MIU - Issue 163 - November 2024
We have announced our enforcement priorities for 2025
ASIC has announced its enforcement priorities for 2025, capturing the key areas to which it will direct its resources and expertise in the coming year.
ASIC Deputy Chair Sarah Court said, ‘Our 2025 enforcement priorities reflect the increased risks consumers are facing that are being driven by cost-of-living pressures. These priorities are about protecting Australians from financial harm and targeting the people who try to take advantage of them.’
Enforcement priorities targeting greenwashing, superannuation member services and insurance failures, small business and used car misconduct have been retained.
New priorities will target insider trading matters, inadequate cyber-security protections, unscrupulous property investment schemes, business models designed to avoid consumer credit protections and misconduct involving auditors and debt management and collection.
ASIC has established a new specialist team to expedite criminal insider trading cases from investigation to prosecution. Insider trading remains an enduring ASIC enforcement priority; however, ASIC has decided to increase its focus on this area, following on from the release of Report 787 Review of Australian equity market cleanliness (REP 787).
Cyber risk continues to escalate and Australian financial services (AFS) licensees must remain vigilant to guard against this risk. Boards and directors must implement and improve cyber risk management and cyber resilience processes to ensure that cyber incidents are avoided, detected and managed appropriately. For AFS licensees, this includes cyber risk management and resilience. Failure to do so risks enforcement action for breach of licensee obligations and directors’ duties.
- Read the media release.
Basic communication principles in the event of a cyber incident
Recent cyber incidents impacting financial services firms have highlighted disparities in disclosure approaches by some regulated entities. This information covers some good practice communication principles in the event of a cyber incident that may help entities minimise any potential harm.
While the principles below are consistent with guidance from the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC), entities are encouraged to develop communications plans that suit their needs and those of their stakeholders.
Providing timely and accurate communication
It is good practice for entities to keep stakeholders informed about a cyber incident so they can prepare for any potential impact. This includes affected individuals and organisations, regulators, authorities (e.g. the ACSC), financial markets, consumers, and other relevant stakeholders.
Providing accurate and specific information
Individual incident and entity circumstances will influence the content and channel of communications. Cyber response practitioners typically support the accurate and specific provision of known facts when making public statements about a cyber incident.
General good practice is for entities to not downplay the seriousness of a cyber incident (for example, by characterising it as an IT issue) or overestimate the extent to which it is understood.
When issuing communications about a cyber incident, it is similarly good practice for entities to cover the following, where possible:
- whether the cyber incident is (potentially) malicious
- whether the cyber incident is ongoing, such as a ransom threat
- whether there is a risk that current or former customer data has been accessed or compromised, and if individuals should be cautious
- whether critical issues are under investigation.
Communicating directly with impacted individuals and organisations
Any communications may need to be tailored for effective use by stakeholders, depending on the nature of the cyber incident and the potential impact of the compromised data. This tailoring may include the manner of their provision (e.g. whether by email in the first instance and then by post and phone, where applicable) and information on potential mitigation actions by stakeholders.
Creating a prominent alert on your corporate homepage or customer-facing portal about the nature of the cyber incident
Any alert may direct users to a landing page containing more detailed information about the cyber incident and relevant details about support services that are available (e.g. call centre and identity support service information).
Regular updates of the content on their homepage and/or portal as important information becomes known can support effective harm-minimisation actions by customers and other stakeholders.
Provide a set of frequently asked questions (FAQs)
Entities may consider publishing a set of FAQs to help affected individuals and stakeholders.
Notify other agencies
Depending on the circumstances, an entity must consider whether other relevant regulatory agencies, government departments, or industry bodies must be notified about the cyber incident. If you are unsure about who to report the incident to, see Single Reporting Portal.
For more information, visit the ACSC website.
What happened at our first Digital Assets Liaison Meeting
ASIC’s inaugural Digital Assets Liaison Meeting (DALM) took place on 11 September 2024. More than 190 industry representatives attended online and in person at ASIC offices.
The DALM has been established as a regular event to provide the digital assets industry with insights into ASIC’s strategic priorities and key projects, and to give an opportunity for Q&A. The inaugural DALM covered:
- Opening remarks from ASIC Executive Director Markets, Calissa Aldridge
- Digital asset focus areas from ASIC Senior Executive Leader Digital Assets, Rhys Bollen
- An update from Treasury on the digital asset platform law reform proposals from Treasury Director of Digital Assets Policy Unit, Chris Adamek
- Information on ASIC’s Innovation Hub from ASIC Senior Adviser Strategic Planning and Intel, Jonathan Hatch.
We are planning to hold the next DALM before the end of this year. If you would like to be added to the invitation list or suggest topics you would like to hear about at future meetings, please email digital.assets@asic.gov.au.
Recent ASIC enforcement actions
Our enforcement priorities send a clear compliance and deterrence message to the entities we regulate. Over October and November, our enforcement actions include:
Full Federal Court dismisses ANZ appeal against ASIC case
On 2 October 2024, the Full Federal Court dismissed an appeal by Australia and New Zealand Banking Group Limited (ANZ) against a judgment that it breached continuous disclosure laws when undertaking a $2.5 billion institutional share placement in 2015.
In dismissing ANZ’s appeal, the Court upheld the original decision in a case brought by ASIC, which imposed a penalty of $900,000 on ANZ for contravening continuous disclosure laws.
The Court found that by failing to notify the Australian Securities Exchange (ASX) that between approximately $754 million and $791 million of the shares offered in the placement was to be acquired by its underwriters rather than placed with investors, ANZ had contravened its continuous disclosure obligations.
ASIC Chair Joe Longo said, ‘ASIC will always defend the integrity of Australia’s markets.’
‘This is an important case that confirms how critical continuous disclosure is to maintain market integrity.’
ANZ was also ordered to pay ASIC’s costs.
- Read the media release.
ASIC cancels AFS licence of Prospero Markets
ASIC has cancelled the Australian financial services (AFS) licence of over-the-counter (OTC) derivatives issuer, Prospero Markets Pty Ltd (in liquidation) (Prospero) effective from 25 September 2024.
Following an application by ASIC, on 11 April 2024 the Federal Court ordered that Prospero be wound up on just and equitable grounds and that liquidators be appointed. Under the Corporations Act, ASIC may suspend or cancel an AFS licence if the licensee is being wound up or if the licensee has ceased to carry on a financial services business.
Earlier in December 2023, ASIC had suspended Prospero's AFS licence after it failed to lodge its 2023 audited financial accounts.
ASIC has specified that until 25 March 2026, Prospero Markets must continue to be a member of the Australian Financial Complaints Authority (AFCA), continue to have arrangements for compensating retail clients including the holding of professional indemnity insurance cover, and must comply with the ASIC Client Money Reporting Rules 2017.
Prospero may apply to the Administrative Appeals Tribunal for a review of ASIC’s decision to cancel its AFS licence.
- Read the media release.