Running a business in Australia means operating within one of the world’s most comprehensive regulatory frameworks. Between federal legislation, state-level obligations, and industry-specific rules, the number of laws that could apply to your business on any given day runs well into the dozens.
Here’s the thing: most businesses don’t fail at compliance because they’re dishonest. They fail because the landscape is genuinely complex, constantly changing, and rarely explained in plain English.
This guide changes that. Whether you’re a founder trying to understand your obligations for the first time, a compliance manager reviewing your framework, or a director wanting to know exactly what you’re accountable for — this is the most complete, practical overview of legal compliance in Australia available.
What Is Legal Compliance in Australia?
Legal compliance means operating your business in accordance with all applicable laws, regulations, standards, and codes — at both the federal and state or territory level.
That definition sounds simple. In practice, it covers everything from how you pay your employees and handle customer data, to how you structure financial products, manage workplace safety, and report to regulators.
It’s worth distinguishing compliance from two related concepts:
Compliance vs. governance: Governance is the system you put in place to make sure compliance happens — boards, policies, accountability structures. Compliance is the actual adherence to those rules. You need both, but governance is how you achieve compliance at scale.
Compliance vs. risk management: Risk management identifies what could go wrong. Compliance defines what you’re legally required to do. They work hand-in-hand — non-compliance is itself a significant business risk — but they’re not the same thing.
One thing is consistent across all business sizes: compliance applies to everyone. Sole traders, SMEs, and ASX-listed corporations all operate within the same fundamental legal framework. The obligations scale with your size, industry, and structure — but they never disappear.
Why It Matters: The Cost of Getting It Wrong
Let’s be direct about what’s at stake.
Between 2020 and 2024, more than 369 corporate fines were issued by Australian regulatory bodies, totalling nearly $30 billion in penalties (Protecht, 2024). That figure is dominated by large-scale mining and financial services cases — but the regulatory environment that produced those outcomes applies to businesses of all sizes.
At the individual penalty unit level, the numbers are also significant. As of November 2024, each penalty unit in Australia is worth $330. Many compliance breaches carry penalties of hundreds or thousands of units — meaning a single violation can quickly reach tens of thousands of dollars before the matter gets to court.
Some recent examples that illustrate enforcement intent:
- SkyCity Adelaide was fined $67 million in 2024 for failing to meet AML/CTF obligations — lacking adequate systems for monitoring suspicious transactions and customer due diligence.
- ASIC imposed over $32.2 million in penalties in just the first six months of 2024, including an $11.3 million fine against Mercer for greenwashing.
- Optus was hit with ACMA’s largest-ever fine of $12 million in 2024 for Triple Zero failures.
Financial penalties are only part of the picture. Non-compliance also creates:
- reputational damage that can outlast the fine by years
- director personal liability under the Corporations Act and WHS laws
- operating licence suspension or cancellation in licensed industries
- civil litigation from customers, employees, or third parties harmed by the breach
- increased regulatory scrutiny: once you've attracted attention, regulators tend to stay interested.
The question isn’t whether compliance is worth the effort. It’s whether your current approach to managing it is rigorous enough to protect you.
Core Legislation Every Australian Business Must Know
Australia’s compliance landscape is built on a foundation of federal statutes, with state and territory laws adding industry and jurisdiction-specific obligations. Here are the laws that affect almost every Australian business.
Corporations Act 2001
The Corporations Act is the primary piece of legislation governing how Australian companies are formed, operated, and wound up. Enforced by ASIC, it covers director duties (duty of care, duty to act in good faith, duty to avoid conflicts of interest), financial reporting and record-keeping requirements, disclosure obligations for public companies and fundraising, insolvency and liquidation procedures, and prohibition on insolvent trading.
If your business is a company — not a sole trader or partnership — the Corporations Act is the single most important piece of legislation you need to understand. Directors face personal liability for serious breaches, including civil penalties and criminal prosecution in the most serious cases.
Fair Work Act 2009
The Fair Work Act governs employment conditions for the vast majority of Australian workers. Its reach is broad: it covers minimum wages, leave entitlements, the National Employment Standards (NES), modern awards, enterprise agreements, and protections against adverse action. The Act is enforced by the Fair Work Ombudsman, which has significant investigatory and penalty powers. Underpayment — even unintentional — carries serious consequences, and since 2025, intentional wage theft is a criminal offence in Australia.
Privacy Act 1988 (and 2024 Amendments)
The Privacy Act governs how organisations collect, use, store, and disclose personal information. The 13 Australian Privacy Principles (APPs) form the core framework. APP 11 in particular requires reasonable steps (which the 2024 amendments clarify include technical and organisational measures) to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, and since 2018 the Notifiable Data Breaches scheme has required eligible data breaches to be reported to the OAIC and to affected individuals. Penalty exposure for serious or repeated interferences with privacy was raised in December 2022 to the greater of $50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover. The 2024 amendments (the Privacy and Other Legislation Amendment Act 2024) added lower-tier civil penalties and infringement notices for less serious breaches, a statutory tort for serious invasions of privacy, and the framework for the Children's Online Privacy Code.
The Privacy Act generally applies to organisations with annual turnover above $3 million, but smaller businesses can also be captured if they trade in personal information, provide health services, or operate as a contracted service provider to government. With the OAIC actively auditing privacy policy compliance and the Children’s Online Privacy Code coming into force, 2026 is a particularly important year to get your privacy framework in order.
Work Health and Safety (WHS) Laws
WHS obligations are primarily governed at the state and territory level, but most jurisdictions have adopted the model WHS laws based on the Work Health and Safety Act 2011. The primary duty is clear: persons conducting a business or undertaking (PCBUs) must ensure the health and safety of workers “so far as is reasonably practicable.” This duty extends beyond employees to contractors, labour hire workers, visitors, and members of the public who may be affected by your operations.
Officers of a PCBU — directors and senior managers — face an independent due diligence duty. They are personally obligated to ensure the PCBU meets its WHS obligations. This cannot be delegated away.
Australian Consumer Law (ACL)
The ACL, contained in Schedule 2 of the Competition and Consumer Act 2010, applies to all businesses that supply goods or services to Australian consumers. Its core requirements include prohibitions on misleading or deceptive conduct, mandatory consumer guarantees (which cannot be contracted out of), restrictions on unfair contract terms, prohibitions on unconscionable conduct, and product safety standards. Enforcement sits with the ACCC at the federal level and consumer affairs bodies in each state and territory.
Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF)
The AML/CTF Act 2006 imposes obligations on “reporting entities” — businesses that provide designated services — to identify customers, monitor transactions, and report suspicious matters to AUSTRAC. Historically, reporting entities were largely financial services businesses.
From 1 July 2026, this changes dramatically. Tranche 2 of the AML/CTF reforms brings approximately 80,000 new businesses into the regime, including real estate agents, lawyers, accountants, and dealers in precious metals. If your business is in any of these sectors, AML/CTF compliance is no longer optional — it’s a legal obligation with serious enforcement consequences.
Key Regulators and Their Powers
Understanding who regulates what helps you prioritise where to focus your compliance effort.
| Regulator | Primary Focus | Penalty Powers |
|---|---|---|
| ASIC | Corporate governance, financial services, markets | Civil + criminal penalties, licence cancellation |
| APRA | Banks, insurers, superannuation funds | Directions, licence conditions, disqualification |
| AUSTRAC | Anti-money laundering, financial crime | Civil penalties up to 100,000 penalty units ($33M at the current $330 unit value) per contravention |
| Fair Work Ombudsman | Employment conditions, wages, record-keeping | Civil penalties, enforceable undertakings |
| ACCC | Consumer law, competition | Civil penalties up to the greater of $50M, three times the benefit obtained, or 30% of adjusted turnover per contravention |
| OAIC | Privacy, freedom of information | Infringement notices, determinations, civil penalties |
| State WHS regulators | Workplace health and safety | Improvement notices, prohibition notices, prosecution |
| State revenue offices | Payroll tax, land tax, stamp duty | Assessments, penalties, interest |
One important nuance: most businesses face obligations from multiple regulators simultaneously. A financial services firm with 50 employees, for example, answers to ASIC (licensing), AUSTRAC (AML), the Fair Work Ombudsman (employment), OAIC (privacy), and their state WHS regulator — all at once. Managing these obligations in silos is where compliance programs tend to fall apart.

Industry-Specific Compliance in Australia
On top of the general compliance framework, regulated industries carry additional sector-specific obligations. Here’s a brief overview of the highest-risk sectors.
Financial Services
Businesses providing financial services require an Australian Financial Services (AFS) licence from ASIC. AFS licensees must maintain adequate financial resources, have dispute resolution systems, provide compliant disclosure documents, and meet conduct obligations under the Corporations Act. Those general obligations now expressly reach cyber security: in ASIC v RI Advice Group (2022) the Federal Court declared that inadequate cyber risk management breached the licensee's obligations under s 912A, and ASIC has pursued cyber resilience as an enforcement priority since. APRA-regulated entities (banks, insurers, superannuation funds) carry additional prudential requirements on top, including Prudential Standard CPS 234 on information security and CPS 230 on operational risk management, which commenced on 1 July 2025.
Healthcare and Aged Care
Healthcare providers operate under the Health Practitioner Regulation National Law, the Therapeutic Goods Act, and various state-based health legislation. Aged care providers must comply with the strengthened Aged Care Quality Standards and report under the new regulatory framework introduced following the Royal Commission into Aged Care Quality and Safety, now set out in the Aged Care Act 2024, which commenced on 1 November 2025.
Real Estate
Real estate agents are among the most significantly impacted sectors by the 2026 AML/CTF Tranche 2 reforms. From 1 July 2026, agents providing real estate services must enrol with AUSTRAC, identify their customers, monitor transactions, and report suspicious matters. This is a completely new compliance category for most agencies.
Legal and Accounting Firms
Lawyers and accountants providing certain designated services also fall under the Tranche 2 reforms. From July 2026, firms providing real estate conveyancing, company formation, trust management, and related services must meet full AML/CTF obligations. Enrolment with AUSTRAC opens 31 March 2026.
Major Compliance Changes in 2026
2026 is one of the most significant years for Australian regulatory reform in a decade. These changes are already in effect or come into force this year.

AML/CTF Tranche 2 (1 July 2026): The most significant expansion of Australia’s AML/CTF regime since the original Act. Enrolment with AUSTRAC opens 31 March 2026 for newly regulated businesses. If your business is in real estate, legal services, accounting, or related sectors — preparation is now urgent.
Payday Super (1 July 2026): The current quarterly superannuation payment cycle ends. From 1 July, employers must pay superannuation guarantee contributions with each payday, so that they reach the employee's fund within seven business days of the payment. This is a major payroll process change that requires early systems preparation.
Mandatory Merger Control (1 January 2026): Australia’s longstanding informal merger clearance system has been replaced with a mandatory notification and approval framework for acquisitions meeting prescribed thresholds. Transactions completed without ACCC approval are legally void.
Privacy Act Reforms: The OAIC has commenced its first active sweep of privacy policies in key sectors. The Children’s Online Privacy Code is also coming into force, imposing new obligations on online services handling children’s personal information.
How to Manage Legal Compliance in Your Business
Knowing your obligations is one thing. Systematically managing them is another. Here’s the framework that compliance professionals actually use.
1. Build a Compliance Register
A compliance register (also called a legal register or obligations register) is a centralised record of every law, regulation, licence, standard, and code that applies to your business — along with the specific obligations each creates, who owns them, and their current status. Without a compliance register, you’re relying on individual team members to remember and act on their obligations. That’s a fragile system. A well-maintained register makes your compliance program auditable, assignable, and defensible.
2. Assign Clear Ownership
Every obligation in your compliance register needs an owner — a named person who is accountable for monitoring it and confirming compliance. Shared accountability is no accountability. Compliance committees can govern the overall program, but individual obligations need individual owners.
3. Monitor Regulatory Change
Legislation changes. Regulators issue new guidance. Courts interpret existing rules in ways that shift practical obligations. A compliance program that doesn’t include a process for monitoring and incorporating regulatory change is already falling behind. Good monitoring practices include subscribing to regulator newsletters, setting up alerts for relevant legislation, and conducting a formal regulatory change review at least quarterly.
4. Run Regular Compliance Audits
An audit — whether internal or external — tests whether your documented controls are actually working. It’s not enough to have a policy; the audit asks whether people are following it. The frequency and scope of audits should be proportionate to your risk. High-risk obligations (AML, WHS, privacy) warrant more frequent review. Lower-risk administrative obligations can be reviewed annually.
5. Use Compliance Management Software
At some point, managing compliance obligations in spreadsheets stops working. As your register grows, as obligations change, and as your team expands, you need a system that keeps everything connected — obligations to owners, owners to evidence, evidence to audit trails.
Purpose-built compliance management platforms like Lahebo are designed specifically for this. Lahebo helps Australian businesses centralise their compliance obligations, assign ownership, track regulatory change, and generate audit-ready reports — all in one place. For businesses navigating the 2026 regulatory changes, having a platform that can adapt in real time is a significant advantage over maintaining a static spreadsheet.

State and Territory Compliance Differences
Australia’s federal structure creates compliance complexity for businesses operating across multiple states. While federal legislation applies uniformly, many important obligations are regulated at the state or territory level.
Work Health and Safety: Although most jurisdictions have adopted the model WHS laws, the picture is not uniform. Victoria has not adopted the model laws at all and retains its own Occupational Health and Safety Act 2004; Western Australia adopted harmonised laws only in March 2022 and with local variations; and other jurisdictions carry smaller departures from the model. Understanding which jurisdiction's laws apply, and how they differ, is essential for multi-state employers.
Payroll Tax: Each state and territory imposes its own payroll tax, with different thresholds, rates, and grouping provisions. Payroll tax is one of the most commonly under-managed compliance obligations for growing businesses, particularly when they expand into new states without reassessing their threshold position.
Security of Payment: State-based security of payment legislation governs payment disputes in the construction industry. Each state has its own Act, with different timeframes and procedures.
Liquor, Building, and Occupational Licensing: Most occupational and business licences are state-issued. A contractor licensed in Queensland is not automatically licensed in NSW. Managing licence currency across jurisdictions — including renewal dates, CPD requirements, and condition changes — is a common compliance gap for multi-state businesses.
Common Compliance Mistakes Australian Businesses Make
Honestly, most compliance failures aren’t caused by bad intent — they’re caused by bad systems. Here are the five most common mistakes.
1. Treating compliance as a one-time exercise. Your compliance obligations change when laws are amended, when your business grows, when you enter a new market, or when you add a new service. Businesses that build a compliance register once and never update it quickly accumulate gaps.
2. Assuming small businesses are exempt. Many compliance obligations have size thresholds — but far fewer than business owners assume. WHS obligations apply from day one. Consumer guarantees under the ACL apply regardless of turnover. AML/CTF exemptions are industry-specific, not size-based.
3. Confusing policies with controls. Having a written privacy policy is not the same as having compliant data handling practices. Having a WHS policy is not the same as having a safe workplace. Regulators assess what actually happens, not what’s written in a document.
4. Relying on individuals rather than systems. When the person who “knows about compliance” leaves, their knowledge leaves with them. Compliance programs built around individuals rather than documented systems are fragile and high-risk.
5. Not tracking regulatory change. It’s remarkably common for businesses to be managing compliance well against the law as it was three years ago — but to have missed significant amendments since. A dedicated process for tracking regulatory change is non-negotiable.
Frequently Asked Questions
What are the main legal compliance requirements for businesses in Australia?
The core requirements apply to virtually all Australian businesses: registering the business and meeting ASIC reporting obligations (for companies), complying with employment laws under the Fair Work Act, meeting WHS obligations, adhering to the Australian Consumer Law, and managing personal information in accordance with the Privacy Act. On top of these, your industry, size, and structure will determine additional obligations.
What happens if a business is not legally compliant in Australia?
Consequences range from infringement notices and fines (starting at $330 per penalty unit) through to civil and criminal penalties for serious breaches. Regulators also have powers to issue improvement notices, suspend licences, and — in the most serious cases — pursue directors personally. Beyond regulatory action, non-compliance creates civil litigation risk and reputational damage.
Is legal compliance different for small businesses in Australia?
Some obligations scale with turnover or employee numbers — the Privacy Act’s $3 million threshold is one example. But many core obligations apply regardless of size: WHS duties, Fair Work Act employment conditions, and the Australian Consumer Law apply from the first day of operation. Small businesses should not assume they’re exempt without specifically checking.
How often should a business review its compliance obligations?
Best practice is to conduct a formal compliance review at least annually, and to build a process for monitoring regulatory change throughout the year. Businesses in heavily regulated sectors (financial services, healthcare, construction) should review more frequently. Any significant business change — new service, new market, new structure — should also trigger a compliance review.
What is the difference between a compliance register and a risk register?
A compliance register records your specific legal and regulatory obligations, who owns them, and their current status. A risk register records identified risks to the business, their likelihood and consequence, and the controls in place to manage them. They’re complementary tools. Non-compliance appears in a risk register as a risk; the compliance register is how you manage and evidence compliance.
Start Managing Your Compliance Obligations Properly
Legal compliance in Australia isn’t something you can set and forget. It’s an ongoing operational discipline — one that requires clear ownership, regular monitoring, and a system that keeps pace with regulatory change.
The businesses that manage compliance well don’t do it by working harder. They do it by working with better systems. If you’re currently tracking your obligations in spreadsheets, or relying on individuals to manage their obligations without a structured framework, that’s the place to start.
For Australian businesses looking to centralise their compliance obligations, assign ownership, and stay ahead of regulatory change, Lahebo is purpose-built for exactly that. See how it works for businesses managing compliance across multiple jurisdictions and regulatory frameworks.