Australian regulators weekly wrap — Monday, 1 May 2023

Keeping on top of the latest financial services regulatory & compliance trends?

Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.

Never miss an update by signing up to receive emails here or by following me on LinkedIn here. You can also access past editions of the Australian regulators weekly wrap by clicking here.

1. Breach reporting (ASIC): ASIC has released a new version of RG 78 — Breach Reporting. Among other things, it: 1) clarifies the circumstances in which licensees may group multiple reportable situations; 2) provides new guidance on the information to include when licensees describe a reportable situation e.g. in the free text box, with a scalable approach; and, guidance on ASIC’s expectations when licensees are providing updates related to a reported breach e.g. once each 6 months. (There are also changes to the prescribed form for lodging reportable situations e.g. clarifying ASIC’s expectations on “When did you become aware of the breach”?) I think the best place to start is this table, in identifying the changes. The additional guidance from ASIC is great, and AFSL holders now need to check and update their breach policies and practices (take this excerpt from ASIC for example in identifying when the timer starts “Most licensees have interpreted and operationalised this question by providing the date on which they determined that a ‘reportable situation’ had arisen under the law (i.e. when the licensee first knew, or was reckless as to whether, there were reasonable grounds to believe a significant breach of a core obligation, serious fraud or gross negligence situation had arisen). This interpretation is different to what we intended. We were expecting licensees to provide the date on which they first discovered that there may be a breach or likely breach that is significant, serious fraud or gross negligence, but before they made the determination that a reportable situation did exist”). Arguably, it is cosmetic though, as the issue with the breach reporting regime is Treasury’s onerous legislation itself which requires over-reporting given it is triggered by a plethora of struct liability civil/criminal penalty breaches e.g. of s. 12DB of the ASIC Act (misleading and deceptive conduct). Do get in touch if you need copies of that legislation, as we have organised it for reporting entities.
2. Crypto property recognition (HK): a Hong Kong Court has held that crypto is legally property — as opposed to ‘information’ — in that jurisdiction. The Honourable Madam Justice Linda Chan, in Re Gatecoin Limited [2023] HKCFI 91, found that cryptocurrency inherently has all the attributes of property. In England and Wales, the court in AA v Persons Unknown [2019] EWHC 4556 (Comm) had held that bitcoin met the four criteria of being definable, identifiable by third parties, capable in their nature of assumption by third parties and having some degree of permanence. Myself, industry participants and academics have submitted the exact opposite in front of our Federal Senate (see here) for our jurisdiction — do get in touch if you want to trawl through the last 250 years of English common law with me (I am not joking) — but whether or not we are correct in an Australian context, what is certain is that we need certainty. Let’s join NZ, US and other jurisdictions in carefully and sensibly legislating crypto as legally property. Otherwise, if it is merely ‘information’, then the legal uncertainty from a litigation, tax and trust perspective is gargantuan.
3. MICA (EU): the European Parliament has approved the European Union’s digital asset legislation, the Markets in Crypto-Assets Regulation (MiCA) — the rules are not expected to come into force until 2024. I have done a comparison between MiCA and the other jurisdictions legislation (or lack thereof), save for the newest iteration of the Bragg bill (which has been udated more along UK lines than MiCA lines). You can see it here. MiCA is very impressive. Specifically, how it breaks down tokens by their functional usage and then assigns regulation accordingly. For a useful, and short overview, you can read the Reserve Bank of Ireland’s description here. MiCA is not perfect — it does not cover NFTs, DeFI, lending / staking, for example — though hats off to the EU. They rightly deserve praise for getting this regulation through, and this year is going to be really important in ensuring that we catch up!
4. AFCA / APRA (MOU): APRA and AFCA have signed a memorandum of understanding) setting out how they will continue to work together to support a fair and efficient financial system. The MoU sets out the basis for engagement between APRA and AFCA, including active information sharing and other forms of cooperation and coordination. The MoU is here, and it is worth looking at how closely the two organisations have bound themselves together (see clause 4.3 on information sharing, for a start) — this is a post Hayne Royal Commission MoU which creates active regulatory engagement. I would be surprised if much went through AFCA which would engage APRA’s jurisdiction i.e. prudential standing, though I know that AFCA constantly refers matters to ASIC for consideration under a similar MoU.
5. Coinbase v SEC (USA): it is hard not to be impressed by Americans at times. They are wonderfully innovative, and willing to take risks. This week crypto giant Coinbase took legal action against the SEC, asking a federal judge to force the regulator to share its answer on Coinbase’s July 2022 petition (which you can read here) on whether existing securities rule-making processes could be extended to the crypto industry. That petition was ignored by the SEC, which instead followed a regulation by enforcement approach in the absence of homegnous legislation. ASIC has done much the same in Australia — which is really its only option in the absence of legislation policy — though I can’t see the same action being taken here. “Coinbase does not take any litigation lightly, especially when it relates to one of our regulators. Regulatory clarity is overdue for our industry” Coinbase’s GC Paul Grewal has said “Yet Coinbase and other crypto companies are facing potential regulatory enforcement actions from the SEC, even though we have not been told how the SEC believes the law applies to our business.” Absolutely fascinating.

Thought for the future: there is a lot of change happening this year. From FAR, to crypto legislation, to CPS 511 to AML tranche 2, to privacy reforms. Policymakers need law firms, industry bodies and industry itself to help consult on the laws that will assist Australians in succeeding globally!