Penalties & enforcement
Recent NDIS banning orders: patterns from 2024–2026
Patterns from NDIS Commission banning orders issued between 2024 and 2026, summarising the conduct categories that triggered each action - for compliance leads building risk frameworks.
About these case studies: this page summarises patterns drawn from the public NDIS Provider and Worker Register. We don't name individuals or providers - the register already names them publicly, and our purpose here is preventive risk education, not commentary. Treat each pattern as a category risk, not a specific case.
In plain English
Between 2024 and early 2026 the NDIS Commission's enforcement activity stepped up noticeably. Banning orders rose year-on-year, and the conduct categories that triggered them clustered into a handful of recurring patterns. If you're building a compliance framework, these are the patterns to design controls against - because they're the ones being actively prosecuted.
Knowing what kinds of conduct have actually attracted banning orders is more useful than knowing the abstract list of offences, because the Commission's enforcement priorities show through in which sections of the Act they reach for first. The five patterns below cover the majority of orders issued in the period.
Pattern 1 - Worker screening failures + harm event
Engaging unscreened or banned workers, followed by an incident
- Order scope
- All NDIS supports involving the affected worker categories; sometimes broadened to all supports if systemic
- Typical duration
- 3–10 years for the worker; 1–5 years for the provider entity
What triggers it
Provider engages a support worker without completing NDIS Worker Screening, or engages a worker already on the Worker Register as banned. A participant is then harmed (physical, psychological, or financial). The Commission's investigation finds both the screening failure and an inadequate response to the incident.
Preventive control
Verify NDIS Worker Screening clearance BEFORE the worker has unsupervised contact with a participant, and re-check the public register at least quarterly. Document the verification with a timestamp and the officer who checked. Engaging a banned worker is a section 73Q contravention even if inadvertent.
Pattern 2 - Restrictive-practice breaches
Unauthorised use of restrictive practices in SIL settings
- Order scope
- Often: behaviour-support delivery + SIL settings; in serious cases all supports involving children
- Typical duration
- Permanent for the responsible worker; 5–10 years for managers; 2–5 years for the provider entity
What triggers it
A SIL provider uses physical, environmental, or chemical restraint on a participant without an authorised behaviour-support plan, without state/territory authorisation, or without reporting the use as a reportable incident. Often surfaced through a complaint or a state authority's data-sharing with the Commission.
Preventive control
No restrictive practice should be used without (1) a current authorised plan from a registered behaviour-support practitioner, (2) state authorisation where required, and (3) monthly reporting of every use. The unauthorised-use offence is a strict-liability provision under section 73ZN - intent doesn't mitigate.
Pattern 3 - Sexual or physical misconduct
Worker conduct against a participant
- Order scope
- All NDIS supports; permanent ban from working with NDIS participants
- Typical duration
- Permanent (the most common duration in this category)
What triggers it
Allegations of sexual misconduct, physical assault, or grooming behaviour against a participant. The Commission acts on evidence from a complaint, a state safeguarding referral, or a finalised criminal matter. Acting before criminal-court finalisation is increasingly common via interim banning orders.
Preventive control
Robust pre-employment screening, mandatory reportable-incident training for every worker, immediate stand-down on credible allegation, and engagement with state child-safety or vulnerable-persons authorities. Failing to immediately notify the Commission of an incident is itself an aggravating factor.
Pattern 4 - Financial misconduct
Billing fraud, plan-management misuse, or participant-funds misappropriation
- Order scope
- Plan management; in some cases all NDIS supports if the conduct is systemic
- Typical duration
- Permanent for the responsible director(s); 5–10 years for the entity
What triggers it
Provider claims for supports not delivered, supports delivered by unqualified workers, or supports the participant didn't consent to. Plan-management providers misusing trust accounts. Often surfaced via NDIA payment-integrity audits that flag pattern anomalies (round-number invoices, duplicate-claim signatures, claims dated outside participant location).
Preventive control
Time-stamped service records signed by both worker and participant. Reconciliation between rostering, support delivery, and claim submission. Separate signing authority on participant-funds accounts. Annual external review of plan-management trust accounts.
Pattern 5 - Director-fitness failures
Phoenix companies, undisclosed prior bans, or false declarations on registration
- Order scope
- Roles: holding any managerial or director position in an NDIS provider
- Typical duration
- 5–permanent depending on intent
What triggers it
A previously-banned individual takes a director role in a newly-incorporated provider, often after liquidating a prior entity ("phoenix" pattern). Or a registration applicant fails to disclose a prior banning, criminal conviction, or insolvency event on the suitability declaration. Discovered via NDIS Commission cross-checking against ASIC, AFSA, and other public registers.
Preventive control
The Commission cross-references ASIC and the banning register on every registration application. False declarations are themselves a contravention (section 73S - providing false or misleading information). The Commission will reopen registration if a prior ban is later discovered.
What the patterns tell us about Commission priorities
Looking across the orders issued in the period, three trends stand out:
- Workers and providers banned together. When worker misconduct is the trigger, the provider entity is increasingly named alongside the individual - reflecting a section 73Q view that the provider is responsible for screening and supervision failures, not just the worker.
- Interim orders for speed. The Commission is more willing to issue interim orders (effective immediately, without prior notice) where there's an immediate risk - particularly in sexual-misconduct and restrictive-practice cases.
- Cross-agency data sharing. State safeguarding authorities, the NDIA's payment-integrity team, and ASIC are increasingly feeding intelligence into Commission investigations. Misconduct surfaced in one channel triggers cross-referenced enforcement in others.
The compliance lesson - build for the patterns
A risk-based compliance framework should weight controls toward the conduct patterns the Commission is actually prosecuting:
- Worker-screening verification at hire and quarterly re-checks against the public register.
- Restrictive-practice authorisation + monthly use reporting evidence trail (every use, every approval, every state notification).
- Reportable-incident workflow with measurable response-time SLA - your investigation, not the Commission's, is the first line of defence.
- Service-delivery records that survive a payment-integrity audit (timestamps, dual signatures, location matching).
- Director-fitness declaration kept current - re-confirmed on every registration renewal cycle, with cross-checks against ASIC and the banning register.
General information only. This page summarises publicly-available enforcement patterns. It is not legal advice and doesn't take the place of guidance from your own lawyer. If you're facing a Commission investigation or have received a notice, read our response guide and engage a lawyer immediately.
How Checkbase helps
Checkbase tracks the artefacts that prevent the patterns above from happening to your organisation. Worker-screening expiry alerts, reportable-incident logs with response-time tracking, service-delivery records with worker + participant timestamps, and the auditor portal that lets you demonstrate continuous compliance to the Commission if they investigate. The goal isn't to react after a notice arrives - it's to make sure one never does.
Frequently asked questions
How many banning orders has the Commission issued?
The Commission publishes its enforcement actions quarterly. Year-on-year totals for 2023–24 and 2024–25 showed roughly one-third growth in banning orders compared to the prior year. The trend is consistent with the Commission's public messaging about stronger enforcement leading into mandatory registration on 1 July 2026.
How long after the conduct does a banning order arrive?
Investigation timelines vary enormously. Straightforward cases (clear evidence, single allegation, no contested facts) can move from complaint to final order in 3–6 months. Complex cases (multiple allegations, contested evidence, parallel criminal proceedings) can run 12–24 months. Interim orders can issue within days of a credible immediate-risk allegation.
Are the patterns above representative of all orders?
They cover the majority but not all. Other less-frequent triggers include false advertising about NDIS registration status, breach of conditions imposed by a prior compliance action, and conduct in non-NDIS settings deemed to make the person unsuitable to deliver NDIS supports. The five patterns above represent the most-common conduct categories from the period reviewed.
If a worker is banned, do their previous employers face action?
Sometimes. The Commission considers whether previous employers had reasonable opportunity to detect the conduct and didn't. If screening was inadequate, supervision was poor, or earlier incidents were unreported, the employing provider can face their own enforcement action separately from the worker's ban.
How can I check the register without doing it manually?
The Commission doesn't currently offer an API. Manual search of the public register is the canonical check. Best-practice compliance teams run a scheduled quarterly re-check against their full active-worker list and document the date + officer + result for each worker. Checkbase stores the verification record so an auditor can later confirm the check happened.
Related terms
- Penalties & enforcement
What is an NDIS banning order?
Banning orders are the NDIS Commission's most serious enforcement tool. Here's who issues them, what they cover, and where the public register lives.
Read - Penalties & enforcement
How much is an NDIS provider fine?
Current civil-penalty maximums per NDIS contravention, what they apply to, and what changes with the 2025 reforms - in plain language.
Read - Penalties & enforcement
How to respond to an NDIS Commission notice
You got the letter. Here's the disciplined first 72 hours, the standard mistakes to avoid, and when you absolutely need a lawyer. General information, not legal advice.
Read - Penalties & enforcement
The NDIS Commission complaint process
Who can complain to the NDIS Commission, what they do with the complaint, how long it takes, and what providers should do when one lands on them.
Read - Penalties & enforcement
What happens if you fail an NDIS audit?
How NDIS auditors classify findings, the timelines and consequences for each category, and what providers can actually do when a finding lands.
Read - Penalties & enforcement
NDIS Reportable Incident requirements
What counts as a Reportable Incident, the 24-hour and 5-business-day reporting clocks, the categories of conduct that trigger reporting, and the penalties for not reporting.
Read
Track every NDIS document in one place
Checkbase keeps your worker screening, participant files, governance, insurance, and audit evidence on one continuously-updated page. Built for Australian NDIS providers, 1–50 staff.