Financial Services Update | Australia
08 Sep 2020
Governance, risk management and consumer outcomes will be a common focus for APRA and ASIC over the next four years
On 31 August 2020, ASIC and APRA both released their Corporate Plans outlining their strategic priorities for the next four years (2020 to 2024). Both regulators have identified a common focus on governance, risk management and consumer outcomes. Specifically, ASIC and APRA will both focus on:
- governance and accountability frameworks. APRA and ASIC will be co-regulators of the Financial Accountability Regime (FAR). ASIC will also implement the product design and distribution regime;
- cyber resilience, given the increasing prevalence of cyber-attacks, data breaches and system outages; and
- improving consumer and member outcomes generally.
Governance
APRA and ASIC will co-regulate FAR, which is to be extended initially to all APRA-regulated institutions and then ultimately to all Australian financial services licence (AFSL) holders. FAR will seek to clarify the expectations of boards and senior managers in respect to governance, culture, remuneration and accountability.
APRA is ensuring that organisations yet to perform a self-assessment do so. For those organisations that have, APRA will assess whether they have taken reasonable actions to close issues/gaps and demonstrate the required improvement.
In addition to conducting targeted governance reviews of selected companies to assess shortcomings in culture, governance and accountability frameworks, ASIC will be focused on the consumer outcomes expected to result from the product design and distribution regime, the heart of which requires effective product governance processes across the lifecycle of regulated financial products.
Cyber risk management
ASIC and APRA are both concerned about the threat posed to the resilience and stability of the financial system due to the increased prevalence of cyber-attacks. Both regulators expect regulated entities to maintain effective risk management systems designed to mitigate the impact of cyber-risk on their systems and their customers.
APRA intends to ramp up its regulation and supervision with the establishment and enforcement of non-negotiable cyber practices and controls such as cyber-assessment and assurance and an effective incident response. APRA's "ultimate vision is a financial system that can stand firm against cyber-attacks".
ASIC is identifying and addressing potential technological failures that may have a systemic impact on the market. ASIC recently commenced proceedings against an AFSL holder alleging a breach of their s.912A obligations by virtue of deficiencies in their cybersecurity practices.
The focus by ASIC and APRA on cyber resilience is happening alongside the Australian Government's 2020 Cyber Security Strategy. The Department of Home Affairs last month released a Consultation Paper (Protecting Critical Infrastructure and Systems of National Significance) calling for submissions about enhancing the Commonwealth's powers to protect critical infrastructure (including banking and finance together with data in the cloud) against cyber security risks. Submissions are due by 16 September 2020. Legislation is expected later this year.
Consumer outcomes
ASIC is expecting improved consumer outcomes to be delivered as a result of implementing the Product Design and Distribution Obligations regime. ASIC expects AFSL holders to ensure that their products will meet the needs of consumers and provide value for money. As noted above, AFSL holders must develop and maintain effective product governance processes across the lifecycle of their products to achieve these consumer outcomes.
Consumers who are superannuation members will be a particular focus for ASIC (as the new conduct regulator for superannuation) and APRA. ASIC will concentrate on the provision of inappropriate products, disclosures, fees and trustees acting in the best interests of members. APRA's actions will include supervisory focus on trustee board capabilities and governance and improving transparency by publishing heatmaps and outcomes in investment performance, fees and insurance.
For further information, see APRA Corporate Plan 2020-24 and ASIC Corporate Plan 2020-24.
Authors: Corey McHattan, Partner; Philip Hardy, Partner; and Stephen Tudjman, Consultant.
The services provided by the Ashurst Risk Advisory practice do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.