Decision-level provenance for every credit assessment
Side-by-side reconstruction of any two decisions. What model, what inputs, what changed, why outputs diverged. Defensible to ASIC, AFCA, and the customer.
Our customers
For the structural and regulatory demands of APRA-regulated institutions, by directors and operators who've lived it.
The landscape
“Where entities fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, we will take stronger supervisory action and, where appropriate, pursue enforcement.”
Australia hasn't passed an AI-specific law, but that doesn't reduce regulatory risk. APRA's April 2026 letter to industry confirmed it will rely on its existing prudential framework, including formal enforcement powers, to police AI risk in regulated entities. ASIC has signalled the same posture under s912A.
Loxodrome maps your AI usage to the obligations actually in force, and prepares you for what's on the horizon — including EU AI Act high-risk obligations and Privacy Act ADM transparency provisions effective December 2026.
IAL/IAG penalty plus IAG/IMA remediation for algorithmic pricing breach
Maximum civil penalty per individual contravention of s180 (Corporations Act)
Maximum Privacy Act penalty per serious contravention — each affected individual counts separately
Credit, complaints, and the cost of an answer you can't explain.
Banks have moved AI into the parts of the business that produce regulatory exposure. Credit decisioning, fraud detection, AML screening, complaint triage, customer-facing chat. ASIC's Report 798 (October 2024) examined 624 AI use cases across 23 financial services and credit licensees and singled out “unexplainable and inconsistent automated decisions” as a focus area.
The pressure point is consistency. Under the NCCP Act, you have to explain why a customer received a particular credit outcome. Under CPS 230, you have to demonstrate control over the systems making those decisions. Under APRA's April 2026 letter, you also need second-line tooling that can independently assess those decisions.
Where Loxodrome makes the difference
Real-time monitoring of credit, claims, AML, fraud detection. Drift, override rates, decision anomalies surfaced as they happen. Not after a complaint.
Most credit and fraud stacks rely on third-party models, scoring APIs, bureau data. Loxodrome captures the full chain — yours and theirs — without needing the vendor's cooperation.
RG 271 requires comprehensive reasons for AI-driven complaint decisions. Loxodrome turns the decision chain into something a complaints handler can read, without involving data science.
Regulatory map
CPS 230 · CPS 234 · CPS 220 · NCCP Act ss128-133 · ASIC s912A · ASIC Act s12DA · RG 271 · REP 798 · Privacy Act ADM (Dec 2026)
Pricing, underwriting, and a precedent already on the books.
Insurance is where AI inconsistency has already been litigated. ASIC's June 2023 action against IAL/IAG: $40 million penalty plus an estimated $447 million in remediation across IAG/IMA brands for an algorithmic pricing inconsistency. Industry-wide: around $815 million in remediation by general insurers for pricing failures. The EU AI Act classifies life and health insurance pricing as high-risk. Actuarial exemptions to anti-discrimination law are narrow, and proxy-variable bias in underwriting models — postcode, browsing history, claims history — is exactly what regulators are focused on.
The regulatory perimeter is widest here. APRA covers prudential. ASIC covers consumer duty. The Privacy Commissioner covers automated decision-making. Anti-discrimination law sits over the top of all three.
Where Loxodrome makes the difference
Same risk, same inputs, same price. Where outputs diverge, Loxodrome shows you why — model version, feature change, input anomaly. Auditable, comparable, defensible.
When ASIC or the Privacy Commissioner asks whether differential outcomes have actuarial justification, the answer needs to come from the decision record, not the model design document. Loxodrome captures both.
Triage, assessment, and fraud detection are increasingly AI-driven. Loxodrome captures every claims decision chain with the human review record attached, and flags consistency drift before complaints accumulate.
For insurers with EU exposure, EU AI Act high-risk obligations remain on the books for 2 August 2026, though the Commission's Digital Omnibus may extend the deadline by up to 16 months. Either way, evidence accumulation can't start retrospectively.
Regulatory map
CPS 230 · CPS 220 · ASIC s912A · ASIC Act s12DA · Anti-Discrimination Acts · EU AI Act (high-risk: insurance pricing) · Privacy Act ADM (Dec 2026)
Best financial interests, applied to systems that decide.
Trustee duty under the SIS Act is the most demanding consumer-protection standard in Australian financial services. Members aren't customers, they're beneficiaries. AI used in member-facing decisions, advice, administration, or investment processes operates inside that duty.
The structural problem for super trustees is that most don't build AI, they consume it. CPS 230 makes the trustee responsible for governance over their material service providers, regardless of who operates the technology. The trustee carries the obligation, which is why it's critical that the trustee also controls the evidence.
Where Loxodrome makes the difference
Most super AI is delivered through administrators and tech partners. Loxodrome captures decision chains across the supply chain — independent of the vendor — so the trustee has its own record.
When members or AFCA ask why a particular outcome was reached, the trustee needs an answer that doesn't depend on the administrator's logs. Loxodrome gives trustees decision-level evidence they hold themselves.
One evidence layer covers operational risk under CPS 230, outsourcing under SPS 231, and trustee duty under the SIS Act. Multiple frameworks, one ledger.
Trustees are increasingly asked to demonstrate active oversight of AI in member-facing decisions. Loxodrome provides detailed quantitative evidence that shows, not tells.
Regulatory map
CPS 230 · SPS 220 · SPS 231 · SIS Act trustee duties · ASIC s912A · RG 271 · Privacy Act ADM (Dec 2026)
Sell AI into a regulated buyer? Their compliance is now your sales cycle.
CPS 230 reclassified large parts of the AI vendor landscape as material service providers. That triggers a specific list of obligations: prescribed contract terms, audit access, sub-processor disclosure, performance monitoring, exit plans, fourth-party risk. APRA finalised targeted amendments on 30 April 2026 (commencing 1 July 2026) introducing limited exemptions for certain non-traditional service providers, but the core obligations on AI vendors are unchanged. Vendors that can meet these obligations move through procurement. Vendors that can't, don't.
Independence is the harder problem. Self-attested compliance documentation — audit logs you generated about your own system, signed by you — is exactly what APRA called out as inadequate in its April 2026 letter on AI, citing "overreliance on vendor presentations and summaries without verification of operations." Buyers now want evidence of operational risk management that doesn't come from the system being assessed. Most vendors don't have a clean answer.
Where Loxodrome makes the difference
Your customers, their auditors, and their regulators can verify your AI's decision history without your software in the loop. That answers the audit-access clause, the cooperation clause, and the regulatory-access clause in one record.
A standardised independent evidence layer reduces the per-customer customisation that blows out enterprise sales cycles. The same evidence bundle satisfies a bank, an insurer, a super trustee, and an FCA-regulated UK buyer.
CPS 230 service-provider obligations require sub-processor notification and downstream liability flow-through. Loxodrome captures the chain at the decision level — what called what, when — without exposing model weights, prompts, or commercially sensitive infrastructure.
The most informed buyers increasingly understand that vendor self-attestation isn't the standard regulators want. APRA itself has now said so. Vendors that come to those conversations with independent evidence have a structural advantage.
Regulatory map (vendor-facing)
CPS 230 service provider obligations · CPS 234 third-party information security · APRA documentation & on-site access rights · ISO 42001 · EU AI Act provider obligations
Independence is defensible
APRA's April 2026 letter to industry explicitly stated its expectation that “second line risk management and internal audit functions possess technical capability and tooling to independently assess AI systems.” Loxodrome is that independence.