Guidance

Information sheet 7: Our regulatory powers

Information about the processes we undertake when using our powers under the Payment Times Reporting Act 2020 (the Act) to collect information or when using compliance powers.

This information sheet provides general guidance only and does not amount to legal advice. We encourage entities to seek independent legal advice to clarify their rights and obligations under the Act.

One of the Payment Times Reporting Regulator’s functions is to monitor and enforce compliance with the Payment Times Reporting Act 2020 (the Act). The Act provides powers to gather information from entities, and tools to address non‑compliance.

This sheet provides information about our regulatory powers, including an overview of the steps and processes followed when they are used (see Appendix).

Our approach to the use of regulatory powers will depend on the nature of the suspected non‑compliance and the conduct of the reporting entity. Information on when we intend on using our regulatory powers is set out in Information Sheet 1: Our approach to regulation.

Download

INFO7: Our regulatory powers [DOCX 360 kB]

Contents

  • Information gathering
  • Our powers to respond to non-compliance
  • Document History
  • Appendix: Overview of processes for regulatory powers

Information gathering

Information gathering notice

We have the power to give written notice to a person compelling them to give information or documents to the Regulator. Failure to comply with such a notice attracts a civil penalty.

We may give a notice to a person where we have reasonable grounds to believe that the person has information or documents that are relevant to the operation of the Act.

The notice must specify:

  • the name of the person subject to the notice,
  • the information and/or documents the Regulator is requiring,
  • how that information and/or those documents can be provided to the Regulator, including for example electronic or physical format, and
  • the date by which the information and/or documents must be provided.

We have discretion to determine the length of time a person has to provide the information or documents to the Regulator. However, it must be at least 14 days from when the notice is given to the person.

An extension of time to provide the information or documents may be sought in writing to the Regulator. An extension may also be given after the original due date has expired.

Voluntary information requests

We may make written requests for you to voluntarily provide information. Voluntary requests allow us to understand or clarify an entity’s compliance with the Act.

Although not compelled to provide information in response to a voluntary request, providing information voluntarily may resolve our concerns without the use of compulsory information gathering powers.

Voluntary requests may relate to:

  • suspected non-compliance,
  • clarification of a matter or information in a payment times report, and
  • requests for specified information or documents.

Most of our compliance activities will commence with a voluntary request for information but in some cases, we may use compulsory information gathering powers without a making a voluntary request.

Compliance audits

What is a compliance audit?

Where we reasonably suspect a reporting entity has contravened the Act, we may require the entity to undertake a compliance audit by issuing a written notice to the entity (a compliance audit notice).

In a compliance audit, an appointed auditor undertakes an audit and prepares a written report for us within the period specified in the notice, or a longer period if we grant an extension.

If we issue a compliance audit notice, the recipient reporting entity can nominate an auditor. If we consider the nominated auditor suitable, we will approve their appointment in writing. If we do not consider the auditor suitable, we may request that the entity nominate another auditor, or we will approve an auditor that the entity can engage.

If an entity fails to comply with a compliance audit notice it may be liable for a civil penalty.

Auditor suitability

The requirements relating to the auditor’s qualifications and independence will be in the compliance audit notice and can vary depending on the nature of the suspected non-compliance. In general, suitability requirements will include:

  • the auditor’s independence, which may include restrictions on prior engagements and capacities held by the auditor in relation to the entity, and 
  • qualifications, which may include professional qualifications and memberships, for example membership to the Chartered Accountants Australia and New Zealand, Certified Practicing Accountants Australia or holding a legal practising certificate.

Auditors do not require registration as company auditors unless stated in the compliance audit notice. Where the suspected non-compliance requires assessment of specialised or technical matters, specific expertise may be included in the auditor requirements.

Obligations for the compliance audit

The reporting entity given a compliance audit notice must pay the reasonable fees and expenses of the auditor for preparing the audit report. The entity must also provide the auditor, and anyone assisting the auditor, with the reasonable facilities and assistance necessary for the auditor to exercise their duties.

If the entity fails to provide reasonable facilities and assistance, it may be liable for a civil penalty.

On premises information gathering

Powers to gather information on premises

We may enter premises to gather information for compliance purposes with the consent of an entity or under a warrant issued by a court.

Incorporated into the Act are monitoring powers and investigation powers from a standard suite of regulatory powers set out in the Regulatory Powers (Standard Provisions) Act 2014(the Regulatory Powers Act).

Both monitoring powers and investigation powers allow us to enter premises for the purposes of gathering information regarding suspected non-compliance with the Act and offences relating to the Act. However, there are differences in the use of powers.

What is the difference between monitoring and investigation powers?

Monitoring and investigation powers are similar processes but differ in:

  • when we can use the powers, and 
  • what we can do when on premises, including the removal of evidence.
Monitoring powers

We can enter premises under monitoring powers in relation to any information given in compliance or purported compliance of the Act and:

Monitoring powers allow us to search premises, examine or observe any activity conducted on the premises, ask questions and inspect, examine, record and copy anything on the premises relating to the suspected non-compliance. Although we can secure evidence to make copies, we cannot seize evidence using monitoring powers.

Investigation powers

We can enter premises under investigation powers in relation to any suspected contravention of a civil penalty provision of the Act or if we suspect there has been an offence against the Crimes Act 1914 or Criminal Code Act 1995 relating to the Act.

Investigation powers allow us to search premises for evidential material, ask questions and inspect, examine and record evidence found. We can seize evidence and take it from premises using investigation powers.

Consent to enter premises

If we request consent to enter premises to use monitoring or investigation powers, you can refuse. This will be made clear in our request for consent.

If an entity grants consent for monitoring or investigation activities to occur on premises, it can:

  • set a limit of time on the consent granted, and
  • withdraw its consent at any time even after on-premises activities have commenced.

If an entity does not give consent to use monitoring or investigation powers, we may consider seeking a warrant to exercise those powers.

Rights and obligations

When entering premises, whether with consent or under a warrant, we will provide you with information about your rights and obligations.

You are required to provide our officers and those assisting them with reasonable facilities and assistance. You may also be required to answer our questions if we have entered a premises under a warrant.

When we are on premises using monitoring or investigation powers, you have the right to observe our activities, including where we have entered premises under a warrant.

Our powers to respond to non-compliance

Publishing non-compliance

Where we are reasonably satisfied that a constitutionally covered entity (which may be a reporting entity or a suspected reporting entity) has failed to comply with the Act, we can publish information about the entity's non-compliance on the Payment Times Reports Register and in any other way we consider appropriate.

Before we decide to publish information about non-compliance, we will give you notice of the proposed decision and our reasons. You will have 28 days to provide written submissions that we will consider before making the decision to publish.

You can apply for a review of our decision to publish non-compliance. For more information on your rights to a review see Information Sheet 2: Regulator decisions – Your rights.

We may use our powers to publish information about non-compliance in conjunction with other powers, including information gathering powers and infringement notices. We may also publish information about non-compliance before or after remediation has occurred. For more information on when we may publish information about non-compliance see Information Sheet 1: Our approach to regulation.

Enforceable undertakings

We can accept an enforceable undertaking from a reporting entity as part of our compliance response to non-compliance with obligations that would attract a civil penalty.

An enforceable undertaking is a legally binding agreement between a person or company and the Regulator, and it is an alternative to court proceedings. The undertaking is offered by the person or entity that outlines actions they will take to address the breach and remediate their non-compliance.

Undertakings can agree to take or refrain from taking a specific action to comply with the Act. They can also agree to take action to ensure they don't contravene the Act in the future.

Section 114(1) of the Regulatory Powers Act gives an authorised person, the power to accept written undertakings from persons to comply with the Act.

A person can withdraw or change their undertaking at any time, but they need the written consent of the authorised person.

An undertaking can only be cancelled by an authorised person giving written notice of the undertaking being cancelled.

Infringement notices

An infringement notice is an administrative enforcement remedy that the Regulator may use in certain circumstances. Infringement notices are a valuable enforcement and regulatory tool as they can provide a timely and cost-efficient outcome for both the Regulator and the entity that is the subject of an investigation.

An infringement officer may issue an infringement notice under the Regulatory Powers Act if the infringement officer believes on reasonable grounds that an entity has contravened a civil penalty provision of the Act.

The recipient of an infringement notice has the option of resolving the matter immediately by paying the amount specified in the infringement notice, as an alternative to having court proceedings brought against them for the alleged contravention. Infringement notice amounts are significantly less than the penalties that a court could otherwise impose.

What contraventions are subject to an infringement notice?

An infringement notice is available for alleged contraventions of civil penalty provisions of the Act. Table 1 below contains a list of civil penalty provisions under the Act.

When can an infringement notice be issued?

Under the Regulatory Powers Act, an infringement officer can issue an infringement notice when:

  • the infringement officer believes on reasonable grounds that a person has contravened a civil penalty provision of the Act, and
  • it is within 12 months since the day of the alleged contravention.

If an entity must do something within a particular period or before a particular time under a civil penalty provision, then that obligation continues until that thing is done.

The entity commits a separate contravention of the provision each day that it does not do the thing required.

In what circumstances is an infringement officer likely to issue an infringement notice?

In determining whether giving an infringement notice is an appropriate enforcement response, the infringement officer considers a broad range of factors.

Circumstances in which the issuing of an infringement notice is likely include where:

  • the alleged contravention is isolated or non-systematic
  • remedial or risk mitigation action occurred following the Regulator bringing the issues of concern to the entity’s attention (for example, through a formal warning)
  • the facts that make up the alleged contravention are straightforward and are not in dispute
  • the alleged contravention does not pose a significant risk to the effective administration of the Act and its purpose and objectives, and
  • issuing an infringement notice is necessary to form part of a broader industry or sector compliance and enforcement program.

Circumstances where civil penalty proceedings are more likely to be an appropriate enforcement response include where:

  • the Regulator has previously acted against the entity for similar alleged contraventions of the law
  • the alleged contravention is more serious in nature and the consequences for the administration of the Act and its purpose and objectives could be severe
  • the alleged contravener has a substantial record of non-compliance, meaning an infringement notice would not be an effective deterrent, and
  • the entity has, because of the alleged contraventions, obtained a financial or other advantage, to the detriment of others.

Amounts in an infringement notice

The Regulatory Powers Act prescribes the amount to be stated in an infringement notice. The maximum amount payable for a single alleged contravention is the lesser of:

  • 60 penalty units for a body corporate; or
  • one-fifth of the maximum penalty a court could impose for the alleged contravention.

The current value of one penalty unit is $330.[1] On 1 July 2026, the value of one penalty unit will increase in accordance with the formula in section 4AA of the Crimes Act 1914.

Table 1: civil penalty provisions under the Act:

ContraventionMaximum court-imposed penalty for a body corporate (single contravention)Infringement notice amount payable for a body corporate (single contravention)
Giving false or misleading notice that the entity has ceased to be a reporting entity (Section 10J)0.6% of the total income for the entity for the income year in which the contravention occurredLesser of 60 penalty units or one-fifth of the maximum penalty a court could impose for the contravention
Reporting entity or reporting nominee failing to give a payment times report (Section 15)300 penalty units60 penalty units
Reporting entity or reporting nominee giving a report that is false or misleading in a material particular (Section 16)0.6% of the total income for the entity for the income year in which the contravention occurredLesser of 60 penalty units or one-fifth of the maximum penalty a court could impose for the contravention
Reporting entity or reporting nominee failing to comply with a slow small business payer direction (Section 22G)0.6% of the total income for the person for the income year in which the contravention occurredLesser of 60 penalty units or one-fifth of the maximum penalty a court could impose for the contravention
False representation in relation to fast small business payers
(Section 22L)		1000 penalty units60 penalty units
Reporting entity or reporting nominee failing to keep records
(Section 29 and 29A)		0.2% of the total income for the entity for the income year in which the contravention occurredLesser of 60 penalty units or one-fifth of the maximum penalty a court could impose for the contravention
Failing to comply with a compliance audit notice in relation to appointment of an auditor (Subsection 30(7))300 penalty units60 penalty units
Failing to provide auditors with facilities and assistance in relation to compliance audits
(Subsection 30(8))		0.2% of the total income for the entity for the income year in which the contravention occurredLesser of 60 penalty units or one-fifth of the maximum penalty a court could impose for the contravention
Failing to comply with an information gathering notice to give or produce information or document or thing that is relevant to the operation of the Act
(Section 30B)		300 penalty units60 penalty units

What details will be included on the infringement notice?

An infringement notice must state the following:

  • unique reference number
  • date the notice is given
  • name of the entity to whom the notice is given
  • name, contact details and authority of the person giving the notice
  • brief details of the (or each) alleged contravention, including the maximum penalty that a court could impose
  • amount that is payable under the notice and an explanation of how the payment can be made
  • that proceedings seeking a pecuniary penalty order will not be brought for the alleged contravention(s) if payment is made within 28 days, unless the notice is withdrawn
  • that payment of the amount is not an admission of guilt or liability
  • that the entity may apply to the Regulator to have the period of time to pay extended
  • that the entity may choose not to pay the amount and the actions that may be taken if payment is not made
  • information about how the notice may be withdrawn and what occurs if it is withdrawn, and
  • that the entity may make written representations to the Regulator seeking withdrawal of the notice.

What can an entity do if it receives an infringement notice?

A recipient of an infringement notice is not obliged to pay the amount, but they may do so to avoid civil penalty proceedings being brought in the court. Payment of an infringement notice is not an admission of guilt or liability. In most cases, the recipient will have had some contact with the Regulator before receiving an infringement notice. This will often include a discussion of the circumstances that led to the alleged contravention(s) of the Act. The entity will be able to provide any documents or information relevant to the Regulator’s concerns.

A decision to give an infringement notice is not subject to merits review. However, a recipient is entitled to take the following action:

  • request an extension to the period within which they can pay the amount
  • request withdrawal of the infringement notice, or
  • refuse to pay the amount and to defend the matter in court if the Regulator brings civil penalty proceedings against them.

How do you request an extension to the period for payment?

A recipient of an infringement notice can request an extension of the payment period and they must make that request in writing to the Regulator. In making a request, the entity should set out the reasons why they consider the Regulator should grant the extension.

The request should explain:

  • whether the recipient intends to pay the amount
  • why the recipient is unable to pay the amount in the current payment period (including the financial circumstances of the recipient), and
  • why the recipient anticipates that they will be able to pay the amount if the payment period is extended.

The Regulator will notify the recipient of the infringement notice of its decision.

How do you request withdrawal of an infringement notice?

The Regulator may withdraw an infringement notice of its own volition or following a request for withdrawal from the recipient of the notice. If a recipient of an infringement notice believes that they have not engaged in the alleged conduct or there is additional information that the Regulator has not considered, the recipient may seek withdrawal of the notice.

A request to withdraw an infringement notice:

  • must be made in writing to the Regulator
  • must be made before the date for payment of the infringement notice
  • should provide evidence or information to assist the Regulator decide on whether to withdraw the infringement notice.

The Regulator will notify the recipient of the infringement notice of its decision.

What are the consequences of paying or not paying the infringement notice amount?

If a recipient pays the infringement notice amount within the specified period, and the notice is not withdrawn:

  • liability of the entity to proceedings seeking a pecuniary penalty order for the contravention(s) specified in the notice is discharged and
  • the payment is not taken to be an admission of guilt or liability for the alleged contravention(s).

If a recipient does not pay the infringement notice amount, the Regulator may bring civil penalty proceedings against the entity for the alleged contravention(s). In such cases, a court could impose pecuniary penalties more than the infringement notice amount, up to the maximum penalties set out above.

Publishing details of infringement notices

The Regulator may issue a media release and publish a copy of the notice in full or in part and the date of payment on the Regulator’s website or the Payment Times Reports Register. It is anticipated that this will occur after the payment of the amount. The media release may include:

  • the entity name
  • the infringement notice amount
  • the contravening conduct alleged in the notice
  • confirmation that the entity has paid the infringement notice amount
  • acknowledgement that payment of the amount is not an admission of guilt or liability, and
  • acknowledgement that the entity has not contravened the civil penalty provision specified in the notice.

Document History

This information sheet version was published in November 2025 based on the Payment Times Reporting Act 2020 and Payment Times Reporting Rules 2024 as of that date.

Date publishedStatusDetails of change
17/11/25ActiveUpdated guidance for infringement notices and minor text changes throughout the document
16/12/24SupersededUpdated to reflect new powers in the amended Payment Times Reporting Act 2020
28/10/22SupersededOriginal version

Appendix: Overview of processes for regulatory powers

The compliance audit process

StepProcessDetails
1We give written notice that a compliance audit is required

If we reasonably suspect that a reporting entity has contravened the Act, we will give a written notice requiring the reporting entity appoint an auditor to review the entity’s compliance with the Act.

The notice will include:

  • details of the suspected non-compliance,
  • the matters to be covered by the audit,
  • the qualifications and independence requirements of the auditor,
  • the time by when the audit must be completed, and
  • the required form and content of the audit report.
2The entity nominates an auditorThe reporting entity nominates an auditor that it considers meets the suitability requirements set out in the notice.
3We approve the auditor in writing

After receiving the nomination, we may:

  • approve the nominated auditor,
  • request the entity make alternative nominations, or
  • if a suitable auditor is not nominated, make an appointment on the

entity’s behalf.

4The auditor undertakes the audit, and the reporting entity gives the audit report to the Regulator

The auditor undertakes the audit and prepares a report in the manner and form, and within the time set out in the notice.

If additional time is required to complete the audit, the reporting entity may request an extension of time in writing.

5We assess the audit report

We review the audit report and consider potential further action.

If no further action will be taken following assessment of the audit report, the reporting entity will be notified in writing that the compliance action has closed.

On-premises information gathering process

StepProcessDetails
1We obtain the consent or a warrant to undertake monitoring or investigation activities

Consent

We may contact an entity to request consent to conduct on-premises information gathering. The request will:

  • be in writing,
  • state the nature of the suspected contravention,
  • state the powers to be exercised and the activities expected to be undertaken on premises, and
  • state that consent can be refused and or withdrawn later if given.

If the entity gives consent, we will request that this be provided in writing in a standard form.

Warrant

We may seek a warrant to conduct monitoring or investigation activities from a magistrate or a Judge of the Federal Court or Federal Circuit and Family Court of Australia.

We may seek a warrant without requesting consent or if consent is refused.

2We enter premises

When entering a premises, we will provide you with information regarding:

  • the powers being exercised,
  • the officers that will be exercising the powers,
  • the nature of the suspected non-compliance,
  • your rights and obligations, and
  • the activities to be undertaken.

Prior to commencing activities, an authorised person will identify themselves and provide identification. If entry is being undertaken under a warrant, you will be given a copy of the warrant.

3We undertake monitoring and investigation activities

We undertake searches and monitor activities to identify material and evidence relevant to the alleged non-compliance.

We may ask questions while undertaking these activities. If entry to premises was under a warrant, you may be required to answer our questions.

You have a right to observe our activities. If entry to premises was by consent, you can withdraw consent at any time.

4We copy or seize relevant material

If we identify relevant material during searches and monitoring, we may take copies.

If we entered premises using investigation powers and it is impractical or insufficient for our purposes to take a copy, we may seize evidence and remove it from premises.

If evidence is to be seized and removed from premises:

  • you may ask for a copy of the item to be seized before it is removed (if a copy can be made), and
  • you will be given a receipt for items seized.
5We return seized evidence (if seized during investigations)

If evidence was seized and removed from premises using investigation powers it will be returned as soon as practicable, usually after we have had an opportunity to make copies.

The longest period we can hold evidence, without an extension granted by a court, is 60 days from the date of seizure.

6We assess information obtained from monitoring

We review the information gathered and consider potential further action.

If no further action will be taken following assessment of the information gathered, the entity will be notified in writing that the compliance action has closed.

Information gathering notice process

StepProcessDetails
1We give notice requiring a person or entity to provide certain information and/or documents

When requiring the production of information and/or documents we must issue a notice in writing. A notice may be hand delivered or sent by post or electronic communication.

The notice will detail:

  • the name of the person to provide the information or documents,
  • the form and way the person are required to comply,
  • the period within which the person must provide the information (minimum of 14 days after giving notice), and
  • a description of the documents and/or information we are seeking.

The notice will state, in general terms, the basis on which we require the production of documents and/or information.

The notice may request the production of electronic data and files. The Regulator will help facilitate the production of such information (e.g. by providing secure storage devices).

The notice will outline the rights and responsibilities of the recipient, including penalties for non-compliance.

2Recipient responds to the notice

If you have questions about any aspect of the notice to produce, you should contact the officer named in the notice.

You may apply to the Regulator in writing seeking an extension of the period for the provision of information and/or documents.

We may be able to:

  • clarify the scope of the notice and/or the meanings of terms used in the notice, and
  • provide some technical guidance on the form and manner of production.

There are different approaches to reviewing information and data to identify the documents that fall under the notice to produce. For example, you may undertake:

  • a manual review,
  • keyword or concept searches, or
  • a technology-assisted review.

We encourage you to carefully document any such review, including:

  • your approach to the review,
  • how you conducted the review,
  • the decisions you made about the review, and
  • outcome of the review.

A process for claiming legal professional privilege, where relevant, will be set out in the notice.

3We receive the requested information and/or documents

We will review the information and/or documents provided to ensure the notice has been complied with.

There will be some occasions when we are unable to interpret documents provided in their original native file format. In these instances, we will ask for the information to be reproduced in a form we are able to read/interpret.

4We assess information and/or documents obtained under the information gathering notice

We review the information provided and consider further action.

If no further action will be taken following assessment of the information and/or documents provided, the entity will be notified in writing.

The publication of non-compliance process

StepProcessDetails
1We identify non- complianceNon-compliance may be identified following information gathering activities, assessment of the Payment Times Reports Register, information received from a reporting entity, tip-offs or other compliance activity.
2We give notice of an intention to publish non-compliance

We will give notice of an intention to publish information about non- compliance. The notice will include:

  • information about the non-compliance and the reasons for publication,
  • details on how the information is proposed to be published, and
  • information on how to make submissions before a decision to publish is made.
3The reporting entity gives submissionsThe entity has 28 days from the date of the notice to provide written submissions regarding the decision to publish information about non- compliance.
4We decide whether to publish

Submissions from the reporting entity are considered and then, a decision made whether to publish. The decision may be to:

  • publish the information as proposed in the notice,
  • publish the information in a manner modified in response to submissions from the entity, or
  • not to publish the non-compliance.

The decision is communicated to the reporting entity and information provided on how the entity can request a review of the decision.

5Information about non-compliance is publishedWhere the Regulator has decided to publish the information about non- compliance, it is published in the manner set out in the Regulator’s decision.
6We consider further compliance actionWe may continue to pursue remediation and consider using other regulatory powers if the non-compliance is continuing.

Infringement notice process

StepProcessDetails
1We identify alleged contravention of a civil penalty provision

When undertaking compliance activities, we may form reasonable grounds to believe that there is a contravention of a civil penalty provision of the Act.

Reasonable grounds to believe that there has been a contravention may be formed from information gathering from a reporting entity, assessment of the payment times reporting register, information received from a reporting

entity, tip-offs or other compliance activity.

2We give an infringement notice

We give an infringement notice to the regulated entity. The notice contains all information required by the Regulatory Powers Actincluding:

  • a description of the contravention,
  • details of the person giving the notice,
  • the effect of paying or not paying the notice,
  • how to pay the notice,
  • details on how the infringement amount was calculated,
  • instructions on how to request withdrawal of the notice, and
  • instructions on how to request additional time to pay the infringement notice.

Note: we are not required to give an infringement notice. We may commence civil penalty proceedings without giving an infringement notice.

3The infringement notice recipient chooses a response

The regulated entity can:

  • choose to pay the infringement notice within 28 days (or a later time if an extension is given), or
  • choose not to pay the infringement notice.
4We may publish details of the infringement noticeThe Regulator may issue a media release and publish a copy of the notice in full or in part and the date of payment on the Regulator’s website or the Payment Times Reports Register.
5We consider further actionIf the regulated entity chooses not to pay the infringement notice, we may consider taking further action, including the commencement of civil penalty proceedings in court.

[1] Subsection 4AA(1) of the Crimes Act 1914.