- FATCA/CRS (ATO): The ATO has issued a self-review guide and toolkit on the internal processes and systems that reporting financial institutions should maintain to comply with the Foreign Account Tax Compliance Act and the Common Reporting Standard, which has been something of a focus for it in preceding years. The ATO has stated that organisations' frameworks should be based around three fundamental areas of compliance: 1) governance; 2) due diligence obligations; and 3) reporting systems. The ATO has stated that a well-designed framework:
- has a clear line of sight for maintenance, reporting and compliance;
- sets out the operating model and controls (including the due diligence compliance program);
- identifies gaps and deficiencies, so that reporting errors can be corrected in advance;
- assists senior management with clarifying accountabilities for managing FATCA/CRS obligations, and key risks; and
- provides accurate reporting of customer information.
Guidance aside (which is great, in my view), the FATCA/CRS rules are complex (do reach out if you want a flow chart we have developed, if it will help!).
- Open Banking Infringement (ACCC): Bank of Queensland has paid a penalty of $133,200 after the ACCC issued it with an infringement notice for allegedly breaching the Consumer Data Right (i.e. Open Banking Rules) by failing to provide a service enabling consumers' data to be shared. BOQ was required to be in a position to share data for financial products, including savings accounts, term deposits and credit cards, by 1 July 2021; it did not meet this requirement until 13 December 2021. Two things are interesting to me here, in what is the first such infringement notice issued. First, I know a good number of banks were delayed with CDR compliance, due largely to core banking system provider issues. The ACCC appears to have recognised this, though it also took into account a number of factors, including the period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints Bank of Queensland faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance. It must have judged Bank of Queensland to be comparatively worse than other banks. Second, this is worth noting for the general insurers and others who are or will be implementing CDR shortly. The ACCC is taking a hardline approach!
- Cyber Risk (ASIC): ASIC is understandably pressing the fact that directors' duties include cyber risks in the wake of its notable win in RI Advice. It has stated that it expects directors to ensure their organisation's risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience, and that “failing to do so could cause you to fall foul of your regulatory obligations.” These include obligations under the recent SOCI Act (see here) and the Privacy Act. ASIC has asked directors to:
- consider their risk management framework and risk appetite to ensure it adequately deals with cybersecurity risk;
- enquire about incident response and business continuity plans to determine the organisation's preparedness to respond to cybersecurity incidents; and
- ensure access to appropriate resources to effectively manage cybersecurity risk, whether it be in-house or through commercial arrangements.
It has also stressed the need for broad and effective disclosure in the wake of a cyber attack (e.g. to the ASX, in annual reports, to relevant regulators, etc.).
- Investment Governance (APRA): APRA has released a response to consultation and final Prudential Standard SPS 530 Investment Governance (SPS 530). The letter addresses key concerns raised by industry (e.g. clarification that the valuation governance framework requirements do not require the establishment of a stand-alone Board valuation sub-committee), and additionally outlines the updates implemented to SPS 530 to ensure better member outcomes by enhancing stress testing, valuation and liquidity management practices. SPS 530 will commence on 1 January 2023, and you can read the letter here.
- UK Regulation (FCA): I have a lot of respect for the UK FCA as a regulator, from the guidance it issues, to its willingness to speak to market participants, to the regulatory evolution it develops, to its carefully calibrated enforcement action. That is also evident in a speech its CEO gave recently, in which I picked up that it:
- has invested heavily in data and technology and scans 100,000 websites for fraud every day; and
- noted that the US and UK will deepen ties on crypto-asset regulation and market developments, including in relation to stablecoins and the exploration of central bank digital currencies.
Both are areas which will no doubt be an increasing focus for our domestic regulators. I know ASIC scans websites already for misleading and deceptive conduct. That will only increase, I think, as will its focus on cryptocurrency regulation (once Treasury finalises the CASSPr regime).
Thought for the future: ASIC has made an interim stop order preventing advertisements containing certain misleading or deceptive statements about PPM Units, a class of interests in RES Investment Fund (Fund). The order stops RES from advertising or publishing any statement regarding PPM Units that suggests an investor will acquire equity in Pleasure Point Mine Pty Ltd (PPMPL), a related entity of RES. ASIC considers that statements that investors will acquire equity are misleading or deceptive because they may lead investors in PPM Units to believe that they will receive shares and/or a direct ownership interest in PPMPL. The sole underlying asset of the PPM Unit class in the Fund is a loan to PPMPL. It is an interesting and targeted use of ASIC's powers; one to watch out for as to whether it will increase.