Speech by Chair Joseph Longo at the Law Council of Australia Business Law Section Corporations Workshop, 4 June 2022.
Check against delivery
Good morning everyone.
I would like to begin by acknowledging the Traditional Owners and Custodians of the lands on which we meet today, and to pay my respects to their Elders past, present and emerging. I extend that respect to Aboriginal and Torres Strait Islander people present today.
Thank you to the Law Council Business Law Section Corporations Committee for giving me the opportunity to speak to you today. I have been a regular participant in these annual Corporations workshops, and in my experience they are always enjoyable and stimulating.
In the time available to me today, I am going to share with you some reflections about key issues that have been on my mind in the time I have been Chair of ASIC, and give you a sense of the themes that ASIC is particularly focusing on in the next 12 months. I will then explore some of those themes in a bit more detail.
It is not overstating it to say that the financial ecosystem we are operating in, and that ASIC regulates, is transforming before our eyes. Legislators and regulators are grappling with how to apply regulatory strategies to information systems and digital asset technology that did not exist just a few years ago. Quantum leaps in innovation are revolutionising the landscape. All of this poses emerging challenges for ASIC’s role, as it navigates this new terrain in a way that protects the end users of the financial products and services.
First, however, I would like to commend the Corporations Committee for its continued commitment to actively participating in and influencing the reform of corporate and business law in Australia.
A very substantial part of the current law reform agenda across the Treasury portfolio concerns corporations and securities law; and the role you play in consultation, and in preparing submissions to Treasury, ASIC and the Australian Law Reform Commission (ALRC), has real impact in shaping that agenda.
If you as legal professionals aspire to better law and a more rational, fit-for-purpose and effective regime, I think you have a responsibility to engage with the reform process and to make your views known about the impact and implications of proposed law and policy; and I encourage you to take that responsibility seriously and to continue to participate in that process.
Key themes for ASIC
Turning now to some of the issues that have been on my mind in the time I have been Chair of ASIC, and the themes that ASIC is particularly focusing on in the next 12 months.
A fundamental theme, from the commencement of my term, is wanting ASIC to be ambitious and confident in discharging its regulatory and enforcement responsibilities, to serve and advance the public interest. There are several dimensions to this.
An area of increasing challenge for ASIC is its capacity to think and act strategically. This means understanding emerging trends and issues, investing in technology, and planning, prioritising, and allocating its resources thoughtfully and to maximum effect.
We must also continue to be a strong and targeted law enforcement agency, and an active litigator against misconduct. Enforcement is a fundamental part of ASIC’s work, and continues to be a touchstone of ASIC’s perceived success or failure as an effective regulator.
Against that background, in my first 12 months in the role I have been focused on several key themes. These include accountability and performance, regulatory efficiency, and optimal use of technology.
In particular, technology and innovation, how they interact with the law, and the opportunities and challenges they present for a regulator, are pressing topics.
Lawmakers and regulators worldwide are grappling with how to deal with issues posed by new technological ecosystems. I will return to those themes later.
But first I want to say a few words about accountability and performance. These have been at the forefront of my mind this year, not least because it has been – and remains – a year of reviews and scrutiny. There are a range of reviews under way, of the legal framework, the regulatory regime and ASIC’s performance.
The Financial Regulator Assessment Authority (FRAA) is well advanced in its first review of ASIC, with its report due out in July. It is assessing ASIC’s effectiveness and capability in strategic prioritisation, planning and decision-making, our surveillance and licensing functions, and our use of data and technology in each of these areas. We have had productive and collaborative engagement with FRAA members over the last few months.
In August last year the Australian Government announced a review of the industry funding model that applies to ASIC, to ensure it remains fit for purpose. It is sometimes not widely understood by practitioners that ASIC is industry funded, with the aim being that costs are borne by the entities that create the need for regulation. The regime commenced in 2017, so this is the fifth year of industry funding for ASIC. The review announced last year will need to look at whether the regime is delivering its intended benefits, how the current system is administered and in particular, address issues surrounding the temporary levies relief provided last year to personal financial advice licensees.
More broadly, in terms of reviews of the legal and regulatory landscape:
- the ALRC is engaged in the ambitious task of trying to simplify Australian corporations and financial services laws, to arrive at a more navigable and effective framework (and I note the Law Council submission to that review); and
- the Quality of Advice Review, commissioned earlier this year by the previous Government, is looking at how to better enable the provision of high quality, accessible and affordable financial advice to retail clients.
Each of those reviews will have an impact on ASIC’s work, and we are actively engaged in both.
In particular, I was pleased to recently join the Advisory Committee for the ALRC Review, to help provide regular feedback from ASIC as the ALRC continues its important work this year and next. I have also asked ASIC’s General Counsel, Chris Savundra, to establish a working group between ASIC and the ALRC to facilitate close discussion on key topics and share information and data to assist the Review.
We are also assisting the Quality of Advice Review, by providing Treasury with all research and submissions we received in response to Consultation Paper 332 in relation to Unmet Advice Needs, as well as the findings of our review of the impact of the reforms to remuneration of life insurance advisers. We will of course continue to provide any other input to assist Treasury and the reviewer where we can.
It remains to be seen whether the new Government will initiate any further reviews or inquiries.
Thus, ASIC will continue to be – as it should be – held accountable for its work. We will also continue to act independently. Independence is fundamental to the effective operation of regulators, and underpins the trust placed in them by the community.
And the reviews I have mentioned – particularly the work of the FRAA – will, I trust, provide valuable insights that will help ASIC further improve its regulatory performance and effectiveness.
Regulatory efficiency has also been on my mind, and is another key theme for ASIC this year. We have been talking to a wide range of our stakeholders, and are coordinating work across the organisation to promote better and more efficient regulation. This work is focused on how ASIC administers the law from a functional perspective. Its aim is to help remove unnecessary frictions, improve processes, and ultimately drive better compliance, as well as make it easier for business to get things done.
I want to turn now to a few issues that I will explore in a bit more detail.
The areas I will cover are:
- design and distribution of financial products;
- breach reporting;
- climate risk and sustainable finance;
- critical infrastructure and cyber security; and
- regulation of digital assets.
Design and distribution of financial products
One of ASIC’s strategic priorities is to reduce the harm caused to consumers by poor product design and distribution, especially by driving compliance with new legislative requirements.
As you know, the design and distribution obligations (DDO) that commenced in October 2021 require firms to develop products that meet the needs of consumers in their intended target market, and to direct distribution to that target market.
We want to see the long-term benefits of these obligations realised for consumers, and we have engaged with industry in helping firms implement them, including providing feedback about template target market determinations (TMDs).
Our early reviews of TMDs highlighted some disappointing approaches, including for example TMDs that read like marketing documents rather than meaningful guidelines for product distribution, and TMDs for historically poor value or harmful products that did not properly identify target markets or stipulate appropriate review triggers. Some lacked objective criteria for a consumer’s financial situation, and shifted the onus back onto consumers by focusing solely on preference or intended use of a product. Others omitted important product attributes that were likely to be relevant, such as high annual fees and interest.
In our communications to industry, we have emphasised a few key aspects of the obligation (as set out in Regulatory Guide 274), for example:
- the need to consider each element – the likely objectives, the financial situation, and the needs – of the consumers in the target market;
- using objective and tangible parameters to describe the class of consumers in the target market, rather than focusing solely on consumer preference or using as the target market those that had bought the product before; and
- unpacking the product and its attributes in a way that demonstrates that they align with the objectives, financial situation and needs of the target market;
and we have recently seen some improvements in approaches to TMDs.
Overall, we consider that industry has now had sufficient time to bed down its implementation of the regime. We are therefore expecting compliance with the obligations, and are pursuing targeted, risk-based surveillances – there is work under way and more is planned.
We will also move to enforce the obligations where necessary, and are developing an ASIC-wide enforcement strategy that identifies cases for litigation. We have several matters in the pipeline for potential enforcement action. We are looking at defective TMDs, as well as product issuers who have not made TMDs or not made them publicly available. We will use our full regulatory toolkit as appropriate, including court-based enforcement action as well as stop orders.
Breach reporting
I now want to make some observations about another set of reforms currently being implemented by industry and ASIC – the reforms to breach reporting obligations that also took effect late last year.
The new regime is broader, more ambitious, and more complex than the previous obligations. It addresses long held concerns about the quality and timeliness of breach reporting. Compliance breaches happen in all businesses, and reporting of those breaches is integral to Board oversight and risk management by licensees, as well as to ASIC’s system-wide regulatory oversight.
ASIC has received over 10,000 submissions through our regulatory portal since October 2021, and we expect the number of licensees reporting to increase over time. The intention of the regime is more comprehensive and more timely reporting; and it has real potential to provide greater transparency and ultimately a better understanding of the key problems in firms.
Some industry groups have raised concerns with Treasury about the legislative policy settings for the breach reporting regime. We are supporting Treasury in their consideration of those issues, but they are ultimately issues for Government.
ASIC’s focus is practical implementation, and working with industry to find and employ common sense solutions to issues that arise. We are aiming to be reasonable and consistent in our approach; and part of that will be learning from early experience. There are significant system and process changes required, by the large reporters and by ASIC, which take time.
In particular we have been working on our processes to effectively triage the reports we receive, so that we target our attention toward the most serious conduct.
I also want to make clear that if something fundamental goes wrong in a licensee’s business, we expect those who are accountable for that licensee’s compliance to pick up the phone and tell us.
There is of course considerable industry interest in our public reporting on the data collected.
The legislation requires ASIC to publish information on reports lodged with ASIC about self-reported significant breaches and likely significant breaches of core obligations. We must do this annually, within four months of the end of the financial year (s912DAD Corporations Act 2001 and s50D National Consumer Credit Protection Act 2009). Our inaugural public report will relate to breach reports lodged between 1 October 2021 and 30 June 2022, and must be published by 1 November this year.
We have a broad discretion as to what data we publish, and we will be speaking to stakeholders shortly about our approach for this year.
No one wants to be reported as having a disproportionate number of breaches. Thus, we are focusing on making sure our breach reporting data is reliable and consistent, so that it can – together with other data available from AFCA and the IDR process – form part of a richer and more transparent data set that will benefit regulators, industry, government, and consumers.
This is a large and long-term change project; and there is further work to be done, with Government and industry, to ensure the provisions are interpreted consistently. We are working closely with all stakeholders to achieve that aim.
Climate risk and sustainable finance
Another of ASIC’s priorities is proactive supervision and enforcement of governance and transparency standards in relation to sustainable finance.
Climate change is a systemic risk. Investors need listed companies to disclose meaningful and useful information, so that the physical and transitional risks of climate change can be priced and capital allocated efficiently.
We want to see continued improvement in climate change governance and disclosure practices; and in particular, that climate-related disclosures by listed companies comply with the law and are decision-useful for investors.
ASIC has been working for some time to influence international and domestic developments on sustainability reporting.
We are part of the Council of Financial Regulators’ Climate Working Group that coordinates action in relation to financial climate-related risks; and internationally, we belong to the IOSCO Task Force on Sustainable Finance. Last year it reviewed corporate sustainability disclosure guidance, and found that investor demand for transparent and comparable reporting on climate-related matters was often not met.
There is work being done to develop global baseline climate and sustainability disclosure standards, to meet that demand.
Last year the International Financial Reporting Standards Foundation established the International Sustainability Standards Board (ISSB), which is working on developing baseline standards – a significant step towards a harmonised international sustainability reporting framework.
ASIC supports this initiative, as consistent and comparable information is critical to fully informed decisions by investors.
The ISSB is currently consulting on standards for General Requirements for Disclosure of Sustainability-related Financial Information and Climate-related Disclosures. ASIC encourages Australian stakeholders to participate in the ISSB consultation process.
Several jurisdictions have taken steps to mandate climate-related disclosure. For example:
- in the UK, since April this year large UK-registered companies and financial institutions are required by law to disclose climate-related financial information, in line with the recommendations of the G20 Financial Stability Board’s Task Force on Climate-Related Financial Disclosures (TCFD);
- in New Zealand the Government recently passed legislation that will require around 200 entities to produce climate-related disclosures by around 2023; and
- most recently, the US SEC has proposed amendments to rules and disclosure forms to require additional disclosure in relation to environmental, social, and governance (ESG) strategies in fund prospectuses, annual reports, and adviser brochures: for example, how funds are progressing towards their ESG goals, and the total greenhouse gas emissions of the companies they invest in. The SEC is also expanding its ‘name rule’ to make a clearer distinction between funds that focus on ESG factors and funds that only have ESG considerations, and introducing a tabular approach to help investors compare funds’ disclosure.
ASIC has encouraged companies to provide meaningful and useful voluntary disclosures about climate impacts, in line with the TCFD. This will place companies in a good stead to comply with any standards that are mandated in future. In other words, any material risk – climate related or otherwise – should be disclosed.
We are also focused on preventing harms from ‘greenwashing’, or misleading claims about the extent to which products are environmentally friendly, sustainable, or ethical.
More and more companies are making representations about their ESG credentials. ‘Net zero’ commitments by ASX 200 companies tripled in the 12 months to August last year, according to an Australian Council of Superannuation Investors report. This accords with ASIC’s own analysis in this area; and that number is likely far higher now.
As ESG and sustainable products continue to grow in prominence, we want to lift standards by helping industry understand and comply with their responsibilities, and influencing product issuers to actively think about their green credentials. We also encourage investors to ask questions about sustainability claims.
ASIC’s Regulatory Guide 168 provides issuers with guidance on how to label funds appropriately; and in 2020 we conducted a targeted review looking at whether funds were ‘true to label’. We plan to shortly publish an Information Sheet to set a baseline for ASIC’s expectations and help issuers avoid misleading or deceptive greenwashing practices (See ASIC 22-141MR). We will be looking for funds and products that make misleading claims related to sustainability. Where we find wrongdoing, we will not hesitate to use our range of regulatory tools, including enforcement action.
Critical infrastructure and cyber security
I now want to turn to critical infrastructure, including payment systems and trading systems, ASIC’s role in their oversight, and some recent developments in this area.
Firstly, turning to payment system reforms. ASIC has been engaging with Treasury and other regulators on how to implement the range of recommendations for payment system reforms agreed to by the previous Government following the Review of the Australian Payments System (Farrell Report) and the Parliamentary Joint Committee Corporations and Financial Services Report: Mobile Payment and Digital Wallet Financial Services.
The Farrell Report referred to the challenges raised by the development of new currencies and ways to pay, including cryptocurrencies, stablecoins and digital wallets.
The potential regulation of payment functions is of course ultimately a matter for the Government. ASIC’s perspective is that it is important to consider the consumer protection implications, as well as the financial system risks involved in various payment functions, when determining the appropriate level of regulation for each.
I will make some observations now about ASIC’s oversight of a key part of Australia’s infrastructure, namely the trading and clearing and settlement facility services provided by ASX, which are fundamental to the effective functioning of the Australian financial system.
In 2016, the Government endorsed Competition in Clearing and Settlement reforms that would allow ASIC and the Australian Competition and Consumer Commission (ACCC) to impose requirements on ASX’s cash equity clearing and settlement facilities, including rule-making powers for ASIC in respect of these facilities, and an arbitration power for the ACCC, for recourse in disputes about the terms of access to these services.
These reforms will shape ASX’s conduct as the sole provider of cash equity clearing and settlement services in Australia, including its replacement of the Clearing House Electronic Sub-register System (CHESS).
The Government also endorsed a Financial Market Infrastructure (FMI) regulatory reforms package, in June 2021. That package includes reforms to ensure financial regulators have sufficient powers to intervene to manage a crisis, and pre-emptively identify and manage risks. It will introduce a crisis management regime that will allow the Reserve Bank of Australia (RBA) to manage a failure at a domestic clearing and settlement facility, and will enhance the supervisory and licensing powers of ASIC and the RBA in respect of FMIs.
ASIC supports both these important reform packages. It is important to say that in a crisis we would work closely with the resolution authority (the RBA) as we do already on clearing and settlement facility issues.
Against that background, ASIC and the other members of the Council of Financial Regulators (CFR) – the Australian Prudential Regulation Authority (APRA), RBA and Treasury – are closely monitoring ASX’s conduct in relation to its CHESS replacement program, in accordance with the CFR’s Regulatory Expectations for Conduct in Operating Cash Equities Clearing and Settlement.
These regulatory expectations govern ASX’s pricing, access, and governance arrangements, to ensure ASX remains responsive to the evolving needs of users, and provides access on a transparent and non-discriminatory basis, with terms and conditions that are fair and reasonable.
ASIC and the RBA meet frequently with ASX, to reinforce our expectations that it replaces CHESS in a safe and timely manner.
You will be aware that ASX recently announced the CHESS replacement program has been delayed. We have said publicly that we expect ASX to conduct a robust analysis of the impact of the delays on the program timeline, engage with industry on any changes, and notify the revised go-live date as soon as practicable.
ASIC has also imposed additional licence conditions on ASX Clear and ASX Settlement, as an outcome of our investigation into the recent ASX trade outage. The licence conditions are directed at mitigating risks for future upgrades, with specific emphasis on the oversight of the CHESS replacement program. Longer term, the objective is for ASX to self-identify issues early and address them swiftly.
I note that infrastructure systems of national significance will soon be subject to new and additional risk management and cyber security obligations. On 31 March 2022, the Australian Parliament passed legislation to enhance the security of Australia’s critical infrastructure (the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022). That legislation places additional security obligations on entities that own or operate critical infrastructure assets in Australia, that is, ‘systems of national significance’.
These assets can include a system, network, facility, computer, computer device, computer program, computer data, premises and 'any other thing'. The Minister may prescribe an asset as a critical infrastructure asset if certain thresholds are met, including that it relates to a critical infrastructure sector (but must consult with the responsible entity for that asset before an asset is declared). Systems of national significance, once declared, will be subject to new risk management and cyber security obligations.
Cyber security
Cyber security is a critical issue for all participants in the financial system, and especially so given the increasingly connected and digital nature of business, which makes companies, consumers, and investors ever more vulnerable to cyber threats.
ASIC is focused on driving good cyber risk and operational resilience practices. We expect our regulated population to actively manage cyber risk as a key part of their legal and compliance obligations.
That means making sure that the measures they have in place to detect, mitigate, and respond to cyber risk adequately address that risk based on the size and complexity of their business and the sensitivity of the information they hold.
In May 2022, the Federal Court made it clear that inadequate cyber security is a breach of the law. In civil proceedings in ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Court found that the company had breached its obligations as an AFS licensee to act efficiently and fairly, by failing to have adequate systems to manage its cyber security risks. The case followed multiple cyber incidents at authorised representatives of RI Advice, including one extended incident that resulted in the personal information of several thousand clients being compromised.
Her Honour Justice Rofe stated that ‘Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person’ and that ‘Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area.’
This decision makes clear that licensees must ensure they have adequate technological systems, policies, and procedures in place to protect sensitive client information from cyber attacks.
ASIC does not seek to prescribe technical standards or to provide expert guidance on cyber security. But where we consider that a firm has not met its cyber risk management obligations, we will consider enforcement action to drive changes in behaviour.
Regulation of digital assets
Another dimension of ASIC’s focus on technology is the regulation of digital assets, and acting to address digitally enabled misconduct.
An interesting perspective on these challenges is the ‘policy trilemma’ articulated in the article ‘Fintech and the Innovation Trilemma’ by Chris Brummer and Yesha Yadav, recently brought to my attention by Professor Pamela Hanrahan.[1] The authors suggest that ‘the supervision of financial innovation is invariably bound by what can be described as a policy trilemma’.
Specifically, that ‘when seeking to provide clear rules, maintain market integrity, and encourage financial innovation, regulators have long been able to achieve, at best, only two out of these three goals’.
That is, ‘if regulators prioritise market safety and clear rulemaking, they do so through broad prohibitions, invariably inhibiting financial innovation. Alternatively, if regulators wish to encourage innovation and provide rules clarity, they must do so in ways that ultimately result in simple, low-intensity regulatory frameworks, increasing risks to market integrity and consumers. Finally, if regulators look to enable innovation and promote market integrity, they must do so through a complex matrix of rules and exemptions, raising compliance costs and disproportionately impacting smaller firms and upstarts’.
There is a separate session at this workshop tomorrow about crypto assets and decentralised autonomous organisations (DAOs), and how the challenges they present can be addressed through regulation – but I cannot resist making some observations on that topic today.
As I mentioned earlier, the financial ecosystem is transforming rapidly and in new directions. Emerging technologies and products, including the expansion of crypto assets and the increasing use of artificial intelligence in the financial services sector, present entirely new terrain to be navigated by legislators and regulators.
As crypto assets become increasingly mainstream, government and regulators will need to race to catch up. Notwithstanding the publicity surrounding recent market volatility and collapses, many consumers do not understand the risks in these products, or that they are not regulated.
Following the previous Government’s in principle agreement to recommendations in the final report of the Senate Select Committee on Australia as a Technology and Financial Centre, Treasury is consulting on proposals that some services relating to crypto assets be subject to new regulation. ASIC’s focus has been consumer protection, consistent with the position we took in our submission to the Committee.
Perhaps even more fascinating to us as lawyers are the emerging new models of corporate governance, such as DAOs.
Governed by artificial intelligence in the form of smart contracts to record transactions between their members and third parties, they involve internet communities rather than boards of directors, and the rules of engagement are encoded in computer programs.
This raises a range of challenging issues around governance, decision making and accountability. How does one determine the intent, or the directing mind and will, of a DAO? Is it possible to effectively regulate a DAO?
There is much food for thought for regulators in these issues, and in the ‘policy trilemma’ referred to earlier, that has been said to govern the supervision of financial innovation. But I prefer to look at it as a balancing act – between rule clarity and simplicity, market integrity, and financial innovation.
I do not underestimate the challenges for regulators in performing that balancing act – especially on a high wire above a rapidly transforming technological and financial landscape – but I think ASIC understands those challenges and will continue to rise to them.
[1] Chris Brummer & Yesha Yadav, ‘Fintech and the Innovation Trilemma’, Georgetown Law Journal, vol. 107, 235. Thank you to Prof. Pamela Hanrahan for circulating this article.