Keeping on top of the latest financial services regulatory & compliance trends?
Investing time in your professional development within a rapidly changing financial services industry is challenging. To meet that challenge, the Australian regulators weekly wrap is designed to keep you at the forefront of your practice by quickly setting out the top 5 developments from the past week, analysis and practical considerations for the future.
- AML reforms (AUSTRAC): AUSTRAC has released proposed amendments to the Anti-Money Laundering and Counter-Terrorism Financing Rules for public consultation. The proposed changes are to support reforms to the AML/CTF Act 2006 (Cth) made by the Anti-Money Laundering and Counter-Terrorism Financing and Other Legislation Amendment Act 2020 (Cth). Consultation closes 11 March 2021. The Explanatory Note for the proposed amendments is available here. Key changes are to correspondent banking, e.g. requiring banks to conduct due diligence assessments before entering into, and for the duration of, any correspondent banking relationship; KYC, e.g. clarifying the requirement to complete the applicable customer identification procedure (ACIP) before providing a designated service; and reliance on customer identification carried out by another reporting entity: the amendments to the AML/CTF Act 2006 (Cth) expand the circumstances in which a reporting entity may rely on an ACIP or other identification procedure undertaken by another person. Very sensible changes in my view, particularly with respect to outsourcing which has always been tricky to navigate in this context.
- Company reporting (ASIC): ASIC has released Consultation Paper 337 Externally administered companies: Extending financial reporting and AGM relief (CP 337), seeking feedback on proposals to reduce the regulatory burden for externally administered companies. In essence, ASIC will expand existing relief under ASIC Instrument LI 2015/25 to defer reporting obligations for companies under external administration (e.g. liquidation or VA) for up to 2 years, and also allow them to defer their obligation to hold an AGM until two months after the financial reporting deferral relief expires. Again, a sensible reform given the overlapping reporting obligations of the external controllers. ASIC will accept submissions on CP 337 until 11 March 2021.
- Cyber attack (ASIC): On 15 January 2021, ASIC became aware of a cyber security incident related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications. (For those involved in licensing work, including myself, it was an interesting notification to receive from ASIC!) It appears there is some risk that some limited information may have been viewed by the bad actor, but not that ACL applications have been opened or downloaded at this stage. For a regulator that hammered RI Advice for cyber breaches earlier in 2020 (see my colleague Dudley's summary here), which was a much worse scenario, admittedly, as it involved almost willful blindness, the timing is unfortunate.
- AML/CTF Regtech (HKMA): As you might have picked up from last week's update, we have been spending some time developing a self-reporting app for breach reporting (incl. SMRs), so a clever report just published by the Hong Kong Monetary Authority, titled "AML/CFT Regtech: Case Studies and Insights", has been timely reading. The report highlights the opportunities that Regtech offers to transform the effectiveness and efficiency of Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) efforts, and shares end-to-end approaches which worked in real life. Key focus areas within the report include:
  - data and process readiness: key preparatory steps regarding data, processes and the use of network analytics;
  - third-party vendor relationships: how to identify and evaluate potential Regtech providers in a fast-developing field. This was really useful to me, as I expect it will be for others;
  - people, talent and culture: necessary knowledge, skills and experience in implementation teams and the often misunderstood role of data scientists; and
  - performance metrics and indicators: what success looks like in this space.

  My top read for the week, even if you just read page 7, which contains the key findings; you can access the report here.
- AFCA Rules (AFCA): AFCA has amended its Rules to provide clarity for consumers and members regarding AFCA's jurisdiction to receive complaints about the conduct of an authorised representative of an AFCA member. The Rules change is a result of a legislative instrument issued by ASIC on 5 January 2021 requiring AFCA to update its Rules. The Rule change follows the judgment of the NSW Supreme Court in DH Flinders Pty Limited v Australian Financial Complaints Authority Limited NSWSC 1690. In that case, it was common ground that the authorised representative provided inappropriate and wrong advice. The AFSL holder, DH Flinders, asserted that the AFCA rules did not give AFCA jurisdiction to hear claims against representatives acting outside the scope of their authority. Further, it also said that AFCA encouraged the complainant to bring a complaint against DH Flinders, which was unfair, inappropriate and not impartial. The Supreme Court ruled in DH Flinders' favour, holding that the AFCA rules meant that AFCA only has jurisdiction to hear complaints against a licensee in respect to the conduct of a representative acting within its authority. The amended AFCA Rules now reflect the same statutory liability for licensees regarding their authorised representatives as set out in the Corporations Act 2001 (Cth) and the National Consumer Credit Protection Act 2009 (Cth). Relevantly, s. 917B of the Corporations Act 2001 (Cth) provides: "If the representative is the representative of only one financial services licensee, the licensee is responsible, as between the licensee and the client, for the conduct of the representative, whether or not the representative's conduct is within authority." (Emphasis added)
Thought for the future: ASIC released a RegTech summary here recently, outlining all of its initiatives in 2020, and it makes for very interesting reading. One part that caught my attention is ASIC's attempts to manage what will be an avalanche of breach reports when the new breach reporting regime comes into play in October 2021. On page 3 it records as an initiative: "Data automation and process workflow trial: A proof-of-concept project seeking productivity improvements for our Licensing and Misconduct and Breach Reporting teams. The project aimed to do this by automating data flows and reporting of matters of interest." Licensees subject to multiple mandatory reporting regimes this year (e.g. AFSL, ADI, BEAR / FAR, OAIC, AML / CTF, DDO) would be well advised to consider their own preparations for the second half of this year to assist them in keeping up.