Australian regulators weekly wrap — Monday, 1 February 2021

Keeping on top of the latest financial services regulatory & compliance trends?

Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.

Never miss an update by signing up to receive emails here or by following me on LinkedIn here. You can also access past editions of the Australian regulators weekly wrap by clicking here.

1. AML reforms (AUSTRAC): AUSTRAC has released proposed amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules for public consultation. The proposed changes are to support reforms to the AML/CTF Act 2006 (Cth) made by the Anti-Money Laundering and Counter-Terrorism Financing and Other Legislation Amendment Act 2020 (Cth). Consultation closes 11 March 2021. The Explanatory Note for the proposed amendments is available here. Key changes are to correspondent banking e.g. requiring banks to conduct due diligence assessments before entering into, and for the duration of, any correspondent banking relationship; KYC e.g. clarifying the requirement to complete the applicable customer identification procedure (ACIP) before providing a designated service; and, reliance on customer identification carried out by another reporting entity — the amendments to the AML/CTF Act 2006 (Cth) expand the circumstances in which a reporting entity may rely on an ACIP or other identification procedure undertaken by another person. Very sensible changes in my view, particularly with respect to outsourcing which has always been tricky to navigate in this context.
2. Company reporting (ASIC): ASIC has released Consultation Paper 337 Externally administered companies: Extending financial reporting and AGM relief (CP 337) seeking feedback on proposals to reduce the regulatory burden for externally administered companies. In essence, ASIC will expand existing relief under ASIC Instrument LI 2015/25 to defer reporting obligations for companies under external administration e.g. liquidation or VA for up to 2 years and also allowing them to defer their obligation to hold an AGM until two months after the financial reporting deferral relief expires. Again, a sensible reform given the overlapping reporting obligations of the external controllers. ASIC will accept submissions on CP 337 until 11 March 2021.
3. Cyber attack (ASIC): On 15 January 2021, ASIC became aware of a cyber security incident related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications. (For those involved in licensing work, including myself, it was an interesting notification to receive from ASIC!) It appears there is some risk that some limited information may have been viewed by the bad actor, but not that ACL applications have been opened or downloaded at this stage. For a regulator that hammered RI Advice for cyber breaches earlier in 2020 (see my colleague Dudley’s summary here) — which was a much worse scenario, admittedly , as it involved almost willful blindness — the timing is unfortunate.
4. AML/CTF Regtech (HKMA): as you might have picked up from last week’s update, we have been spending some time developing a self-reporting app for breach reporting (incl. SMRs), so a clever report published by the Hong Kong Monetary Authority just published titled “AML/CFT Regtech: Case Studies and Insights” has been timely reading. The report highlighting the opportunities that Regtech offers to transform the effectiveness and efficiency of Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) efforts, and sharing end-to-end approaches which worked in real life. Key focus areas within the report include: data and process readiness — key preparatory steps regarding data, processes and the use of network analytics; third-party vendor relationships — how to identify and evaluate potential Regtech providers in a fast-developing field. This was really useful to me, as I expect it will be for others; people, talent and culture — necessary knowledge, skills and experience in implementation teams and the often misunderstood role of data scientists; and performance metrics and indicators — what success looks like in this space. My top read for the week, even if you just read page 7 which contains the key findings, you can access the report here.
5. AFAC Rules (AFCA): AFCA has amended its Rules to provide clarity for consumers and members regarding AFCA’s jurisdiction to receive complaints about the conduct of an authorised representative of an AFCA member. The Rules change is a result of a legislative instrument issued by ASIC on 5 January 2021 requiring AFCA to update its Rules. The Rule change follows the judgment of the NSW Supreme Court in DH Flinders Pty Limited v Australian Financial Complaints Authority Limited [2020] NSWSC 1690. In that case, it was common ground that the authorised representative provided inappropriate and wrong advice. The AFSL holder, DH Flinders, asserted that the AFCA rules did not give AFCA jurisdiction to hear claims against representatives acting outside the scope of their authority. Further, it also said that AFCA encouraged the complainant to bring a complaint against DH Flinders which was unfair, inappropriate and not impartial. The Supreme Court ruled in DH Flinder’s favour, holding that the AFCA rules meant that AFCA only has jurisdiction to hear complaints against a licensee in respect to the conduct of a representative acting within its authority. The amended AFCA Rules now reflect the same statutory liability for licensees regarding their authorised representatives as set out in the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth). Relevantly, s. 917B of the Corporations Act 2001 (Cth) provides “If the representative is the representative of only one financial services licensee, the licensee is responsible, as between the licensee and the client, for the conduct of the representative, whether or not the representative’s conduct is within authority.” (Emphasis added)

Thought for the future: ASIC released a RegTech summary here recently, outlining all of its initiatives in 2020, and it makes for very interesting reading. One part that caught my attention, is ASIC’s attempts to manage what will be an avalanche of breach reports when the new breach reporting regime comes into play in October 2021. One page 3 it records as an initiative: “Data automation and process workflow trial — A proof-of-concept project seeking productivity improvements for our Licensing and Misconduct and Breach Reporting teams. The project aimed to do this by automating data flows and reporting of matters of interest.” Licensees subject to multiple mandatory reporting regimes this year e.g. AFSL, ADI, BEAR / FAR, OAIC, AML / CTF, DDO would be well advised to consider their own preparations for the second half of this year to assist them in keeping up.