IVS audit and compliance remediation
The audit and compliance remediation process
This information guides you through the audit and compliance remediation process for identity verification services (IVS). You must engage in the remediation process if you have not complied with all your obligations as an identity verification services (IVS) user.
You may have identified non-compliance in your annual self-audit when completing your compliance reporting, or it may have been identified through our independent external audit. No matter how the non-compliance was identified, it is important that you take the necessary steps below to become compliant with your obligations.
Not taking the necessary steps to become compliant could lead to your IVS access being suspended or terminated.
You must notify us of any non-compliance and explain to us how you will become compliant.
The remediation process
Remediation is the process of rectifying non-compliance with your participation agreement, Identity Verification Services Rules 2024 and relevant access policies and guidelines. Non-compliance is typically found during the annual self-audit and compliance reporting process. You must notify us of any non-compliance by including it in your compliance statement.
Your organisation may also identify non-compliance outside of the compliance reporting process. You should contact us immediately with details of the non-compliance and follow the remediation steps below.
Non-compliance does not mean we will automatically suspend or terminate your IVS access. Your organisation will need to address and remediate any non-compliance within the timeframe we agree to.
What happens during remediation
To remediate your non-compliance, you should take the following steps.
Inform us of non-compliance
If your organisation identifies non-compliance with its participation agreement, the IVS Rules or the relevant access policy, you must do one of the following:
- If the non-compliance is identified during the compliance reporting process, include details in the compliance statement for that reporting period.
- If the non-compliance is identified outside of the compliance reporting process, notify us and supply details as soon as possible.
Remediation plan
Organisations that identify non-compliance must submit a remediation plan. A remediation plan must:
- outline the process you will follow to remediate the non-compliance
- include a remediation plan with clear actions and timeframes
- be submitted to us within 14 calendar days of submitting your compliance statement.
We will need to review and agree to your detailed remediation plan.
To continue to access and use the IVS, we expect your organisation to:
- follow these remediation steps as soon as possible after identifying non-compliance
- engage in remediation efforts in good faith and cooperate with directions we give you
- provide information we request in a timely manner.
How to comply with the compliance reporting process
Organisations must meet the requirements of the compliance reporting process by completing all self-audit, compliance reporting and remediation obligations.
When you identify non-compliance and take prompt action to remediate it, you have taken positive steps to meet these obligations.
Your organisation must:
- actively identify any non-compliance with its participation agreement and access policy
- submit a compliance statement by the due date
- provide a timely remediation plan
- communicate with us regularly about remediation actions and timeframes
- provide other necessary information we request
- respond promptly to communication from us.
What happens when you don’t cooperate
If your organisation does not meet its compliance reporting requirements, such as not submitting a compliance statement or providing a remediation plan, we will take the following steps:
- Overdue notice: if your organisation does not provide the information we have requested on time, we will send you an overdue notice. You will have 7 calendar days to provide the requested information.
- Notice to suspend: if your organisation does not respond to the overdue notice, we will send you a notice to suspend. You will have 45 calendar days to provide the requested information or your IVS connection will be suspended the following business day.
- Suspension notice: if your organisation has not provided a response to the notice to suspend, we will send you a suspension notice advising your IVS connection will be suspended immediately. You will have 14 calendar days to provide the requested information or your IVS connection will be terminated the following business day.
- Termination notice: if your organisation does not provide a response to the suspension notice, we will send you a termination notice advising your IVS connection has been terminated.
If we believe a serious non-compliance has occurred, in accordance with your participation agreement we may immediately suspend your IVS connection without advance notice to allow the matter to be assessed further.
If you receive one of these notices and are unsure about your obligations or the information we need, please contact your gateway service provider for assistance or email us at ivscompliancereporting@ag.gov.au.
Contact us
For more information about remediation processes, please email us at ivscompliancereporting@ag.gov.au.
The information on this page is not and should not be taken as legal advice.