In this edition, we consider a case handed down about breaches of AFSL obligations due to poor cybersecurity practices, APRA’s expectations in relation to crypto-assets, proposed amendments to the ASX Listing Rules, and much more.
Click on each heading below to read more about each of these areas: financial products, superannuation, insurance, financial product advice, financial markets, anti-money laundering, consumer credit, banking and other financial services regulation.
Court finds AFS licensee in breach due to inadequate cybersecurity risk management
On 5 May, Justice Rofe of the Federal Court of Australia handed down Her Honour’s decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496, finding that an AFS licensee breached its financial services licensing obligations due to its failure to have adequate documentation and controls dealing with cybersecurity and cyber resilience in place across its authorised representatives (even though the AFS licensee had taken steps to make various improvements over time).
In handling down Her Honour’s judgment, Justice Rofe made the following comments:
‘In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public.’; and
- it is accepted that the statutory standard of ‘efficiently, honestly and fairly’ in section 912A(1)(a) are to be read ‘compendiously’, however, that it is possible to meet the statutory threshold even if behaviour cannot be described as ‘dishonest;
- in relation to the requirement of ‘efficiently’ in section 912A(1)(a), the test is not always based on what is expected by the public. Rather, Justice Rofe stated that:
- similarly, in relation to the standard of adequacy in section 912A(1)(h), Justice Rofe stated that the Court’s assessment will likely be informed by qualified experts due to its highly technical area of expertise.
Commenting on the case, ASIC said that is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.
We have written more about the implications of this case in our article, ‘AFSL holders on notice for cybersecurity failings‘.
ASIC extends relief from dollar disclosure regime for litigation funding schemes
On 19 April, ASIC announced that it has extended the relief from certain dollar disclosures in for litigation funding schemes in ASIC Corporations (Disclosure in Dollars) Instrument 2016/767 until 1 October 2026 (which was due to expire on 28 April). The extension is effected by ASIC Corporations (Amendment) Instrument 2022/264, which was registered earlier on 13 April.
ASIC states that it has extended the relief because, in the context of litigation, public disclosure of some categories of information could provide a tactical advantage to opposing parties in class actions and may not be in the interests of scheme members.
ASIC publishes speech in relation to regulation of crypto-asset-based investment products
On 6 April, ASIC published a speech regarding regulating crypto-asset-based investment products within the financial services framework. ASIC’s comments concerned:
- the rise of the new retail investor that emerged during the COVID-19 pandemic;
- the increased risk exposure that this confluence of events has led to, including the increase in scam activity; and
- ASIC’s work to regulate it as it evolves.
APRA publishes FAQs on Superannuation Data Transformation
On 5 May, APRA announced that it has published five additional frequently asked questions (FAQs) on the Superannuation Data Transformation (SDT) Phase 1 reporting standards to provide further guidance to RSE licensees on matters relevant to the reporting standards for Phase 1 of APRA’s SDT project. The FAQs are available on APRA’s website.
APRA publishes FAQs on the Financial Claims Scheme for general insurers
On 28 April, APRA announced that it has published an updated set of frequently asked questions (FAQs) relating to the Financial Claims Scheme (FCS) for general insurance. The FAQs are available on APRA’s website.
Court orders bank to pay $1.5 million penalty for CCI contraventions
On 7 April, Justice Katzmann of the Federal Court of Australia handed down Her Honour’s judgement in Australian Securities and Investments Commission v Westpac Banking Corporation (The Consumer Credit Insurance Case)  FCA 359 (Consumer Credit Insurance Case), ordering Westpac to pay a $1.5 million penalty for contraventions in relation to selling consumer credit insurance (CCI).
The relevant conduct included sales of CCI by Westpac staff in branches or over the phone. According to Justice Katzmann:
- while Westpac conducted training for branch and call centre staff that instructed staff to obtain the consent of customers to discuss and purchase CCI, the customer was not required to complete a written application form stating that they consented to purchase the policy, and while phone calls were recorded, Westpac’s internal policies did not require the recordings to be kept for more than 45 days; and
- Westpac did not implement any recommendation to develop a consent document to be signed by both the banker and the customer until after the relevant period for the penalty.
Her Honour held that Westpac had arranged for and issued CCI to customers who did not request for Westpac to arrange for CCI to be issued or supplied to the customer, and that therefore Westpac’s financial services were ‘unsolicited financial services’ in accordance with section 12BA of the ASIC Act. Her Honour ultimately held that Westpac contravened the prohibition on asserting a right to payment for unsolicited financial services in section 12DM, thereby breaching the obligation to comply with financial services laws in section 912A(1)(c) of the Corporations Act.
In assessing the penalty, Justice Katzmann made the following comments (among others) in relation to the circumstances of the case:
- while Westpac did not ignore ASIC’s recommendation in a published ASIC report to obtain evidence of consumer consent, the recommendation was not fully implemented until five years after the report was published;
- while there was no suggestion that Westpac’s senior management knew of the contraventions, nor that they participated in or authorised them, it may be inferred that members of Westpac’s senior management were aware of the potential for obtaining customer consent to acquire CCI; and
- acknowledgement that Westpac’s conduct did not amount to negligence, the contraventions were not deliberate or reckless in nature, they were not systematic, and staff were directed by training to ensure customer consent was obtained.
Commenting on the case, ASIC explained that the action forms part of ASIC’s priority to address consumer harms in insurance, and follows a detailed ASIC review of consumer credit insurance sales by 11 major banks and lenders.
Financial product advice
ASIC announces it will allow COVID-19 advice-related relief to lapse
On 7 April, ASIC announced that it will allow the temporary relief in ASIC Corporations (COVID-19—Advice-related Relief) Instrument 2021/268 to be automatically repealed on 15 April 2022. The relief under the instrument related to providing records of advice rather than Statements of Advice, and extended time to give a time-critical Statement of Advice. For more information on the instrument, see our earlier Issue 53 and Issue 59.
ASIC states that it does not consider that the current status of COVID-19 responses in Australia provides a sufficient basis for a decision by ASIC to further extend the relief provided by the instrument.
ASX consults on enhancements to ASX Investment Products offering
On 26 April, the ASX published a consultation paper in relation to the ASX Investment Product offering.
According to ASX Consultation Paper Enhancing the ASX Investment Products Offering, the consultation seeks stakeholder feedback on enhancements that could be made to the ASX Investment Product offering, particularly with a view to identifying areas where the different rules governing those products (the ASX Listing Rules, the AQUA Rules and the Warrant Rules) could be improved and brought into closer alignment.
Consultation closes on 24 June.
ASIC updates regulatory guidance about licensed benchmark cessation or transition event
On 21 April, ASIC explained in Issue 136 of ASIC’s Market Integrity Update that it has updated ASIC Regulatory Guide 268 Licensing regime for financial benchmark administrators (RG 268) to provide guidance on market announcements in a licensed benchmark cessation or transition event.
ASX announces ASX Listing Rules consultation and listing fee changes
On 21 April, the ASX issued Compliance Update no. 03/22. In this update, the ASX:
- announced that it has published a consultation on proposed enhancements to the ASX Listing Rules (for more information, see below); and
- notified listed entities of listing fee changes for FY23.
ASX consults on proposed amendments to ASX Listing Rules
On 5 April, the ASX published a consultation paper in relation to proposed amendments to the ASX Listing Rules. According to ASX Consultation Paper Proposed enhancements to the ASX Listing Rules: Continually improving the reputation and integrity of the ASX market, the proposed amendments relate to:
- the issuance of securities by listed entities;
- the financial reporting framework for listed entities;
- the admission of an entity to the official list and the quotation of its securities;
- transactions by listed entities with persons in a position of influence;
- the lodgement of documents by listed entities with ASX for release to the market, and
- other miscellaneous matters.
The ASX states it envisages that final rule amendments will be released in the third quarter of 2022 and take effect on 1 December.
Consultation closes on 27 May.
ASIC makes instrument correcting market integrity rules amending instrument
On 5 April, the ASIC Market Integrity Rules (Securities Markets and other ASIC-Made Rules) Amendment Instrument 2022/248 was registered.
According to the Explanatory Statement, the purpose of the instrument is to make corrections to ASIC Market Integrity Rules (Securities Markets and other ASIC-Made Rules) Amendment Instrument 2022/117, which itself amends market integrity rulebooks made by ASIC. For more information about the amended instrument, see our earlier Issue 64.
New amendments to AML/CTF rules registered
On 29 April, the Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2022 (No. 1) (Cth) were registered.
According to the Explanatory Statement, the instrument:
- reduces the period within which a reporting entity is required to carry out the applicable customer identification procedure in relation to online gambling accounts from 14 days to 72 hours; and
- implements the undertaking set out in the revised Explanatory Memorandum to the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017 (Cth) by removing the requirement for financial institutions to register on the Digital Currency Exchange Register.
AUSTRAC signs updated MOU with Victorian gambling commission
On 27 April, AUSTRAC announced that it has signed an updated Memorandum of Understanding (MOU) with the Victorian Gambling and Casino Control Commission. According to AUSTRAC, the new agreement takes the existing MOU to the next level and enables better information sharing and cooperative regulatory oversight.
AUSTRAC publishes ransomware and digital currency financial crime guides
On 21 April, AUSTRAC announced that it has published two new financial crime guides, being:
- a financial crime guide about detecting and stopping ransomware payments; and
- a financial crime guide about preventing the criminal abuse of digital currencies.
According to AUSTRAC, the guides contain practical information and indicators to help businesses identify and report if a payment could be related to ransomware attacks, or someone could be using digital currencies to commit serious crimes such as money laundering, scams or terrorism financing.
FATF publishes review of global compliance with FATF Standards
On 19 April, the Financial Action Task Force (FATF) published a report setting out a comprehensive review of the state of global efforts to tackle money laundering,
According to FATF, the Report on the State of Effectiveness and Compliance with FATF Standards found overall that countries have made huge progress in improving technical compliance by establishing and enacting a broad range of laws and regulations to better tackle money laundering, and terrorist and proliferation financing. However, the report also highlights that many countries still face substantial challenges in taking effective action in line with the risks they face.
AUSTRAC updates guidance on selecting AML/CTF advisors and pubs and clubs
On 11 April, AUSTRAC announced that it has published updated guidance regarding:
- helping reporting entities select an anti-money laundering/counter-terrorism financing (AML/CTF) advisor who is suitably qualified and experienced to provide products and services for their business. The updated guidance is available on AUSTRAC’s website; and
- educating employees of pubs and clubs on how to recognise indicators of money laundering and other criminal activity.
Senate publishes recommendations on Australia’s AML/CTF regime
On 30 March, the Senate Standing Committees on Legal and Constitutional Affairs tabled its report on the adequacy and efficacy of Australia’s anti-money laundering and counter-terrorism financing regime. The Committee report made four recommendations. We have written about the report in more detail.
Replacement credit reporting privacy code registered
On 11 April, the Privacy (Credit Reporting) Code 2014 (Version 2.2) (Code) was registered.
According to the Explanatory Statement, the Code replaces the Privacy (Credit Reporting) Code 2014 to implement provisions relating to accessing credit information introduced under the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Act 2021 (Cth), which came into effect on 17 February 2021.
APRA updates ADIs on July timeframe for meeting zero and negative interest rate expectations
On 2 May, APRA announced that it has published a letter to authorised deposit-taking institutions (ADIs) on operational preparedness for zero and negative interest rates.
In the letter, APRA advised ADIs that the 31 July 2022 timeframe for meeting APRA’s expectations on zero and negative interest rates is no longer considered relevant, and that APRA will provide a further update at the appropriate time. For more information about APRA’s initial expectations on zero and negative interest rates, see our earlier Issue 60.
APRA consults on draft standards as part of revised ADI capital framework
On 7 April, APRA announced that it has released for consultation the interim reporting standards that will accompany the updated capital adequacy and credit risk capital requirements for ADIs, as well as three reporting standards that contain consequential changes as a result of updates to ADI capital adequacy and credit risk capital requirements, and other minor changes.
The letter and draft standards are available on APRA’s website.
According to APRA, the consultation follows the release of APRA’s new bank capital framework in November 2021 (for more information, see our earlier Issue 61).
Consultation closes on 7 June.
Treasury seeks CFR advice on ‘de-banking’
On 21 March, Treasury published the Terms of Reference requesting the Council of Financial Regulators (CFR) to provide advice on policy options to address the issue of ‘de-banking’ for financial technology firms, digital currency exchanges, and remittance providers. According to the Terms of Reference (which are available on Treasury’s website here), ‘de-banking’ occurs when a bank declines to offer or continue to provide a banking service.
Treasury explains that CFR is requested to provide advice to the Government on policy options by the end of June 2022.
Other financial services regulation
APRA amends CPS 226 to include UK regulatory authorities
On 12 May, APRA announced that it has made a minor amendment to Prudential Standard CPS 226 Margining and risk mitigation for non-centrally cleared derivatives (CPS 226), by adding the UK’s Prudential Regulation Authority and Financial Conduct Authority to the list of foreign regulators in Attachment D.
According to the letter, the change will allow APRA-regulated entities to rely on UK rules when transacting with counterparties that are subject to the new UK margining rules.
The marked-up CPS 226 is available on APRA’s website.
APRA consults on amendments to support Government’s cyclone reinsurance pool
On 28 April, APRA announced that it has published a letter to general insurers on consequential amendments to the prudential framework to support the operation of the Government’s cyclone and cyclone-related flood damage reinsurance pool.
According to the letter, APRA is proposing to clarify the treatment of reinsurance recoverables from the Australian Reinsurance Pool Corporation (ARPC). The letter and the proposed amendments to the prudential standards are available on APRA’s website.
Consultation closes on 1 June.
APRA publishes initial expectations and policy roadmap for crypto-assets
On 21 April, APRA announced that it has published a letter setting out its initial risk management expectations for all regulated entities that engage in activities associated with crypto-assets, and a policy roadmap for the period ahead. We have written about APRA’s expectations and the policy roadmap.
- APRA expects that all regulated entities will:
- adopt a prudent approach if they are undertaking activities associated with crypto-assets and ensure that any risks are well understood and well managed before launching material new initiatives; and
- conduct due diligence and risk assessments, consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing and apply robust risk management controls;
- comply with all conduct and disclosure regulation administered by ASIC; and
- consult with APRA and ASIC whenever they are unclear on prudential, disclosure or conduct requirements and expectations when undertaking activities associated with crypto-assets; and
- APRA is developing the longer-term prudential framework for crypto-assets and related activities in Australia in consultation with other regulators internationally, to ensure consistency in approach.
FIRB updates Guidance Notes
On 13 April, the Foreign Investment Review Board (FIRB) announced that Treasury has updated the Guidance Notes on the FIRB website. FIRB explains that the update ensures the guidance material reflects the amendments made by the Foreign Acquisitions and Takeovers Amendment Regulations 2022 (Cth) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth), and addresses other issues identified during the evaluation of the 2021 foreign investment reforms and this year’s foreign investment consultation process.