4notify Australia · Commonwealth Gazette
OFFICIAL · APRA · ASIC
Gazette No: GAZ-AU-001
Date: 2026-05-27
Status: In force
Category: Banking & Payments

Strong authentication for the New Payments Platform: OTP delivery to Australian banks over Telstra, Optus and Vodafone/TPG

The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) oversee authentication standards for Australian authorised deposit-taking institutions. Real-time payments on the New Payments Platform — Osko transfers and PayID resolution — require strong customer authentication. 4notify delivers one-time passcodes with a P50 under 4 seconds across Telstra, Optus and Vodafone/TPG via tier-1 direct interconnects.

Preamble

Section 1 — Pursuant to the Banking Act 1959 (Cth), APRA Prudential Standard CPS 234 (Information Security) and the ePayments Code administered by ASIC, this Gazette is issued in respect of the delivery of strong-authentication one-time passcodes over Australian mobile networks.

Legislative basis
Banking Act 1959 (Cth)

Prudential framework for Australian authorised deposit-taking institutions and APRA's supervisory powers.

APRA Prudential Standard CPS 234

Information-security capability obligations; out-of-band authentication for material payment events.

ePayments Code (ASIC)

Consumer-protection rules for electronic payments; pass-code security and unauthorised-transaction liability.

Implementation
01. APRA-aware onboarding + tier-1 interconnect

4notify holds tier-1 direct interconnects with all three carriers and is documented as a recognised delivery provider for NPP-adjacent authentication traffic.

02. OTP generated in the bank HSM

The one-time passcode is generated inside the bank's hardware security module; 4notify receives only the hash and the destination number.

03. 60-second window + fallback chain

SMS is delivered within 60 seconds; on a failed DLR the passcode escalates to push, then email. Grey-route latency is avoided entirely.

04. Seven-year signed retention

Every delivery is signed and retained for seven years — aligned with APRA record-keeping and AUSTRAC expectations.

Delivery envelope
```json
{
  "event": "bank.npp.sca_otp",
  "institution_id": "AU-XXXX",
  "transaction_id": "TX-2026-05-27-948210",
  "amount": 240.00,
  "currency": "AUD",
  "rail": "osko",
  "payid": "0412-XXX-XXX",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "npp_sca_otp_au_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/948210"
}
```
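The fallback chain in step 03, driven by the envelope's `delivery` fields, as an added example that is not 4notify's code. The `send` transport hook, the list of forbidden key names, and applying `window_seconds` to every channel (the page states it only for SMS) are assumptions.

```python
import json

# Constructed sample: the page's delivery envelope, trimmed to the fields used here.
ENVELOPE = json.loads("""{
  "event": "bank.npp.sca_otp",
  "transaction_id": "TX-2026-05-27-948210",
  "delivery": {"channel": "sms", "fallback": ["push", "email"],
               "window_seconds": 60, "template": "npp_sca_otp_au_v3"}
}""")

# Assumption: key names a cleartext passcode might sit under (not from the page).
FORBIDDEN_KEYS = {"otp", "code", "passcode", "pin"}


def find_cleartext_keys(node, path=""):
    """Return the paths of any forbidden keys anywhere in the envelope."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in FORBIDDEN_KEYS:
                hits.append(here)
            hits.extend(find_cleartext_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_cleartext_keys(item, f"{path}[{i}]"))
    return hits


def deliver(envelope, send):
    """Walk channel -> fallback chain. `send` is a hypothetical transport hook
    returning (dlr_status, seconds_until_dlr) for one channel attempt."""
    leaked = find_cleartext_keys(envelope)
    if leaked:
        raise ValueError(f"cleartext passcode field(s) in envelope: {leaked}")
    d = envelope["delivery"]
    chain = [d["channel"], *d["fallback"]]
    if len(set(chain)) != len(chain):
        raise ValueError("fallback chain repeats a channel")
    trail = []
    for channel in chain:
        status, latency = send(channel, envelope)
        # A receipt that arrives after the window is treated as a failure.
        ok = status == "delivered" and latency <= d["window_seconds"]
        trail.append({"tx": envelope["transaction_id"], "channel": channel,
                      "dlr": status, "latency_s": latency, "accepted": ok})
        if ok:
            break
    return trail
```

The returned trail is the per-attempt record that a signed retention store would hold; a trail with no accepted entry means every channel failed and the transaction should not proceed on this factor.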
Sample message
SMS

CommBank: your code to confirm a $240.00 PayID transfer to J. Nguyen is 482193. Valid 5 min. Never share this code. We will never call to ask for it.

Compliance checklist
  • Recognised delivery-provider documentation on file
  • Tier-1 direct interconnects active across all three carriers
  • OTP P50 ≤ 4 seconds measured each quarter
  • Seven-year signed retention documented
The 4notify difference

4notify is the only A2P provider with simultaneous tier-1 interconnects across Telstra, Optus and Vodafone/TPG and a seven-year signed audit envelope aligned with APRA CPS 234 and the ASIC ePayments Code for NPP Osko and PayID authentication.

Frequently asked questions
Does 4notify deliver to Australian banks directly or via an aggregator?

Tier-1 direct interconnects with Telstra, Optus and Vodafone/TPG. No grey-route aggregation for NPP authentication traffic.

Are push notifications accepted as a second factor?

Yes — app-bound push is a recognised possession factor. Because some institutions require a durable medium, we pair push with SMS or email for high-value Osko and PayID events.

Gazetted by
4notify Operations Office
2026-05-27 · GAZ-AU-001
