Australia's current financial services regulatory & compliance landscape is changing rapidly - Clyde & Co's weekly Regulatory Roundup will ensure you are up to date with the most important changes. In each edition, we will set out five key developments from the past week for you to consider.
1. Breach reporting statistics: ASIC has published public information under the breach reporting regime for AFSLs and ACLs covering the period 1 July 2022 to 30 June 2023. As a trip down memory lane, the key call-outs in the last report (October 2022) were that: 8,000 reports were made to ASIC by licensees in the first 9 months of the regime, i.e. between 1 October 2021 and 30 June 2022; a much smaller proportion of licensees had reported under the regime than had been anticipated; licensees were taking too long to identify and investigate some breaches; and ASIC wanted to see more action on identifying and reporting the root cause of breaches. (There was also a call-out on remediation activities, noting the new release of RG 277.) Things appear to have picked up in the second report, with over 16,000 reports made, i.e. a little under double, although the two reporting periods do not exactly align. That said, ASIC has stated that: the proportion of the licensee population reporting remains very low, indicating that “some licensees may not be complying with the regime”; licensees are still taking too long to identify and investigate some breaches; a significant number of remediation activities are still taking too long to complete; and there remain opportunities to improve the identification and reporting of root causes of breaches. Chair Joe Longo has also stated that, since the regime has now been in operation for more than 2 years, ASIC will start to move to an enforcement footing on non-reporting...
2. CPS 234: APRA Chair John Lonsdale has called out compliance with CPS 234 in a FINSIA speech. CPS 234 is the prudential standard for information security, and requires institutions to establish governance, protect sensitive information assets, implement security controls, and manage third-party risks. Compliance is enforced by APRA, with a strong focus on incident response and reporting. The Chair stated that “…many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans. With the potential for serious impact to millions of Australians, our patience has run out. Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions.” (Our emphasis) Given how closely cyber resilience is tied to regulatory requirements under the prudential standards and ASIC licensing standards (and, once FAR commences, to personal accountability for individuals), it is an issue that needs to be constantly on prudential entities' radars.
3. Internal disputes - court action: ASIC has just commenced civil penalty proceedings alleging Telstra Super failed to comply with internal dispute resolution requirements. ASIC alleges that between 6 December 2021 and 23 May 2023, Telstra Super failed to comply with the timeframes required for an IDR response, did not inform complainants about the reasons for the delay or their external dispute resolution rights, and did not ensure that its internal dispute resolution procedure operated “efficiently, honestly and fairly”. In that regard, ASIC alleges Telstra Super contravened ss 912A(1)(a) and (g) and (5A) of the Corporations Act 2001 (Cth), i.e. the general obligations. This is certainly a first-in-kind action; you can read the Federal Court Concise Statement here.
4. ASIC enforcement activities: Chair Joe Longo appeared before the Parliamentary Joint Committee on Financial Services, and noted that in the calendar year up to 30 September 2023 ASIC had: commenced 91 investigations; filed 18 civil penalty proceedings; disqualified 27 individuals or removed them from directing companies; and banned or suspended 58 individuals or companies from providing financial services or engaging in credit activities.
5. Digital asset regulation: as covered in our previous blog, the great new Treasury Paper on digital assets licensing was released on 16 October. See our blog here for the basics (< 2 min), but essentially digital assets (and staking) – advising, arranging, dealing, issuing and custody, for wholesale and retail – will be brought into the AFSL regulatory perimeter, i.e. in addition to the DCE / remittance perimeter which is already within AUSTRAC’s purview. Interestingly, our UK colleagues will concurrently have their hands full with the FCA’s new proposal (see here, in case you missed it - essentially mini ASX-level disclosure for digital assets!). Proportionate disclosure will be a key feature of the Australian consultation, and we will again be making a public submission - you are more than welcome to use us as a channel to get your ideas to Treasury publicly. We are doing some heavy lifting in this area, and are always more than keen to work with industry in this regard!
Learn more about our global regulatory and investigations team here.
‘Since its commencement, ASIC has been working with stakeholders to improve the operation of the reportable situations regime, including through providing guidance and modifications. ASIC will now move to taking stronger regulatory action to drive improved compliance with the regime, including enforcement action where appropriate.’ (ASIC Chair Joseph Longo)