Every prediction is shaped by what just happened.
Last month, UNSW was penalised $213,120 for systemic record-keeping failures affecting 63 casual academics over five years. The university had already remediated over $12 million in underpayments, with a further $1.3 million owed to former staff it couldn't locate. The Fair Work Ombudsman's assessment: fundamentally a governance issue. Not a payroll error. Not a calculation mistake. A governance failure, in systems that were never designed to catch the problem before it compounded.
That's one university. Now multiply it across five regulatory shifts that landed in 2025, every one of which moved the standard from "are you compliant?" to "prove it." They're all in effect now. The question for 2026 isn't whether these rules apply. It's whether you can meet them.
Start with criminal wage theft under Section 327A of the Fair Work Act. The criminal threshold is intent, proved beyond reasonable doubt, and most directors hear that and relax. They'd never deliberately underpay someone. But prosecutors don't need to prove you meant to steal. If you knew your governance processes were broken and did nothing, that's wilful blindness, and wilful blindness is how intent gets established in court. Ten years imprisonment. A criminal record attached to you personally, not a corporate fine the company writes off. The defence isn't good intentions. It's evidence that you had systems catching the problem before it compounded.
Right to Disconnect under Section 333M. An employee refuses contact outside working hours and files an FWC complaint. Before the Commission gets involved, you're expected to have attempted workplace-level resolution. If unresolved, the FWC must commence dealing with the application within 14 days. That means producing the communication timestamp, the roster from your WFM, actual hours from time and attendance, the contract terms, and the award provisions. All of it correlated into a single timeline that proves the contact was reasonable. The manager who sent the text has personal exposure. Breach the Stop Order and civil penalties run to $19,800 per contravention for individuals, $99,000 for bodies corporate.
ASAE 3000 assurance opinions now require a named engagement partner to personally attest that the evidence trail is sufficient. Not legislation, an assurance standard, but it's the standard that determines whether regulators, insurers, and boards trust your compliance data. If the auditor can't reconcile care minutes across rostering, attendance, and qualification systems, the opinion comes back qualified.
AN-ACC care minute targets under the Aged Care Act. Minimum care minutes per resident per day, verified against roster data, actual attendance, and staff qualifications. The government doesn't sanction "the aged care sector" in the abstract. It sanctions the specific provider, the specific facility, and it wants the data. (You can check any provider's care minutes scorecard here.)
Contractor misclassification under the Closing Loopholes amendments. Section 15AA replaced the High Court's contract-only test with a whole-of-relationship test, making it harder to structure genuine employment as contracting. Under the accessory liability provisions, anyone involved in structuring a sham arrangement can be held liable for every entitlement that should have applied. The defence is evidence the engagement was genuinely independent. Not a contract that says so. Evidence that it was so.
Five provisions. Five regulators. One thing in common: every one requires evidence that crosses system boundaries.
Here's what most companies will do about it. They'll update the policy, run a training session, and move on. That's the pattern. UNSW, to their credit, went further by upgrading systems and strengthening governance. But most won't. And even when you do, it's not enough, because every one of these regulators is asking for evidence, not intent. Wage theft defence needs WFM configuration logs, payroll audit trails, and award interpretation records. Right to Disconnect needs the communication platform, the roster, actual hours, the contract, and the award. Care minutes need roster data, attendance records, qualification databases, and acuity scores. The evidence lives in different systems, maintained by different teams, on different update cycles. No policy closes that gap. No single system in your stack produces what any of these regulators want to see.
So here's what 2026 looks like.
The first criminal wage theft prosecution under Section 327A will land. The Fair Work Ombudsman has the powers and has said publicly they intend to use them. It doesn't matter whether it's your industry or your state. When the first director is charged, every board in the country will ask the same question: could that be us? That's what happened with cybersecurity after the Optus breach. One event turned a theoretical risk into a standing board agenda item overnight. The compliance equivalent is coming.
The first publicised Stop Order will set precedent. The provision is live (effective August 2024 for large employers, August 2025 for small) but as of early 2026 the FWC has not yet substantively considered a standalone case. Nobody knows what "reasonable" contact actually means because no case has defined it yet, and the FWC has postponed its formal review until late 2026. The provision is already gaining traction in ancillary matters. In at least one case, the FWC accepted an unfair dismissal application lodged a day late, reasoning the employee wasn't required to monitor emails outside work hours. The first named manager in the press will do for after-hours contact what the first wage theft prosecution will do for payroll governance: make it real.
Auditors will extend cross-system reconciliation beyond care minutes. ASAE 3000 already requires it for aged care. Auditors who've built that methodology, reconciling data across rostering, attendance, and qualification systems, will apply it to payroll compliance, WFM configuration validation, contractor classification. Once they know how to check across systems in one domain, they check in all of them. (For a full breakdown of what assessors look for, see What is Workforce Governance?)
And companies that find problems will have to disclose them. The Woolworths and Bunnings pattern will continue, but the calculus has changed. Criminal provisions mean sitting on a known underpayment is now wilful blindness, which is exactly how prosecutors establish intent under 327A. Expect more voluntary self-disclosures, more remediation headlines, and more boards asking why the governance infrastructure wasn't there before the problem compounded.
I keep hearing people say they need to "update the policy." They're right. But a policy is a statement of intent. When a regulator, an auditor, or your own board says "prove it," they don't want to read your policy. They want the evidence trail. And that trail runs through the gaps between your systems, exactly where nobody is looking.
The companies building governance infrastructure now will be ready. Everyone else will find out the hard way that 2025 was the setup and 2026 is when it starts to bite.