On 31 August 2020, ASIC and APRA both released their Corporate Plans outlining their strategic priorities for the next four years (2020 to 2024). Both regulators have identified a common focus on governance, risk management and consumer outcomes. Specifically, ASIC and APRA will focus both on:
- governance and accountability frameworks. APRA and ASIC will be co-regulators of the Financial Accountability Regime (FAR). ASIC will also implement the product design and distribution regime;
- cyber resilience, given the increasing prevalence of cyber-attacks, data breaches and system outages; and
- improving consumer and member outcomes generally.
Governance
APRA and ASIC will co-regulate FAR, which is to be extended initially to all APRA-regulated institutions and then ultimately to all Australian financial services licence (AFSL) holders. FAR will seek to clarify the expectations of boards and senior managers in respect to governance, culture, remuneration and accountability.
APRA is ensuring organisations yet to perform a self-assessment, do it. For those organisations who have, APRA will assess whether they have taken reasonable actions to close issues/gaps and demonstrate required improvement.
In addition to conducting targeted governance review on selected companies to assess shortcomings in culture, governance and accountability frameworks, ASIC will be focused on consumer outcomes expected to result from the product design and distribution regime, the heart of which requires effective product governance processes across the lifecycle of regulated financial products.
Cyber Risk management
ASIC and APRA are both concerned about the threat posed to the resilience and stability of the financial system due to the increased prevalence of cyber-attacks. Both regulators expect regulated entities to maintain effective risk management systems designed to mitigate the impact of cyber-risk on their systems and their customers.
APRA intends to ramp up its regulation and supervision with the establishment and enforcement of non-negotiable cyber practices and controls such as cyber-assessment and assurance and an effective incident response. APRA's "ultimate vision is a financial system that can stand firm against cyber-attacks”.
ASIC is identifying and addressing potential technological failures that may have a systemic impact on the market. ASIC recently commenced proceedings against an AFSL holder alleging a breach of their s.912A obligations by virtue of deficiencies in their cybersecurity practices.
The focus by ASIC and APRA on cyber resilience is happening alongside the Australian Government's 2020 Cyber Security Strategy. The Department of Home Affairs last month released a Consultation Paper (Protecting Critical Infrastructure and Systems of National Significance) calling for submissions about enhancing the Commonwealth's powers to protect critical infrastructure (including banking and finance together with data in the cloud) against cyber security risks. Submissions are due by 16 September 2020. Legislation is expected later this year.
Consumer outcomes
ASIC is expecting improved consumer outcomes to be delivered as a result of implementing the Product Design and Distribution Obligations regime. ASIC expects AFSL holders to ensure that their products will meet the needs of consumers and provide value for money. As noted above, AFSL holders must develop and maintain effective product governance processes across the lifecycle of their products to achieve these consumer outcomes.
Consumers who are superannuation members will be a particular focus for ASIC (as the new conduct regulator for superannuation) and APRA. ASIC will concentrate on the provision of inappropriate products, disclosures, fees and trustees acting in the best interests of members. APRA's actions will include supervisory focus on trustee board capabilities and governance and improving transparency by publishing heatmaps and outcomes in investment performance, fees and insurance.
For further information, see APRA Corporate Plan 2020-24 and ASIC Corporate Plan 2020-24.
Authors: Corey McHattan, Partner; Philip Hardy, Partner; and Stephen Tudjman, Consultant.
The services provided by the Ashurst Risk Advisory practice do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
