Trust & compliance

The compliance is in the architecture.

Brokerfront is the platform; our customers hold the licences. So we don't ask you to trust a policy document — we build each obligation into a mechanism that produces its own evidence, automatically, on every file. Here is the map, regulation by regulation.

ObligationHow the platform builds it inThe evidence it produces

Best Interests Duty — the broker personally owns every recommendation

NCCP s158LA/s158LE · ASIC RG 273

Recommendations cannot be one-click approved. A licensed broker reviews a frozen comparison basis (every lender considered, why each won or lost, what would change the answer), resolves or reasons past information gaps, adopts or amends the drafted reasons, attests to best interests and conflicts, and signs.The approval record: who, the exact frozen basis reviewed, edits made, attestations, review time — on an append-only log, rolled up in a firm supervision view (review durations, rubber-stamp flags).

Evidence of how the recommendation was reached

RG 273.165–.169 (records), s120 NCCP (preliminary assessment)

Every comparison shown to a customer is frozen as a reasoning trace before they see it: rates used, all options considered, near-misses, sensitivity analysis. Rate refreshes can never silently change what was said.A per-file compliance pack — one printable document with the full record set, generated from the log, not reconstructed.

Records kept complete and unaltered for seven years

NCCP record-keeping · RG 273.165 · CR Code

The audit log is write-once at the database engine level — updates and deletes are rejected by the database itself, for any caller. Loan files carry a seven-year retention guard; even a firm off-boarding tombstones the firm and keeps the trail.The WORM trigger and retention guard in the schema itself, plus audited erasure events carrying an explicit legal basis when a permitted deletion occurs.

Advice boundary — tailored comparisons are credit assistance

ASIC RG 203 (Example 10/12)

The credit guide is delivered and the fee quote accepted by the customer's own tap before the first personalised lender comparison will render — enforced in code, not by disclaimer. The AI cannot accept, claim, or work around it.Timestamped disclosure events with document versions, per file.

Responsible lending — inquire, verify, assess

NCCP ss115–120 · ASIC RG 209

Structured fact-find with code-enforced completeness; document extraction with per-field confidence; serviceability computed the way lenders compute it (APRA +3% buffer, HEM floors, income shading) — deterministically, per lender.The written preliminary assessment — a computed “not unsuitable” verdict with the serviceability numbers behind it, generated from the frozen basis and retrievable for 7 years.

A loan file cannot skip a stage of its legal life

NCCP process integrity · RG 273

Every status change runs through a legal state machine with evidence gates: a file cannot become “recommended” without a licensed broker's approval of a frozen basis, client authority requires a completed Credit Proposal, and “lodged” requires a gateway application reference. There is no code path around it.A transition event on the audit log for every stage change, carrying the evidence that satisfied its gate.

Consumer consent before any data is collected on their behalf

Privacy Act APPs 3 & 5 · CR Code

Consent is an engine, not a checkbox: explicit, timestamped, versioned consents recorded on the file, captured only by the customer's own tap. A credit-file pull or identity check is refused in code — before any vendor is contacted — unless the matching consent exists and is unwithdrawn.Consent records with document versions on every file; refusal events where a pull was attempted without one.

AI accountability — the licensee answers for its tools

ASIC REP 798

The AI assists; it never decides. Numbers come only from deterministic engines. The recommendation narrative is generated only from the frozen record and double-checked — every figure and lender name verified against the facts before anyone sees it; fabrications are rejected.Every AI action logged and attributable; model and prompt versions stamped on every narrative; evaluation suites run against the live models.

Product distribution within target markets

DDO · ASIC RG 274

Target-market style filters run inside the matching engine itself — an ineligible customer never sees the product ranked.Per-lender eligibility reasons recorded on every comparison.

Complaints handled inside the statutory clock

ASIC RG 271 (IDR) · AFCA

A complaints register with intake on every surface — the public site, the assistant, and the console — with the 24-hour acknowledgement and 30-day resolution timers computed, tracked, and escalation to AFCA recorded per case.The register itself: every complaint's clock, actions, outcome and AFCA reference, exportable, with lifecycle events on the audit log.

Only verified licensees serve customers

NCCP licensing · ASIC Credit Registers

A firm's licensing identity is structured data — ACL, ABN/ACN, credit-rep and AFCA membership — checksum-validated and verified against the government registers. A firm cannot activate a paid, customer-facing plan until it passes.The verified licensing record per firm, and audited activation-blocked events when the gate refuses.

Consumer data — right tier, right controls

Consumer Data Right (Treasury/ACCC)

Today: public Product Reference Data only — whole-of-market rates discovered from the open CDR register, no consumer data. Consumer-consented bank data arrives via the accreditation ladder (trusted-adviser and CDR-representative arrangements) — a gate that is enforced in code and defaults closed — with Privacy Act controls and hard tenant isolation.Data-quality guards and freshness quarantine on every ingested rate; per-tenant isolation re-proven by an automated auditor on every code change.

The compliance pack

Every loan file exports a regulator-ready record: disclosures with timestamps, the frozen comparison basis, the broker's signed approval, the full audit trail. Generated from the log, never reconstructed.

The governance kit

Firms onboard with an AI governance policy template, consumer AI disclosure copy, and a human-review path — the three gaps ASIC's REP 798 found across the industry, closed in the onboarding box.

Caged by code, not prompts

Verification flags the AI cannot write. Checklist evidence it cannot fake. Consents it cannot click. Numbers it cannot invent. Stages it cannot skip; history it cannot erase. The guardrails are in the type system and the database, not in polite instructions.

See it, don't take our word

The fastest way to evaluate any of the claims above is a 20-minute walkthrough on a live file: watch the disclosure gate fire, open the broker ceremony, export the compliance pack. Compliance officers welcome — bring your hardest questions.

Request a compliance walkthrough

Brokerfront provides technology to licensed credit businesses. It does not hold an Australian Credit Licence and does not provide credit assistance; regulatory obligations described here rest with the licensee, supported by the platform's mechanisms. Vendor-dependent checks (identity, credit bureau, document verification, lodgement) run against certified providers as part of production activation; until a firm activates, the platform runs them against conformant mock adapters and labels the results as such. Nothing on this page is legal advice.