Doubled Investigations, AUD $349.8 Million in Penalties: The Enforcement Curve
ASIC’s enforcement caseload doubled in the 12 months to May 2026, with new court matters rising at a similar pace, Longo said at the Tech Council panel. The agency secured AUD $349.8 million in civil penalties between July and December 2025, the highest six-month total since ASIC’s founding, alongside AUD $583 million returned to consumers, according to ASIC enforcement data published in February 2026.
Headline matters included a proposed AUD $240 million penalty against ANZ Banking Group, potentially the largest ASIC has sought against a single entity, and AUD $35 million from Macquarie Securities for short sale reporting failures. The regulator also secured a 14-year prison sentence, the longest in its enforcement history.
The CFD sector remained a focus. ASIC’s 14-month review of 52 licensed CFD issuers, published in January 2026 as REP 828 (Risky Business), documented compliance failures at 48 firms, including 70 million erroneous transaction reports and prohibited margin discount practices at more than half the sector. The review produced six license cancellations and AUD $39 million returned to 38,000 investors, with the FXCM Australia interim stop order issued in December 2025 and Federal Court proceedings against eToro becoming the first enforcement action under the Design and Distribution Obligations regime, in force since October 2021.
To be sure, the current pace builds on an already higher baseline. ASIC removed close to 7,000 investment scam and phishing websites in the 12 months to June 2025, with full-year enforcement actions up 50% before the most recent expansion. The latest figures are layered on that prior step, not a single isolated cycle.
The Regulated-Institution Quirk: Why CBA Cannot Use the Sandbox
Australia’s regulatory sandbox carries a structural limitation. Regulated institutions including major banks cannot participate, even when launching products in entirely new categories. Stuart Munro stated at the panel that the Australian sandbox operates at lower efficacy than the UK and Singapore equivalents and described the regulated-institution exclusion as a quirk of the scheme.
For CBA, the compliance function sits inside the institution, not alongside it. The bank employs approximately 15,000 technologists across the group and runs its largest operational area in economic crime, with about 4,000 staff dedicated to financial crime, fraud and scams, roughly 8% of its 50,000-person workforce, according to Munro.
Early-stage fintech operates under a different cost structure. Zepto, an account-to-account payments infrastructure provider, employs 85 people, with approximately 20% of the company allocated to resilience, compliance and security, according to Chief Business Resilience Officer Mariana Paun. The firm spent AUD $1.5 million and approximately seven months building its security foundation before generating revenue from its non-bank connection to the New Payments Platform.
These figures do not constitute a like-for-like burden comparison. CBA’s 8% figure covers financial crime alone and understates broader regulatory compliance spend, while Zepto’s 20% includes resilience and engineering functions that scale with company size. The structural point is that fixed compliance and security thresholds apply regardless of company stage, and that neither tier of operator can currently use the sandbox to defer or stage those costs.
Sarah Court Inherits a Reform Agenda Across Three Regulatory Threads
Sarah Court, ASIC Deputy Chairman since June 2021 and a 13-year veteran of the Australian Competition and Consumer Commission, takes over as Chairman on June 1, 2026. ASIC framed the handover as continuity, with Longo crediting Court for the agency’s recent structural changes.
Court inherits at least three regulatory threads. The Corporations Amendment (Digital Assets Framework) Bill, passed April 1, 2026, brings approximately 400 crypto platforms under the AFSL regime, with an ASIC class no-action letter expiring June 30, 2026. A payments licensing regime sits behind that. The Product Intervention Order governing retail CFDs expires May 23, 2027, with the next consultation expected to define copy trading rules and wholesale client classification.
Longo’s substantive reform proposal at the Tech Council panel centered on resourcing, not legislation. He outlined a model in which each startup is assigned a dedicated, senior ASIC contact who maintains the relationship across the licensing journey, coordinated with the Reserve Bank of Australia and Treasury. Longo described the approach as resource-intensive and unavailable to every applicant.
Longo also cited Anthropic’s Claude Mythos Preview, disclosed April 7, 2026, as an example of a topic that he said “didn’t even exist six weeks ago.” He said the model can find vulnerabilities in banking and utility systems if misused. Anthropic disclosed in May 2026 that Mythos had identified 23,019 issues across more than 1,000 open-source projects, including 6,202 high or critical severity findings, through its Project Glasswing initiative.
This analysis draws on the ASIC transcript of the Tech Council of Australia panel (May 21, 2026), ASIC enforcement data published February 2026, REP 828 (January 2026), and Anthropic’s Project Glasswing disclosures (April and May 2026), supplemented by Finance Magnates reporting. The Tech Council panel transcript is marked “check against delivery” by ASIC. All figures are attributed to their original sources. Comparisons between Zepto and CBA workforce allocations cover different functional scopes and are not directly comparable.