Policy Library
Version, approve, attest — with a paper trail.
The policy library that actually matches how compliance committees work. Version-controlled, multi-approver, attestation-tracked, and review-reminded — with an immutable audit log built for ASIC scrutiny.
Capabilities
Everything a policy library should do.
Not a shared SharePoint folder. Policies behave like the regulated artefacts they are — versioned, approved, distributed, attested, and reviewed on a clock.
Version-controlled by default
Every policy is a stack of versions. Approved versions are immutable, supersession is automatic, and prior versions remain accessible for audit.
Multi-approver workflow
Route a draft to one or many approvers. Track approve / changes-requested / rejected per approver. A policy version only goes live when every approver signs off.
Staff attestation
Distribute the new version to the right audience and track who has read and attested — by name, with timestamp, IP, and user agent.
Review reminders
Each policy has a review cadence (annual, biennial, custom). The platform reminds the owner before the deadline and surfaces overdue policies on the dashboard.
Distribution lists
Define who needs to read which policy by role, tenant, or custom group. Updates push to the right people automatically when a new version is approved.
Append-only audit log
Every draft, approval, supersession, distribution, and attestation is captured in the audit log with full diff — exactly what regulators ask for.
Policy templates
The policies your compliance plan already references.
Start from a template authored against the obligations that apply to Australian AFSL and credit licensees. Edit, route for approval, and publish from inside the platform.
AFSL Compliance Plan
The plan ASIC expects you to maintain — purpose, scope, framework, roles, breach reporting, and review cadence.
AML/CTF Program
Part A and Part B program covering customer identification, ongoing monitoring, employee due diligence, and reporting.
Conflicts of Interest
Identification, disclosure, management, and escalation of conflicts — with a linked Gifts & Benefits register.
Code of Conduct
Behavioural standards, whistleblower channel, sanctions, and annual attestation by every staff member.
Privacy & Data Handling
APP-aligned policy with notifiable data-breach assessment workflow and OAIC reporting timelines.
Cyber Security & IT
Acceptable use, access management, vendor security, MFA, and incident response — aligned to APRA CPS 234.
Outsourcing & Vendor Mgmt
Material outsourcing policy with due-diligence checklist, contractual must-haves, and ongoing monitoring obligations.
Continuous Disclosure
Disclosure framework, market-sensitive information escalation, and trading-blackout policy.
The lifecycle
Draft, approve, distribute, attest — on repeat.
1. Draft a version
Author a new policy version in the editor (or upload a Word/PDF). Track changes against the prior version automatically.
2. Route for approval
Send to the configured approvers. Each can approve, request changes, or reject — with a comment. Approval is unanimous.
3. Distribute and attest
Push the approved version to the distribution list. Track who has read it. Send reminders to outstanding attesters.
4. Review on cadence
When the review deadline approaches, the platform reminds the owner. Either republish the existing version or draft a new one.
Built for Australian licensees
Designed against ASIC's view of what good looks like.
Gallantree runs its own AFSL compliance function on this platform. The approval flow, attestation evidence, and review reminders are the ones we use every day — not a translation of a US enterprise policy product.
Approval flow matches how compliance committees actually run — multi-approver, recorded comments, unanimous sign-off
Attestation evidence — name, timestamp, IP, user agent — is what an ASIC investigator expects to see
Immutable history per policy: every superseded version remains readable and is hashed against tampering
Distribution lists are role-aware so new joiners pick up the current set of policies automatically
Linked to obligations — a regulatory deadline can require an up-to-date policy version before it can be closed
Cross-linked
Policies hold the platform together.
Block an obligation from being closed unless the linked policy version is current.
Map each risk to the policy that mitigates it. Surface coverage gaps automatically.
Tie attestation of a policy to the completion of its companion training module.
Evidence the way auditors expect to receive it.
Approvals, attestations, and version diffs export as a single evidence pack — PDF, CSV, or ZIP — ready for the next compliance committee meeting or external review.
Bring every policy under one roof.
Start with the templates that match your compliance plan and have an approved policy live in an afternoon.