- Breach Reporting (Research): Independent research commissioned by Gadens and Lawcadia on the enhanced AFSL/ACL breach reporting regime has been released this week. In summary, this research reveals:
  - a marked increase in breach reporting for AFSL and ACL holders;
  - a suggestion that ACL holders may be lagging behind AFSL holders in reporting;
  - particular increases in breach reporting around misleading & deceptive conduct, and advice-related failures (e.g. failure to provide a general advice warning);
  - widespread acceptance that changes were needed to how financial services organisations identified, assessed and remediated breaches;
  - broad agreement that the mandated approach is excessive;
  - a low level of confidence in the new breach reporting regime meeting its stated objectives, and in ASIC’s ability to administer the new regime effectively and fairly;
  - a significant increase in compliance and resourcing costs, and greater adoption of technology solutions to assist in meeting obligations;
  - a toll on mental health from the high level of stress and anxiety experienced by legal, risk and compliance professionals who are tasked with planning, implementing and administering the regulatory requirements.
  You can access the full report, together with the quantitative and qualitative data, here.
- Crypto Schemes (APRA): The prudential regulator has set out in a letter its initial risk management expectations for all regulated entities that engage in activities associated with crypto-assets, together with a policy roadmap for the period ahead. My top read for the week: the letter states that APRA expects prudentially regulated entities to:
  - conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets;
  - consider the principles and requirements of Prudential Standard CPS 231 Outsourcing or Prudential Standard SPS 231 Outsourcing when relying on a third party in conducting activities involving crypto-assets; and
  - apply robust risk management controls, with clear accountabilities and relevant reporting to the Board on the key risks associated with new ventures.
  Fascinatingly, APRA has said that in 2022/2023 it plans to:
  - consult on requirements for the prudential treatment of crypto-asset exposures in Australia for ADIs, following the conclusion of the Basel Committee’s current consultation;
  - progress new and revised requirements for operational risk management, covering control effectiveness, business continuity and service provider management. While these requirements will apply to the entirety of an entity’s operations, many will be directly relevant to the management of operational risks associated with crypto-asset activities; and
  - consider possible approaches to the prudential regulation of payment stablecoins.
  A fantastic development, and a very sensible approach adopted by APRA.
- Data Security (Government): The Government has released a discussion paper focusing on data security policy settings for state and territory governments, industry and the broader economy. The paper is intended to inform the direction of the National Data Security Action Plan, which aims to improve data security measures and close the gaps that exist in our data settings, so that governments, businesses and communities are informed and resourced to protect their data, strengthen security and build resilience in the infrastructure that underpins our digital economy. The questions are broad ones, and are set out at 29-32 of the paper (e.g. does Australia need an explicit approach to data localisation?). Early stages for this one, though given the increase in cyber attacks, the idea of collectively taking Government and private industry on the journey of increasing our data protection settings is a good one. Between this, the SOCI legislation, and the consultation papers focusing on the uplift of the privacy legislation, informational treatment is going to be a defining feature of the regulatory landscape for this decade.
- Crypto-criminals (AUSTRAC): The AML/CTF regulator has released two new financial crime guides to help businesses stop ransomware attack payments and the criminal abuse of digital currencies. The guides contain practical information and indicators to help businesses identify and report where a payment could be related to a ransomware attack, or where someone could be using digital currencies to commit serious crimes such as money laundering, scams or terrorism financing. Example indicators include chain-hopping (moving funds from one blockchain to another in an apparent attempt to obfuscate their source or destination), and multiple customer accounts being opened with the same email address, phone number, IP address, residential address, postal address or on-boarding documents. The guides, which are an easy read and quite useful, can be accessed here.
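As an added illustration of the shared-identifier indicator described above (this is example code, not part of the AUSTRAC guides), the following Python groups onboarding records that share an email, phone, IP, address or on-boarding document across accounts and lists the accounts worth a closer look; the field names and the sample records are constructed for the example.

```python
from collections import defaultdict

# Identifier types that the guide treats as a red flag when shared across
# several customer accounts (these field names are assumed, not the guide's).
SHARED_IDENTIFIER_FIELDS = (
    "email", "phone", "ip_address", "residential_address",
    "postal_address", "onboarding_doc_hash",
)

# Constructed onboarding records for illustration only; nothing here is real data.
ONBOARDING_RECORDS = [
    {"account_id": "A100", "email": "jo@example.test", "phone": "+61400000001",
     "ip_address": "203.0.113.10", "residential_address": "1 Sample St, Sydney",
     "postal_address": "PO Box 1, Sydney", "onboarding_doc_hash": "doc-aaa"},
    {"account_id": "A101", "email": "kim@example.test", "phone": "+61400000002",
     "ip_address": "203.0.113.10", "residential_address": "2 Sample St, Sydney",
     "postal_address": "PO Box 2, Sydney", "onboarding_doc_hash": "doc-bbb"},
    {"account_id": "A102", "email": "lee@example.test", "phone": "+61400000003",
     "ip_address": "203.0.113.10", "residential_address": "3 Sample St, Sydney",
     "postal_address": "PO Box 1, Sydney", "onboarding_doc_hash": "doc-aaa"},
    {"account_id": "A103", "email": "max@example.test", "phone": "+61400000004",
     "ip_address": "198.51.100.7", "residential_address": "4 Other Rd, Perth",
     "postal_address": "PO Box 4, Perth", "onboarding_doc_hash": "doc-ddd"},
]

def normalise(field, value):
    """Canonicalise a value so trivially different spellings still match."""
    value = value.strip().lower()
    if field in ("residential_address", "postal_address"):
        value = " ".join(value.replace(",", " ").split())
    return value

def shared_identifiers(records, min_accounts=2):
    """Map (field, value) -> sorted account ids for values seen on >= min_accounts accounts."""
    index = defaultdict(set)
    for rec in records:
        for field in SHARED_IDENTIFIER_FIELDS:
            if rec.get(field):
                index[(field, normalise(field, rec[field]))].add(rec["account_id"])
    return {key: sorted(ids) for key, ids in index.items() if len(ids) >= min_accounts}

def accounts_to_review(records, min_shared_fields=1):
    """Accounts sharing at least min_shared_fields identifier types with another account."""
    hits = defaultdict(set)  # account id -> identifier types it shares with others
    for (field, _), ids in shared_identifiers(records).items():
        for acct in ids:
            hits[acct].add(field)
    # Raising min_shared_fields reduces false positives such as shared household addresses.
    return sorted(a for a, fields in hits.items() if len(fields) >= min_shared_fields)
```

Run against real onboarding data, the output is a review queue for an analyst, not an automatic suspicious matter report; a shared IP alone (a corporate NAT, for instance) is a weak signal, while a shared IP plus shared documents is much stronger.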
- Director Sentiment (AICD): The Australian Institute of Company Directors’ latest Director Sentiment Index shows that directors identified cyber-crime and data security as the number one issue keeping them awake at night – no surprises here. According to the last research I read on the subject (Cost of a Data Breach Report 2021 Australia, IBM), data breaches cost businesses an average of $3.9 million in 2021, an increase of over 30% from 2020, and the highest average cost in the last 17 years. That is only likely to increase with the proliferation of data, the increasing stringency of data protection laws, and the increase in bad actors seeking to fund activities or achieve nationalistic aims.
Thought for the future: I am very heartened to see APRA and AUSTRAC pragmatically embracing the place that crypto has in the future of our financial services system. Of course, the big game is over at Treasury in its consideration of the CASSPr licence (essentially a mutated AFSL) for crypto players. Getting that right is critical for the industry to thrive; submissions on that licence are due at the end of May 2022, and I’d encourage everyone to take part in shaping what will be a momentous change.