Most people assume a domain is simply a website address.
But your domain also affects your email, how you communicate with clients, and even the links in disclosure and compliance documents.
If a key staff member departs, you lose your domain logins, or your IT agency shuts down, it can quickly turn into a major operational headache.
We’ve seen advice firms locked out of their domains before, and getting access back was a cumbersome process.
That’s why we wrote this article: to help you avoid the risk of losing control of your domain.
How do practices lose access to their domain?
The most common scenario is that your web developer or IT contractor registers your domain under their own account. When the relationship ends, so does your easy access. Recovering a domain you technically own but cannot access is possible, but it is slow, stressful, and sometimes costly. In the worst cases, an expired domain gets picked up by a third party before the rightful owner realises it has lapsed.
The other risk is internal team members. Domains registered to a former business partner, a staff member who has since left, or an old email address that no longer exists all create the same vulnerability.
What should I check with my domain right now?
A few things worth checking this week:
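- Is your domain registered to an email address you personally control, not a contractor or former staff member? Use a personal email address, not one on your business domain, to avoid a single point of failure: if the domain lapses, email on that domain stops working too, including any account recovery messages from the registrar.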
- Do you have your own login to the domain registrar?
- Do you know when your domain expires and whether auto-renewal is turned on?
- If your domain is managed by an agency or developer, have you confirmed they will transfer it to you on request?
- Is your registrar account secured with two-factor authentication (2FA)?
- Does at least one other trusted person in your practice know where the login details are stored?
If the answer to any of these is no, or you’re unsure, it’s worth sorting it out sooner rather than later. Future you will be thankful.
What do I need if I’m not in control?
- If the relationship with your web developer/IT team is still active: Ask them to transfer the domain to a registrar account in your practice’s name. A reputable provider will do this without issue.
- If the relationship has ended: Reach out to the key contact you worked with at the time. Your best bet is getting them to help you personally. If you can’t reach anyone from your previous IT, contact the registrar directly. You will need to demonstrate that you are the legitimate owner of the business. This typically involves ABN documentation and may take time, but it is recoverable.
- If the domain has lapsed: Check whether it is still in a redemption period, which is usually 30 to 90 days after expiry, depending on the registrar. Recovery fees apply, but it is still yours to claim.
Once you have control, set up auto-renewal, secure the account with 2FA, and make sure at least one other trusted person in your practice knows where the login lives.
Quick-reference domain checklist for advice firms
- Confirm your domain account is registered to an email address that you personally control and that is separate from your domain
- Log in to your domain registrar and verify that access is current
- Check your domain expiry date and confirm auto-renewal is on
- Secure the registrar account with 2FA
- If managed by a third party, confirm in writing that they will transfer on request
- Make sure at least one other trusted person in your practice has access or knows where login details are stored
Keep in mind that spending some time checking everything today is considerably easier than recovering your domain if something goes wrong.
While you’re looking at securing your domains, it’s a good time to ensure you have registered alternatives to your domain. This may include similar extensions, such as .au or .com, if your business operates on .com.au.
If you’re already in a tight spot and don’t know where your domain is, we understand how stressful that can be. Please reach out.
Domain control FAQs
A domain registrar is the company that registers and renews your domain name (e.g., smithfinancial.com.au). Your web hosting provider is where your website’s files actually live. They are often different companies, and you may have separate logins for each.
Think of it like this: your registrar holds the street address; your host provides the building. If you lose access to the registrar, you lose control of where that address points, which can take your website, email and any linked documents offline even if your hosting account is perfectly intact.
This is more common than it might seem, particularly for practices that have rebranded, changed licensees, or set up email through a separate provider. A key consideration is that each domain needs to be managed and secured independently.
If your email runs on a different domain from your website, you need to confirm ownership, access, and auto-renewal for both domains. A lapse or breach on either one can disrupt client communications or create a compliance gap, even if the other is perfectly secure. Run through the same checklist for each domain you rely on.
Costs vary depending on how far along things are. A standard domain transfer between registrars is typically low cost. Recovery during a redemption period can attract fees of several hundred dollars. If the domain lapses entirely and is picked up by a third party, you may face legal costs to reclaim it or be forced to rebrand, which carries flow-on costs including updating your FSG, website, email infrastructure and client communications. The indirect costs, particularly the compliance and reputational fallout from disrupted email or broken disclosure document links, can far exceed the direct recovery fees.
In terms of insurance, professional indemnity (PI) insurance doesn’t typically cover losses arising from domain or account access failures. Cyber liability insurance is a separate product designed to cover data breach response, business interruption from cyber incidents, and related legal costs. If you are unsure what your current policies cover, speak directly with your broker and ask specifically whether domain-related incidents and cyber events are included.
This is general information only; seek your own advice tailored to your practice’s circumstances.
It can. ASIC expects financial services licensees to have adequate risk management systems in place, which include information security. If a domain-related failure leads to a data breach, unauthorised access to client communications, or a disruption to your FSG or disclosure obligations, you may be asked to demonstrate what reasonable security practices you had in place. Being unable to show basic controls, such as two-factor authentication, clear account ownership and succession arrangements, could complicate your position with your licensee and, depending on the circumstances, with regulators.
The Office of the Australian Information Commissioner (OAIC) also has jurisdiction over notifiable data breaches. If a domain or email compromise results in unauthorised access to a client’s personal information, you may have notification obligations under the Privacy Act. See oaic.gov.au for guidance on the Notifiable Data Breaches scheme. This is general information only; seek your own legal or compliance advice specific to your practice.
Two-factor authentication (2FA) means that logging in requires both your password and a second verification step, typically a code sent to your mobile or generated by an app like Google Authenticator. Even if someone obtains your password, they cannot access the account without that second factor.
To set it up, log in to your domain registrar, navigate to account security or profile settings, and look for an option labelled “two factor authentication” or the equivalent, e.g., “multi-factor authentication”. Follow the prompts to link your mobile number or authenticator app. If you cannot find the option, search your registrar’s help centre for “enable two factor authentication” or contact their support team.



