DDO and Breach Reporting Guide 2025-2026: Design and Distribution Obligations for Financial Institutions
The Design and Distribution Obligations (DDO) regime and the modernised breach reporting framework represent two of the most consequential regulatory reforms to emerge from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. Together, they fundamentally shift the compliance burden on product issuers and distributors - from a reactive, disclosure-based model to a proactive, consumer-outcomes-focused regime.
These obligations apply to all Australian Financial Services Licence (AFSL) holders who issue or distribute financial products, including banks, insurers, superannuation trustees, managed fund operators, and credit providers. Since the DDO regime commenced on 5 October 2021 and the breach reporting reforms took effect on 1 October 2021, ASIC has been actively enforcing both - issuing stop orders, infringement notices, and civil penalty proceedings against entities that fail to meet the new standard.
Why DDO Was Introduced: The Royal Commission Context
Before DDO, Australian financial product regulation was built almost entirely around disclosure. The assumption was that if consumers received enough information - Product Disclosure Statements (PDSs), Financial Services Guides (FSGs), and Key Information Documents - they could make informed decisions. The Royal Commission demonstrated that this assumption was fundamentally flawed.
Commissioner Hayne's final report identified a pattern where financial products were being sold to consumers for whom they were clearly unsuitable: junk insurance policies sold to people who could never claim on them, complex investment products marketed to retail investors with no understanding of the risk, and credit products extended to borrowers who could not afford repayments. The disclosure model had created a compliance culture focused on process rather than outcomes.
The DDO regime, introduced through the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019, addresses this by requiring product issuers to actively consider who their products are designed for and to take reasonable steps to ensure they are distributed accordingly. It shifts the question from "did we disclose enough?" to "did the right people get this product?"
Target Market Determinations: The Core Obligation
At the heart of DDO is the requirement for product issuers to make a Target Market Determination (TMD) for each financial product before it can be distributed to retail clients. The TMD is not a marketing document - it is a regulatory instrument that defines who the product is appropriate for and who it is not.
What a TMD Must Contain
Under s994B(5) of the Corporations Act 2001, a TMD must include:
- Target market description - a clear description of the class of retail clients that comprises the target market, including their likely objectives, financial situation, and needs
- Conditions and restrictions on distribution - any conditions or restrictions on how the product can be distributed, such as requiring advice, limiting to certain channels, or prohibiting unsolicited sales
- Events or circumstances requiring review - specific triggers that would require the issuer to review the TMD (review triggers), including significant dealing outside the target market, material complaints, or a significant deviation in actual consumer experience from expected outcomes
- Maximum review period - the TMD must specify a review period, and ASIC expects this to be no longer than necessary (typically annually, but shorter for higher-risk products)
- Reporting requirements for distributors - what information distributors must report back to the issuer, including complaints data, significant dealings, and information suggesting the TMD may no longer be appropriate
TMD Review Triggers
Issuers cannot simply set and forget a TMD. The regime requires active monitoring and review when specific events occur:
- Material complaints - a significant number or pattern of complaints suggesting the product is not performing as expected for the target market
- Significant dealing outside the target market - evidence that the product is being acquired by consumers outside the defined target market
- Product performance deviation - the product's actual outcomes diverge materially from the outcomes described in the TMD or PDS
- External events - regulatory changes, market events, or economic conditions that fundamentally change who the product is appropriate for
- ASIC direction - ASIC can direct an issuer to review a TMD at any time under its product intervention powers
Distribution Obligations: Reasonable Steps and Monitoring
DDO places obligations on both issuers and distributors. These are separate but interconnected duties.
Issuer Obligations
Product issuers must take reasonable steps to ensure that distribution of the product is consistent with the TMD. This is not a guarantee of outcome - it is a process obligation requiring genuine, documented effort. Reasonable steps include:
- Selecting appropriate distribution channels - choosing distributors whose customer base aligns with the target market, and avoiding channels likely to reach consumers outside it
- Setting distribution conditions - requiring distributors to apply eligibility criteria, ask qualifying questions, or obtain personal advice before distributing higher-risk products
- Monitoring distributor conduct - actively monitoring whether distributors are complying with the TMD and distribution conditions, not just relying on contractual clauses
- Acting on information received - when distributor reports or complaints data suggest the TMD may be inadequate, acting promptly to review and update it
Distributor Obligations
Distributors of financial products must:
- Not distribute outside the TMD - a distributor must not distribute a product if they know, or reasonably ought to know, that the distribution is not consistent with the product's TMD
- Report to the issuer - provide the issuer with complaints data, information about significant dealings, and any information that suggests the TMD may no longer be appropriate
- Comply with reporting periods - the TMD specifies reporting periods, and distributors must meet these deadlines
- Maintain records - keep records sufficient to demonstrate compliance with distribution obligations for at least seven years
Reportable Situations: What Must Be Reported and When
The reportable situations regime (Part 7.6A.4 of the Corporations Act) requires AFSL holders to report certain matters to ASIC. This was significantly reformed in October 2021 to replace the old "significant breach" reporting requirement with a broader, more prescriptive framework.
What Constitutes a Reportable Situation
Under s912DAA, reportable situations include:
- Significant breaches or likely breaches of core obligations - breaches of AFSL conditions, financial services laws, or other obligations prescribed by regulation
- Gross negligence or serious fraud - by the licensee or any of its representatives, regardless of whether it constitutes a breach of a specific obligation
- Investigation reports from investigators - where an investigation under the licensee's breach reporting procedures results in a report
- Other matters prescribed by regulation - including certain notifications to other regulators (e.g., APRA notifications about operational risk events)
The 30-Day Lodgement Deadline
The reformed regime introduced a strict 30 calendar day deadline for lodging a report with ASIC. This runs from the day the licensee first knows it has reasonable grounds to believe the reportable situation has arisen, or from the day it ought reasonably to have known - whichever is earlier. The "ought to know" element is critical: ignorance is not a defence if the licensee's systems and processes should have detected the situation earlier.
For DDO-specific reportable situations (significant dealing outside the TMD), the timeline is even tighter in practice. Distributors must report significant dealings to the issuer as soon as practicable, and the issuer must then assess whether a TMD review and ASIC report are required.
Breach Reporting Regime: Significant Breaches and ASIC Lodgement
The concept of a "significant breach" remains central to the reporting framework, but the 2021 reforms introduced a deemed significance test that removes much of the subjective assessment that previously allowed licensees to avoid reporting.
Significance Assessment
A breach is significant if it satisfies any of the following criteria under s912D:
- Deemed significant - the breach results in a loss to a client, involves dishonesty or fraud, breaches a civil penalty provision, or is a breach of certain prescribed obligations (including DDO provisions)
- Overall significance assessment - considering the number and frequency of similar previous breaches, the impact on clients, the extent to which the breach indicates inadequate compliance arrangements, and the extent to which the breach was caused by systemic issues
ASIC Lodgement Process
Reports must be lodged through ASIC's Regulatory Portal in the prescribed form. The report must include:
- Details of the reportable situation, including the nature of the breach and the obligations involved
- When the situation arose and when it was identified
- The number of affected clients and estimated financial impact
- Steps taken or proposed to address the situation, including remediation
- Whether the matter has been reported to any other regulator (APRA, AUSTRAC, OAIC)
ASIC uses lodged breach reports as a key input for its risk-based surveillance program. Patterns of breaches across an industry sector can trigger thematic reviews, and individual entities with persistent reporting issues will attract increased regulatory attention.
Penalties and Enforcement
The penalty regime for DDO and breach reporting obligations is substantial and has been used actively by ASIC since the reforms commenced.
Civil Penalties
- Failure to make a TMD - civil penalty of up to 5,000 penalty units per contravention ($1.565 million per contravention for a body corporate as of 2025-2026)
- Distribution inconsistent with TMD - same civil penalty applies to both issuers and distributors
- Failure to report a reportable situation - civil penalty of up to 1,000 penalty units ($313,000 per contravention for a body corporate)
- Failure to report within 30 days - separate contravention that accrues for each day the report is late
ASIC Stop Orders and Infringement Notices
ASIC has the power to issue interim stop orders (up to 21 days) and final stop orders on products where the TMD is deficient. A stop order prohibits all distribution of the product until the TMD is remediated to ASIC's satisfaction. Since October 2021, ASIC has issued stop orders across a range of product categories including insurance, managed funds, and structured products.
ASIC can also issue infringement notices for less serious contraventions, carrying penalties of up to 600 penalty units ($187,800 for a body corporate). These are used for administrative failures such as late TMD reviews or incomplete distributor reporting arrangements.
Recent Enforcement Actions
ASIC has demonstrated a willingness to pursue DDO enforcement aggressively:
- Multiple stop orders issued for generic TMDs that failed to adequately describe the target market or set meaningful distribution conditions
- Civil penalty proceedings against issuers who continued to distribute products after becoming aware of significant dealing outside the target market
- Infringement notices for failure to establish adequate distributor reporting arrangements
- Thematic reviews of TMD quality across insurance, superannuation, and managed investment scheme sectors
Common Gaps GoComply Detects
When GoComply scans your compliance documentation against DDO and breach reporting requirements, it identifies the specific gaps that most frequently lead to regulatory action:
- TMDs without meaningful review triggers - generic triggers like "annual review" without specific, measurable events that would require an earlier review. ASIC expects triggers tied to complaints thresholds, distribution data, and product performance metrics.
- No distributor reporting framework - the TMD states that distributors must report, but there is no documented process, template, or system for actually collecting and analysing distributor data. Without this, the issuer cannot demonstrate "reasonable steps."
- Missing breach assessment methodology - no documented framework for assessing whether a breach is "significant" under s912D. Without a methodology, the 30-day clock cannot start reliably, and the licensee risks a finding that it "ought to have known" earlier than it claims.
- Incomplete reportable situations register - the licensee maintains a breach register but does not capture all categories of reportable situations, particularly gross negligence and serious fraud by representatives, which must be reported regardless of whether they constitute a technical breach.
- No escalation pathway from complaints to TMD review - complaints data is collected by the customer service team but there is no documented process for escalating patterns to the product team for TMD review assessment. This is a common gap that ASIC has specifically called out in its guidance.
Interaction with Other Regulatory Frameworks
DDO and breach reporting do not operate in isolation. Your compliance team needs to consider the intersections with:
- Financial Accountability Regime (FAR) - accountable persons must have DDO and breach reporting responsibilities clearly allocated. Failure to maintain adequate TMDs or report breaches on time could constitute a breach of accountability obligations.
- AML/CTF Act 2006 - if a reportable situation involves a failure in AML/CTF controls, it may need to be reported to both ASIC and AUSTRAC. Dual reporting obligations require coordination.
- APRA CPS 220 (Risk Management) - for APRA-regulated entities, DDO compliance failures constitute an operational risk that should be captured in the Risk Management Framework.
- Privacy Act 1988 - if a breach involves personal information (e.g., distributor data mishandling), the Notifiable Data Breaches scheme under the Privacy Act may also be triggered.
- ASIC Regulatory Guide 271 (Internal Dispute Resolution) - complaints data is a key input for both TMD review triggers and breach identification. Your IDR process must feed into your DDO and breach reporting frameworks.
GoComply's scanner checks your documentation against all 15 Australian financial regulations simultaneously, so these cross-regulation gaps are identified in a single scan rather than requiring separate compliance exercises for each framework.
This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations.