Australian regulators weekly wrap — Monday, 17 February 2020

Keeping on top of the latest financial services regulatory & compliance trends?

Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.

Never miss an update by signing up to receive emails here or by following me on LinkedIn here. You can also access past editions of the Australian regulators weekly wrap by clicking here.

1. Industry data (APRA): the prudential regulator has sent a consultation letter to the insurance sector proposing to publish a greater breadth of industry-aggregate data for the general insurance and life insurance sectors. Part of a broader trend towards greater availability of data e.g. open banking and mandatory credit reporting (see item 5 below), APRA is hoping that this action will increase competition, foster innovation and increase public understanding of insurance issues. The consultation closes 20 March 2020.
2. ‘Verification of Identity’ (Banks): the Australian Registrars National Electronic Conveyancing Council’s consultation on version 6 of its Model Participation Rules will finish on 19 February 2020. It pertains to Mortgagees’ “Verification of Identity” (VOI Draft) requirements when registering mortgage securities, which are separate to AML / CTF KYC requirements. All of the states (but not the territories) require mortgagees to take positive steps to verify the identities of mortgagors, commonly through a framework called the “Verification of Identity Standard” (VOI Standard) undertaken by specialised “Identity Agents” such as a lawyer. The VOI Standard essentially requires: a face-to-face interview to be conducted by an Identity Agent with the mortgagor; the Identity Agent to be satisfied that the mortgagor bears a “reasonable likeness” to the person depicted in photographs in the identification documents; and the Identity Agent to confirm that the identification documents are current originals produced by the mortgagor. In addition to identity verification obligations, the VOI Standard requires the mortgagee to verify the mortgagor’s entitlement to sign the mortgage e.g. through a land title search and to maintain key records. Where it does not, the mortgagee could lose the benefit of its registered mortgage security. (The same requirements are imposed on Qld witnesses to mortgage instruments.) The VOI Draft contains an important proposed change. At present, the VOI Standard is not mandatory. All that is required is that mortgagees take “reasonable steps” to verify mortgagors’ identities. The rules provide that the VOI Standard will satisfy this requirement, however, mortgagees can take a different approach if they consider it justified in all the circumstances. Many do as a matter of course. With the new draft, the VOI Standard will become mandatory save for in limited circumstances. As such, mortgagees will need to update their systems and processes or risk their mortgages…
3. Auditors (ASIC): the conduct regulator has told a Parliamentary Inquiry that it intends to focus on auditors in an enforcement context, and that it already has 5 cases sitting with its enforcement teams relating to auditor independence and quality. Greg Yanco, executive director of markets at ASIC, has also stated that ASIC’s enforcement team are getting involved a lot earlier: “Previously … we’d come to a point where we would refer something to enforcement… Now enforcement are looking over our shoulder a lot earlier and picking up on items that they may want to take. This can get things moving a lot quicker.” In the context of this increased focus on auditors, it is worth recalling that the Morrison Government introduced fault-based criminal offence for breaches of audit standards in early 2019, adding to the existing strict liability offence, under which auditors may be penalised up to $50,400 or face up to two years in goal. Those breaching the strict liability equivalent can be fined as much as $10,500.
4. Blockchain compliance (AUSTRAC): The Department of Home Affairs and AUSTRAC have highlighted blockchain as a means to help reporting entities comply with their compliance and regulation requirements in a joint submission to the Select Committee on Financial Technology and Regulatory Technology. The submission — while light on examples — is a really interesting insight (my top read for the week!) into the work AUSTRAC is doing in this space and its support for innovative solutions to increasingly onerous AML / CTF KYC requirements. Especially given the increasing cross-border interactions. The submission states: “RegTechs appear to be alive to the opportunities for growth in the Australian market (such as the recently introduced Consumer Data Right), and are increasingly adopting blockchain technologies in their solutions (for example, Identitii). There is also an active awareness of privacy obligations and emerging consumer concerns.” The service mentioned in the submission, Identitii, is a clever Regtech company which helps reporting entities to know which transactions need to be reported and have the right data available in the right format to comply with AUSTRAC rules. There are a number of such entities operating (and growing) in the Australian market, which is great to see from my perspective.
5. Mandatory Credit Reporting (Treasury): The Government is seeking stakeholder views on the exposure draft of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting) Regulations 2020. These Regulations provide detail on the Government’s mandatory comprehensive credit reporting regime (CCR). The mandatory reporting regime is expected to give lenders access to a deeper, richer set of data so they can better assess a borrower’s true credit position and the borrower’s ability to repay a loan. The mandatory CCR regime is also expected to increase competition between lenders in the credit market and benefit consumers who will be able to better demonstrate their reliability to get better deals on financial products. The mandatory CCR regime requires a large banks institution to supply 50 per cent of its consumer credit information within 90 days of 1 April 2020 to all credit reporting bodies it had an existing agreement with on 2 November 2017. Within 90 days of 1 April 2021, the same banks will need to supply credit information on their remaining accounts to the same credit reporting bodies. From 1 April 2021, the CCR regime will also require the same banks to supply any financial hardship information about an individual if the bank is disclosing repayment history information about the individual to a credit reporting body as part of its credit reporting obligations. The consultation closes on 28 February 2020 and, at two weeks, is the the fastest consultation time yet I think!. Affected lenders will need to mesh this development with any updates to their responsible lending obligations under the new RG 209 (which specifically mentioned CCR).

Thought for the future: the Bank for International Settlements has released a paper on operational and cyber risks in the financial sector. It is an interesting — if very dense — report. It found that cyber losses are a small fraction of total operational losses , but can account for a significant share of total operational value-at-risk for banks. Given the increasing trend towards data sharing as evidenced in this briefing, my sense is that cyber risk is set to rise as a risk to manage for banks and other financial services institutions affected by reforms such as open banking and CCR.

Do you think I overlooked something or would like more information? If so, please send me a message!

(These views are my own and do not constitute legal advice. Photo credit Tom Wheatley)