A speech by Cathie Armour, Commissioner, Australian Securities and Investments Commission, at the Australian British Fintech Cyber Catalyst (London, England), 3 July 2018
Introduction
Good morning everyone.
It’s fantastic to be here in London to hear a range of perspectives on our digital future. I appreciate the opportunity to share ASIC’s approach to innovation with you.
Why is ASIC - which, for those of you who are not familiar with us, is Australia’s integrated corporate, financial markets and services regulator - keen to participate in a Fintech Cyber Catalyst?
Well, our job is all about ensuring a fair, strong and innovative financial system for all Australians. We are vitally interested in the digital opportunities available for Australian financial investors and consumers; in the technology that powers our markets and in promoting a capital market environment and a regulatory framework that allows business to prosper.
So all in all, a Fintech Cyber Catalyst is exactly the place we want to be, and it is very much a place we need to be.
Critically, this week we are exploring opportunities between Australia and the UK as part of what is already a very close and supportive relationship in financial services sectors.
Today, I will examine innovation from a regulator’s perspective, focussing on:
- First, some of the opportunities I see for Australia and the UK that support innovation in financial services and markets;
- Secondly, ASIC’s approach to innovation;
- Thirdly, what ASIC is doing in the regtech space; and
- Finally, I will explain our approach to cyber security – a topic that is, and has been for a number of years now, high on our priority list.
Opportunities for Australia and the UK
This catalyst will identify numerous opportunities between Australia and the UK that will support innovation in financial services and markets.
Our Governments have committed to deepen the existing relationship by leveraging and recognising aspects of each other’s frameworks and supervisory approaches - this will no doubt create efficiencies for all.
There are opportunities for innovators to exploit the close regulatory relationship between the Australian and UK regulatory regimes. These benefits exist today without the need for a skerrick of additional work - I think industry could be making better use of these benefits.
For instance, licensing authorisations for financial service providers and wholesale markets are easier for firms from our countries. As an example, a professional market operator can operate across our respective borders with compliance expectations and supervision largely set and undertaken in one country and relied upon by the other. In other words, a form of mutual recognition or home/host approach.
Between the FCA and ASIC to date, there already exist practical forms of recognition frameworks. More than a dozen UK wholesale platforms currently offer their services in Australia based on ASIC’s deference to the FCA’s primary regulatory oversight.
Our key market infrastructures - our clearing houses - have also been granted rights to operate in each other’s countries based on this equivalence approach.
I see great advantages to learning from each other’s approaches to the design and implementation of frameworks, particularly in relation to setting common standards, and maximising use of and cross-referencing each other’s standards. Both ASIC and the FCA were closely involved with the development by the Central Banks and Industry of the FX Global Code.
The UK is living and breathing its new open banking regime – given Australia is looking to start introducing its regime from July next year, we see great value in learning from your experience in the UK as the regime matures.
There is plenty in common between the Australian and UK regulatory environments for financial services, the key regulators know each other well and are used to collaborating - my question for this audience is: are you making the most of this environment?
I anticipate many of you want to hear about how regulators and governments might look to standardise regulation in order to better facilitate fintech between our countries. This question is a good one because there are regulatory differences between our two countries and undoubtedly life would be easier for fintechs to operate across countries if there were no differences.
But I think an emphasis on this issue of standardisation runs the risk of distracting focus from the real and achievable benefits of using our current effective cross-border regulatory model.
Think about this – we have not been able to agree on legal standards for distance – you have miles and we have kilometres so what are the chances that we can expect agreement on standards for other detailed areas of regulation like financial services. In any event is there really much utility of just two countries agreeing legislation; what about our other trading partners?
Simply put, Australian and UK governments and regulators can and do work very effectively in an equivalence or mutual recognition world - that is a world where firms in the financial sectors operate on the basis I have already described - they obtain licensing or permission to operate in one place based on the regulatory oversight and rules of the other jurisdiction.
What are some practical examples of this? Well, here is an example after my own heart - UK firms report transactions on trading venues under MiFID II and accompanying regulations. If those same firms were operating in Australia they would be required to retain records under our much more generic 'business records' requirement but would not have the same detailed reporting obligations. If a firm that provided regtech support to firms who needed to meet the MiFID II requirements were to approach us at ASIC about clarifying our record keeping requirements, we would be open to considering issuing guidance that meeting MiFID II reporting requirements, for some types of Australian business, would also satisfy our requirements. Effectively creating a standardised process without the need for mutual law reform.
Not dissimilarly, Australia does not yet have an equivalent to the EU General Data Protection Regulation – as you know and we have discussed earlier today, we are in the process of developing and will legislate a Consumer Data Right.
But in any event if you are building technology solutions for firms that comply with the GDPR obligations, why would you think that this technology might not be suitable in the Australian markets - some aspects of the technology solution might need to be developed with the capacity to turn off certain elements in places where there is not an equivalent legal obligation - but building to the highest standard of data protection for consumers is unlikely to translate to a significant regulatory issue in our country – and may be relatively easily adjusted to accommodate any critical differences when the Consumer Data Right is finalised.
So, rather than try to wrangle disparate political processes in different countries for a uniformity that has not before been achieved in history and which tends to implicitly suggest adopting the lowest common denominator - my counsel to the fintech industry is to focus on developing solutions for the best investor and customer outcomes, the higher standard of the relevant jurisdiction, to allow the flexibility to 'turn off' some features and to work with the regulators to look for guidance and support of the higher standard being applied by businesses in their country.
ASIC’s approach to financial innovation
Moving more broadly to ASIC's approach to innovation. ASIC supports technological change that may improve outcomes across the financial system.
Evolving technology is nothing new to regulators – markets have existed in one form or another over mankind’s history. We are all familiar with the technological leaps and bounds that have led to today’s dynamic markets where equities or foreign exchange transactions occur in nanoseconds. This is a far cry from the days of men haggling in the courtyard of the world’s first modern stock exchange, the Amsterdam bourse, at the start of the 1600s.
We like to think that our regulatory regime is sufficiently principles based that it operates in a technology neutral way. But we do know that this is not always so; pragmatism means that we frequently amend our regime to facilitate new technologies. For example, we have facilitated electronic securities offering documents.
We also adapt the way we regulate to reflect the technological needs of the day. For instance, ASIC’s Innovation Hub helps ASIC to engage with new fintech and regtech start-ups.
The Innovation Hub has five components:
- engaging with fintech and regulatory technology start-ups, as well as the physical hubs and co-working spaces for start-ups;
- informal assistance for eligible fintech and regtech start-ups – our goal is to help new businesses consider key regulatory issues early on in their development;
- tailored guidance for innovative businesses to access information and services relevant to them via our website;
- a senior internal taskforce to assist in analysis of new business models – the taskforce draws together knowledge and skills from across ASIC, and is complemented by internal working groups on digital financial advice, marketplace lending, equity crowdfunding, blockchain and crypto-assets;
- a Digital Finance Advisory Committee (DFAC), which provides ASIC with advice in this area. The committee includes members from the fintech community, academia and consumer advocates as well as other financial regulators.
ASIC’s regulatory sandbox framework
ASIC has a regulatory sandbox framework - a ‘lighter touch’ regulatory environment - this sandbox is available to Australian and overseas fintech start-ups.
Our sandbox is based around a world-first class waiver (an exemption) that allows eligible fintech businesses to test certain services for up to 12 months without an Australian financial services or credit licence.
At the same time, retail clients who access services of firms using the sandbox still have fundamental protections under the law, such as dispute resolution and professional indemnity insurance.
This is a ‘whitelist’ approach - there is no ASIC review of each proposed test. In contrast, sandbox proposals in other countries, and we heard today about the FCA’s sandbox, involve regulators selecting applicants and negotiating individual testing terms.
Six firms have made use of this fintech licensing exemption and many others have approached ASIC about its application and learnt there may be alternative ways to test their business model where they are not eligible to rely on this exemption made by ASIC.
The Australian Government is looking to build on the scope and design of the ASIC Sandbox in a number of key areas. For example, the Government proposes that the licensing exemption set by ASIC be replaced with a similar conditional exemption but for a wider range of services, eligible providers and for a longer duration. A Bill to enable the Government’s enhanced sandbox was debated only last week.
Global dimension to ASIC’s work on innovation
ASIC believes it must be open, engaged and globally connected in order to contribute to an innovative financial sector. So we meet with our international regulatory counterparts to discuss developments and policy proposals as often as possible.
We engage with global standard setters through, for example, the various taskforces and committees at IOSCO and other regulatory groups to contribute to the global discourse on fintech and regtech and to champion what is being done in Australia.
We have also recently joined a working group of regulators led by the FCA working to jointly consult on the feasibility of a Global Sandbox.
At a practical level, we have the mechanisms in place to make referrals of fintech providers under Co-operation Agreements with international agencies and are more than happy to do some heavy lifting where we can.
ASIC entered a world-first fintech Cooperation Agreement with the FCA in the UK back in 2016, that allowed us to refer fintech to each other to receive informal assistance.
In March this year, the FCA and ASIC entered an enhanced Cooperation Agreement, deepening our level of commitment to work together on work relating to fintech and regtech.
This enhanced agreement is part of the UK-Australia Government-to-Government Fintech Bridge that we have heard so much about today.
Under the regulator-to-regulator component of this agreement, ASIC and the FCA will be doing a number of things which we have already heard about today, including:
- exploring opportunities to enable quicker licensing of innovative fintech businesses that are already authorised in the other jurisdiction. The FCA and ASIC will hold discussions in the next month;
- looking at ways to facilitate entry into each other’s sandbox environments;
- making a commitment to reach shared approaches, understandings and positions on emerging issues relating to fintech and regtech. Only last week, ASIC had 4 data scientists meet with FCA colleagues on approaches on data analytics and use of supervisory technology; and
- considering other shared opportunities, such as joint events, trials, research projects and secondments.
ASIC’s role and approach to regtech
Turning now to the sibling of fintech, I’ll explain some of ASIC’s work in relation to regtech and what we view our role to be.
A capacity to monitor automated activities is already a core element of risk and compliance frameworks for some parts of the Australian financial system, such as the monitoring of financial markets activity.
We strongly believe that reg tech should be top-of-mind for regulators and across all of the financial services industry.
The regtech sector has enormous potential to help organisations build a culture of compliance, identify learning opportunities and save time and money relating to regulatory matters while improving compliance and most importantly outcomes for consumers.
It also has potential to support ASIC and our regulatory peers in the way we undertake our own work, including engaging with industry.
This is critical for us to do our job successfully. We must monitor market integrity and so we need the tools to analyse the millions of transactions daily on our markets. This year we need to analyse approx. 75-150 million messages per day, for over 1.5 million equity trades, 45k futures trades. For our enormous (in monetary terms) OTC markets, 2-3 million end of day positions.
As an example, in a recent investigation that looked at market misconduct of four large financial institutions, ASIC reviewed over 75 million documents (35 terabytes of data) and over 42 million voice recordings (2.7 million hours of listening pleasure, being 256 terabytes of data). So you can see why we are keen exponents of the virtues of regtech!
This time last year we publicly consulted on what ASIC’s role should be on regtech. Generally the response supported ASIC being ambitious in regtech – which was good, because that is what we want to do!
Our approach to regtech is guided by some basic principles:
- To work towards regtech outcomes that align with our strategic objectives;
- To undertake a focused number of initiatives that have near term deliverables; and
- To have regard for industry input, good international case studies and our own learnings in forming our plans.
Our Innovation Hub hosted Regtech Roundtable and Showcase events last year. We have had over 60 meetings with regtech stakeholders and service providers.
ASIC’s Regtech Liaison Forum
Late last year we established ASIC’s RegTech Liaison Forum. The forum meets every three months and meetings are open to all interested parties.
The Forum's goal is to facilitate networking and stimulate discussion on regtech developments and identify opportunities for future collaboration. We are hoping that it provides a platform to help identify practical areas of focus for industry and regulators.
ASIC’s NLP Trials
I’d like to talk briefly on ASIC’s Natural Language Processing trials.
In February we released a set of problem statements with use cases to understand and encourage the application of Natural Language Processing in resolving regulatory problems.
The trials are to explore potential efficiencies in supervision, including through automation and prediction, and present a genuine learning opportunity for ASIC.
A tender was issued for the provision of pilots and we have executed contracts to execute these trials over the next 3 to 4 months in:
- The identification of promotions of concern for financial and credit services;
- Managed fund PDSs review;
- Financial advice file review;
- Financial reporting review of company announcements; and
- Prospectus review
We will keep industry, our fellow regulators such as the FCA, updated on how these trials progress and share any insights we can on our learnings.
Cyber security – a common challenge
This Catalyst focuses on meaningful collaboration and part of that is sharing information on our approaches to common challenges like cyber security.
ASIC has long recognised and identified that cyber resilience of the regulated firms in our financial markets is a critical long-term challenge.
Only last week, our financial press reported on the number of times our big banks in Australia come under cyber attack in a 24-hour period.
ASIC has focused on raising awareness, assessing and reviewing the cyber resilience of our regulated firms, and sharing good practices and standards in our efforts to raise the standards of cyber resilience.
When I refer to firms here, these include authorised market operators and participants including stockbrokers and investment banks.
Underpinning this practical activity is an approach to cyber security supervision founded on three principles:
- First, cyber resilience practices must be embedded into the whole-of-business enterprise risk management framework - this is a licensing obligation;
- Secondly, we will work in collaboration with both industry and other regulators (both foreign and domestic) on an ongoing basis to learn from them as well as share our own insights and learnings, and share intelligence on cyber risks and mechanisms to mitigate new and emerging threats;
- Finally, recognising the cyber landscape is rapidly changing, ASIC follows an evolutionary approach that reviews and raises the bar on a periodic basis. This includes adapting our surveillance processes in response to key events, such as the emergence of new regulation or new types of cyber threats not previously accounted for.
A lot of this is set out in our report published late last year which includes a number of observations from our work with 100+ entities across the Australian financial market. We can share this with you if you are interested (Report 555 Cyber Resilience of firms in Australia’s financial market).
Getting into some of the detail of our work in this area, over the past three years ASIC has performed cyber security surveillance and assessments of our regulated firms across the financial markets sector.
To date these assessments have been conducted across market operators, post-trade infrastructure providers, credit rating agencies, investment banks and stockbrokers.
The assessments were conducted using standards-based surveillance tools and self-assessments adapted from the United States NIST Framework, as well as follow up interviews with firms and the collection of additional supporting documentation for review.
This work has resulted in the publication of several reports to date, which can all be accessed on the ASIC website:
- We continue to review, assess and refine our approach based on our findings to ensure that we are driving continuous improvements and therefore uplift in the levels of resilience across the financial sector. [1]
- We also continue to reinforce the message that Boards need to have a thorough understanding of their risks, and how to mitigate against, and recover from, cyber incidents – this is now fundamental to business risk management and potential survival. It is imperative that Boards treat cyber security with the same level of importance as they would manage ‘traditional’ risk, such as financial, competitor or reputational risks.
- We are actively looking at market misconduct that is facilitated by poor cyber security. Last month charges were brought against an IT consultant for 115 offences of unauthorised access to data in a computer, insider trading and destroying or concealing books required by us.
We are very interested in hearing about other strategies and approaches as well – be they based on real-time surveillance using people, automated robots or newer concepts like gamification.
On that note, I’ll wrap things up.
Thank you very much for the opportunity to run through some aspects of ASIC’s approach to innovation – I’ll be back for a panel discussion a little later on.
- Report 555 Cyber resilience of firms in Australia’s financial markets
- Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd
- Report 429 Cyber resilience: Health check.