Examination findings and ratings methodology
- Issued: 13 October 2025
Findings matrix

Obligation risk
Failure to comply with an inherently higher-risk obligation increases the likelihood of financial crime crystallising to a greater extent than non-compliance with inherently lower-risk obligations.
Low: non-compliance with the obligations may increase the likelihood of financial crime, conduct or prudential risks crystallising.
Medium: non-compliance with the obligations increases the likelihood of financial crime, conduct or prudential risks crystallising.
High: non-compliance with the obligations substantially increases the likelihood of financial crime, conduct or prudential risks crystallising.
Level of compliance
This is based on how compliant you are with the obligations.
Largely compliant: minor shortcomings identified. The supervised person has met most requirements and/or deficiencies are considered not material[1]. Some enhancements or remediation are required to fully comply with legal and/or regulatory requirements.
Partially compliant: moderate shortcomings identified. The supervised person has not met several requirements and/or deficiencies identified are considered material[1]. The supervised person cannot demonstrate full compliance with legal and/or regulatory requirements and may be in breach of its statutory obligations. Substantial remediation is required to achieve full compliance with legal and/or regulatory requirements.
Not compliant: major shortcomings identified. The supervised person has not met many of the requirements and/or material[1] deficiencies have been identified which may be considered serious. The supervised person is in breach of its statutory obligations. Fundamental remediation is required to fully comply with legal and/or regulatory requirements.
Financial crime, conduct and prudential risk rating
Minor (yellow): systems and controls are assessed as being substantially effective. The supervised person can demonstrate that it has a generally sound understanding of the risk it faces, but enhancements would assist it to better monitor, manage or mitigate the risk. Some improvements to existing systems and controls are required to remedy findings identified.
Moderate (amber): systems and controls are assessed as being moderately effective. The supervised person cannot demonstrate a comprehensive understanding of the risk it faces, increasing the likelihood of it being unable to effectively monitor, manage or mitigate the risk. Substantial remediation is required to adequately remedy findings identified.
Major (red): systems and controls are assessed as being ineffective. The supervised person has a limited understanding of the risk it faces, resulting in it being unable to effectively monitor, manage or mitigate the risk. Fundamental remediation is required to comprehensively remedy findings identified.
Financial crime risk: the risk of financial crime crystallising.
Conduct risk: the risk of poor outcomes for customers, harm to market integrity and/or trust in the financial system being damaged.
Prudential risk: the risk of firms becoming financially unsound.
[1] The consideration as to whether deficiencies are determined to be material or not is based on the impact on the entity of a risk crystallising as a result of those deficiencies.