Posted: 30 Mar. 2021 5 min. read

Regulators in focus: which way will the pendulum swing?

At the AFR Banking Summit we heard from Wayne Byres, John Lonsdale, Sarah Court and Sean Hughes – from APRA, the ACCC and ASIC respectively – who gave us an insight into each regulator’s focus for 2021. Their priorities remain consistent with their four-year plans released at the back end of 2020. However, of particular note were Wayne Byres’s words of warning that “plans don’t always go to plan,” and that at times it’s difficult to forecast what will happen in the future. The financial system is dependent on stability, and it is important that the industry has the skills and capability to respond effectively when unforeseen events inevitably emerge.


Winding back the clock to pre-pandemic days, the fallout from the Hayne Royal Commission saw a rise in enforcement actions from both ASIC and APRA, with headline-making lawsuits lodged against the biggest players in the Australian financial services industry on a frequent basis with a significant pipeline into the foreseeable future.

Fast forward to the post-pandemic world, it seems COVID-19 has renewed the regulatory priorities of maintaining financial system resilience, ensuring an ongoing flow of credit, and improving the licensing framework to shore up the success of new industry participants, whilst also highlighting the critical importance of operational resilience to address the ongoing threats of cyber security, pandemics, outsourcing and third party risk.

Whilst none of the Australian banks have suffered a significant cyber threat to date, it’s only a matter of time. It is also recognised that things sometimes fail (for instance the recent shutdown of Xinja Bank) and when they do, contingency plans need to be in place to minimise impacts to customers and the financial system.

Industry competition is also something that APRA and the ACCC seek to encourage by providing greater clarity for neobanks to enter the market. In addition, the ACCC continues to make significant progress with the roll-out of Open Banking and the Consumer Data Right to enable greater data sharing across the industry.

Shared focus areas guiding strategic priorities through to 2023

ASIC and APRA recognise the need to improve the way they ‘co-regulate’ overlapping and adjacent spaces. It seems both have heard the message clearly over recent years and there is strong alignment in a number of key areas, as exemplified by the graph below. This will provide opportunities to view risk holistically whilst also aiming to reduce the regulatory burden for the industry.

Interestingly, if the roll-back of the ASIC Responsible Lending Laws proceeds successfully through Parliament in the coming months, APRA do not anticipate any reduction in lending standards given the complementary nature of the APRA Lending Regulations. These changes are intended to make lending approvals and processes more efficient without adding additional credit risk. 

What does this mean for organisations regulated by ASIC and APRA?

Regulators are caught between two pressures: responding with tough enforcement action to the findings of the Hayne Royal Commission and to criticism of light touch regulation, and, in a post-COVID environment, as part of the government’s ‘Team Australia’, providing regulatory settings which support economic activity and recovery.

The strategic priorities leading up to 2023 primarily focus on the importance of organisations maintaining liquidity and operations, whilst acting in the best interest of consumers and members and keeping an eye on critical emerging risks such as cyber security. However, enforcement actions will still likely follow as part of the supervisory focus in these areas, particularly if actual consumer harm has occurred or is likely to. In particular, having spent years lobbying for increased enforcement powers, ASIC can be expected to flex its product intervention powers early to intervene in cases of emerging risk and harm. ASIC’s focus on improved data analytics capability will leverage the enhanced breach reporting obligations (due to commence in October 2021) to provide richer insights into emerging risk to inform earlier targeted surveillance and enforcement activity.

What 4 things should organisations do to prepare for upcoming regulatory focus?

As the global economy continues to recover at rapid speed from the COVID-19 period, organisations will be facing a period of remarkable change and should prepare for unanticipated events. They should lean into the challenge by having regard to the regulators’ priorities, and:

  1. Performing a current state analysis to identify and assess key compliance controls in operational and compliance risk management programs. This includes performing an assessment of cyber security controls and third party risk, regulatory engagement processes and existing compliance frameworks to identify gaps, potential failings or opportunities for improvement and develop a set of action plans.
  2. Reviewing governance frameworks including board governance and oversight, accountability, and incentive structures.
  3. Stress testing regulatory response frameworks and regulatory response strategies to ensure they are fit for purpose to respond to regulator inquiries or investigations. Consider the design and implementation of a coordinated regulator engagement strategy to respond to regulatory scrutiny with clarity and consistency and in a timely manner having particular regard to the probable expansion of ASIC’s planned ‘express investigation’ pilot.
  4. Improving data capture and analysis to better inform regulatory compliance and the timely identification of potential failings.

View our highlights of the strategic priorities from the corporate plans of APRA and ASIC.

More about our authors

John Weaver

Partner, Audit and Assurance

John is an experienced executive and qualified lawyer (Australia and UK) with in excess of 20 years' experience in professional conduct, risk and compliance including civil, criminal and regulatory surveillance, investigation and litigation focused on failures in business and business processes across a range of sectors including financial services, public listed companies and professional services.

Carolyn Morris

Partner, Audit & Assurance

Carolyn is a Regulatory Conduct partner with over 14 years in Financial Services at National Australia Bank including the Retail Bank, Wealth Management and Financial Advice. She has a proven track record in Customer Remediation, Regulatory Change Implementation, Business Transformation and Portfolio Management. She is commercially focused whilst still ensuring business solutions meet regulatory risk appetite. Carolyn is a strategic thinker with significant experience in creating teams and frameworks to address regulatory expectations and responses.