Australia's current financial services regulatory & compliance landscape is changing rapidly - Clyde & Co's weekly Regulatory Roundup will ensure you are up to date with the most important changes. In each edition, we will set out five key developments from the past week for you to consider. Special thanks to C&C’s Issy Jones and Violet Li for their contributions this week.
1. APRA Policy and Supervision Priorities: APRA has published its interim policy and supervision priorities for the first six months of the year, reflecting on various events in 2023. The priorities span a wide range of issues including cyber resilience, FAR, climate risk, and governance, culture, remuneration and accountability. In the next 12 months, APRA plans to release its Final Climate Vulnerability Assessment for general insurers, commence consultation on CPS 510 – Governance, and release the final prudential standard on Strategic Planning and Member Outcomes for the superannuation industry. With FAR scheduled to come into effect soon, APRA (together with ASIC) will also be busy finalising the Regulator rules and Transitional rules, in preparation for commencement. However, in breaking news, the Regulators have foreshadowed that these Rules will be delayed until after the Ministerial Rules are issued and accordingly, the timeframe for the banking sector will be pushed out to 1 July 2024. You can find out more information on FAR through our dedicated webpage here.
2. ASIC Superannuation Focus: ASIC’s Deputy Chair Sarah Court has reaffirmed ASIC's enforcement priorities in the super sector, being: member services failures; misleading conduct, including greenwashing; and failures to protect superannuation balances. The statement underscores the incredible enforcement focus that ASIC plans to have around super funds this year. In November 2023, ASIC Chair Joe Longo said, “Our focus on the best interests of members in the superannuation sector is part of our continuing work to make the financial system fair for all Australians” and has hinted multiple times since in the media that we can expect more enforcement action arising from ASIC.
3. AI regulation: earlier in the year, Industry and Science Minister Ed Husic revealed that a yet-to-be-appointed panel of experts will explore new regulation options for “high risk” AI in Australia in response to calls for tighter rules. While there is no timeline yet, senior policymakers and regulators are already weighing in. Assistant Minister for Financial Services Stephen Jones stressed this week that Australia needs to focus on activity rather than technology, stating “We cannot foresee everything. And in a sense, you don’t want to. You want to create the environment where the market, private individuals can innovate, explore capacities and opportunities”. Speaking on behalf of ASIC, Chair Longo stated that “there’s a need for transparency and oversight to prevent unfair practices – accidental or intended…can our current regulatory framework ensure that happens? I’m not so sure.” An interesting time, and one in which we have the benefit of other jurisdictions' considerations. The EU's AI legislation, which has been provisionally agreed, will usher in risk-based regulation of AI systems across member states. Under it, biometric surveillance and social credit systems will be outright banned.
4. GI remediation program: the prudential regulator has required Auto & General to undertake a risk remediation program and has increased its capital requirements, following a prudential review that identified significant weaknesses in risk governance, risk management and compliance practices. These included capability and capacity weaknesses in the risk function, ineffectiveness of the “three lines of defence” model, and weak risk reporting. The review also revealed unclear accountabilities and responsibilities across the business, and overall, an immature risk culture. This is the third such action against general insurers in the last few years, and a key consideration for insurance boards. Together with the introduction of FAR and CPS 230, which we are assisting many clients to implement, this year will be a large one for prudential governance!
5. Global perspective: BaFin, the principal supervisory authority for the financial sector in Germany, has identified cyberattacks and the breakdown of IT systems to be among the greatest risks for the sector in its Risks in BaFin’s Focus 2024 report. Interestingly, the report now includes market concentration of IT outsourcing as a major hazard that is capable of jeopardising the financial stability and integrity of the financial system, with a small number of specialist IT providers effectively serving a significant proportion of banks and insurers in the jurisdiction. BaFin President Mark Branson commented at a press briefing to mark the report, “Companies in the financial sector must be resilient – to both financial and operational risks… and, more than ever, companies should be investing in their operational security and stability”. The key observation from us is how this type of risk may impact FAR projects and CPS 230 compliance in Australia. CPS 230 places a strong emphasis on operational resilience, of which risk is a key element, including identifying, practically assessing, and mitigating operational risks that could potentially affect the critical services that are delivered. Should CTO/CIO roles be conscious of concentration risk if they are utilising prominent players in the market? And can this potential exposure be mitigated beyond typical contractual protections? Watch this space!
APRA continues to engage with the industry on appropriate risk governance and will take suitable action if companies do not meet these expectations (APRA Member Suzanne Smith)