Posted: 07 Dec. 2021 5 min. read

Regulators in focus: which way will the pendulum swing - 6 months on...

Earlier this year we published a blog entitled “Regulators in Focus: which way will the pendulum swing?”. The blog covered the coming year’s focus for each of the three main Australian conduct regulators, ASIC, APRA and the ACCC, as expressed at the AFR Banking Summit 2021, and took a deeper dive into ASIC and APRA’s respective corporate plans for 2020-2024.

A lot has happened since then, particularly at ASIC. A new Chair and Deputy Chair, Joe Longo and Sarah Court respectively, have been appointed, and a raft of regulatory change driven by the recommendations of the Financial Services Royal Commission landed in October - much of which requires significant effort to capture and report new information.

With change at the most senior levels there is inevitably a new mandate and, after a settling-in period, ASIC’s new commission members are becoming increasingly prominent as they publicly set out their own vision and strategic objectives for the regulator. Importantly, and most recently, this has resulted in ASIC publishing its Corporate Plan for 2021-2025.

So, what is the new or, perhaps more correctly, the renewed focus of ASIC, and what is the Commission saying publicly that should be considered for the year ahead?

For the most part the underlying priorities remain very similar to those announced in the last strategic plan, though the tone is evolving. Among other matters:

  • Smarter regulation
  • Strong and targeted law enforcement
  • Data and cyber resilience

ASIC’s evolution to be a digitally and data led organisation is apparent through a number of different lenses. Firstly, it is an area of primary focus in the strategic plan; secondly, for at least the past couple of years job advertisements demonstrate that ASIC has been recruiting widely for new staff with systems and software skills; and thirdly, ASIC has been engaging third parties to support a digital transformation, as evidenced by the publicly available public service procurement portals. In the event, it is clear that ASIC is serious about and committed to evolving the way it regulates, building the tools and architecture to be ‘smarter’ and more focused.

In part this is in response to ASIC’s own challenges with its legacy systems, but also to ensure it maximises insights from information provided as a consequence of the Financial Services Royal Commission-directed law reform. For example, the new complaints regime, breach reporting, anti-hawking, and design and distribution obligations each require the regulated population to monitor, collect, assess and report data and information to ASIC in prescribed circumstances. Some of the additional reporting obligations are less onerous, but the breach reporting changes alone are forecast to see the number of incidents reported to ASIC multiply by between 10 and 20 times the previous average. ASIC’s ability (and ambition) to identify emerging risks and harms across licensees or products (think the broad insurance industry pricing review), while continuing to actively manage the most significant risks, will be determined by the success of its digital transformation, which in turn will be a key measure of success by external stakeholders including government.

Just as ASIC is imposing this transformation on itself, it is renewing its expectation on the regulated population to do the same. As an example, licensees are required by the Corporations Act to have in place adequate systems (relative to the nature, scale and complexity of their businesses) to appropriately discharge monitoring and reporting obligations. For larger licensees this is likely to mean that limitations in their own data gathering and analysis will need to be overcome to improve the ability to provide timely responses to ASIC requests for data and information. A failure to do so will likely be seen as obstructive and/or a signal that licensee systems are deficient to meet obligations. Perhaps of equal importance, in these circumstances, is the risk that ASIC will be identifying and raising issues based on the licensee’s disclosures, the significance of which has been overlooked.

The concept of ‘smarter regulation’ is not new. ASIC has limited resources and therefore has to deploy those resources where they will have the greatest impact. Professor Malcolm Sparrow, Chair of Harvard’s John F Kennedy School of Government’s executive program “Strategic Management of Regulatory and Enforcement Agencies”, often summarises the role of conduct regulators as identifying big problems, fixing them, and telling people about it. Increasingly, in ASIC’s context this goes beyond enforcement outcomes (which are slow and expensive) and includes solving for the identified inefficiencies in the financial system within the confines of the Corporations Act (noting that ASIC can only apply the law and not change it). The state of the Financial Advice industry in Australia is a good example. Since the new Chairman commenced at ASIC, the narrative around the regulator’s support for simplification of the advice process to reduce the cost of advice and increase access to advice has been notable (though I would note that substantive change, in the advice space at least, will probably have to await the outcome of the Treasury financial advice review in 2022). In the spirit of COVID-19 induced ‘Team Australia’, it seems likely that ASIC’s collaborative approach to solving for bottlenecks or uncertainties in regulation will increase across a range of issues, including by consulting more frequently with Treasury in relation to opportunities to reduce or remove red tape.

There are also, however, some potentially important differences between the plans - particularly in relation to enforcement, which has seemingly moved on from the ‘why not litigate’ posture and the aversion in recent years to using all the enforcement tools in the box, including Enforceable Undertakings and Infringement Notices. The changed messaging around enforcement will be welcomed by the regulated population and in our view represents the inevitable shift to a more centrist regulatory approach, accelerated by the COVID-19 pandemic and the push to support business and the economy and relieve the cost of regulatory burden.

Referrals to enforcement, enforcement action and the imposition of significant penalties (including criminal sanctions in appropriate cases) remain an important tool for any regulator. The identification of appropriate cases is, however, key, and one can expect ASIC to be reconsidering the criteria it will apply, or at least the way in which it applies its criteria, to commence proceedings. ASIC’s Chairman has given some indication of where he considers energy should be committed, and the new strategic plan is also informative. For example, Mr Longo has previously commented that he regards commercial misconduct as having been “over-criminalised”. By that it appears he means that there are in his view too many sections which impose potential criminal sanctions for corporate misconduct and which are not focused on genuinely egregious conduct causing market or consumer harm. Secondly, the 2021-25 strategic plan makes multiple use of the term egregious (and certainly more than the previous plan) in the context of the conduct ASIC will commit most enforcement resources towards. In the event, perhaps the door has been re-opened to negotiated outcomes where an otherwise responsible licensee has identified and self-reported a breach and acted in a timely way to remediate both the breach and any impacted customers. If this is the path ASIC takes, it reinforces the importance of licensees being able to demonstrate:

  • That they have acted (even when in error) honestly, efficiently and fairly.
  • That they have set up systems which are appropriate, having regard to their nature, scale and complexity, to achieve compliance and deliver fair customer outcomes.
  • That when there is a breakdown, their controls have supported early detection.

The key takeaways for licensees then:

  1. Get data and key risk indicator fit – be at least as good as ASIC at identifying emerging risks and themes across people and product.
  2. Be a demonstrably responsible licensee. Use your data to understand and proactively identify, remediate, and report issues to the Regulator. If you do, you are likely to be a lower priority for formal enforcement action.

More about the authors

John Weaver

Partner, Audit and Assurance

John is an experienced executive and qualified lawyer (Australia and UK) with in excess of 20 years' experience in professional conduct, risk and compliance including civil, criminal and regulatory surveillance, investigation and litigation focused on failures in business and business processes across a range of sectors including financial services, public listed companies and professional services.

Carolyn Morris

Partner, Audit & Assurance

Carolyn is a Regulatory Conduct partner with over 14 years in Financial Services at National Australia Bank including the Retail Bank, Wealth Management and Financial Advice. She has a proven track record in Customer Remediation, Regulatory Change Implementation, Business Transformation and Portfolio Management. She is commercially focused whilst still ensuring business solutions meet regulatory risk appetite. Carolyn is a strategic thinker with significant experience in creating teams and frameworks to address regulatory expectations and responses.