Modern Slavery Compliance for Australian Financial Services: What You Need to Know in 2026
The Modern Slavery Act 2018 (Cth) imposes mandatory reporting obligations on Australia's largest businesses — including banks, insurers, superannuation funds, and wealth managers that meet the annual revenue threshold. Five years into operation, enforcement scrutiny is intensifying. The Australian Border Force has begun publishing compliance assessments, the Joint Standing Committee on Foreign Affairs, Defence and Trade tabled its landmark review recommending a shift toward mandatory due diligence, and institutional investors are treating modern slavery statements as a material ESG disclosure.
For financial institutions, the compliance picture is more complex than for corporates in other sectors. Banks and insurers are simultaneously reporting entities (obligated to report on their own operations and supply chains), financiers (potentially exposed through lending and investment portfolios), and governance actors (expected by APRA and ASIC to manage modern slavery as a form of operational and reputational risk). This guide covers every dimension of that obligation.
Who Must Report: The $100 Million Threshold
Section 5 of the Modern Slavery Act 2018 (Cth) defines an entity as a reporting entity if it is an entity based in Australia or carrying on business in Australia and has an annual consolidated revenue of at least $100 million. The threshold applies to the consolidated group, not individual legal entities within the group.
Consolidated Revenue Calculation
For financial institutions, "annual consolidated revenue" means the total revenue reported in the consolidated financial statements of the Australian group. This includes:
- Net interest income
- Non-interest income (fees, commissions, trading income)
- Insurance premium revenue (gross, before reinsurance)
- Investment income in the case of superannuation funds
The Department of Home Affairs has clarified in its guidance that revenue for the purposes of the Act aligns with the accounting definition — it is not limited to operating revenue and does not allow netting of interest expense. Even for mid-sized banks, credit unions, and non-bank lenders, the $100 million threshold is easily met. The question for most financial institutions is not whether they must report but how well their statement meets the mandatory criteria and APRA's expectations around operational risk management.
Voluntary Reporting Below the Threshold
Entities below the $100 million threshold may submit voluntary modern slavery statements. The Act does not preclude voluntary reporting, and the Australian Border Force's online register accepts voluntary statements. Smaller mutual banks, credit unions, and boutique investment managers have increasingly chosen to report voluntarily — particularly where their parent entity or institutional clients require it for supply chain due diligence.
The Seven Mandatory Criteria
Section 16 of the Act sets out seven mandatory criteria that every modern slavery statement must address. A statement that fails to address all seven criteria is non-compliant, regardless of how detailed the addressed criteria are.
Criterion 1: Identify the Reporting Entity
The statement must identify the reporting entity — including its structure, operations, and supply chains. For a financial institution with multiple subsidiaries, this means clearly explaining which entities are covered by the statement (either individually or jointly) and how they relate to each other. Joint statements are permitted under s14 where the parent entity's statement covers subsidiaries, but the statement must explicitly identify each covered entity and the parent must meet the threshold independently.
Criterion 2: Describe Operations and Supply Chains
This criterion requires a genuine description of the entity's operations — not a boilerplate summary of services offered. APRA-regulated institutions should map:
- Direct workforce — employees, contractors, labour hire, secondees
- Tier 1 suppliers — entities with a direct contractual relationship (IT vendors, facilities management, outsourced processing, legal and advisory services, printing and document management, cleaning and security services for offices and branches)
- Tier 2+ suppliers — suppliers to suppliers, particularly in higher-risk categories. For a bank, this might include the manufacturers of technology hardware, the data centre infrastructure supply chains, or the agricultural supply chains underlying commodity finance portfolios
- Financial services portfolio exposure — lending and investment activities that may create indirect modern slavery risk through financed entities
Criterion 3: Describe Modern Slavery Risks
The statement must describe the modern slavery risks in the entity's operations and supply chains. Modern slavery under s4 of the Act includes: trafficking in persons, slavery, servitude, forced marriage, forced labour, debt bondage, deceptive recruiting for labour or services, and child labour in its worst forms.
For financial institutions, the highest-risk areas are typically:
- IT hardware supply chains — manufacturing of servers, network equipment, and mobile devices in jurisdictions with documented forced labour risks (particularly Xinjiang, China — which now triggers specific due diligence requirements under the Australian Government's supply chain guidance)
- Facilities and cleaning services — a sector with documented labour exploitation in Australia itself, particularly affecting migrant workers. The Fair Work Commission's increased oversight of labour hire in this sector is a relevant compliance signal
- Financial crime and trafficking nexus — financial institutions are uniquely positioned to detect transaction patterns associated with human trafficking. AUSTRAC's typologies on human trafficking and modern slavery (published November 2021) identify specific indicators for tellers, mortgage brokers, and transaction monitoring teams
- Agricultural finance — lending portfolios with exposure to horticulture, viticulture, or aquaculture supply chains in regions with seasonal migrant worker populations
- Superannuation investment portfolios — equity and fixed income exposure to companies operating in higher-risk jurisdictions or sectors
Criterion 4: Actions Taken to Assess and Address Risks
This is the substantive compliance criterion and the one most frequently assessed by the Australian Border Force in its compliance reviews. Entities must describe concrete actions — not policies or intentions — taken during the reporting period. Credible actions include:
- Supplier questionnaires with modern slavery-specific questions completed and reviewed
- Third-party audits of high-risk suppliers conducted by accredited social auditors
- Contractual modern slavery clauses embedded in new and renewed supplier agreements
- Due diligence integrated into procurement approval workflows above specified spend thresholds
- Training completed by procurement, treasury, and relationship banking staff on identifying modern slavery indicators
- Transactions flagged and reviewed through integration with AUSTRAC's modern slavery typologies
Criterion 5: Effectiveness of Actions
Entities must assess how effective their actions have been in addressing modern slavery risks. This criterion is the most poorly addressed in the majority of Australian modern slavery statements, according to the Home Affairs compliance assessments. Effectiveness assessment requires:
- Defined key performance indicators (e.g., percentage of high-risk suppliers that completed questionnaires, number of site audits conducted, number of corrective action plans issued and closed)
- Reporting against those KPIs, including where targets were not met
- Evidence of continuous improvement — changes made to the program as a result of effectiveness assessments
Criterion 6: Consultation with Owned or Controlled Entities
The statement must describe how the reporting entity consulted with entities it owns or controls in preparing the statement. For a financial institution with subsidiaries across different business lines or geographies, this means documenting a governance process — not simply asserting that consultation occurred. Audit committees and boards of material subsidiaries should be involved in reviewing the statement before approval.
Criterion 7: Any Other Relevant Information
This catch-all criterion allows entities to include information relevant to their modern slavery response that does not fit neatly into the other criteria — for example, remediation actions taken where a modern slavery risk was identified, participation in industry initiatives, or policy commitments for future reporting periods.
Board Approval: The Governance Requirement
Section 14 of the Act requires that a modern slavery statement be approved by the principal governing body of the reporting entity. For an Australian company, this is the board of directors. For a registered mutual or cooperative, it is the board or equivalent governing body.
The approval must be genuine — the board must consider and formally approve the statement, not merely note or receive it. Board minutes should record that the statement was tabled; that directors considered whether the mandatory criteria had been addressed; and that the board resolved to approve the statement for submission. A delegation to the CEO or a board committee to "approve and submit" is not sufficient under the Act unless the board itself has authorised that delegation and reviewed the final statement.
The statement must also be signed by a responsible member — under s14(2), this is a principal officer of the reporting entity (i.e., the CEO or equivalent). The signature is distinct from board approval; both are required.
Supply Chain Mapping: The Practical Challenge
For most financial institutions, the supply chain mapping exercise is the most resource-intensive aspect of modern slavery compliance. The challenge is both technical (data systems do not naturally capture supplier-level information in a format useful for risk assessment) and commercial (suppliers may resist detailed disclosure about their own supply chains).
Prioritising the Supply Chain
The Home Affairs guidance recommends a risk-based approach to supply chain mapping. Not all suppliers require the same depth of assessment. A practical prioritisation framework for financial institutions:
- Tier 1 by spend — identify the top 50–100 suppliers by annual spend. These warrant direct engagement through questionnaires or audits
- Tier 1 by risk category — regardless of spend, suppliers in categories with elevated modern slavery risk (IT hardware, labour hire, facilities, catering, security guard services) warrant direct assessment
- Geographic risk overlay — suppliers or their Tier 2 upstream suppliers operating in countries with elevated modern slavery risk indices (as measured by the Global Slavery Index) warrant deeper scrutiny
- Financial portfolio — for banks with significant corporate lending books, engagement with high-risk sector borrowers (agriculture, construction, hospitality) through ESG questionnaires or covenants
Supplier Questionnaires and Due Diligence
The Financial Services Council (FSC), the Australian Banking Association (ABA), and the Responsible Investment Association Australasia (RIAA) have all published modern slavery due diligence frameworks that include questionnaire templates. The key questions cover:
- Existence of a modern slavery policy and code of conduct
- Whether the supplier conducts its own supply chain mapping
- Specific questions about recruitment fees (debt bondage), subcontracting arrangements, and migrant worker protections
- Whether the supplier has detected modern slavery risks and what remediation was undertaken
- Whether the supplier is a member of an industry initiative (Sedex, EcoVadis, IAST Alliance)
The IAST Alliance and Industry Collaboration
The Investor Alliance for Human Rights and Supply Chain Due Diligence (IAST Alliance) is a coalition of institutional investors and financial institutions that coordinates modern slavery due diligence approaches and advocates for mandatory due diligence legislation in Australia. Major Australian superannuation funds and several of the large banks are members.
Membership in the IAST Alliance or equivalent initiatives (the Business and Human Rights Resource Centre's financial sector working group, or the UN Global Compact) demonstrates a commitment to continuous improvement that resonates with institutional investors, regulators, and the Australian Border Force. Compliance teams should ensure that industry coalition participation is documented and reported in the effectiveness section of the modern slavery statement.
The forthcoming mandatory human rights due diligence legislation that the Joint Standing Committee recommended in its 2023 review is modelled partly on the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz) and the French Loi de Vigilance. If enacted, it would transform the compliance requirement from a reporting obligation to an active due diligence obligation with liability exposure — a significant escalation that financial institutions should begin preparing for now.
Interaction with APRA CPS 230 and CPG 230
APRA's CPS 230 (Operational Risk Management), which became effective 1 July 2025, and the accompanying CPG 230 guidance paper treat modern slavery compliance as a category of legal and regulatory obligation that must be managed within the operational risk framework.
Material Service Providers and Supply Chain Risk
CPS 230 requires APRA-regulated entities to identify and manage their material service providers — those that support critical operations. Modern slavery risk in the supply chain of a material service provider is, by extension, an operational risk that the regulated entity must manage.
The practical implication: if a bank's IT outsourcing arrangement with a major technology provider involves hardware manufactured in jurisdictions with documented forced labour (e.g., Xinjiang), the bank has both a modern slavery reporting obligation (Criterion 3 risk assessment) and a CPS 230 service provider risk management obligation. These streams should be integrated — the modern slavery due diligence on IT suppliers should feed into the CPS 230 service provider risk register, not operate in a separate compliance silo.
Business Continuity and Remediation
CPS 230's tolerance levels and business continuity requirements also interact with modern slavery remediation. If a modern slavery risk is identified in a critical supplier and the entity decides to transition to an alternative supplier, CPS 230 requires that the transition plan does not create unacceptable operational risk during the changeover period. Compliance teams coordinating modern slavery remediation and CPS 230 service provider transitions need to work with technology and operations teams to ensure the plans are integrated.
Penalties and Enforcement
The Modern Slavery Act 2018 (Cth) is notable for what it currently does not include: there are no civil penalties for failing to report or for submitting an inadequate statement. The enforcement mechanism is reputational — the Australian Border Force maintains a public register of reporting entities and their statements (the Modern Slavery Statements Register), and it publishes compliance assessments identifying entities that have failed to address mandatory criteria.
However, the absence of direct penalties does not mean compliance is consequence-free:
- ASIC enforcement — the Australian Securities and Investments Commission has signalled that modern slavery risk is a form of climate-related and ESG risk that directors must consider when assessing whether they are meeting their duties under the Corporations Act 2001. A board that approves a modern slavery statement without genuinely addressing the mandatory criteria could be exposed to allegations of inadequate director oversight.
- APRA supervisory scrutiny — APRA has included supply chain risk and modern slavery compliance in its supervisory conversations with regulated entities, particularly in the context of CPS 230 service provider management reviews.
- Contractual exposure — institutional clients (particularly government entities and superannuation funds) increasingly require suppliers to provide modern slavery statements as a condition of contract. Inadequate statements can jeopardise procurement relationships.
- State law overlap — New South Wales has its own Modern Slavery Act 2018 (NSW), which is dormant pending commencement, but sets a much lower threshold of $50 million and includes civil penalties of up to $1.1 million. Commonwealth-reporting entities in NSW should monitor for NSW Act commencement, which the government has repeatedly deferred but not abandoned.
- Future mandatory due diligence laws — the Joint Standing Committee's 2023 recommendation to introduce mandatory human rights due diligence with civil liability exposure would fundamentally change the risk profile for non-compliance.
Remediation: When a Risk Is Found
The Act's seventh mandatory criterion and the Home Affairs guidance contemplate that entities will sometimes find modern slavery risks in their operations or supply chains. What happens next is one of the most important — and most frequently omitted — elements of a credible modern slavery program.
Remediation Principles
The UN Guiding Principles on Business and Human Rights (UNGPs) — which underpin both the Australian Act and the international frameworks — set out a remediation hierarchy:
- Cease the harmful practice — where the entity is directly causing or contributing to modern slavery, cessation is the primary obligation
- Remediate affected individuals — compensation, referral to support services, or other measures proportionate to the severity of harm
- Leverage influence over suppliers — where the harm is in the supply chain, the entity should use its commercial leverage to require remediation, rather than simply terminating the relationship (which can worsen outcomes for affected workers)
- Responsible disengagement — where a supplier refuses to remediate and the relationship must be terminated, the exit should be planned to minimise harm to workers (including transitional support where possible)
Financial institutions that discover modern slavery indicators in a borrower's operations face particular complexity: immediate termination of a credit facility could accelerate business failure and worsen outcomes for workers. The UNGP remediation framework suggests engaging with the borrower on a remediation plan as a first step, with credit covenants that require compliance milestones, before exercising default rights.
Common Gaps GoComply Detects in Modern Slavery Statements
When financial institutions run their modern slavery statements and modern slavery program policies through GoComply's compliance scanner, these are the gaps that surface most consistently:
- Criterion 5 effectiveness not addressed — statements that describe actions taken (questionnaires sent, training delivered) but contain no quantitative effectiveness metrics, no reporting against targets, and no discussion of what was learned or changed as a result. This is the most common compliance deficiency identified in the Australian Border Force's published assessments.
- Operational supply chain mapping too superficial — statements that describe the entity's services or products but do not descend to Tier 1 supplier categories, leaving regulators and investors unable to assess whether the risk identification exercise was genuine.
- Board approval evidence absent — statements signed by the CEO that do not reference board approval, or governance documents that show the statement was presented to the board but not formally resolved for approval. Under s14, both are required.
- Financial portfolio risk omitted — banks and investment managers that assess their direct supply chain but make no reference to modern slavery risk in their lending or investment portfolios, even where the entity operates in high-risk sectors.
- No integration with AUSTRAC typologies — failure to reference or embed AUSTRAC's human trafficking typologies into transaction monitoring arrangements, despite the clear overlap between financial crime obligations and modern slavery detection.
- Modern slavery isolated from CPS 230 — supply chain due diligence programs that operate independently of the CPS 230 material service provider register and risk management framework, creating inconsistencies between what is disclosed to Home Affairs and what is disclosed to APRA.
Drafting a High-Quality Modern Slavery Statement: Practical Guidance
Structure and Length
The Home Affairs guidance does not prescribe a format. In practice, well-regarded statements from Australian financial institutions follow this structure:
- Executive summary and CEO/board statement (1 page)
- About our organisation — structure, operations, supply chain overview (2–3 pages)
- Modern slavery risks — risk assessment methodology and findings by category (3–4 pages)
- Actions taken during the reporting period — by risk category, with specific examples (4–6 pages)
- Effectiveness assessment — KPIs, results, and what changed (2–3 pages)
- Consultation with owned and controlled entities (1 page)
- Approval and sign-off page
Key Drafting Pitfalls to Avoid
- Policy language instead of action language — "We have a modern slavery policy" is not an action. "We reviewed 74 high-risk suppliers through self-assessment questionnaires, of which 8 required follow-up due diligence, resulting in 3 corrective action plans" is an action.
- Boilerplate risk language — generic statements that modern slavery "may exist" in supply chains without identifying which specific sectors, geographies, or supplier categories are higher risk.
- Reporting period mismatch — the statement must cover the entity's reporting period (typically the financial year). Actions described should be actions taken during that period, not historical program elements.
- Forward commitments substituting for current actions — describing what the entity plans to do in future periods does not satisfy the mandatory criteria for the current period.
Related Regulations and Obligations
Modern slavery compliance for financial institutions intersects with a broader regulatory ecosystem:
- APRA CPS 230 (Operational Risk) — service provider risk management, material outsourcing requirements, and supply chain operational risk
- AUSTRAC AML/CTF Act 2006 — human trafficking typologies, suspicious matter reporting obligations where modern slavery indicators appear in transactions
- ASIC RG 271 (Internal Dispute Resolution) — where employees or suppliers raise modern slavery concerns, IDR obligations may apply
- Privacy Act 1988 — personal information of individuals identified in modern slavery investigations must be handled consistently with the Australian Privacy Principles
- ESG/Climate Risk (APRA CPG 229) — modern slavery is increasingly treated as a social dimension of ESG risk, and APRA's climate guidance foreshadows similar expectations for social risk management
- Consumer Data Right — where open banking data or CDR data is used to assess borrower supply chain practices, CDR data use limitations apply
- Corporations Act 2001 — director duties of care and diligence extend to non-financial risks including modern slavery and supply chain risk, particularly following ASIC's guidance on climate-related financial disclosure
This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations. GoComply covers 37 Australian financial regulations — ask the chatbot for instant clause-level answers on the Modern Slavery Act 2018, CPS 230, AUSTRAC typologies, and all related frameworks.