
REP 828, decoded for operators

What ASIC's $40 million refund report actually means for how you run your books, and the breach clock it implies.

Everyone quoted the same number. Forty million dollars in refunds, more than thirty-eight thousand retail clients, a whole-of-sector CFD review. It ran in the trade press and the compliance newsletters and the LinkedIn posts, and then most of the industry filed it under noted and moved on.

The number operators should have stopped on was seventy million.

That is the count of erroneous transaction reports ASIC turned up while checking how the sector reports its OTC derivative trades. Seventy million. Not forty million dollars of client harm, which is bad enough on its own. Seventy million individual reporting errors sitting inside regulatory data that everybody assumed was clean. That one finding tells you more about how brokers actually run than the headline ever will.

This is REP 828 read from the operations chair. Not what it means for your marketing copy. What it means for your books.

What the report actually is

In January 2026 ASIC published REP 828, Risky business. It was the output of a sector-wide review of fifty-two licensed CFD issuers, run from October 2024 to December 2025. ASIC did not go hunting for one bad actor. It pulled the whole industry in and made every issuer show how it distributed its products and whether it was meeting its obligations.

The review landed on three areas of widespread weakness. Design and distribution obligations. The CFD product intervention order. And regulatory transaction reporting. On the surface each one reads like a conduct and distribution story. Underneath, each one is an operations story, and that is the part worth decoding.

Pillar one: the breach nobody chose

More than half the sector contravened the product intervention order. Not through anything exotic. They offered margin discounts to retail clients holding opposing long and short positions. Those clients carried higher funding costs with no real way to profit from the offsetting trade. ASIC had already warned the industry to stop this in 2024. Half the sector was still doing it.

Sit with what that means operationally. This was not fifty separate boardrooms deciding to breach the PIO. It was a funding and margin treatment, set at group level, that produced a prohibited outcome and then kept producing it. A configuration choice replicated across servers and books, quietly non-compliant, for long enough to generate tens of millions in refunds.

Nobody chose the breach. The config chose it, and nobody was watching the config closely enough to catch what it was doing to hedged retail positions. That is the shape of almost every finding in this report. The failure is rarely a decision made in a meeting. It is a setting that drifted, or a default that was never right to begin with, running unseen between reviews.

Pillar two: seventy million reasons your data lies

Back to the number that matters.

ASIC found more than seventy million erroneous OTC derivative transaction reports across the sector, and forty-eight issuers had to change how they report as a result. Trade reporting sits downstream of your books. Every report is generated from platform data, mapped through your fields, and pushed out to the trade repository. Seventy million errors is not one typo somewhere. It is systemic drift between what your servers actually did and what your reported record says they did.

Here is the operator's gut punch. Nobody was reconciling the two. The reported data and the source of truth had pulled apart, at enormous scale, and the gap sat there unmeasured until a regulator went looking for it. This is the purest example in the whole report of the thing that hides between audits. It is not a flashy breach. It is a slow silent divergence in a high-volume pipeline that everyone assumed was working, because nothing ever told them it was not.

And that is exactly why it is dangerous. Trade reporting is the kind of process no one watches by hand. It runs nightly, it runs in the millions, and it succeeds quietly until the day someone reconciles it against the book and finds out how far it has wandered. Drift in a place like that does not announce itself. It accumulates. By the time it surfaces, the number is measured in months and millions, not in the one bad mapping that started it.

If you run a broker, this is the finding to lose sleep over. Not because trade reporting is glamorous. Because it is the perfect hiding place, and the report just proved the whole sector had something hiding there.

Pillar three: set and forget is now the breach

The third pillar is where ASIC moved the standard.

Across the review, forty-two issuers had to build or seriously upgrade ongoing monitoring of client outcomes. Forty-four reworked their onboarding questionnaires. Thirty-nine revised their target market determinations. The pattern underneath all of it is the line that should be pinned above every compliance desk in the sector: a set and forget approach is a breach.

Not a weakness. A breach. The report's stance is that a target market determination is meant to be a living document, driven by data you already hold, and that collecting that data without acting on it is not compliance. If a high share of your clients are consistently losing or defaulting, and you hold the data that shows it, you are expected to have seen it and done something about it.

Read that as an operator and the message is blunt. Periodic review is no longer a defence. The expectation is now continuous data-driven monitoring of your own book, with alerts and triggers that fire when something moves. The brokers who came out of this review ahead were the ones already watching their outcomes in close to real time. The ones who got the refund bill were running on the quarterly cadence everyone used to think was enough.

The breach clock it implies

Here is the part most summaries skipped.

Reportable situations lodged by issuers jumped one hundred and twenty-seven percent year over year. The industry did not suddenly start breaching more. It started looking more, and the looking surfaced what was already there. That single statistic is the whole thesis of the report.

The breaches existed the entire time. Detection is the only thing that changed.

And once you are looking, the clock is unforgiving. A reportable situation does not start its window when you happen to notice. It starts when you knew, or were reasonably able to determine, that it had arisen. Reasonably able to determine is the phrase that turns a quiet config drift into a liability. The margin discount breach that ran for a year was not a year of grace. It was a year in which a reasonable licensee, watching properly, would have caught it. ASIC has now said in writing that not watching is itself the failure.

And the money is remediation, not a fine. Under the obligation to operate efficiently, honestly and fairly, and the consumer remediation guidance that sits behind it, you take responsibility and you pay clients back. The forty million dollars was not a penalty the regulator extracted. It was the sector handing money back for harm it did not see in time. The true cost of the blind spot is the harm itself, plus the reconstruction work, plus every reportable situation the blind spot was hiding while it ran.

What this means for how you run your books

Strip REP 828 of its distribution language and it is a report about operational blind spots. The margin discount breach was a config that drifted. The seventy million reporting errors were data that drifted. The monitoring failures were books nobody was watching closely enough between reviews. None of it was a strategy problem. All of it was a visibility problem.

So the instruction buried in the report is not really about marketing or onboarding. It is about whether you can see your own environment continuously. Whether a funding treatment that turns non-compliant shows up the day it moves, not the day an auditor reconstructs it. Whether your reported data is reconciled against your actual book often enough that a gap surfaces in a cycle instead of a year. Whether your client outcomes are watched by something that alerts, rather than by a calendar reminder to review.

ASIC has told the sector, in plain terms, that the cadence has changed. The brokers who internalise that will run the next few years from the front foot, self-identifying and remediating before anyone forces them to. The ones who do not will keep finding out the expensive way, one sector review at a time. The product intervention order runs until at least May 2027, and nothing about the regulator's posture suggests it softens after that.

The forty million dollar number was the cost of not looking. The seventy million number was the proof that nobody was. Decoded for operators, that is the entire report.


Broker Intelligence runs independent, read-only surveillance across your live MT4 and MT5 servers, surfacing the config drift, the data gap and the compliance breach quantified to the dollar, before they become a refund bill. Book a 30-minute walk-through.

Daniel Ford
Founder

Daniel Ford is the founder of Broker Intelligence, where he works with FX and CFD brokers on independent, read-only surveillance of their live MT4 and MT5 environments.
