Design and Distribution Obligations (DDO) have now been embedded in the regulatory landscape for several years. Most organisations have completed the foundational work. Target Market Determinations (TMD) are in place, frameworks are documented, and processes exist.

The question the Australian Securities and Investments Commission (ASIC) is now asking is more direct. Can you demonstrate that your framework is working in practice.

That was the central theme of our recent CREW session, where we were joined by Dhivya Mani, Executive Director, Compliance at Source, alongside Senior Compliance Managers Julianne McKnight and Natalie Trueman. Together, they explored where firms are still falling short, what ASIC is actively testing, and what defensible governance looks like in practice.

The shift in ASIC’s focus

The legal obligations under DDO have not materially changed. What has shifted is ASIC’s enforcement lens. The question is no longer whether a TMD exists, but whether an organisation can demonstrate, with evidence, that distribution is occurring consistently with that TMD across the product lifecycle.

ASIC is also taking a more proactive approach to enforcement. It is no longer necessary for consumer harm to crystallise before intervention occurs. Where there are early warning indicators, such as weak controls, inconsistent monitoring, or misaligned distribution patterns, ASIC has demonstrated a willingness to act.

As noted during the session, many of these indicators are already visible within organisations through complaints data, customer demographics, and distribution trends. The issue is often not a lack of data, but a failure to act on it.

Where firms are still falling short

Natalie and Julianne outlined the most common gaps observed across DDO frameworks.

TMD design

Template driven TMDs remain a persistent issue. ASIC expects TMDs to be tailored to the specific product, not adapted from unrelated products. Common concerns include:

• Overly broad or ambiguous language such as potentially suitable

• Risk profiles based solely on standard risk measures

• Portfolio allocation ranges and investment horizons that do not reflect the product’s actual characteristics

For industry super funds, broad target markets are not inherently problematic. However, where that breadth becomes too vague to monitor or test, defensibility is undermined. Stronger approaches introduce clear segmentation by life stage, risk tolerance, and investment horizon, and explicitly identify those outside the target market.

Monitoring and review

Monitoring frameworks are often either too generic or insufficiently linked to product specific risk. ASIC expects:

• Continuous, outcomes based monitoring, not periodic document updates

• Clearly defined triggers linked to performance, distribution, or complaints data

• Documented processes for escalation and response

On quantification, the position is increasingly clear. Where possible, thresholds should be defined. A documented trigger with a clear rationale is significantly more defensible than discretionary judgement without an audit trail.

Record keeping is equally critical. Documentation must be clear enough for an independent third party, whether regulator or successor, to understand the decision making process.

Distributor oversight

Third party distribution remains a consistent area of weakness. Common issues include:

• Reliance on self certification without validation

• Limited or inconsistent data from distributors

• Lack of ongoing engagement or challenge

ASIC expects active oversight, including targeted data requests, audit or spot check programs, and defined escalation pathways. Advisor attestations should be tested, not accepted at face value.

Governance structure

In some organisations, product governance remains concentrated within product or compliance teams, with limited senior oversight. This does not align with ASIC expectations. Effective governance requires:

• End to end accountability across the organisation

• Direct board visibility of key metrics such as complaints, significant dealings, and distribution risks

• Integration into broader risk and compliance reporting

Directors and responsible managers face personal accountability, including potential civil and criminal consequences in serious cases.

The Firstmac case

Julianne highlighted ASIC v Firstmac Limited as a clear example of how DDO enforcement is being applied.

Shortly after the regime commenced, Firstmac distributed a product disclosure statement for a managed investment scheme to existing term deposit customers without taking reasonable steps to ensure alignment with the TMD.

The products differed materially in risk profile, capital security, and investment timeframe. The outcome was an eight million dollar penalty.

The case reinforces a critical point. Distribution conditions must be satisfied before a product reaches the customer, not retrospectively.

TMD and PDS review cycles

A key discussion point was whether TMD reviews should align with product disclosure statement updates.

While alignment can be appropriate where there are material product changes, treating the product disclosure statement cycle as the primary driver of TMD review creates risk. TMDs should be dynamic and data driven. They should respond to real time distribution and outcome data and be reviewed more frequently for higher risk products.

A practical approach is to separate the processes. Documentation updates can be aligned where relevant, while trigger based monitoring should operate on its own cadence.

What to do now

Four immediate actions were identified:

• Review when TMDs were last assessed and whether current conditions warrant an update

• Reassess monitoring triggers and confirm they remain relevant and sufficiently robust

• Evaluate distributor reporting and confirm it provides meaningful and actionable data

• Align DDO reporting with board cycles to ensure visibility and accountability

Final thought

As Dhivya summarised during the session, defensibility is not about having more documentation. It is about having clear and credible evidence that the framework is working.

Disclaimer: This material is provided for general information purposes only and does not constitute legal, compliance or other professional advice. It should not be relied upon as a substitute for obtaining advice specific to your circumstances.