform evidence input |
| Australian Credit Licence application, maintenance, and renewal |
Chief Compliance Officer |
Not platform scope |
| AFCA membership and subscription |
Company Secretary / Chief Compliance Officer |
MOD-053 implements the IDR workflow that precedes AFCA referral |
| Training credit staff on responsible lending obligations |
Chief People Officer |
Not platform scope |
| Anti-avoidance governance and product structuring review |
General Counsel |
MOD-048 provides credit decision audit trail |
| S.133 anti-avoidance sign-off on new product structures |
General Counsel |
Not platform scope |
Coverage summary
| Area |
Total obligations |
Platform automated 🤖 |
Platform evidenced 📊 |
Institutional 🏛 |
N/A |
| Licensing & general |
3 |
0 |
1 |
2 |
0 |
| Credit guide & preliminary assessment |
5 |
4 |
1 |
0 |
0 |
| Responsible lending (s.131) |
2 |
1 |
0 |
1 |
0 |
| Hardship |
2 |
2 |
0 |
0 |
0 |
| Disclosure |
3 |
3 |
0 |
0 |
0 |
| Total |
15 |
10 (67%) |
2 (13%) |
3 (20%) |
0 |
All attributed modules are currently build_status: Not started — the compliance position will update
as modules are built and deployed.
| Policy |
Title |
| CRE-002 |
Responsible Lending Policy |
| CRE-003 |
Credit Decisioning & Scorecard Policy |
| CRE-004 |
Loan Origination Standards |
| CRE-007 |
Collections & Hardship Policy |
| CON-004 |
Product Disclosure & Sales Practice Policy |
| CON-005 |
Fee & Pricing Transparency Policy |
| CON-006 |
Product Suitability and Governance |
| CON-008 |
Financial Hardship Policy |
See D02 Credit Risk and D04 Customer & Conduct.
Official documentation
Policies referencing this standard
- CON-004 — Product Disclosure & Sales Practice Policy
- CON-006 — Product suitability and governance
- CON-008 — Financial Hardship Policy
- CRE-002 — Responsible Lending Policy
- CRE-004 — Loan Origination Standards
- CRE-007 — Collections & Hardship Policy
- CRE-009 — Fixed-Rate Component Break-Cost Methodology Policy
Compiled 2026-05-22 from source/entities/regulations/au-nccp.yaml