IVS audit and compliance remediation

The audit and compliance remediation process

This information guides you through the audit and compliance remediation process for identity verification services (IVS). You must engage in the remediation process if you have not complied with all of your obligations as an identity verification services (IVS) user.

You may have identified non-compliance in your annual self-audit when completing your compliance reporting, or it may have been identified through our independent external audit. No matter how the non-compliance was identified, it is important that you take the necessary steps below to become compliant with your obligations.

Not taking the necessary steps to become compliant could lead to your IVS access being suspended or terminated.

You must notify us of any non-compliance, and explain to us how you will become compliant.

The remediation process

Remediation is the process of rectifying non-compliance with your participation agreement, Identity Verification Services Rules 2024 and relevant access policies and guidelines. Non-compliance is typically found during the annual self-audit and compliance reporting process. You must notify us of any non-compliance by including it in your compliance statement.

Your organisation may also identify non-compliance outside of the compliance reporting process. You should contact us immediately with details of the non-compliance and follow the remediation steps below.

Non-compliance does not mean we will automatically suspend or terminate your IVS access. Your organisation will need to address and remediate any non-compliance within the timeframe we agree to.

What happens during remediation

To remediate your non-compliance, you should take the following steps.

Inform us of non-compliance

If your organisation identifies non-compliance with its participation agreement, the IVS Rules or the relevant access policy, you must do one of the following:

  • If the non-compliance is identified during the compliance reporting process, include details in the compliance statement for that reporting period.
  • If the non-compliance is identified outside of the compliance reporting process, notify us and supply details as soon as possible.

Management response and remediation plan

Organisations that identify non-compliance must submit a management response. A management response must:

  • outline the process you will follow to remediate the non-compliance
  • include a remediation plan with clear actions and timeframes
  • be submitted to us within 14 calendar days of submitting your compliance statement.

We will need to review and agree to your detailed management response.

To continue to access and use the IVS, we expect your organisation to:

  • follow these remediation steps as soon as possible after identifying non-compliance
  • engage in remediation efforts in good faith and cooperate with directions we give you
  • provide information we request in a timely manner.

How to comply with the compliance reporting process

Organisations must meet the requirements of the compliance reporting process by completing all self-audit, compliance reporting and remediation obligations.

When you identify non-compliance and take prompt action to remediate it, you have taken positive steps to meet these obligations.

Your organisation must:

  • actively identify any non-compliance with its participation agreement and access policy
  • submit a compliance statement by the due date
  • provide a timely management response and remediation plan
  • communicate with us regularly about remediation actions and timeframes
  • provide other necessary information we request
  • respond promptly to communication from us.

What happens when you don’t cooperate

If your organisation does not meet its compliance reporting requirements, such as not submitting a compliance statement or providing a management response, we will take the following steps:

  1. Overdue notice: if your organisation does not provide the information we have requested on time, we will send you an overdue notice. You will have 7 calendar days to provide the requested information.
  2. Suspension notice: if your organisation does not respond to the overdue notice, we will send you a suspension notice. You will have 45 calendar days to provide the requested information.
  3. Suspension: after 45 days, if your organisation has not provided a response to the suspension notice, we will suspend your connection to the IVS by close of business the next calendar day.
  4. Proposal to terminate notice: if your organisation’s IVS connection has been suspended, we will send you a proposal to terminate notice. This notice will advise your organisation that your IVS connection has been suspended, and you will have 14 calendar days to provide the requested information or your IVS connection will be terminated.
  5. Termination notice: if your organisation does not provide a response to the proposal to terminate notice, we will send you a formal termination notice.
  6. Termination: once we have sent your organisation a termination notice, we will terminate your IVS connection the following business day.

If you receive one of these notices and are unsure about your obligations or the information we need, email us at ivscompliancereporting@ag.gov.au.

Contact us

For more information about remediation processes, please email us at ivscompliancereporting@ag.gov.au.

The information on this page is not and should not be taken as legal advice.