ASIC’s corporate governance priorities and the year ahead

Speech by Chair Joe Longo at the AICD Australian Governance Summit, Thursday 3 March 2022.

Check against delivery

Good morning everyone, both here and online.

I would like to begin by acknowledging the Traditional Owners and Custodians of the lands on which we meet today, and to pay my respects to their Elders past, present and emerging. I extend that respect to Aboriginal and Torres Strait Islander peoples present today.

I would like to thank the AICD for its continued commitment to governance policy and engagement, research, and building the capability of directors across the country.

Now, more than ever, the AICD plays an important role in contributing to the sound development of corporate law reform and good regulation in Australia.

Many of the Royal Commission’s recommendations for legislative reform have now been enacted, including the design and distribution obligations, breach reporting, other reforms commencing last October, and the setting up of the Financial Regulatory Assessment Authority.

However, we are at the early stages of implementation, with some proposals still to come. For example, the Financial Accountability Regime (FAR), and extending and replacing the current Banking Executive Accountability Regime (BEAR).

I would also highlight the important work of the Australian Law Reform Commission, with the publication last November of its first interim report, focusing on Corporations Act 2001 Chapter 7 – Financial Services and Markets.

These are all areas where the AICD’s voice can make a real difference.

AICD members also represent the companies, the people who run them and work for them, and their shareholders, who together form the backbone of Australia’s economy.

Collectively you employ millions of Australians, across every industry and sector, large and small business, not-for-profits and government bodies; and contribute hundreds of billions annually in GDP.

As we enter the third year of the pandemic, ASIC will continue to support the nation’s economic recovery by using the full range of our regulatory tools in a targeted and proportionate way, to identify and address misconduct in the markets and sectors we regulate.

We will focus our enforcement action on areas of greatest harm, and take an active and targeted approach to enforcement.

In my remaining time today I would like to focus my remarks on three topics.

The first is ASIC’s priorities for the year. I will outline some of our general priorities for the year, based on what we’re seeing in the external environment. I will then turn to some particular issues we are focusing on in relation to corporate governance, including in our enforcement work.

The second area I will discuss is ASIC’s work on digital transformation, and how ASIC is responding to the challenges of regulating in an increasingly digital and technology-enabled world.

And finally I will talk about ASIC’s focus on regulatory efficiency and streamlining our interactions with our regulated population.

First, a few words about our priorities for the coming 12 months.

Every August we release our Corporate Plan, which contains our strategic priorities for the coming financial year.

And as the year progresses, we factor in issues and developments in the market and adjust our activity accordingly to ensure our actions and priorities are aligned.

At the moment we are looking closely at the impact of factors such as the uncertainty in global markets, record low interest rates, and the rapidity of digital transformation.

We have recently seen an uptick in first-time investors entering the market, and consumers continuing to conduct more and more business online.

Consumers are facing an exponential increase in exposure to misleading and deceptive conduct, and scams.

Over the past three years, scams have risen from 15% to 35% of all reports of misconduct made to ASIC, indicating that this is an increasingly significant issue for consumers.

With hundreds of millions lost per year to scams, government agencies have observed a rise in investment and other scams during the pandemic, while largely unregulated crypto-assets are used increasingly to funnel money to scammers overseas.

In response, our priorities for this coming year – other than in the corporate governance area, which I will come to in a moment – include:

  • Working with other regulators, industry and social media platforms to combat and disrupt financial scams.
  • Addressing the deceptive promotion of riskier asset classes such as crypto.
  • Disrupting investment ‘gamification’ on digital platforms.
  • Protecting financially vulnerable consumers impacted by predatory lending practices or high-cost credit.
  • Addressing misleading and deceptive conduct relating to investment products, including advertising through digital means that obscures the risk.
  • Ensuring that consumers receive the benefits of the new design and distribution obligations.

A few words on the design and distribution obligations in particular.

The design and distribution obligations are intended to help consumers obtain appropriate financial products by requiring firms to design products that meet the needs of consumers and direct distribution towards the intended target market.

We want to see the long-term benefits of the design and distribution obligations realised for consumers.

The obligations commenced in October 2021. There was an initial two-and-a-half year transition period before commencement, as well as a further period of adjustment after commencement.

Our early reviews of target market determinations highlighted some disappointing approaches. But we have seen some positive improvements in response, including from the big end of town.

We consider that industry is reaching a point where it has had sufficient time to bed down its implementation of the regime.

We will therefore be expecting compliance with the regime, and across this year we will pursue a targeted surveillance approach, and will be moving to enforce the obligations where necessary.

ASIC’s approach to corporate governance

I want to talk to you today about ASIC’s overall approach to corporate governance, our priorities and key areas of focus – that is, what is important to us.

Corporate culture and governance are not matters that you can ‘set and forget’; they are enduring priorities for boards.

A critical aspect of what directors do is manage risk.

Today, I want to focus on non-financial risk.

If you don’t manage non-financial risks well, they can carry very real financial implications. For companies, their investors, and their customers.

We need only to look at the remediation by the banks for charging fees for no service, and providing non-compliant advice, which has now reached $3.15 billion.

Yet, it has long been recognised that risk taking lies at the heart of business and entrepreneurial activity.

ASIC is not here to discourage risk-taking and innovation.

Rather, ASIC recognises that running a company is about managing risks, and involves decision makers allocating resources and making decisions very often in conditions of uncertainty.

The courts have also acknowledged that a degree of pragmatism is involved in balancing risks and benefits. Ultimately, however, in the words of one judge, companies “did not evolve to facilitate risky activity without personal responsibility”.

So my fundamental question for company directors is to consider whether you, and your board, are dealing with the matters you should be dealing with.

What are the reasonably foreseeable risks and compliance issues that are raised by your business?

Because even in well-run organisations, things are going to go wrong from time to time. The critical question is: what does the organisation do when things do go wrong?

Did you give those issues the attention they deserved, and at the level they deserved?

I expect directors to adopt an approach that seeks to understand what went wrong and why, that will lead to the right lessons being learnt and will then be reflected in future changes to the way the business is run.

So I can’t stress this enough. Good governance and culture require constant and ongoing investment of time and effort.

Nothing short of that will do.

Because if and when those efforts do fall short, there are consequences. When a company fails to act responsibly, ASIC will not hesitate to take action.

Priorities in corporate governance

I will now outline the issues ASIC is focusing on in corporate governance, including our enforcement work. I will focus on three topics:

  1. Governance failures relating to non-financial risk that result in significant harm to consumers and investors. This includes directors failing to identify and manage the risk attaching to a company’s business activities; failing to ensure that appropriate resources are allocated to deal with risks; or failing to respond to indicators that risks are not being properly managed.

When we talk about non-financial risk, this includes things like significant reputational harm caused to a company through its conduct, and that may impact upon its license to operate; or where a company engages in breaches of the law that attract significant monetary penalties.

  2. Cyber governance and resilience failures. This is illustrated by current proceedings brought by ASIC against RI Advice Group, where we allege that it failed to have adequate policies, systems and resources to appropriately manage risk in respect of cyber security and cyber resilience.

  3. Egregious governance failures or misconduct resulting in corporate collapse. This includes instances where company money, or money belonging to company creditors, is misapplied or misappropriated.

To recap, the most common types of situations we are looking at relate to failures by directors to manage their company’s significant or strategic risks.

Recent investigations have shown that problems can arise out of any activity undertaken by a company. They are not confined to situations where there has been financial loss – they also include reputational damage.

There are other issues relating to non-financial risk that ASIC is considering, and that will be of particular relevance to many of you, depending on the size and structure of your organisation.

These include cyber resilience and climate-related disclosure, including misleading marketing or ‘greenwashing’ by listed entities.

Cyber risk

First to cyber risk. The World Economic Forum recently released its 2022 global risks report. ‘Failure of cyber security measures’ was the number one risk identified by Australian executives in the report’s opinion survey.[1]

In today’s world of ubiquitous software usage, cyber risk is a vulnerability and an exposure that has exponentially escalated.

The Australian Cyber Security Centre issued an alert on Tuesday to encourage all Australian organisations to adopt an enhanced cyber security position.

We strongly encourage you to act on that advice and improve your cyber security resilience in light of the heightened threat environment.

Cyber risk is very much the new frontier of market integrity.

It is having a multiplier effect on individual businesses, markets and ultimately – consumers. Different legal and compliance requirements are giving rise to an obligation to manage cyber risk across ASIC’s regulated populations.

We encourage active management of cyber risks, and we encourage entities to continually improve their cyber-resilience.

We are not looking to prescribe technical standards or provide expert guidance on operational aspects of cyber security. That is the role of Government and other agencies.

Where we consider that a firm has not met its obligations, ASIC may take enforcement action to drive a change in behaviour, as we are with RI Advice Group.[2]

Boards play a key role in recognising and managing risk, including cyber risk. They should consider where they have an obligation to report breaches to ASIC, and where it may be appropriate to make disclosure to the market as either continuous disclosure or in financial reports.

This year we see a number of risks emerging that will need to be assessed and managed by directors. Specifically, the threat posed by the widespread use of open-source software (think back to the ‘Log4j incident’ just prior to Christmas), heightened global tensions, and the continuation of flexible working arrangements.

Climate-change disclosure for listed companies

Now on to climate-related disclosure for listed companies. ASIC’s core focus is to foster continued improvement in the standard of climate change governance practices; and to promote the provision of reliable and decision-useful climate-related disclosures by listed companies, to enable investors to make fully informed decisions.

Globally, this is an area of rapid change.

Late last year, the International Sustainability Standards Board was established to develop high-quality, global baseline climate and sustainability disclosure standards to meet investors’ information needs.

This work will build off existing frameworks such as the Task Force on Climate-related Financial Disclosures.

We are also seeing some jurisdictions, including the UK and New Zealand, move towards mandatory climate-related reporting for listed companies.

Domestically, we are seeing more companies produce detailed climate-related disclosures in response to market expectations.

ASIC is following developments closely and continues to participate in the IOSCO Task Force on Sustainable Finance, alongside our peer regulators. In light of this, it is important for directors to adopt a proactive approach as developments unfold.

Getting the right governance arrangements in place is critical. The Task Force on Climate-related Financial Disclosures has issued some helpful guidance on what constitutes ‘good’ disclosure. ‘Good’ disclosure should be:

  • clear, balanced and understandable
  • consistent over time and provided on a timely basis
  • reliable, verifiable and objective.

We will engage closely with listed companies and investor groups throughout 2022 as the International Sustainability Standards Board climate standards develop, and as mandatory reporting rules are introduced in other markets.

Greenwashing is also very much in our sights.

The definition we use to describe greenwashing is the potential for an entity to overrepresent the extent to which its practices are environmentally friendly, sustainable, or ethical.

ASIC is conducting a review to establish whether the practice and promotion of managed investment and superannuation funds that offer ‘ESG’ or ‘green’ products are actually aligned.

Boards should be mindful that prohibitions in the Corporations Act on misleading and deceptive conduct, and false or misleading statements, apply in relation to financial products such as securities or interests in funds.

Accordingly, we encourage boards to look out for any greenwashing – and to ask whether their company’s disclosure around environmental risks and opportunities, or their promotion of ESG-focused products, accurately reflects their practices in this area.

Whistleblowers and good governance

I would now like to turn your attention to whistleblowers.

We have learnt in recent times the significance of whistleblowing to good governance.

Whistleblowing is a key part of transparent, accountable and safe workplace culture. Whistleblowers provide early warning and visibility of issues, and can help identify and call out misconduct and harm to consumers and the community.

I encourage you to consider the value of whistleblowers, and take seriously your obligation to have a whistleblower policy in place.

There is an article by ASIC Commissioner Sean Hughes in the March 2022 issue of AICD’s Company Director magazine, which came out on Monday.[3]

I suggest you read it if you haven’t already, particularly if you represent a public company, a large proprietary company, or if you are a corporate trustee of a registrable superannuation entity. These entities are required to have a whistleblower policy that reflects the strengthened whistleblower protection regime, which started on 1 July 2019.

Unfortunately, our 2020 review of whistleblower policies found that many companies fall short. The majority of the whistleblower policies we reviewed were deficient, and three of the most prevalent and concerning deficiencies we saw were:

  • incomplete or inaccurate information
  • obsolete and out-of-date policies
  • policies without oversight arrangements.

These three issues are of particular concern to ASIC because they suggest that many entities do not fully understand the enhanced whistleblower protection regime, or worse still, have chosen to ignore them.

And fair warning, ASIC has commenced a surveillance of company whistleblower programs from a cross-section of industries. We will assess how these companies are handling whistleblower disclosures, how they use the information from disclosures to address issues or change their operations, and the level of board and executive oversight of the program.

So to recap, today I have covered the key issues ASIC is focusing on in corporate governance, including our enforcement work.

I would now like to talk about ASIC’s digital transformation.

Digital transformation

This has been a flagship issue for me since I joined ASIC in June last year. It is something I have discussed extensively.

To be an effective regulator in the 21st century, ASIC has to be always thinking ahead. And that includes embracing new technologies.

We are alive to the fact that technology and data is critical to every business we regulate. We are dealing with operating environments, customer engagement, and misconduct all centred on technology and data.

And so we will continue to transform alongside you.

We have been investing in new technologies and systems to enhance our capabilities for some years, and my aim is to enhance our capabilities even further.

I would like ASIC to be at the forefront of supervisory technology – SupTech – and particularly to focus on ways we can reduce the time it takes for companies to interact with us.

A major recent initiative has been the director identification number, now required for all new and existing directors. Streamlining director identification this way will mean less administration for directors, and help prevent the use of fictitious director identities.

If you are one of the 250,000 directors that have already obtained your Director ID, I say thank you. If you haven’t signed up yet, please make sure you do soon.

This leads me to my final topic, which is the related issue of regulatory efficiency.

Regulatory efficiency

You will have often heard me refer to my aspiration for ASIC to be an ambitious and self-confident regulator.

As well as building professional and technological capabilities, this also means focusing on how we administer the law, in our various interactions with our regulated population.

Early on in my term I announced the establishment of a Regulatory Efficiency Unit at ASIC. This team reports directly to me, and is focused on ASIC’s work from a functional perspective. It aims to remove unnecessary frictions in our interaction with industry, to reduce regulatory impost and drive better compliance.

While work of this nature was already underway within ASIC, the unit will coordinate this work, as well as complementing it with other initiatives.

The team has so far met with more than 70 external stakeholders, and is working on identifying a range of initiatives that will improve the efficiency of our interactions with our regulated population.

The issue of reducing complexity is also front-of-mind for Government.

Many of you know that the Australian Law Reform Commission is reviewing the Corporations Act with the aim of reducing its undue complexity. I hope you were all able to submit your submissions on ‘Interim Report A’ before last Friday (25 February 2022).

The benefits of untangling Australia’s corporations and financial services legislation are very clear, as the ALRC observed:

‘We all bear the consequences of legislative complexity, including through increased costs for financial products and services, and in publicly funding courts and regulators to wade through the legislative thicket.’[4]

Conclusion

To conclude, and before I hand over to Professor Hanrahan for the Q&A, I would like to leave you with one concluding reflection.

The risks you are facing as directors are dynamic.

They are evolving.

ASIC is acutely aware that there is no one-size-fits-all approach to governance.

The costs and consequences of poorly handled non-financial risks can be immense and, at the extreme, catastrophic.

However, establishing the structures and information flows within your control, getting the people and practices right so as to seek out the ‘known unknowns’ that might otherwise endanger your business, is a very achievable objective.

Thank you.

[1] World Economic Forum, Global Risks Report 2022, page 96. Accessed 4 February 2022.

[2] 20-191MR ASIC commences proceedings against RI Advice Group Pty Ltd for alleged failure to have adequate cyber security systems.

[3] ASIC Commissioner Sean Hughes, Blowing the whistle, Company Director magazine, March 2022.

[4] ALRC, Undue complexity in Australia’s corporations and financial services legislation, 30 November 2021.
