Speech by Chair Joseph Longo at the Corporate Counsel Association’s Executive Committee webinar, 25 May 2022.
Check against delivery
I begin today by acknowledging the Traditional Custodians of the land on which we meet and pay my respects to their Elders past and present. I extend that respect to Aboriginal and Torres Strait Islander peoples here today.
It is great to join you.
In my opening remarks, I’d like to start with ASIC’s priorities, particularly in corporate governance, followed by some of the digital challenges and opportunities we face.
It is my job to advance the public interest. It is yours to advance the interests of your organisation.
Before I joined ASIC for the second time, many of you will know that I worked as general counsel at Deutsche Bank. I understand the scope and challenges of the role of in-house counsels. It requires a clear understanding of whose interests you have to protect and advance.
The remit is broad, and the work is complex and challenging. It requires a willingness to turn your hand to everything thrown your way. You play a critical role to advise and support boards and executives to discharge their legal, risk and compliance functions. The most successful general counsels are at the table making an impact on what a firm does or doesn’t do, playing a critical role as a gatekeeper of legal risk and compliance within your firm.
This requires leadership from you to drive a culture of compliance across your organisation. Just as important is the oversight of the right systems and processes to embed this culture in the way your organisation works.
What do we mean by compliance in this context? Regulatory compliance is about a firm’s ability to achieve the outcomes it has promised its customers and stakeholders within the law.
This means focusing on putting outcomes for those customers and stakeholders at the centre of the way the firm operates, rather than relying solely on a checklist of legal obligations.
In your role, you oversee an array of complex issues and legal obligations facing your organisation and the industry you are in, and I acknowledge the complexity of these obligations.
As you know, the Australian Law Reform Commission (ALRC) is currently considering the potential simplification of laws that regulate financial services in Australia. This work is of fundamental significance to the Australian legislative landscape. ASIC is working closely with the ALRC to help achieve its ambitious objectives.
In your role as general counsel, consider the important contribution you can make as part of the law reform process, whether in the context of the ALRC review or other law reform initiatives relevant to your sector.
I’d like to turn now to the issues we’re focused on, including:
- reducing the risk of harm caused by poor product design, distribution, and marketing, especially by driving compliance with new requirements
- supporting market integrity through proactive supervision and enforcing governance, transparency, and disclosure standards
- protecting consumers, especially as they plan for retirement, with a focus on superannuation, managed investments, and financial advice, and
- focusing on the impacts of technology, driving good cyber risk and operational resilience practices, and acting to address digitally enabled misconduct.
Enforcement remains fundamental to ASIC’s remit and effectiveness. ASIC will continue to be a strong and targeted law enforcement agency, and an active litigator against misconduct.
Internally, we’re focused on:
- our digital capability uplift and expanding our use of technology to support more efficient processes in our regulatory work; and
- our data strategy, including access to information and adoption of analytic tools to better identify harms and prioritise our activities.
I will talk about our digital and data priorities later, but first I would like to expand on cyber resilience.
Earlier this year, the Australian Cyber Security Centre (ACSC) issued an alert encouraging all Australian organisations to adopt an enhanced cyber security position. Failure of cybersecurity measures was recently identified by Australian executives as their number one risk, according to a World Economic Forum report.
ASIC’s report from December 2021 showed that firms operating in Australia’s markets had a small but steady improvement in cyber resilience. However, the increase of 1.4% fell far short of the 14.9% improvement targeted for the period. This shortfall was, in part, attributable to pandemic-related disruptions.
As we approach the end of the financial year, against the backdrop of a heightened cyber threat environment, companies should be reviewing their cyber resilience settings and taking action.
This includes ensuring that detection, mitigation, and response measures adequately address a firm’s risk appetite. We encourage firms to assess their preparedness to respond to cyber security incidents, and to review incident response and business continuity plans.
ASIC is not seeking to prescribe technical standards or to provide expert guidance on cyber security. However, where we consider that a firm has not met its cyber risk management obligations, we may consider enforcement action to drive changes in behaviour.
One example from earlier this month is the Federal Court’s decision in ASIC’s case against the RI Advice Group. The Federal Court found the Australian financial services licensee breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
When handing down the judgment, Her Honour Justice Rofe made it clear that cyber security should be front of mind for all licensees, stating, ‘Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.’
This decision sets an important legal precedent as it makes it clear that licensees need to ensure they have adequate technological systems, policies, and procedures in place to protect sensitive client information from cyber attacks.
Turning now to another corporate governance priority for ASIC and key issue for Australian organisations – whistleblowing.
ASIC is responsible for administering the expanded whistleblower protection regime for companies and superannuation trustees.
Whistleblowing is a key part of transparent, accountable, and safe workplace culture. Whistleblowers provide early warning and visibility of issues and can help identify and call out misconduct and harm to consumers and the community.
I know you will play an important role when faced with whistleblower disclosures within your organisation. They can be quite sensitive and difficult to deal with. They require careful judgement by general counsels.
I encourage you to look at the work ASIC has done to date and ensure your firm’s whistleblower policy is adequate.
The strengthened whistleblower protection regime started on 1 July 2019. Unfortunately, our 2020 review of whistleblower policies found that many companies fell short. Most of the policies we reviewed were deficient. They were out of date, contained incomplete or inaccurate information, or lacked oversight arrangements.
ASIC is now reviewing company whistleblower programs from a cross-section of industries. We will assess how these firms are handling whistleblower disclosures, how they use the information from disclosures to address issues or change their operations, and the level of board and executive oversight of the program.
ASIC also assesses and investigates reports from whistleblowers. Since the reforms commenced, we continue to receive more reports each year.
Beyond having the right policy framework in place, I ask you to consider if your organisation has effective processes in place to assess and deal with whistleblower complaints.
I’d like to turn now to emerging technologies that are changing the financial services landscape.
New digital models, such as decentralised autonomous organisations (DAOs), are governed by artificial intelligence (AI) in the form of smart contracts, using blockchain technology, to record transactions with and between their members and third parties.
We are all familiar with traditional corporate structures and governance models, with clear legal frameworks, such as limited partnerships, partnerships and joint ventures.
With DAOs, however, there are no boards of directors in sight, and the rules of engagement are coded in smart contracts. It isn’t immediately clear who the controlling mind is.
What is obvious is that DAOs present new challenges when it comes to governance, accountability, and criminal responsibility. We have a long way to go to fully understand DAOs, how, why and when they might be an appropriate mechanism to use, and how they might be effectively overseen or regulated.
We are also observing crypto-assets becoming increasingly mainstream, with more and more Australians accessing these assets. More than 800,000 Australians have transacted in digital assets in the last three years, representing a 63% increase in 2021 compared to 2020.
We also continue to see high rates of crypto-related scams.
Consumers who access unregulated products are not offered the same level of protection that traditional financial intermediaries are required to provide. Research shows that most consumers do not understand the risks in these products, or that they are not regulated. Where those digital assets are financial products or financial services, our supervision is incorporated into our overall supervision of the activities of all providers of investment products.
Consumer protection should be a key focus of any regulatory regime applying to crypto-assets.
Our role is to administer the regulatory regime currently in place. The extent to which our regulatory regime applies to crypto-asset investment products depends on whether they fit within the legal framework for financial products and services.
To assist firms, we issued two information sheets:
- INFO 219, which describes how the financial services regulatory framework may apply to distributed ledger or blockchain technology, and
- INFO 225, which describes when and how crypto-assets may fit within the financial services regulatory framework.
In October last year, following consultation, we released guidance (INFO 225 and INFO 230) for product issuers and market operators on how they can meet their regulatory obligations relating to crypto-asset exchange traded products (ETPs) and other investment products. To ensure these ETPs maintain investor protections and Australia’s fair, orderly and transparent markets, we issued good practice guidance that covers admission and monitoring standards, custody of crypto-assets, pricing methodologies, and disclosure and risk management.
Deciding if investments that don’t fit within the concepts of financial products or services should be regulated is a matter for the Australian Parliament.
Last year, the Australian Government responded to recommendations made by the Payments System Review, the Senate Select Committee on Australia as a Technology and Financial Centre and the Parliamentary Joint Committee on Corporations and Financial Services (PJC) Inquiry into Mobile Payments and Digital Wallets.
The Government’s response foreshadowed a program of consultation and policy development. ASIC is working closely with Treasury on this.
In March this year, Treasury released a consultation paper, Crypto asset secondary service providers: Licensing and custody requirements, for public feedback. The paper’s proposals include:
- a regulatory model, which is a tailored licensing framework for crypto-asset secondary service providers, sitting beside the existing Australian financial services (AFS) and market licensing regimes for crypto-asset financial products, and
- obligations on firms that provide access to crypto-assets and custodial services.
The consultation also seeks views on two alternative regulatory models.
ASIC’s digital future
ASIC is not immune to the digital challenges you face. We have our own program of work to improve our digital capabilities.
Work is already underway, and we are on a path to fully harness the benefits of new and sophisticated technologies to drive more efficient, informed, and targeted regulation.
One example is where we have used AI and machine learning to identify insider trading rings. We use AI to map real-time share trading with data from the Australian Taxation Office (ATO). Our algorithms identify connections between traders and family members, colleagues, neighbours and, more recently, directors of companies. This system then alerts us to trades that may be suspicious.
This technology will significantly reduce the manual work associated with identifying insider trading and has resulted in more targeted enforcement action. I’m sure you are all aware of the significant harm insider trading presents to our financial system.
We continue to invest in technology to become a digitally enabled regulator, but there is a long road ahead. We are finalising our digital road map to transform the way in which we work. I am especially interested in improving the way in which we interact with you, our regulated population, and how we can use digital technologies to make compliance more streamlined.
Good data governance is a key challenge and responsibility for us, and we are focused on ensuring we have both the staff capability and the technological safeguards to enable and support effective data governance standards.
ASIC will continue to engage with the market and the community to help us make the right decisions in this rapidly evolving area.
One of the questions for you to consider is whether your organisation is harnessing and investing in good systems and processes and new and emerging technologies. Investment in this area helps embed a culture of compliance into the way your organisation works.
Reference: World Economic Forum, Global Risks Report 2022.