ASIC regulatory message: GRC2022 Annual Conference
Speech by ASIC Commissioner Sean Hughes to the GRC2022 Annual Conference, 11 October 2022.
Check against delivery
Good morning and thank you to the GRC Institute for the invitation to speak today. Today I will talk to you about the significance and centrality – in a mature environment – of governance, risk and compliance functions.
In August we released ASIC’s Corporate Plan, which sets out our strategic priorities. Some of these include design and distribution obligations, the reportable situations regime and crypto-assets. I will take this opportunity to talk about some of ASIC’s short to medium term priorities in these areas.
Many of these priorities will continue beyond 2022-23, and the key actions outlined will pave the way for our work over the next four years. Each priority is designed to target a specific risk of harm, support law reform, or improve our capabilities and effectiveness as a regulator.
I will also close by giving an update on ASIC’s whistleblower work.
The significance and centrality of the governance, risk and compliance functions
First, let me go to an issue dear to the heart of this audience, and indeed to this speaker. An evolving and volatile global landscape means governance, risk and compliance functions are ever more crucial in helping executives and boards navigate emerging risks and obligations that would otherwise have the potential to derail strategic goals.
These changes are being driven not just by new regulation, but more so by fundamental shifts in how the community and shareholders view corporate social responsibility, as well as the “licence to operate”.
Take for example the recent Australian federal election. There was significant community engagement in addressing corruption issues across all levels of government, which has crystallised in a commitment to establishing a national integrity commission (or ‘federal ICAC’ as it has been termed), legislation for which was recently introduced into Parliament.
Separately, in the corporate world, we are experiencing the rapid evolution of and demand for inclusion of effective ESG commitments. Gone are the days where meeting minimum compliance obligations through a legalistic ‘tick the box’ approach might have been considered sufficient. We are expected to challenge ourselves and our organisations with the fundamental question – just because we can, does it mean we should?
The media regularly presents the community with case studies where prominent organisations have stumbled over this question, despite having previously attested to the effectiveness of the governance, risk and control frameworks they have in place.
It is against this backdrop that governance, risk and compliance functions must lean resolutely and courageously into the challenge of designing and implementing systems and processes that not only allow their organisation to address their legal and regulatory obligations, but also act as a handbrake for bad decisions and poor conduct that could occur in the unchecked pursuit of opportunities.
This situation reinforces the importance of underpinning tailored and effective governance, risk and compliance frameworks with an uncompromised focus on integrity and values-led behaviour.
People acting with accountability, honesty, respect, and transparency are likely to make the right ethical decision, even when our governance, risk and compliance frameworks may not be able to provide an easy or palatable answer.
Not only is this desirable and necessary to underpin good governance, but it is also increasingly considered the norm by organisational stakeholders. It can and it does directly impact reputation and enterprise value where it goes wrong.
We also recognise that ASIC is not immune to these challenges. In recent years we have implemented whole-of-ASIC governance, risk and compliance frameworks that are overseen by our Chief Risk Officer and actively supervised by ASIC’s Commission.
This has also included implementing our own Speak Up program that allows our staff to report any integrity concerns anonymously and confidentially through a secure app.
In taking actions such as these, we place a similar expectation on ourselves as we do on those we regulate. Our aim is to look beyond the formal frameworks, processes and procedures and actively encourage behaviours and attitudes that will positively contribute to our culture of integrity. You should expect nothing less from us, as standard-setters for the corporate community.
Without this foundation, governance, risk and compliance can quickly devolve into a backroom administrative exercise and temporary window dressing. Given the increasingly complex economic and environmental challenges we and future generations will face, this is not the time to undermine the significance and centrality of the governance, risk and compliance functions, nor short-change the resources required for their sustainability and effectiveness.
Our own strategic priorities echo these challenges as we continue to face into an increasingly uncertain world…
ASIC’s priorities for 2022-26
We released ASIC’s Corporate Plan in August. The Plan outlines our priorities for the next four years and our action plan for the year ahead.
The Corporate Plan outlines four external strategic priorities:
- Product design and distribution: Reducing the risk of harm to consumers of financial and credit products, caused by poor product design, distribution and marketing, especially by driving compliance with new requirements.
- Sustainable finance: Supporting market integrity through proactive supervision and enforcement of governance, transparency and disclosure standards in relation to sustainable finance.
- Retirement decision making: Protecting consumers, especially as they plan and make decisions for retirement, with a focus on superannuation products, managed investments and financial advice.
- Technology risks: Focusing on the impacts of technology in financial markets and services, driving good cyber-risk and operational resilience practices, and acting to address digitally enabled misconduct, including scams.
Supporting these priorities are several core strategic projects, some of which I will now discuss in a little more detail.
Design and distribution obligations (DDO)
For boards, the design and distribution obligations (DDO) regime is fundamental to managing non-financial risks and preventing many of the poor outcomes seen in recent years, especially through the lens of several Financial Services Royal Commission case studies, which would simply not have passed muster under DDO.
Although it is encouraging to see the work that many firms have done to implement DDO, especially in developing target market determinations (TMDs) and simplifying unnecessarily complex products, these obligations are not set and forget. Firms need to monitor consumer outcomes to improve and refine the design and distribution of their financial products over time.
The regime has now marked its first full year in operation and we have now shifted our focus from supporting licensees’ implementation to active supervision and enforcement.
Our early focus is on sectors where there is the most risk of consumer harm and we will apply a DDO lens when responding to poor outcomes that we identify. This work includes surveillances of superannuation trustees’ distribution practices, credit cards, small amount credit and buy now pay later providers, and managed fund sectors.
Where our surveillances identify poor consumer outcomes, we will use our full regulatory toolkit to address misconduct. For example, we recently imposed interim stop orders on three financial firms to address the sale of high-risk investments to retail investors. We also have a number of matters in the pipeline for potential enforcement action.
It is critical that firms get their TMDs and product governance settings right and have robust, timely and meaningful data to test and monitor these settings.
Firms must collect and understand data about the outcomes of their product distribution and who their products are getting to. You can ultimately expect us to look closely at the way firms do this. It is critical that firms respond to poor outcomes that they identify by making the necessary changes to their products or their distribution arrangements.
Reportable situations regime
The reportable situations regime applies to Australian Financial Services Licensees and, for the first time, to Credit Licensees. It is both broader and more complex than the breach reporting obligations that applied before October 2021.
The regime recognises the important role that licensees have in lifting industry standards as a whole, in part by identifying and reporting breaches in a timely manner, through the operation of internal risk and compliance systems and processes. This is a critical source of intelligence for ASIC.
We are aware that there have been a number of implementation challenges under the new regime, and we are addressing those.
We have developed a comprehensive plan of work, including engagement with our stakeholders, to address those implementation challenges, and ensure the regime meets its objectives for ASIC, industry and consumers.
Together with team members across ASIC, I am currently engaging with stakeholders on proposed solutions to some of these challenges, with a view to ASIC implementing solutions early next year. This will include supplementary guidance on some aspects of the regime, including on completing the approved form.
We will be continuing our engagement with stakeholders on other implementation challenges and possible solutions early next year.
ASIC will soon release its first public report on the information lodged under the new regime. Due to some of the implementation challenges, this report will not contain granular data, such as the name of licensees. Nor will it refer to the nature or number of reports lodged by specific licensees. However, the report will provide some useful insights for compliance and risk practitioners, particularly relating to the identification, investigation and remediation of breaches.
Cyber resilience
Cyber-attacks are increasing in frequency and sophistication, and through recent examples such as at Optus, many of us have experienced first-hand the immense impact, disruption and anxiety these attacks can create. The damage to affected Australians is both multi-faceted, given the interconnectivity of our digital engagement, and long-lasting, since stolen personal information can be readily tracked and traded.
Optus itself is now suffering significant financial and reputational damage. As the Prime Minister has noted, this is a ‘wake up call’ for corporate Australia.
Financial services and markets are a particularly attractive target for cyber criminals. It is not only the sensitivity of the information held by firms, but their domestic and global interconnectivity, that underscores the potential for systemic risk within the financial system.
Resilience to cyber and operational incidents minimises disruption from cyber attacks and helps to promote confidence in markets. We are engaging closely with our regulated entities to promote good practices and support initiatives that enhance cyber resilience. While it is not possible to reduce cybersecurity risk to zero, we expect our regulated population to actively manage its cyber risk.
ASIC recently took successful action against RI Advice in relation to a series of cyber attacks and data breaches affecting clients’ personal information. The firm failed to ensure that robust information protection and cyber security measures were in place. The Federal Court’s judgment reinforces that managing cyber risk is a key part of licensees’ obligations to act fairly, honestly and efficiently and to have appropriate risk management systems.
To benchmark cyber resilience, refine our risk framework and develop sectoral insights, we are developing a voluntary, cross-industry self-assessment tool. We are also working in partnership with APRA and other agencies alongside the Department of Home Affairs to avoid duplication and enhance coordination.
We are also actively supervising:
- the implementation of our enhanced Market Integrity Rules on technology and operational resilience which apply to markets firms; and
- cyber resilience of the new Cboe trading system and the CHESS replacement trade settlement system.
We will continue to conduct surveillances to monitor cyber and operational resilience among our regulated entities. That means egregious failures to mitigate the risks of cyber attacks are likely to result in enforcement action.
Crypto-assets
ASIC recently released research on investor behaviour revealing that, of the 1053 active investors surveyed, 44% held crypto-assets. Of those, only 20% considered their investment approach to be ‘risk taking’. These findings mirror those of a recent IOSCO RMCTF report (which I co-chair with CBI) following a global survey and study earlier this year.
In reality, we know that crypto-assets are highly volatile, inherently risky, and complex.
Globally, crypto users have lost about $2 trillion in the value of their holdings during the course of this year. Sadly, many of those investors whom ASIC surveyed last year – at what turned out to be the peak of crypto prices – have probably shared in these very significant losses.
Regulation of crypto is currently fragmented both in Australia and elsewhere. We are seeing providers who seek to take advantage of this and engage in regulatory arbitrage. This has resulted in products that mimic the characteristics of traditional financial products, but are not subject to the oversight, regulation and consumer protection features that investors might like, or even expect.
The three cornerstones of ASIC’s crypto regulatory strategy are:
- First, to support the development of an effective regulatory framework for crypto-assets. We welcome the new Government’s announcement that it will prioritise a ‘token mapping’ exercise as part of progressing towards a regulatory framework for crypto. In particular, we welcome the emphasis on consumer protection in that announcement.
- Second, to take enforcement action to disrupt and deter harmful products within ASIC’s jurisdiction.
- Third, to collaborate and cooperate with our domestic and international peers. This is important because crypto is a phenomenon that does not respect the limits of the mandates of individual regulators nor global borders. Market fragmentation and the risk of inconsistent regulatory treatment can lead to arbitrage and expose consumers to greater harm.
Financial Accountability Regime
Also included in ASIC’s priorities is the Financial Accountability Regime (FAR), pending passage of legislation, which was re-introduced to the House in September.
The FAR will impose a strengthened responsibility and accountability framework that will ensure directors and senior executives will be held accountable for their decisions and conduct. It will aim to drive reform in operating culture and reinforce the standards of conduct expected by the Australian community.
The FAR replaces the Banking Executive Accountability Regime (BEAR) and extends it in a number of areas including:
- extending the regime to non-operating holding companies (NOHCs) of ADIs, to insurance entities, their NOHCs and superannuation entities;
- having a specific conduct focus; and
- being jointly administered by APRA and ASIC.
APRA and ASIC will jointly administer the FAR and work together to ensure a smooth transition to the new regime. Together with APRA, we will develop guidance for industry and engage with financial firms on the implementation of the FAR.
This work will augment our focus on individual accountability in our regulatory and enforcement approach.
Sustainable finance
Investors are increasingly making values-based investment decisions, leading to a surge in ‘green’ investment offerings. As the market for environmental, social and governance (ESG) investment products grows, transparency and trust are paramount.
Our supervisory work is testing these ‘green’ offers to make sure they are accurate, comply with the prohibitions on misleading statements in the Corporations Act, and are useful to investors. Among our actions planned for the years to come will be oversight of sustainability-related disclosure and governance practices of listed companies, managed funds, superannuation funds and green bonds.
The growth in investor appetite for ESG-labelled investments means we will be vigilant and responsive to greenwashing.
We want to see continued improvement in climate risk governance and disclosure practices. We recognise that more and more listed companies in Australia are voluntarily making sustainability or climate-related disclosure. The Australian Council of Superannuation Investors (ACSI) has found that, as at 31 March 2022, 95 companies across the ASX 200 have adopted ‘net zero’ commitments. This accounts for 70% (or $1.59 trillion) of the ASX 200’s collective market capitalisation, which is almost double the figure from ACSI’s prior year analysis.
We are closely engaged with international developments and peer regulators on these issues. In July, ASIC, as part of Australia’s Council of Financial Regulators (CFR), provided a submission to the International Sustainability Standards Board (ISSB) supporting the establishment of a comprehensive global baseline to improve consistency for both market participants and investors.
We are keen to see market participants thinking now about what kind of governance structures will be required to support company reporting under future ISSB standards.
We also encourage listed companies with material exposure to climate change to consider voluntary reporting consistent with the recommendations of the Task Force on Climate-related Financial Disclosures, to make sure they are ready for the transition.
Scams
The past three years of enforced isolation and home-based activity have seen Australians spending more time than ever before online. Like many of our counterparts globally, we have looked for investment opportunities, especially during the recent period of low yields in traditional asset classes. This has coincided with increasingly sophisticated attacks on Australians by scammers.
It has been said that there is a different scam for every person. Losses to scams have almost doubled every year, and these losses threaten confidence in our financial institutions and regulatory framework.
Australians lost over $2 billion to scams in the year to July 2022, with investment scams totalling $701 million. As scammers use increasingly sophisticated techniques, the size and scale of the problem can feel immense.
To use our resources for maximum impact, we are primarily focused on disruption of scams, using innovative data-driven approaches to drive early intervention.
But we cannot do this in a vacuum, and the commercial sector has an important role to play. We have recently partnered with Google to limit advertising of financial products and services on its Australian site only to entities that are licensed by ASIC or exempt from licensing. We have also worked with the ACCC to trial a service that takes down fraudulent websites.
We are also reviewing scam identification and response strategies of banks and educating consumers about scam trends and specific scam threats as they emerge.
Coordinating our response with the market and other regulators is critical to protecting consumers and preserving market integrity. This is not a responsibility of one agency, one sector or one community alone.
Whistleblower protections
ASIC is also responsible for administering the strengthened whistleblower protection regime for companies and superannuation trustees.
Since the whistleblower reforms commenced, we have received more reports from whistleblowers each year. Whistleblowing is a key part of a transparent, accountable and safe workplace culture.
Whistleblower programs are an important internal governance tool. They allow employees to speak up about problems and allow organisations to identify risks and address problems before they turn into crises. Considering how your organisation treats whistleblowers in practice can provide an insight into its culture.
ASIC previously reviewed whistleblower policies from a select sample of entities, and found that many policies fell short. In 2021, we published an open letter to CEOs urging companies to improve their whistleblower policies. This letter provided information on the gaps we saw, and guidance on how companies could address them.
Anecdotally, we have heard from directors, industry and legal practitioners that the letter has prompted internal reviews of whistleblower policies.
We encourage you to look at the work ASIC has done to date and ensure your organisation’s whistleblower policy encourages people to come forward, and complies with the legal requirements.
ASIC is now reviewing whistleblower programs from a small sample of companies across the financial services, resources, and retail sectors. We are assessing how these organisations are handling whistleblower disclosures, how they use the information from disclosures to address issues or change their operations, and the level of board and executive oversight of the programs.
We expect to provide more information about this review next year.
Beyond having the right policy framework in place, you should consider whether your organisation has effective processes in place to assess and deal with whistleblower reports.
In closing, I encourage you all to reflect on our strategic priorities for the year ahead and identify where the most likely opportunities for engagement with ASIC will arise. As governance, risk and compliance professionals, ASIC values the critical role you play in supporting your employers and clients to achieve their commercial objectives, honestly and fairly, and consistent with community expectations. Thank you.