Market Integrity Update - Issue 119 - September 2020
Following a recent campaign of distributed denial-of-service (DDoS) and ransomware attacks targeting the Australian banking and financial services sector, Australian financial services (AFS) licensees are reminded to be alert to the risk of cyber breach incidents.
The Australian Cyber Security Centre (ACSC) has provided guidance on proactive strategies to ensure your organisation’s resilience against such attacks. The ACSC has also advised that organisations consider the following advice to prepare for the types of DDoS attacks used in this extortion campaign:
- Perform upstream filtering of all User Datagram Protocol (UDP) traffic, except traffic with a destination IP address and port that corresponds to a legitimate UDP service.
- Implement upstream filtering by source port. For example, filter out network traffic from source port 1900/UDP.
- Adequately provision services so that they can process the maximum packets per second delivery of the underlying network link.
- If possible, implement a high-availability network architecture with link segregation and scalable services. Preparation in advance is important in order to achieve effective outcomes.
Organisations experiencing a DDoS attack should consider the following:
- Discuss with service providers their ability to immediately implement any responsive actions.
- Temporarily transfer online services to a major cloud service provider and, where possible, multiple major cloud service providers to obtain redundancy with high bandwidth and content delivery networks that cache non-dynamic websites.
- If using a content delivery network, avoid disclosing the IP address of the origin web server, and use a firewall to ensure that only the content delivery network can access this web server.
- Use a denial-of-service attack mitigation service for the duration of the denial-of-service attacks.
- Deliberately disable functionality or remove content from online services that enable the current denial-of-service attack to be effective (e.g. implement a pre-prepared low-resource version of the website, remove search functionality, or remove dynamic content or very large files).
- Depending on business requirements, consider implementing geo-fencing to restrict incoming traffic to regions where your organisation normally operates.
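The upstream UDP filtering and origin-server protection recommended above can be expressed as a single packet-filtering policy. The following is an added example written for this update, not ACSC or ASIC material: it encodes the three rules (drop a reflection source port such as 1900/UDP, allow UDP only to known legitimate services, and allow only the content delivery network to reach the origin web server), evaluates a few constructed sample packets against the policy, and renders the same policy as an nftables ruleset. All addresses are from documentation ranges and are assumptions: the only legitimate UDP service is DNS on 203.0.113.10:53, the origin web server is 203.0.113.20, and the CDN fetches content from 198.51.100.0/24.

```python
"""
Added example (not from the ACSC or ASIC text): an ACSC-style DDoS filtering
policy evaluated against constructed packets, plus an nftables rendering.
Assumed (hypothetical) values: DNS on 203.0.113.10:53 is the only legitimate
UDP service, 203.0.113.20 is the origin web server, and the CDN connects
from 198.51.100.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Legitimate UDP services: (destination IP, destination port) pairs that may receive UDP.
ALLOWED_UDP_SERVICES = {("203.0.113.10", 53)}
# UDP source ports to drop outright (1900/UDP is SSDP, a common reflection source).
BLOCKED_UDP_SRC_PORTS = {1900}
# Origin web server and the CDN address ranges permitted to reach it.
ORIGIN_SERVER = "203.0.113.20"
ORIGIN_PORTS = {80, 443}
CDN_RANGES = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def decide(pkt: Packet) -> str:
    """Return 'accept' or 'drop' for an inbound packet under the policy.

    This is a stateless model of new inbound traffic; the nftables rendering
    below additionally accepts established/related connections first.
    """
    if pkt.proto == "udp":
        # Rule 2: filter by source port (e.g. 1900/UDP).
        if pkt.sport in BLOCKED_UDP_SRC_PORTS:
            return "drop"
        # Rule 1: allow UDP only to destination IP/port pairs that are real services.
        return "accept" if (pkt.dst, pkt.dport) in ALLOWED_UDP_SERVICES else "drop"
    if pkt.proto == "tcp" and pkt.dst == ORIGIN_SERVER and pkt.dport in ORIGIN_PORTS:
        # Rule 3: only the CDN may connect to the origin web server.
        src = ip_address(pkt.src)
        return "accept" if any(src in net for net in CDN_RANGES) else "drop"
    return "accept"  # other traffic is outside this example's scope


def nftables_ruleset() -> str:
    """Render the same policy as an nftables 'inet filter' input chain."""
    ports = ", ".join(str(p) for p in sorted(ORIGIN_PORTS))
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",  # replies to our own queries
    ]
    for p in sorted(BLOCKED_UDP_SRC_PORTS):
        lines.append(f"    udp sport {p} drop")
    for ip, port in sorted(ALLOWED_UDP_SERVICES):
        lines.append(f"    ip daddr {ip} udp dport {port} accept")
    lines.append("    meta l4proto udp drop")  # all other new inbound UDP
    for net in CDN_RANGES:
        lines.append(f"    ip saddr {net} ip daddr {ORIGIN_SERVER} tcp dport {{ {ports} }} accept")
    lines.append(f"    ip daddr {ORIGIN_SERVER} tcp dport {{ {ports} }} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample packets (not captured traffic).
SAMPLES = [
    Packet("udp", "198.51.100.7", 1900, "203.0.113.10", 53),   # SSDP source port: drop
    Packet("udp", "192.0.2.5", 40000, "203.0.113.10", 53),     # DNS query: accept
    Packet("udp", "192.0.2.5", 40000, "203.0.113.10", 123),    # no NTP service here: drop
    Packet("tcp", "198.51.100.9", 51000, "203.0.113.20", 443), # CDN edge to origin: accept
    Packet("tcp", "192.0.2.99", 51000, "203.0.113.20", 443),   # direct to origin: drop
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {decide(p)}")
    print(nftables_ruleset())
```

The rendered ruleset is meant to be reviewed and adapted, not applied as-is: the UDP drop belongs as far upstream as the provider allows (a host firewall still receives the packets), the origin-server rules must list every CDN range the provider publishes, and the `ct state` rule keeps the host's own DNS and NTP replies working despite the blanket UDP drop.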
AFS licensees facing challenges affecting their ability to provide financial services (in accordance with their authorisations) should contact their Intermediary Supervisor.
Visit our website for more information on cyber resilience good practices, how to report a cyber attack and our latest cyber resilience assessment of financial markets firms.
We’ve commenced proceedings against RI Advice Group Pty Ltd (RI), an Australian financial services (AFS) licensee, for allegedly failing to have adequate cybersecurity systems.
Our action follows several cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier) from December 2017 to May 2018.
We allege that Frontier was subject to a ‘brute force’ attack where a malicious user successfully gained remote access and spent more than 155 hours logged into Frontier’s server. The server contained sensitive client information, including identification documents.
We also allege that RI failed to have (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage cybersecurity and cyber resilience. We're seeking:
- declarations that RI contravened provisions of the Corporations Act 2001, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A)
- orders that RI pay a civil penalty in an appropriate amount to be determined by the court
- compliance orders that RI implements systems that are reasonably appropriate to adequately manage cybersecurity and cyber resilience risk and provide a report from a suitably qualified independent expert confirming implementation.
- Read the media release
In a letter addressed to all market intermediaries, we’ve summarised our supervisory work on conduct and culture and highlighted a number of better and poorer practices.
We undertook supervisory reviews of five market intermediaries with a significant presence in securities markets. We assessed the extent to which their approach to managing conduct risk was professional and robust by looking at how they:
- proactively identified conduct risk
- encouraged accountability for conduct across all areas of the firm
- supported staff to improve conduct
- oversaw conduct risk.
Like all non-financial risks, conduct risk should be actively identified and monitored by senior management. Boards also need to exercise active stewardship in their oversight of conduct risk. Where oversight and management of conduct risk is not well managed, it can lead to significant reputational and financial consequences for the intermediary.
Other themes we continue to focus on include compliance frameworks, breach reporting, corporate governance, monitoring and surveillance, and client money.
- Read the letter
Ananda Kathiravelu has pleaded guilty to a charge of conspiracy to commit an offence of market manipulation.
We alleged that between 12 May and 17 May 2016, Mr Kathiravelu conspired with another to take part in, or carry out, whether directly or indirectly, transactions that had or were likely to have the effect of creating or maintaining an artificial price for Radar Iron Limited (Radar) shares traded on the Australian Securities Exchange (ASX).
The offence carries a maximum penalty of 10 years’ imprisonment or a fine of up to 4,500 penalty units ($810,000), or both.
A sentencing hearing date has yet to be set.
- Read the media release
With the increase in capital raising activity throughout the COVID-19 pandemic, we remind Australian financial services (AFS) licensees of the importance of complying with their regulatory obligations and incorporating our better practices for capital raisings.
We remind licensees that the regulatory guidance and better practices below apply to both primary and secondary capital raising transactions. We’ll continue to monitor selected capital raising transactions to test compliance with financial services laws.
Debt capital market transactions
We’ve released Report 668 Allocations in debt capital market transactions (REP 668) setting out the findings of our thematic surveillance of allocations in debt capital raisings in the Australian market (including by public issuance and private placement). It focuses on the conduct of AFS licensees and the factors considered in making allocation recommendations to issuers.
AFS licensees should review REP 668 and consider whether their processes and controls for allocations in debt raising transactions – including policies, procedures and monitoring – are appropriate and sufficiently robust to meet legal and regulatory requirements.
- Read the media release
Equity capital market transactions
Report 605 Allocations in equity raising transactions includes areas of focus and greater care for AFS licensees, along with better practices for the conduct of equity raising transactions. This includes ensuring that the processes and controls – including policies, procedures and monitoring – are appropriate and sufficiently robust to meet legal and regulatory requirements.
Care should be taken in any messages provided to investors and issuers, and in the management of conflicts of interest in allocations to connected persons.
Good conduct in capital raisings promotes market integrity, improves market efficiency and increases investor confidence.
Our review of how AFS licensees are implementing the guidance in Regulatory Guide 264 Sell-side research (RG 264) has highlighted areas for improvement.
RG 264 provides guidance to AFS licensees that provide sell-side research for capital raising transactions on how to manage conflicts of interest and handle inside information.
To better meet regulatory obligations and reduce conflicts between investment banking activities and research function independence, AFS licensees should:
- ensure all documents that meet the definition of research report (e.g. desk notes, investor education reports and periodic research reports) are prepared and published in accordance with RG 264
- appropriately monitor and review material changes to price targets in research reports before their release
- ensure decisions about research coverage are made by the research team of the AFS licensee and are not subject to input or influence by other parts of the licensee
- undertake regular reviews of communications between research analysts and other parts of the licensee and issuing companies. This particularly applies where research reports have been published, there have been changes in research recommendations or price targets for a company, or where the AFS licensee is pitching for or has recently been engaged on a capital raising.
- Read RG 264
We’ve banned former National Representative of BitConnect, John Bigatton, from providing financial services for seven years.
Between August 2017 and January 2018, Mr Bigatton was the Australian National Representative of an online cryptocurrency platform known as BitConnect and a cryptocurrency investment scheme known as the BitConnect Lending Platform.
We found that, in connection with his promotion of BitConnect and the BitConnect Lending Platform, Mr Bigatton provided unlicensed financial product advice and engaged in conduct that was misleading or deceptive or was likely to mislead or deceive.
We also found that Mr Bigatton:
- is not a fit and proper person to provide financial services
- is not adequately trained, or competent, to provide financial services
- is likely to contravene financial services laws.
Mr Bigatton has the right to appeal to the Administrative Appeals Tribunal for a review of ASIC’s decision.
- Read the media release
As part of our increased focus on fixed income, currency and commodity (FICC) markets, we remind market intermediaries that we expect them to inform us of any unusual or suspicious trading activity observed in wholesale markets.
We’ve updated our report suspicious activity webpage to include a section on wholesale markets. We rely on the information received from these reports to identify market misconduct and ensure the integrity and fairness of our markets.
Any information we receive is considered with Regulatory Guide 103 Confidentiality and release of information.
As part of our continuing focus on the retail over-the-counter (OTC) derivatives sector, we’ve made enquiries and raised concerns with a number of licensees and representatives to test that only entities authorised to provide services in retail OTC derivatives are doing so.
Some of the concerns we’ve raised include:
- authorised representatives and/or introducing brokers of the licensee claiming to be the issuer of the product
- related entities of the licensee promoting their services in overseas jurisdictions under the banner of ASIC regulation
- licensees acting outside the scope of their authorisations.
As a result of these discussions, we’ve seen several rectification actions, including:
- corrective disclosure on websites and in product documentation
- termination of agreements with authorised representatives and introducing brokers
- cessation of unlicensed services.
Our ongoing work in this area is in line with our longer-term focus of reducing poor product design and restricting misselling, as outlined in our Corporate Plan 2020–24.
We encourage all licensed retail OTC derivative issuers with authorised representatives and Australian introducing brokers to review and continually monitor their arrangements, to ensure clients are clear on which entity they’re dealing with.
We also encourage you to report any unlicensed, or otherwise concerning, conduct in the retail OTC derivatives sector to email@example.com.
We’ve initiated a project to review and update the ASIC Derivative Transaction Rules (Reporting) 2013 (the Rules) to bring them into line with international requirements.
We’ve updated the derivative transaction reporting upcoming rules and exemptions changes webpage to include our Rules changes project plan, and will provide further updates as they become available.
The project plan provides an introductory overview, including:
- an indicative timeline, from November 2020 to September 2022
- our focus on implementing international standards for unique transaction identifiers (UTIs), unique product identifiers (UPIs), and critical data elements (CDEs)
- a review of existing Rules elements in order to consolidate, simplify and improve their effectiveness, where possible.
To provide certainty about our proposed alignment with international jurisdictions and facilitate project planning by relevant entities, we’re communicating our intentions to revise the Rules ahead of our first round of consultation.