- FAR & Breach Reporting (ASIC): I attended the Credit Law Conference earlier in the week, where ASIC Commissioner Sean Hughes provided an update on the Financial Accountability Regime (FAR) and breach reporting. My key notes are:
  - the Financial Accountability Regime Bill 2022 has bipartisan support with the final reading expected after October 2022;
  - the Commissioner indicated that there would be a focus on driving operating culture and standards of accountability;
  - ASIC/APRA are looking to adopt a one-touch approach on enforcement and supervision;
  - there is a portal being built for uploading documents and reporting, among other relevant functions;
  - on the breach reporting front, ASIC has been surprised that some entities do not appear to be reporting any breaches. A report on breach reporting statistics is anticipated within the next fortnight but will not be naming names.

  You can read the Commissioner’s full speech here.
- Data breaches (Parliament): In the wake of the Optus hacking scandal, the Telecommunications Regulations 2021 will be amended to allow telecommunications companies to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities. The amendments will enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach. Telecommunications companies will also be able to share identifiers to assist Commonwealth, and state and territory agencies, to detect and assist in preventing fraud. The proposed changes will also allow for increased fraud detection in the broader financial services sector through existing industry mechanisms to report fraudulent transactions, such as fraud information exchanges.
- Internet Sweeps (ACCC): The webpage sweeps for breaches of the law are increasing; I see quite a number of them from ASIC where they have detected potentially unlicensed activity. The ACCC does the same, and has announced it will launch two internet sweeps to identify misleading environmental and sustainability marketing claims and fake or misleading online business reviews. At least 200 company websites will be reviewed in the sweep for misleading environmental claims across a range of targeted sectors including energy, vehicles, household products and appliances, food and drink packaging, cosmetics, clothing and footwear. At the same time, the ACCC will conduct a separate internet sweep of about 100 businesses targeting fake or misleading online reviews and testimonials. The ACCC will publish the findings of the sweeps once they are collated and analysed, and I for one am very interested; these internet sweeps represent an increasing part of the future of financial services regulation.
- ASIC Annual Report (ASIC): ASIC has released its annual report for 2022. Not too much in here that we didn’t already know, such as increased enforcement and investment, though it is a useful summary of the changes ASIC is bedding down from last year. These include design and distribution obligations; the new breach reporting regime; the hawking prohibition; and the deferred sales model aimed at improving consumer outcomes in the add-on insurance market. The report also restates ASIC’s plans for the next period, including focusing on greenwashing claims, crypto investment scams, and an intensified focus on the superannuation industry.
- RACQ (APRA): APRA has required RACQ Insurance and RACQ Bank to develop and implement a comprehensive, APRA-approved, risk transformation program. It comes after APRA identified significant weaknesses in RACQ’s risk governance during a prudential review undertaken this year, including around risk and compliance framework and practices, capability and capacity challenges within the risk functions, unclear accountabilities and an immature risk culture. Interestingly, RACQ is required to engage a third party to provide independent assurance over the delivery of the risk transformation program and provide periodic reporting to APRA, and assign accountability under the BEAR for successful delivery of the risk transformation program to an appropriate, named executive.
Thought for the future: I understand why APRA has brought RACQ’s remediation program under BEAR. Obviously, this places personal liability for the success of the remediation project on that person, so it is quite a big deal and not something we have seen from APRA before, in terms of utilising the BEAR regime.