- Financial Accountability Regime (FAR) (Parliament): As expected, the Senate Committee examining the reintroduced FAR Bill has given it the tick of approval, stating “The committee is of the view that accountability measures, such as the existence of banning powers and deferred remuneration arrangements, will complement existing penalties for entities and accountable persons contained in the Corporations Act. On balance, the committee believes that such measures will effectively guide behaviour and are the final step of implementing the recommendations made by Commissioner Hayne.” Expect it to be passed in its current form, in the Spring sitting, which ends on 1 December 2022. There are still many outstanding issues with the design of the bill, but thank God it was not made worse through the lobbying of the Greens who called it “all carrot, no stick.” Ridiculous.
- Breach reporting (ASIC): ASIC has released its much anticipated report on the first year of the new enhanced breach reporting regime. Key statistics are as follows:
  - 8,829 initial reports and 2,530 updates were submitted;
  - 6% of the licensee population lodged reports, which is significantly lower than expected, and ASIC will be undertaking a range of activities to strengthen compliance with the regime such as enforcement;
  - 74% of all reports were lodged by just 23 licensees, which were generally larger licensees;
  - 38% of reports were about credit product lines, followed by general insurance at 19% and deposit taking at 10%. 34% of reports were about issues of false or misleading statements about a product, regarding service information or in warning statements, followed by lending (21%), general licensee obligations (19%) and fees and costs (14%). 60% of reports specified a root cause of staff negligence or error, followed by policy breaches.

  A deeply interesting read, and one which will no doubt herald ASIC’s great focus in this area, much as it is doing with TMDs now.
- Misleading & Deceptive Conduct and Crypto (ASIC): ASIC has commenced civil penalty proceedings in the Federal Court against BPS Financial Pty Ltd (BPS) for allegedly making false, misleading or deceptive representations and engaging in unlicensed conduct in relation to a non-cash payment facility involving a crypto-asset token called Qoin. BPS allegedly made false, misleading or deceptive representations in marketing the Qoin token, including through the following statements:
  - consumers who purchased Qoin tokens could be confident that they will be able to exchange them for other crypto-assets or fiat currency;
  - Qoin tokens can be used to purchase goods and services from an increasing number of merchants;
  - the Qoin Facility and/or the Qoin wallet application used to transact Qoin tokens are regulated, registered and/or approved in Australia; and
  - the Qoin Facility and/or BPS are compliant with financial services laws.
ASIC alleges that Qoin merchant numbers were declining. However, more importantly, in the words of ASIC Deputy Chair Sarah Court, “ASIC is particularly concerned about the alleged misrepresentation that the Qoin Facility is regulated in Australia, as we believe the more than 79,000 individuals and entities who have been issued with the Qoin Facility may have believed that it was compliant with financial services laws, when ASIC considers it was not.” Of course, whether or not that is the case depends on whether the Qoin token was a non-cash payment (NCP) facility. An NCP is a payment not made through the physical delivery of Australian or foreign currency, and is classed as a financial product requiring an AFSL. Examples of NCP facilities include stored value cards, electronic cash and direct debit services. ASIC has only released its Originating Process, which does not give an indication of the facts it will rely on to state that Qoin is an NCP (we will have to wait for the affidavit material for that!). The industry will need to wait to see ASIC’s analysis, though presumably it rests on the fact that the design of the Qoin token provides rights to use the asset to make payments at merchants and/or exchange for fiat currency. It is an uncomfortable action, and you can read our greater analysis of why here.
- Privacy Laws (Parliament): The Government has introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which will significantly increase maximum penalties under the Privacy Act. A serious or repeated breach of the Australian Privacy Principles (APPs) could attract a maximum penalty of $2.5 million for individuals, or for bodies corporate an amount equal to the greater of: $50 million (a massive increase over the current maximum of $2.22 million); three times the value of the benefits obtained from the breach; or, if the court cannot determine the total value of those benefits, 30% of adjusted turnover in Australia during the breach turnover period (being the longer of 12 months prior to the breach or the period over which the breach occurred). The Government also proposes to introduce new powers for the OAIC to obtain information relating to actual or suspected data breaches, so that it can properly assess the particular risks posed by such breaches; allow the OAIC to require organisations to engage an independent adviser to review privacy acts or practices of the organisation and then report to the OAIC and/or to publish a statement about a privacy breach and the steps being taken to ensure that it does not happen again; and give the OAIC power to issue infringement notices to persons who refuse to answer a question or produce a document when required under the Act. Expect more funding to flow to the OAIC as well, turning a previously weak regulator into a much stronger one with a hawkish mandate in the wake of the Optus and Medibank hacks.
- Privacy (AICD): The Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre have produced Cyber Security Governance Principles addressed to directors to oversee cybersecurity risk and promote a culture of cyber security resilience. My top read for the week, it is a really helpful resource which covers governance, regulatory obligations and policies and procedures. Well worth a read!
Thought for the week: The US, EU, UK and Australia are currently struggling with the definition of “crypto assets”, and what should and should not fall within the definition. This is super important, as it then sets the level of regulation over the industry, i.e. whether they are regulated at all, as financial products / securities or something in between. Australia’s only legislation, Senator Bragg’s private member’s bill, which ends its consultation shortly, has a very broad definition. That legislative breadth, if passed, has real-world competitive impositions. A finer scalpel is needed.