Gadens Regulatory Recap – 14 November 2023
14 November 2023
This edition of the Gadens’ Regulatory Recap highlights recent developments from ASIC, APRA, ACCC, AFCA, AUSTRAC, the OAIC, and Treasury, including various enforcement actions taken by the regulators.
- ASIC releases second publication on insights from the reportable situations regime: On 31 October 2023, ASIC released Report 775 Insights from the reportable situations regime: July 2022 to June 2023, its second publication regarding information submitted under the reportable situations regime. ASIC noted that in the fiscal year between 1 July 2022 and 30 June 2023, credit and financial services licensees submitted over 16,000 reports to ASIC under the regime. However, while key areas of concern improved marginally since the previous Insights publication (Report 740 Insights from the reportable situations regime: October 2021 to June 2022), ASIC continues to hold concerns about the adequacy and frequency of licensee reports under the regime. ASIC’s concerns include:
- a belief that licensees are not complying with the regime, because only 11% of the licensee population had lodged a report since the commencement of the regime in October 2021;
- 17% involved situations in which licensees had taken more than one year to identify and investigate breaches;
- remediation activities such as compensating affected customers had been delayed by over a year in 8% of reported cases; and
- accurate identification of the root cause of a breach was not always occurring, making it difficult to develop appropriate preventative measures to avoid similar breaches occurring.
ASIC will continue to seek to improve compliance with the regime through stronger regulatory action, including enforcement action where appropriate.
- ASIC’s new capability to take down websites resulted in thousands of phishing and investment scam websites being disabled: At a press conference on 2 November 2023, ASIC announced that it had implemented a new scam website takedown capability to limit or remove access to malicious and fraudulent websites. Since July 2023, more than 2,500 phishing and investment websites had been identified and had either been taken down or were in the process of being taken down. The disrupted websites included crypto-asset scam websites, fake investment platforms, and imposter scam websites, which impersonated legitimate financial services businesses. ASIC’s initiative is part of the Australian Government’s Fighting Scams initiative and supports the work of the National Anti-Scams Centre.
- ASIC proposes extension of relief from disclosure and reporting consistency obligations for superannuation trustees: ASIC is seeking feedback from stakeholders regarding the efficacy and efficiency of ASIC Class Order [CO14/541], which it proposes to extend until 1 January 2026. This Class Order currently relieves superannuation trustees from compliance with disclosure obligations under Section 29QC of the Superannuation Industry (Supervision) Act 1993 (Cth). The consultation closes at 12pm on 4 December 2023.
- ASIC commentary on greenwashing: ASIC has released an article that provides further details as to ASIC’s approach to greenwashing, which is one of its 2023 enforcement priorities.
In the article, ASIC Deputy Chair, Sarah Court, noted:
- ASIC’s greenwashing enforcement action has ranged from warning letters, infringement notices and undertakings, to civil proceedings in the Federal Court to obtain civil penalties against offenders for misleading and deceptive conduct;
- enforcement action decisions are made having regard to whether the ASIC action will likely deter the broader sector from engaging in greenwashing.
The article also notes that future greenwashing enforcement may extend to licensing actions, breach of statutory corporate officers’ duties, or breach of other statutory obligations. Future areas of interest for ASIC are expected to include:
- misuse of net zero statements and targets;
- misuse of terms such as ‘carbon neutral’, ‘clean’, or ‘green’; and
- the scope and application of investment exclusions and screens.
- ASIC oversees compensation of more than $17.4 million to retail investors by OTC derivative issuers: On 9 November 2023, ASIC announced that it has overseen more than $17.4 million in combined compensation payments to over 2,000 retail clients affected by financial services law breaches by eight retail OTC derivative issuers. The total compensation figure since March 2021 comprises:
- $4.3 million paid or agreed to be paid to over 1,500 retail clients of seven different issuers, due to the issuing of contracts for difference (CFDs) that exceeded the leverage ratio limits permitted by ASIC Instrument 2020/986; and
- approximately $13.1 million paid to 523 clients of Oztures Trading Pty Ltd (trading as Binance Australia Derivatives) between May and September 2023, due to incorrect classification of retail clients as wholesale clients.
All seven CFD issuers self-reported their breaches and undertook remediation programs to compensate affected consumers. ASIC noted that, while the relevant programs provided appropriate outcomes for the affected consumers:
- three of the CFD issuers used behavioural assumptions to estimate retail client losses resulting in lower compensation than the amount that would have been calculated if they had not been issued the over-leveraged CFDs in the first place; and
- four CFD issuers had not compensated clients for fees or charges incurred on CFDs issued in breach of the class order, or interest on these amounts.
Consequently, ASIC required four of the CFD issuers to pay, or agree to pay, additional compensation.
- ASIC guidance for UCT reforms: On 9 November 2023, the Unfair Contract Terms (UCT) reforms took effect, with ASIC providing updated guidance for licensees. Under the Australian Consumer Law, and mirror provisions in the ASIC Act, a term in a standard form contract is unfair if it:
- causes a significant imbalance in the rights and obligations of the parties;
- is not reasonably necessary to protect the legitimate interests of the party who would be advantaged by the term; and
- would cause detriment to a party if the term was relied upon.
ASIC has issued the following updated guidance materials:
Gadens has previously written about the UCT reforms here.
- ASIC releases new investor alert list highlighting suspicious investment opportunities: In addition to its new scam website takedown capability, ASIC has published a new investor alert list and updated investor checklist materials to assist consumers in determining whether an entity is fraudulent, unlicensed or may be a scammer.
The investor alert list includes domestic and international entities that ASIC believes may be offering services to Australians without the requisite licenses, exemptions, authorisations, or permissions. It also includes ‘imposter’ entities, which impersonate or claim to be associated with legitimate businesses. The investor alert list includes 52 unlicensed entities and 25 imposter entities.
ASIC has also updated the investor checklist, which provides guidance to consumers on steps that should be taken before investing.
- ASIC releases report following cyber pulse survey: On 13 November 2023, ASIC released Report 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. Ultimately, the report summarises the findings of ASIC’s recent voluntary self-assessment survey, including deficiencies in cyber security risk management, and the tendency of organisations to only respond reactively rather than proactively in managing cyber security.
Key findings about participants include that:
- 44% do not manage third-party or supply chain risk;
- 58% have limited or no capability to protect confidential information adequately;
- 33% do not have a cyber incident response plan; and
- 20% have not adopted a cyber security standard.
The report followed the Australian Cyber Security Centre’s estimate that cybercrime cost Australia $42 billion in 2021.
- ASIC Enforcement: ASIC has continued to be active in the enforcement space. In the past fortnight:
A New South Wales director was disqualified from managing corporations for five years by ASIC due to his involvement in the failure of three companies, and ASIC’s finding that he acted improperly and failed to meet his obligations as an officer.
A Canberra director was disqualified from managing corporations for two years by ASIC due to his involvement in the failure of five companies, with ASIC noting that he showed a lack of care and diligence, and a lack of commercial morality.
Link Administration Holdings Limited has announced the restatement of half year and full year 2023 financial reports, following concerns raised by ASIC about the accuracy of the reports. ASIC’s concerns were raised as part of its financial reporting and audit surveillance program.
ASIC has issued three infringement notices totalling $48,600 to H.E.S.T. Australia Limited, the trustee of HESTA superannuation fund, for alleged false or misleading statements made in marketing materials. Specifically, marketing materials of the ‘Balanced Growth’ option referenced the 10-year performance figures but did not specify what period the figures related to and may have misled consumers to believe the figures were up to the present day, rather than a period ending up to 14 months prior to publication.
ASIC has commenced civil penalty proceedings in the Federal Court against Telstra Super, alleging that it failed to comply with internal dispute resolution (IDR) requirements. These proceedings are the first under the IDR regime that came into effect on 5 October 2021. ASIC alleges that 40% of Telstra Super’s responses to complainants in the relevant period did not comply with the company’s IDR procedures, including 106 complaints that were not responded to within the applicable 45-day timeframe.
Separately, following an ASIC investigation and referral to the Commonwealth Director of Public Prosecutions (CDPP), two financial services companies have been charged in separate proceedings with multiple criminal offences that relate to their failures to lodge financial accounts. APC Security Pty Ltd, formerly known as McFaddens Securities Pty Ltd, and Brava Capital Pty Ltd, formerly known as Dayton Way Securities Pty Ltd, have been charged with:
- Three counts of failing to lodge a profit and loss statement and balance sheet; and
- Three counts of failing to lodge an auditor’s report with the profit and loss statement and balance sheet.
A similar prosecution has been commenced by the CDPP against Odyssey Equity Finance Pty Ltd regarding failures to comply with financial reporting obligations. In all three matters, ASIC specifically noted that it is actively targeting breaches of financial reporting obligations.
The CDPP has also commenced prosecution against three men connected to the Sterling Income Trust, following ASIC’s investigation and referral. The men have been charged with a number of charges of aiding and abetting Sterling Corporate Services to engage in dishonest conduct in relation to a financial product or service, in breach of section 1041G of the Corporations Act 2001.
Finally, William O’Dwyer, the former managing director of companies in the Ralan Group, has pled guilty to six offences contrary to section 192E of the Crimes Act 1900 (NSW) following an ASIC investigation. The charges related to loans advanced to Group companies involved in residential development projects where companies were required under loan agreements to satisfy lenders that pre-sale deposits were held in trust. Mr O’Dwyer deceived lenders into believing that the funds were held in a trust account, as required, when they had instead been loaned to the development company as working capital.
- APRA’s “patience runs out”: Recent speeches by APRA leaders emphasise renewed focus on key priority areas and hard-line approach to non-compliance: APRA Chair, John Lonsdale spoke at FINSIA’s ‘The Regulators’ conference on 3 November 2023, while APRA Deputy Chair, Margaret Cole gave a speech at the AFR Super and Wealth Summit on 31 October 2023.
Both speeches highlighted the need for entities to ensure that their regulatory compliance and governance policies are keeping pace with the rapid advances in technology in an increasingly interconnected global financial system.
Statements by Mr Lonsdale indicated that APRA expects entities to be up to date with the new policies and will have little tolerance for any failures by entities to comply with the relevant regulations around key risk areas.
In both speeches, APRA’s priorities were stated as follows:
- Cyber security: APRA is taking a hard-line approach on any issues relating to cyber preparedness. APRA notes that information security standard CPS 234 was released three years ago. APRA’s position is that entities have had sufficient time to ensure they are compliant with this standard. Mr Lonsdale stated that APRA’s “patience has run out” and it will intensify scrutiny of any members who are found to be significantly wanting in their cyber preparedness. This may include enforcement action and potentially license conditions.
- Operational resilience standards: This is another area that has been the subject of consistent messaging from APRA over recent months. APRA reminded regulated entities that while it is 18 months before the new CPS 230 will take effect, entities should be implementing policies and practices now to ensure compliance with the requirements of CPS 230 by mid-2025.
- Governance, risk culture, remuneration and accountability: Closely related to operational resilience, APRA is also focused on entities’ compliance with governance, risk culture, remuneration and accountability (see CPS 220, CPS 510, and CPS 511).
- Affordability and accessibility of insurance: APRA noted that this is an area that requires collaboration between insurers, regulators and governments. This includes collection and provision of data that increases public understanding of risks and pain points.
- Data collection and analysis capabilities: APRA has been working to transform its data collection and analysis capabilities to enable more effective risk-based supervision, improve insights and enhance transparency. This process was stepped up earlier this year with the creation of a new standalone Technology and Data division reporting directly to the APRA Members.
- Superannuation: Both the Chair and Deputy Chair emphasised the need for the superannuation industry to ensure trustees are compliant with CPS 234 and 230 above. They also noted that APRA is particularly focused on superannuation trustees’ compliance and governance in the areas of system-wide risks associated with investment market conditions, particularly in relation to asset valuation and liquidity management practices, and management of climate related financial risks.
More details on APRA’s initiatives are set out in their most recent Corporate Plan, which was released in August 2023.
- APRA applies additional capital requirements to RAC Insurance: Following a governance prudential review, APRA has applied an additional $20 million capital requirement to RAC Insurance Pty Ltd (RAC). APRA noted that RAC has reviewed its governance framework and is implementing an action plan to address these issues, but that further effort is required to ensure the changes are executed and embedded successfully, and to verify their effectiveness in addressing governance concerns.
- APRA makes correction to Prudential Standard LPS310 (Audit and Related Matters): On Wednesday 8 November, APRA issued a correction to Prudential Standard LPS310 (Audit and Related Matters). The notice was issued to all life insurers and relates to a correction to the level of assurance required for two reporting standards in Attachment A of LPS 310.
- International framework formed to promote competitive markets in the Pacific: On 6 November 2023, the ACCC announced a new initiative with its Pacific neighbours named the Pacific Island Network of Competition Consumer and Economic Regulators (PINCCER). PINCCER allows the ACCC to leverage its experience to assist smaller Pacific economies to provide fairer consumer and trader outcomes and, through collaboration with its partners, positively shape future competition and consumer protection laws throughout the Pacific region.
14. Consultation on AFCA’s Approach to determining compensation in complaints involving Financial Advisers and Managed Investment Schemes opens: On 6 November 2023, the Australian Financial Complaints Authority (AFCA) opened its consultation on its draft Approach to determining compensation in complaints involving Financial Advisers and Managed Investment Schemes.
The Approach draft sets out AFCA’s consideration regarding:
- fairness in respect of the apportioning of loss;
- the application of proportionate liability statutes involving complaints against Managed Investment Schemes (MIS) and financial advisers;
- the provision of advice by financial advice firms which has resulted in a MIS becoming insolvent or failing, and the treatment of liability and compensation of the Responsible Entities and the advice firm; and
- joining a party to a complaint when the party is an AFCA member.
The consultation is open until 1 December 2023.
15. FATF releases updates on global AML/CTF risk: On 8 November 2023, AUSTRAC provided guidance relating to international anti-money laundering and counter-terrorism financing (AML/CTF) risks following updates issued by the Financial Action Task Force, the global organisation that sets AML/CTF standards.
The most recent updates are:
Reporting entities should be sure that they are aware of any updates relating to high-risk jurisdictions.
16. Australian Information Commissioner and Privacy Commissioner delivers keynote address at the Australian Government Solicitor FOI and Privacy Law Conference: On 31 October 2023, the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, delivered the keynote address at the Australian Government Solicitor FOI and Privacy Law Conference.
The speech highlighted the importance of protecting the fundamental right to privacy, entrenched and recognised in international agreements, including the UN Declaration of Human Rights and the International Covenant on Civil and Political Rights, while balancing the right to privacy with the importance of providing access to information.
Of note, the Commissioner highlighted that:
- over the course of the last 12 months, millions of Australians were impacted by Australia’s biggest data breaches, and security of personal information has “come into even sharper focus” as a priority for organisations and the public;
- there is a need to strengthen existing frameworks to provide adequate safeguards in light of the increased development and adoption of generative AI;
- the results of the OAIC’s recent Australian Community Attitudes to Privacy Survey (which Gadens previously wrote about here);
- there is an urgent need for reforms to the Privacy Act 1988 (Privacy Act) to reflect community desire for more control over the collection and use of personal information; and
- the government has agreed, in principle, to a new positive obligation to ensure personal information handling is fair and reasonable.
The Commissioner also recommended agencies:
- embed a proactive disclosure culture;
- implement a best practice open by design approach to proactive disclosure;
- engage with the Australian community in relation to information that is of most value and interest to them; and
- adopt a customer service approach to the proactive disclosure of information.
17. OAIC commences proceedings against Australian Clinical Labs Limited following 2022 data breach: On 3 November 2023, the Australian Information Commissioner commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited, following an investigation into privacy practices. The investigation followed a data breach of Australian Clinical Labs’ Medlab Pathology business in February 2022 that resulted in the access and exfiltration of personal information, sensitive health information, and credit card information of more than 100,000 individuals.
In the proceedings, the Commissioner alleges that from May 2021 to September 2022, Australian Clinical Labs seriously interfered with the privacy of millions of Australians in failing to take reasonable steps to protect personal information from unauthorised access or disclosure, in contravention of the Privacy Act, with these failures leaving Australian Clinical Labs vulnerable to cyber-attacks. The Commissioner also alleges that Australian Clinical Labs failed to take the steps required under Part IIIC of the Privacy Act by failing to carry out a reasonable assessment of whether the matter involved an eligible data breach and to report the breach promptly. The breach was not reported to the OAIC until 10 July 2022. As a result, it is alleged that Australian Clinical Labs breached section 13G of the Privacy Act by way of:
- Breaches of Australian Privacy Principle 11.1(b), which requires an entity to take reasonable steps to prevent unauthorised access of personal information;
- Contravention of section 26WH(2), which requires an entity to carry out a reasonable and expeditious assessment whether there are reasonable grounds to believe that circumstances amount to an eligible data breach, and take steps to ensure an assessment is completed within 30 days; and
- Contravention of section 26WK(2), which requires an entity to notify the OAIC as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an eligible data breach.
18. Treasury commences consultation on liabilities for failure to meet continuous disclosure obligations: Treasury has commenced its consultation on the reforms of the Continuous Disclosure Regime.
Treasury is seeking submissions from interested parties to assist in conducting a review of the operation of the amendments made to the Continuous Disclosure Regime by the Treasury Laws Amendment (2021 Measures No.1) Act 2021, which was introduced by the previous government in August 2021 to reduce the number of shareholder class actions. The primary effect of the amendment was to introduce a requirement for plaintiffs to prove that companies and their officers acted with ‘knowledge, recklessness or negligence’ to be successful in a civil penalty proceeding for breaches of continuous disclosure laws. The latest consultation is likely to result in a policy change in this area.
The Terms of Reference are:
- whether the changes made to the Continuous Disclosure Regime are working in support of an efficient, effective and well-informed market;
- the effect of the amendments on the quality and nature of disclosures made by listed companies;
- the nature of continuous disclosure regimes operating overseas and the extent to which the Australian regime is consistent with them; and
- whether the proposed amendments give rise to barriers that may prevent compliance with or enforcement of the continuous disclosure obligations.
The consultation will be closely watched by ASX-listed entities, litigation funders and other interested stakeholders.
The public consultation period is open for submission for four weeks. Submissions will close on Friday 1 December 2023. Please contact us if you are interested in contributing to a joint submission on this issue.
19. Treasury commences consultation on sustainable finance strategy: The government is inviting consultations on its newly released Australia’s Sustainable Finance Strategy.
Treasurer Jim Chalmers has stated that the Strategy is aimed at mobilising the significant private capital required to achieve net zero, modernising financial markets and maximising the economic opportunities associated with energy, climate and sustainability goals.
The consultation paper outlines proposals under three key priority pillars:
- Pillar 1: Improve transparency on climate and sustainability;
- Pillar 2: Financial system capabilities; and
- Pillar 3: Australian Government leadership and engagement.
The Treasury seeks feedback on this strategy, the proposed tools and policies, and the specific questions raised in the paper.
The public consultation period is open until 1 December 2023.
Matthew Bode, Partner
Kelly Griffiths, Partner
Michael Kenny, Partner
Sinead Lynch, Partner
Daniel Maroske, Partner
Kate Mills, Partner
Caroline Ord, Partner
Anna Fanelli, Senior Associate
Philip O’Brien, Senior Associate
Zira Norman, Senior Associate
Nigel Mok, Associate
This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.