Australian regulators weekly wrap — Monday, 31 October 2022

Keeping on top of the latest financial services regulatory & compliance trends?

Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.

Never miss an update by signing up to receive emails here or by following me on LinkedIn here. You can also access past editions of the Australian regulators weekly wrap by clicking here.

1. Financial Accountability Regime (Parliament): as expected, the Senate Committee examining the reintroduced FAR bill has give it the tick of approval, stating “..The committee is of the view that accountability measures, such as the existence of banning powers and deferred remuneration arrangements, will complement existing penalties for entities and accountable persons contained in the Corporations Act. On balance, the committee believes that such measures will effectively guide behaviour and are the final step of implementing the recommendations made by Commissioner Hayne.” Expect it to be passed in its current form, in the Spring sitting, which ends on 1 December 2022. There are still many outstanding issues with the design of the bill, but thank God it was not made worse through the lobbying of the Greens who called it “all carrot, no stick”. Ridiculous.
2. Breach reporting (ASIC): ASIC has released its much anticipated report on the first year of the new enhanced breach reporting regime. Key stats are as follows: 1) 8,829 initial reports and 2,530 updates were submitted; 2) 6% of the licensee population lodged reports. This is “significantly lower” than expected, and ASIC will be undertaking a range of activities to strengthen compliance with the regime e.g. enforcement; 3) 74% of all reports were lodged by just 23 licensees. These were generally larger licensees; 4) 38% of reports were about credit product lines, followed by general insurance (19%) and deposit taking (10%). 34% of reports were about issues of false or misleading statements about a product, regarding service information or in warning statements, followed by lending (21%), general licensee obligations (19%) and fees and costs (14%). 60% of reports specified a root cause of staff negligence or error, followed by policy breaches. A deeply interestingly read, and one which will no doubt herald ASIC’s great focus in this area, much as it is doing with TMDs now…
3. Misleading & deceptive conduct / crypto (ASIC): ASIC has commenced civil penalty proceedings in the Federal Court against BPS Financial Pty Ltd (BPS) for allegedly making false, misleading or deceptive representations and engaging in unlicensed conduct in relation to a non-cash payment facility involving a crypto-asset token called Qoin (Qoin). BPS allegedly made false, misleading or deceptive representations in marketing the Qoin token, including through the following statements: consumers who purchased Qoin tokens could be confident that they will be able to exchange them for other crypto-assets or fiat currency; Qoin tokens can be used to purchase goods and services from an increasing number of merchants; the Qoin Facility and/or the Qoin wallet application used to transact Qoin tokens are regulated, registered and/or approved in Australia, and the Qoin Facility and/or BPS are compliant with financial services laws. ASIC alleges that Qoin merchant numbers were declining, however, more importantly in the words of ASIC Deputy Chair Sarah Court “…ASIC is particularly concerned about the alleged misrepresentation that the Qoin Facility is regulated in Australia, as we believe the more than 79,000 individuals and entities who have been issued with the Qoin Facility may have believed that it was compliant with financial services laws, when ASIC considers it was not”. Of course, whether or not that is the case depends on whether the Qoin token was an non cash payment facility. An NCP is a payment not made through the physical delivery of Australian or foreign currency, and is classed as a ‘financial product’ requiring an AFSL. Examples of NCP facilities include stored value cards, electronic cash and direct debit services. ASIC has only released its Originating Process, which does not give an indication of the facts it will rely on to state that Qoin is a NCP (we will have to wait for the affidavit material for that!). The industry will need to wait to see ASIC’s analysis, though presumably it rests on the fact that the design of the Qoin token provides rights to use the asset to make payments at merchants and/exchange for fiat currency. It is an uncomfortable action, and you can read our greater analysis why here.
4. Privacy laws (Parliament): the Government has introduced legislation (the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022) that will significantly increase maximum penalties under the Privacy Act. A serious or repeated breach of the Australian Privacy Principles could attract a maximum penalty of $2.5 million for individuals or for body corporates an amount equal to the greater of: $50 million (a massive increase over the current maximum of $2.22 million); three times the value of the benefits obtained from the breach; or, if the court cannot determine the total value of those benefits, 30% of adjusted turnover in Australia during the ‘breach turnover period’ (being the longer of 12 months prior to the breach or the period over which the breach occurred). The Government also proposes to introduce new powers for OAIC to obtain information relating to actual or suspected data breaches, so that it can properly assess the particular risks posed by such breaches; allow the OAIC to require organisations to engage an independent adviser to review privacy acts or practices of the organisation and then report to OAIC and/or to publish a statement about a privacy breach and the steps being taken to ensure that it does not happen again; and give the OAIC power to issue infringement notices to persons who refuse to answer a question or produce a document when required under the Act. Expect more funding to flow to the OAIC as well, turning a previously weak regulator into a much stronger one with a hawkish mandate in the wake of the Optus / Medibank hacks.
5. Privacy (AICD): the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre has produced Cyber Security Governance Principles addressed to directors to oversee cybersecurity risk and promote a culture of cyber security resilience. My top read for the weeks, it is a really helpful resource which covers governance, regulatory obligations and policies and procedures. Well worth a read!

Thought for the week: the US, EU, UK and Australia are currently struggling with the definition of crypto assets, and what should and should not fall within the definition. This is super important, as it then sets the level of regulation over the industry i.e. whether they are regulated at all, as financial products / securities or something in between. Australia’s only legislation, Sen. Bragg’s private members’ bill, which ends its consultation shortly, has a very broad definition. That legislative breadth, if passed, has real-world competitive impositions. A finer scalpel is needed…