Gadens Regulatory Recap – 3 October 2023

3 October 2023
Matthew Bode, Partner, Brisbane; Kelly Griffiths, Partner, Melbourne; Michael Kenny, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Daniel Maroske, Partner, Brisbane; Kate Mills, Partner, Sydney; Caroline Ord, Partner, Melbourne

This edition of Gadens’ Regulatory Recap highlights recent developments from ASIC, APRA, OAIC, ACCC, AUSTRAC and Privacy Commission, including various enforcement actions taken by the regulators.


1. ASIC Chairman highlights cyber-security risks: ASIC Chairman Joe Longo gave a speech at the AFR Cyber Summit on 18 September 2023 regarding cyber risk and cyber resilience. Mr Longo has put company boards squarely on notice that ASIC expects organisations to make cyber security a top priority.

Key takeaways include: 

  • ASIC expects boards and executives to ensure their organisations are focused on cyber security and cyber resilience as top priorities. Failure to ensure adequate measures are in place exposes directors to potential enforcement action by ASIC, including for breaches of directors’ duties to act with reasonable care and diligence.  
  • Cyber resilience extends beyond preventative safety measures – it includes the ability to respond to, and recover from, an incident. Systems must be tested regularly – alongside ongoing reassessment of cyber security risks, including within the supply chain.  
  • Reliance on third-party providers is always a risk. Three ways to reduce third-party risk include:  
    • never set and forget – take an active approach to managing the supply chain and vendor risk;  
    • plan and test for attacks; and 
    • you can’t protect what you aren’t aware of: almost half of cyber pulse survey respondents indicated they don’t identify critical information and business critical systems. 

This is an area that is sure to attract greater attention over the coming years with cyber-attacks becoming an increasingly prevalent concern for boards and executives.  

The main lesson for boards is simple: cyber preparedness is not simply a question of having impregnable systems. That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.

The full speech can be accessed here.

2. ASIC extends registration requirement date for financial advisers: ASIC has recently announced that it will extend the deadline by which financial advisers must be registered. Registration for financial advisers was previously due by 1 October 2023; the revised registration deadline is 1 February 2024.

The registration extension has been granted because the Treasury Laws Amendment (2023 Measures No. 1) Bill is still before Parliament. This additional time will enable ASIC to provide regulatory guidance to the industry, to ensure financial advisers are enabled to understand and comply with the requirement.

3. ASIC’s 2023 Licensing and Professional Registration Activities Update: ASIC has released its latest licensing report titled ‘Report 772 Licensing and professional registration activities: 2023 update’ (the Report) covering the financial year period from 2022-2023. This Report provides a high-level overview of what ASIC has examined in the last 12 months regarding Australian licensing and registration applications and activities in the market.

The Report aims to inform industry professionals about what the regulator is observing and examining across the Australian licensing landscape. It presents statistics such as the number of Australian financial services licence and Australian credit licence applications that have been received, finalised, granted and approved by ASIC, and proposes changes and improvements to the current licensing process.

To find out more and to read the Report, please follow this link here.

4. ASIC calls on licensees to strengthen remediation procedures: On 25 September 2023, ASIC called on Australian financial services and credit licensees (licensees) to ensure consumers are remediated efficiently and fairly in accordance with Regulatory Guide 277 Consumer Remediation (RG 277). ASIC has overseen more than $7 billion in remediation to approximately 8.42 million Australian customers due to identified failures in the financial services industry.

ASIC’s recent review of the remediation procedures and policies of a sample of large financial institutions, which assessed their implementation of RG 277, found that:

  • forgone returns or interest must return the customer to, as close as possible, the position they would have been in if the misconduct did not occur;  
  • the remediation review period should begin upon first suspicion of the failure or misconduct which caused a loss to the customer;  
  • beneficial assumptions must be used to increase remediation efficiency and address knowledge gaps;  
  • adequate governance frameworks with appropriate accountability and oversight are required;  
  • customers in the low value payment threshold of under $5 are still entitled to payments; and  
  • reasonable endeavours must be adopted to contact and remediate affected customers.  

5. Consultation on insolvent trading open to the public: update to RG 217 (26 October 2023)

ASIC is seeking feedback on Regulatory Guide 217, which contains guidance on the operation of the safe harbour provisions for insolvent trading. 

Comments close on 26 October 2023 and the consultation paper can be found here.  

6. ASIC Enforcement: ASIC continues to deliver on its stated strategic priorities, with a range of enforcement activities over the past fortnight.  

A company auditor has been suspended from practice for a period of 12 months and ordered to pay ASIC’s costs of $20,000 after the regulator found that two of his audits failed to comply with auditing standards.  

An individual has been disqualified from managing corporations for five years due to phoenix activity. The individual was involved in the failure of five companies. ASIC determined that the individual acted as a ‘shadow director’ by controlling companies and acting as a director, despite not being listed as a registered director of the companies, which have since entered liquidation. ASIC also raised concerns regarding breaches of directors’ duties, including a failure to act in good faith, to exercise care and diligence, and a failure to meet statutory lodgement requirements of the Australian Taxation Office. 

Interactive Brokers Australia Pty Ltd paid a penalty of $832,500 to comply with an infringement notice issued by the Market Disciplinary Panel. The Panel determined that the company was negligent in its failure to identify suspicious trading on the part of a client, and that, by continuing to allow the suspicious trading to occur following notification from ASIC, it was ‘reckless’.

Bobbob Pty Ltd has paid $53,280 to comply with infringement notices relating to representations made in respect of a crypto-asset linked investment product. ASIC considered that those representations had the potential to mislead consumers, including representations regarding the product’s approvals, risks, characteristics and benefits.  

ASIC has commenced Federal Court proceedings against Bit Trade Pty Ltd, which provides access to the Kraken crypto exchange for Australian customers. ASIC alleges that Bit Trade failed to comply with the design and distribution obligations for the margin lending product offered on its platform. 

The Federal Court ordered Australia and New Zealand Banking Group Limited (ANZ) to pay a penalty of $15 million after the bank admitted to misleading customers about the funds available in certain credit accounts. The Court found that ANZ had breached the ASIC Act and the National Consumer Credit Protection Act by falsely suggesting customers could obtain a cash advance from funds listed in their Available Funds without attracting fees and interest.  

The Federal Court has also ordered National Australia Bank Ltd (NAB) to pay a penalty of $2.1 million for unconscionable conduct for continuing to charge periodic payment fees, despite the knowledge that customers were being wrongfully overcharged. Justice Derrington imposed the maximum penalty for the single contravention of the ASIC Act, which has since been updated to impose a greater penalty for the same contravention, and NAB has paid approximately $9 million in remediation to customers who incurred the incorrect periodic payment fees from 1 August 2001.  

ASIC has also released further information about its activities relating to financial reporting failures between 1 January and 30 June 2023. In this period, ASIC has prosecuted 36 companies and secured over $700,000 in penalties for failure to lodge financial reports, hold annual general meetings, and maintain the required number of directors and resident directors. These prosecutions include ALT Financial Group Ltd, which was fined $123,000, TV2U International Ltd, which was fined $110,000, and RMG Ltd, which was fined $105,000.  


7. APRA releases Intermediated General Insurance Statistics for June 2023: On 28 September, APRA released its bi-annual intermediated general insurance statistics for the six-month period ending June 2023. The Statistics Report publishes industry level data on general insurance placed with APRA-authorised general insurers, Lloyds’ underwriters and unauthorised foreign insurers (UFIs), segmented by region type, atypical risk class, and customised reasons. The Statistics Report notes for the period ending June 2023:

  • total premiums invoiced in June 2023 were $15.14 million;  
  • the total number of intermediaries was 1,681;
  • total premiums effective in the period were $14 million;
  • total business placed with UFIs by region for the six months ending June 2023 was $1.151 million (the largest being towards Fire and ISR at $756 million, the largest Arisk type being for biological, with an average premium at $566,000); and
  • total gross premiums written by APRA authorised general insurers (excluding Lloyds) were $30.4 million.

The December 2023 edition of the Statistics Report will be released in March 2024.

8. APRA seeks consultation on improving effectiveness of hybrid capital bonds: On 21 September 2023, APRA issued a Discussion Paper on the challenges of using AT1 capital instruments (Hybrid Capital Bonds) in a potential bank stress scenario in an Australian context. APRA is calling for submissions by 15 November 2023. The APRA executive board is concerned that these instruments ‘do not operate as intended due to certain design features and market practices’. Hybrid Capital Bonds operate by allowing a bank to decline to pay discretionary coupons to AT1 investors, converting the instruments to equity or writing them off.

Executive Board Member Therese McCarthy Hockey has said “AT1 are critical instruments designed to absorb losses to stabilise a bank before it reaches a crisis scenario or support bank resolution if it gets to that. However, recent episodes of banking stress overseas highlighted that AT1 only absorbs losses at a very late stage of a crisis – in the resolution phase.” The Australian market for AT1 bonds is “unusual by global standards, with over half the bonds being held by small retail investors”, Ms McCarthy Hockey said, “and converting such investments into equity or writing them off could undermine confidence in the financial system, [impacting] stability of other institutions – a complication that risks impeding the speed of decision.”

APRA will hold discussions with industry on these options this year and will formally consult on any proposed changes to prudential standards or guidance in 2024.

9. APRA tightens standard to enhance member outcomes in superannuation: On 21 September, APRA announced its intentions to reform Prudential Standard SPS 515, Strategic Planning and Member Outcomes (SPS 515), which will sharpen industry focus on the delivery of outcomes to members. Submissions are due by 21 December 2023.  

The draft reforms will seek to: ensure the expenditure of member funds is better aligned with trustees’ best interest duty; better support the retirement income covenant (under which trustees must now justify the purpose of expenditure relating to business operations); lift the bar on trustees’ management of financial resources; ensure trustees prudently approach fee setting and managing member fund reserves; and improve management of risks to members being transferred across funds.

Proposed reforms to SPS 515 have been a priority focus for APRA, Deputy Chair Margaret Cole has said, given the existing standard was significantly outdated (designed in 2001), and no longer reflected the matured business structures, or legal environment, within which superannuation trustees currently operate. The review has also prompted APRA to retire its guidance circular on the sole purpose test, which Ms Cole said “was designed more than 20 years ago for a larger number of less sophisticated trustees… and offered no general guidance, had no legal status or effect”.

A replacement guidance will not be published. The discussion paper on the SPS 515 reforms can be accessed here.


10. ACCC to deny proposed joint mortgage aggregator assurance review program: The ACCC has signalled its intention to withhold approval for Australia’s five largest banks to establish a proposed voluntary program that would allow participating mortgage lenders to jointly procure assurance reviews of participating mortgage aggregators’ compliance systems and standards.  

The regulator has cited concerns that the proposed program may increase coordination between Australia’s largest mortgage lenders by increasing frequency and points of interaction, risks prioritising the interests of major banks over smaller lenders, and uncertainty over whether the program is likely to result in assurance reviews being conducted to a higher standard.  


11. AUSTRAC publishes consequences of not complying with reporting entity obligations on its website. AUSTRAC has outlined the penalties it can seek and steps it can take to enforce compliance where reporting entities do not meet their obligations. Enforcement actions available to AUSTRAC are:

  • Civil penalty orders: AUSTRAC can apply to the Federal Court for an order that a reporting entity must pay a penalty to the Commonwealth of up to 20,000 penalty units for individuals and 100,000 penalty units for a body corporate. As at 1 July 2023, the penalty unit amount is $313.
  • Enforceable undertakings: AUSTRAC can require a reporting entity to provide a written undertaking committing it to take or not take specific actions. Failure to comply with the agreed terms of an enforceable undertaking can result in AUSTRAC applying for an order that the terms of the undertaking be met.
  • Infringement notices: AUSTRAC can issue infringement notices for breaching specific obligations under the AML/CTF Acts. Infringement notices can be made public.  
  • Remedial directions: AUSTRAC can issue a direction instructing reporting entities to take specific actions to comply with sections of the AML/CTF Acts, including ordering reporting obligations.  
  • Written notice to appoint an external auditor: Where AUSTRAC has reasonable grounds to suspect that a reporting entity has not taken appropriate actions to avoid money laundering or terrorism financing risk, it can require the reporting entity to appoint an external auditor and provide the results of the audit to AUSTRAC.
  • Written notice to undertake a risk assessment: AUSTRAC can issue a notice requiring a reporting entity to conduct an internal money laundering/terrorism funding report to be provided to AUSTRAC.

AUSTRAC can also take registration actions against Remittance Service Providers and digital currency exchange providers if it believes that the organisation poses an unacceptable risk of money laundering, terrorism funding or people smuggling. Registration actions include refusing registration or registration renewal.  

AUSTRAC also outlines the process for applying to have a decision or suspension reviewed.  


12. Information commissioners and ombudsmen release survey on community attitudes on access to information.

Following the 2023 Cross-jurisdictional Information Action Survey, the Federal Information Commissioner, Information Commissioners from NSW, Victoria, Queensland, Western Australia, and Ombudsmen from Tasmania and the ACT have released findings on community attitudes on access to government information.  

Key findings include:  

  • 91% of those surveyed believed that the right to access government information is important;  
  • 56% to 72% of respondents (depending on jurisdiction) were aware that they had the right to access government information;  
  • 21% to 41% of respondents (depending on jurisdiction) had attempted to access information from government agencies;  
  • of those that had attempted to access information, most were successful (85% success rate at federal level, and 68% to 78% depending on state or territory); and
  • success rates seemed to vary on the type of information requested and the agency or entity subject to the request, with most success coming from information requests from the tertiary education sector, and the least success coming from State Ministers.  

These results provide valuable insights into civic attitudes and experiences regarding freedom of information that will inform the OAIC and other government agencies on the effectiveness of the access to information regime, with important implications for the rule of law and anti-corruption principles.  

13. Government response to the Privacy Act Review Report: Following the Attorney-General’s Department’s Privacy Act Review Report published in February 2023 (Report), the Australian Government has published its response to the Report (Response). The Response follows submissions from various stakeholders (including by Gadens) on the 116 proposals in the Report that look to overhaul the current Privacy Act 1988 (Cth).

Read our full article on the critical impacts that this Response discloses, including importantly on timelines: A step in the right direction – Australian Government Response to Privacy Act Reforms.

The Australian Government will undertake further targeted consultation with relevant stakeholder groups before draft legislation is presented to Parliament in 2024.


Authored by:
Caroline Ord, Partner
Daniel Maroske, Partner
Kate Mills, Partner
Kelly Griffiths, Partner
Matthew Bode, Partner
Michael Kenny, Partner
Sinead Lynch, Partner
Anna Fanelli, Senior Associate
Elizabeth Ziegler, Senior Associate
Philip O’Brien, Senior Associate
Rebecca Di Rago, Senior Associate
Zira Norman, Senior Associate
Nigel Mok, Associate
Patrick Simon, Associate
Declan Melia, Lawyer

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
