Australian regulators weekly wrap — Monday, 18 October 2021

Keeping on top of the latest financial services regulatory & compliance trends?

Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.

Never miss an update by signing up to receive emails here or by following me on LinkedIn here. You can also access past editions of the Australian regulators weekly wrap by clicking here.

1. DI system (Treasury): the Federal Government has released an exposure draft of the Trusted Digital Identity Bill. It elates to the expansion of the “DI System”, which facilitates the creation of Digital Identity for individuals and allows businesses to use it for approved verification purposes. A Digital Identity only needs to be created once, is voluntary and enables individuals to access various secure services online; it is current used for governmental services e.g. tax and medicare in MyGov. The draft legislation covers the expansion, maintenance and regulation of the DI System and puts two systems into effect: The Trusted Digital Identity Framework (TDIF) accreditation scheme — this covers providers of identity related services and stipulates the requirements for accreditation of entities, including in relation to privacy, fraud protection, security, and identity proofing; and, The trusted digital identity system — this is the current DI System and entities accredited under the TDIF accreditation scheme, and customers for the digital identity services, will be able to access it. There will be an independent oversight authority with responsibility for governing the two schemes, and which will be responsible for deciding which entities are allowed to be onboarded. In part, this will be based on a ‘fit and proper’ person test. It is an exciting development, and the possibilities are broad — from better AML / CTF compliance to fraud prevention to mortgage VOI compliance.
2. Whistleblowing policies (ASIC): ASIC has written to a number of companies urging improvement in whistleblowing policies following a review it conducted. ASIC reviewed a select sample of whistleblower policies — 102 in total — and is concerned the majority of those policies did not fully address the relevant requirements. Its conclusion was that whistleblowers may not know how they are protected, or feel unsure about how to speak up. This could lead to entities missing opportunities to identify and address potential misconduct at an early stage, in addition to cross-stitching with other issue detection frameworks e.g. complaints handling. ASIC’s letter to companies: reminds entities of their obligation to have a whistleblower policy that reflects the strengthened whistleblower protection regime that started on 1 July 2019; identifies where policies in its sample fell short; and highlights what entities can do to improve their policies. ASIC said that it saw policies which: a) did not list all the categories of people to whom a whistleblower can report misconduct and qualify for protection under the Corporations Act — instead, some policies limited the information to the entities’ preferred reporting channels; b) inaccurately referred to obsolete requirements for whistleblowers to identify themselves or make disclosures in good faith or without malice in order to qualify for protection; c) and, omitted or inaccurately described one or more of the protections available to whistleblowers under the Corporations Act. All great insights!
3. Ransomware plan (Home Affairs): the Minister for Home Affairs has unveiled a ‘new and comprehensive’ Ransomware Action Plan. Key aspects, from my review are that: a) there will be mandatory ransomware incident reporting to the Government — this will only apply to businesses with turnover exceeding $10 million per year; b) legislative reform to ensure law enforcement agencies can investigate and seize ransomware payments in cryptocurrency; c) a stand-alone offence for all forms of cyber extortion; criminalising the buying or selling of malware for the purposes of undertaking computer crimes; d) criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence; and, an aggravated offence for cybercriminals seeking to target critical infrastructure. While the Plan is great - cyber crimes are on the rise, and many businesses are choosing to pay — the Plan to me seems to be more focused on imperfect cures rather than prevention…
4. ASIC annual report (ASIC): ASIC’s latest annual report is out. Key highlights for me were — unsurprisingly — the focus ASIC has put into new RGs including new design and distribution obligations, breach reporting obligations and the deferred sales model for add-on insurance, which have come into effect recently. Secondly, ASIC has has also stressed that it has continued to build its enforcement capability, securing $189 million in civil penalties and increasing new criminal litigation by 28%. We are seeing that approach in full action currently and that is unlikely to change.
5. Diversa (ASIC): ASIC has commenced civil penalty proceedings against Diversa Trustees Limited, a super trustee. It alleges that between March 2019 and December 2020, Diversa or its representatives: a) were aware that ASIC was investigating a business run by financial adviser Mr Nizi Bhandari for contraventions of the law; b) despite its knowledge of these matters, did not take adequate action and continued to allow Mr Bhandari to put clients into Diversa’s superannuation product; and c) continued to allow the payment of fees from the superannuation fund to Mr Bhandari. ASIC alleges that the OneVue company group acted on behalf of Diversa and facilitated Mr Bhandari putting clients into Diversa products. ASIC also alleges that Diversa did not act efficiently, honestly and fairly because it failed to provide proper oversight of the activities of OneVue nor take appropriate action regarding the activities of Mr Bhandari. Sharp stuff in my view — that is, the super trustee become aware of an ASIC investigation for a representative and should have taken action on that basis. It is further proof of ASIC’s focus on outsourcing, as it is the second case taken by ASIC against a professional trustee for conduct by outsourced service providers following enforcement action against Tidswell.

Thought for the future: ASIC’s review of WB policies and feedback is a great initiative, and hopefully we will see more of it. It gives excellent granular feedback on the corporate regulators’ focus and how to improve, outside of an enforcement process. Braithwaite's regulatory pyramid in action!