ASIC’s expectations for protecting vulnerable customers


A speech delivered by Sean Hughes, ASIC Commissioner, to the Financial Services Assurance Forum, Thursday 26 November 2020.

Check against delivery

Thank you for the introduction and good morning everyone.

I would like to acknowledge the Traditional Owners of the lands upon which we meet; and pay my respects to Elders past, present and emerging.


I very much appreciate the opportunity to speak to you at this forum. Who said being an auditor – or a regulator for that matter – was dull?

It’s been a long and trying year. New challenges have been set in front of us, and more await in the year ahead.

2020 has been a year of unprecedented business disruption. And as internal auditors you’ll be dealing with a huge range of new and emerging risks for the businesses you serve.

Industry, government and the community have had to adapt rapidly to change. As assurance specialists, you have had to become flexible and nimble to stay relevant and adapt to changing times. Regulators are not exempt from this change requirement either.

Compliance breaches happen in all organisations and businesses. Every organisation faces tests. And ASIC is no exception. As many of you know, we are going through our own test right now.

Last month the ASIC Commission accepted responsibility for failings of process and governance recently identified by the Australian Auditor General in finalising ASIC’s year-end financial statements.

In response to the Auditor General’s findings, ASIC fully supports the independent review being undertaken by Treasury under the lead of Dr Vivienne Thom. We will be informed by and act upon its findings and make the changes needed.

And ASIC will be subject to further accountability in the future. The proposed establishment of the Financial Regulator Assessment Authority will inform the Treasury and Treasurer and ultimately the Parliament about our regulatory efficiency and effectiveness.

So I speak to you today with an even stronger conviction in the role that internal audit has to play for every organisation. It is a key contributor to managing risk effectively.

And with risk management in mind, today I’d first like to discuss ASIC’s expectations for protecting vulnerable customers, for you to consider in the context of internal auditing processes.

Second, I will cover ASIC’s response to the pandemic and our current regulatory priorities, which include hardship, predatory lending, debt management and internal dispute resolution.

And third, I will discuss what’s on ASIC’s horizon for 2021, including the new design and distribution obligations.

1. Protecting vulnerable customers

In recent years, and prior to COVID-19, the Financial Services Royal Commission, the Productivity Commission and several Parliamentary inquiries drew increasing attention to the risks to, and vulnerability of, consumers in the financial services, insurance and superannuation markets.

This begs the question – what is ASIC’s definition of a ‘vulnerable customer’?

As you may know, ‘vulnerability’ per se is not specifically regulated in Australia. However, ASIC’s regulatory requirements and interactions are relevant to vulnerability. Our contextual definition is outlined in the ASIC Corporate Plan 2021–24, which is available on our website.

For some of you, vulnerability may immediately conjure to mind individuals who we consider disadvantaged or marginalised. A person on a low income. A single parent. An elderly pensioner. Or a person with a physical or mental disability.

And while the threat of financial stress may be greater within certain geographical and socio-economic groups, I think 2020 more than ever reminds us that any individual can experience vulnerability as a result of any number of factors.

Some of these factors might include the actions of the market or individual providers. For example: being targeted with products that are inappropriate for a particular consumer, or being given inadequate or overly complex documentation.

It may also include personal or social characteristics that can affect a person’s ability to manage financial interactions. For instance: speaking a language other than English; having different cultural assumptions or attitudes about money; or experiencing cognitive or behavioural impairments due to intellectual disability, mental illness, chronic health problems or age.

ASIC’s definition of ‘vulnerable customers’ also includes those people experiencing specific life events or temporary difficulties. For example: an accident or sudden illness, a relationship breakdown, family violence, job loss, or the death of a family member.

2. Vulnerability during the pandemic

2020 will undoubtedly be one of the most memorable years in our lives. Etched into our history alongside other major world events such as natural disasters, wars and terrorist attacks.

Those of us who can look back on this time and remember inconveniences and even boredom can count themselves lucky. Many more will know real hardship and anxiety.

2020 has left many more people financially vulnerable than at any other time in our recent history. And the toll is not only financial – people are under emotional and cognitive strain too, which makes it even harder for them to seek help, make decisions and navigate processes.

ASIC’s definition of ‘vulnerable customers’ also extends to business entities.

It’s an understatement to say that many small businesses are doing it tough. Many business owners face serious financial stresses and, in some cases, insolvency. This financial stress extends to households and has been revealed by, among other indicators, home loan repayment deferral data.

At 31 May this year, data on home loan repayment deferrals collected by APRA shows deferrals peaked at approximately $192 billion, representing around 11% of total home loans. This corresponded to approximately 490,000 home loan facilities being deferred.

Pleasingly, the recent data shows there is a continued decline in those numbers. At 30 September, home loan repayment deferrals had declined by around one-third to approximately $133 billion, or 7.4% of all home loans. This corresponds to approximately 325,000 deferred home loan facilities.

During this time, many businesses and individuals have benefited from a combination of government support, bank forbearance and regulatory relief.

We have acknowledged the efforts of insurers and banks to meet the disruptions and uncertainty that have spanned close to 12 months now. From last summer’s response to natural disasters to the unanticipated uncertainty of COVID-19.

Promisingly, I am seeing encouraging signs of a commitment to recover community trust and confidence translating into action.

While we acknowledge these efforts, it is important for firms to ensure that safeguards are in place to make it easy for customers and businesses to navigate themselves to better outcomes.

I will come to this in more detail later, including to cover ASIC’s expectations, but first let me touch on ASIC’s strategic priorities responding to the impact of the COVID-19 pandemic.

2a. ASIC’s response to the pandemic

Alongside all those around us in industry, government and the broader community, ASIC had to adjust and respond to the impact of the pandemic.

Like others, we saw remarkable workforce transformation during this time. Across the country ASIC’s 2,000-plus employees transitioned to working from home remotely within a matter of weeks and continued business-as-usual.

In mid-April, ASIC announced it would temporarily change its regulatory work and priorities to allow it and regulated entities to focus on the impact of COVID-19.

We focused our efforts on assessing the key vulnerabilities of our regulated sectors in the evolving environment, and on developing short‑term strategic priorities to underpin our regulatory responses to address the immediate risks arising from the pandemic.

Some of the risks we identified included consumers being more at risk of scams, false or misleading advertising (particularly targeting retail investors), and unlicensed financial advice. The impact of – and consumer susceptibility to – these unscrupulous activities are exacerbated by financial stress or hardship that many people may already be experiencing.

In June, we clearly articulated our pandemic priorities in our Interim Corporate Plan. We reiterated the same five priorities in our full Corporate Plan in August. They are:

  1. Maintaining financial system resilience and integrity.
  2. Protecting consumers from harm at a time of heightened vulnerability.
  3. Supporting Australian businesses to respond to the effects of coronavirus.
  4. Continuing to identify, disrupt and deter the most harmful conduct.
  5. Continuing to build our organisational capability in challenging times.

A key consideration that we called out in our Corporate Plan is the extent to which we are supporting the long-term recovery of the Australian economy, in all the work we do.

In response to the pandemic, we established three internal working groups to respond to scams, unlicensed advice and misleading advertising.

2b. ASIC’s current priorities

Earlier this year, starting in March, we began to see lenders, such as banks, respond to the pandemic and offer assistance to consumers. This assistance often included an option for customers affected by the pandemic to defer repayments on their mortgage for a period of up to six months.

ASIC is closely monitoring how lenders are offering assistance to consumers. We have made two public announcements setting out our expectations of lenders:

  • First, in April this year we published expectations that were focused on providing customers with appropriate disclosure about assistance options. Importantly, customers should be informed about the consequences, including long-term costs of the assistance they are considering and ultimately may agree to.
  • Second, in September we published our expectations that were focused on how lenders should approach customers whose six-month repayment deferral is expiring. We expect lenders to take steps to understand what is preventing their customers from returning to mortgage repayments, and to better assess what further assistance may be appropriate.

In our announcements we have also set out expectations about how lenders should approach communications with customers:

  • In circumstances where a customer does not respond to a communication, you should try to contact the customer using a range of communication channels. Lenders should be able to evince that you have made reasonable efforts to contact your customers.
  • Where a customer’s repayment deferral expires and they miss a repayment, we expect you to make reasonable efforts to contact your customer and assess the appropriateness of further assistance being offered to them.

ASIC encourages all lenders to continue to work closely with their customers to develop options that provide short-term assistance to those experiencing difficulty due to the impacts of COVID-19, also to customers requiring longer-term assistance due to changes in employment, trading or community conditions post COVID-19.

We also recognise that unfortunately, there will be instances in which offering your customers further temporary assistance may in fact make their total indebtedness situation worse.

These instances need to be carefully identified by lenders and involve a high level of engagement with those affected. We are encouraging consumers to engage with their banks – early and often – and to seek debt counselling or other advice.

ASIC expects lenders to make all reasonable efforts to work with customers to keep them in their homes if that is in the customers’ best interests.

Hardship will be an ongoing area of focus for ASIC into 2021, where the fair treatment of consumers will remain fundamental to reaching good outcomes.


Now I will speak to the work we are doing on financial hardship in the life and general insurance sector.

Since June this year we have been working with life and general insurers to review and monitor how they are responding to their customers who are experiencing financial hardship. This work has involved:

  • direct engagement with the major life and general insurers to better understand customer behaviour;
  • the effect of Government stimulus measures; and
  • the support options and help being provided by life and general insurers to assist customers – either to keep their insurance cover (or make changes where appropriate) or to obtain insurance cover or make a claim.

Through ASIC’s engagement we set expectations and ensured that life and general insurers’ commitments and conduct in supporting customers was appropriate.

We have been encouraged by insurers’ responses and your efforts to uplift industry standards to ensure positive outcomes for customers, including:

  • broadening the range of support options available to policyholders;
  • proactively identifying, communicating with, and supporting consumers experiencing financial hardship;
  • implementing more robust systems and processes to identify and support vulnerable consumers;
  • specifically for life insurers – working closely with trustees and employers of group schemes to communicate with members, and extending the FSC Initiatives; and
  • specifically for general insurers – extending the end date of COVID-19 specific hardship assistance and ensuring travel insurance refund policies are based on clear eligibility rules and in a form that provides value to consumers.

ASIC believes, and insurers have acknowledged, that this work will form the basis for a more well-developed hardship framework in insurance for the future, in a situation-neutral environment.

We will continue to monitor how life and general insurers respond to consumers in financial hardship and those affected by COVID-19, to identify best practice and ensure positive outcomes for consumers. ASIC thanks you, the insurers, for your continued positive engagement on this work.

Predatory lending

As we continue to monitor lenders’ responses to consumer hardship, we are mindful of the potential for unregulated fringe lenders who are using the pandemic to prey on vulnerable people. In particular, people who are desperate to stay in their homes.

ASIC has zero tolerance for this kind of predatory behaviour, particularly lenders who are offering refinancing options that are nothing more than equity stripping.

If you or your clients see examples of this behaviour, we urge you to come forward and report it to ASIC.

Debt management firms in the spotlight

Another area of concern to ASIC, particularly in relation to vulnerable consumers, is the debt-management sector, which also includes services known as ‘credit repair’.

In 2016, ASIC published research into Australian debt management firms and the risks they present to consumers. The purpose of this report was to contribute to information about this growing sector and policy debate.

As part of the package of reforms announced by the Treasurer on 25 September this year, debt management firms will be required to hold an Australian Credit Licence when they are paid to represent consumers in disputes with financial firms. This reform is intended to take effect from 1 April 2021.

The Government’s reforms will require debt management firms to meet the ongoing obligations imposed on credit licensees. These obligations include a requirement to meet the ‘fit and proper person’ test, and to undertake their activities ‘efficiently, honestly and fairly’.

Internal Dispute Resolution

At the end of July this year, ASIC released RG 271 – our final Internal Dispute Resolution (IDR) guidance.

This new guidance follows extensive consultation with consumer and industry representatives and a wide body of work by ASIC – all of which revealed an evidence base for raising IDR standards across the financial sector.

Take timeframes. Existing IDR timeframes have remained the same for 20 years, despite technological developments and process improvements in industry.

With RG 271, the maximum IDR timeframes are now reduced from 45 days to 30 days for most non-superannuation complaints.

Complaints handling, the first step in the dispute resolution framework, plays a critical role – and presents a critical opportunity – for firms to restore consumer trust when things have gone wrong.

Complaints should be easy to make, and customer pain-points in application and switching processes should be reduced wherever possible.

We believe financial firms’ approach to complaints handling is a litmus test of how it treats its customers.

Complaint management cultures should welcome complaints and should focus on fairness, quality and timeliness in their handling.

And better IDR not only benefits customers, it also arms the boards of financial firms with rich and real time data on the customer experience and whether their needs are being met or not.

In your roles you will have seen examples of system failure. Of where mistakes have been made. The question to ask is – are we doing enough to make things right when they go wrong?

We continue to see significant remediation payments by industry:

  • Six of Australia's largest banking and financial services institutions have paid or offered a total of $1.05 billion in compensation, as at 30 June 2020, to customers who suffered loss or detriment because of fees for no service misconduct or non-compliant advice.
  • In 2020 another $32 million for junk consumer credit insurance taking the total to over $160 million to almost 450,000 consumers.
  • In 2019, the total remediation bill for add-on insurance was over $130 million to over 245,000 consumers sold a product with little or no value.

ASIC plans to release updated guidance for firms around remediation shortly.

3. Looking ahead

I’d now like to focus on what is on the horizon for 2021.

Design and distribution obligations

The design and distribution obligations (DDOs), which now commence on 5 October 2021, represent a step-change in financial services regulation, placing greater responsibility on issuers and distributors of financial products to appropriately design and distribute their financial products.

Under the obligations, industry must design fit-for-purpose products that meet consumer needs. They will also need to take steps to ensure their products are reaching the right consumers.

This includes consideration about how products are marketed and the sales practices adopted. Where poor consumer outcomes are identified, industry will need to consider whether changes are required to the design of their products and how they are being sold.

A vital consideration for industry generally, and the people present in this room particularly, will be ensuring robust and effective product governance arrangements are implemented, monitored and maintained to ensure compliance with DDOs. The Financial System Inquiry, which recommended these reforms, highlighted that weaknesses in processes for, and controls on, product distribution to consumers have led to significant consumer losses.

Robust and effective product governance arrangements will help firms avoid similar outcomes to those identified by the Financial System Inquiry, as well as the Financial Services Royal Commission. By establishing consumer-centric practices across the lifecycle of products, industry can better manage non-financial risk, avoid costly future remediation and continue to rebuild consumer trust by delivering better consumer outcomes.

As internal auditors and compliance professionals, you are well-placed to be the agents of change here, by assessing and improving your risk management and governance processes ahead of the commencement of DDOs on 5 October 2021.

The obligations require firms to review the arrangements they put in place, periodically and in response to events and circumstances that reasonably suggest their arrangements are no longer appropriate. To support this process of review and refinement over time, firms will need to collect, analyse and act upon information – including about consumer outcomes, and address problems if they arise. 

By meaningfully engaging with DDOs and strengthening product governance arrangements, industry can go a long way to addressing consumer harm, including for the most vulnerable consumers. As industry steps in to address these harms, ASIC can step back.

Over time, as recognised by the Financial System Inquiry, compliance with the obligations may result in the need for less prescriptive regulation in the future and the potential for deregulatory initiatives.

To achieve this, though, compliance is essential. ASIC expects compliance with the design and distribution obligations from Day One. In order to do this, industry needs to invest in their systems now and ensure they are properly able to monitor the outcomes of their products come 5 October next year.

Questions to ask now

There are a few questions the boards of financial services firms ought to ask their senior executives now:

  1. Are we getting ready for DDOs?
  2. Do we have the data we need to ask and answer fundamental business questions?
  3. Do we know our target market for this product?
  4. Does it meet their needs?
  5. Is this product of value to that target market?
  6. Do our distribution controls, including our chosen distribution channels, mean it’s getting to our target market?
  7. Would we know if it wasn’t?

ASIC will be releasing its final guidance on these obligations soon.

Investing in systems and data

A final issue which will remain a focus of our work at ASIC is the importance of data.

Our supervisory work has identified poor data technology systems and associated processes as a root cause of institutions’ poor practices in identifying and responding to customer complaints, incidents and issues.

Notably, a review of breach report samples lodged with ASIC points to underinvestment in technology systems as a root cause of the reported breaches in a significant number of cases – ranging in estimates of around 40% in some areas (including bank overcharging) to around 70% in others (including insurance overcharging).

ASIC’s review of Total and Permanent Disability insurance likewise found critical absences of data – insurers were not using, or in some cases even collecting, data to enable them to identify the very poor consumer outcomes being produced.

This is the big challenge for industry – without this data, insurers cannot identify the value of their products to consumers, including your target market determinations.

ASIC’s work has found significant limitations to the systems inside a wide range of financial institutions. The current state creates operational risks. It also suggests that historical Board and management decisions on the development and maintenance of these systems did not have the long-term interests of consumers at their core.

A combination of poor systems and poor governance means delays in picking up problems and ultimately results in lengthy and costly remediation programs.

Given the year that ASIC has had, I do not say this lightly: investment in getting data and systems right is essential. And it is overdue.

An important observation to share is that lenders with better data and technology capability, for example, based on analytics and enhanced with artificial intelligence, were able to respond more quickly and in a targeted, tailored fashion to borrowers needing additional support this year with loan deferrals.

Numbers, data, consumer outcomes – they all matter for rebuilding trust. Assurance processes have an important role to play. Auditors can help elevate the data, help identify risks or problems early, mine the data for good use and influence the design to deliver fit-for-purpose solutions.


The realities of COVID-19 have inevitably amplified and increased vulnerability across many Australian households.

The pandemic may have reduced some people’s capacity to engage with financial decisions and handle ‘life administration’ tasks such as choosing appropriate financial products, consolidating or switching loans.

It has also reduced some people’s capacity to assess information, which may have resulted in a lowering of their defences, making them more vulnerable to scams and misinformation.

At this time, it is especially important for firms to ensure that safeguards are in place to make it easy for customers to navigate themselves to better outcomes.

So in conclusion, what does ASIC expect your company, and you as an assurance specialist, to do?

We expect firms to:

  • understand customer outcomes, monitor those outcomes and deliver those outcomes;
  • design and offer products that deliver value – not surprises – and are sold fairly;
  • design ‘choice architecture’ that is fair for customers; and
  • tackle head-on complexity in financial services and products that are unnecessary and harmful to customers and, ultimately, a value loss for shareholders.

While ASIC’s vision for a “fair strong and efficient financial system for all Australians” focuses our efforts and frames everything we do, it is not only about us. It is a vision for all.

Parliament has given ASIC the regulatory tools we need to take a targeted, outcomes-based and less prescriptive approach to regulation. By embracing their design and distribution obligations and own self-regulatory code, industry can go a long way to addressing consumer harm. To ‘step in and step up’.

Our expectation is that, with the post-Financial Services Royal Commission regulatory toolkit in place, we will only intervene when the warning signs of harm and misconduct require us to do so.

Of course, this does not mean that we will be any less busy, especially in the enforcement space, where our ‘why not litigate’ posture will continue to apply.

While the focus in the current macro-economic environment is primarily addressed at ensuring credit flows quickly and efficiently to borrowers, customers still expect to be treated fairly and for their interests to be placed first.

Thank you.
