Compliance and enforcement in retail credit and financial services

Address by ASIC Deputy Chair Sarah Court at the Australian Retail Credit Association Credit Summit, 16 November 2023



Key points

  • With an increasing number of consumers experiencing financial distress and difficulty due to cost-of-living pressures, ASIC is calling for lenders to take all necessary steps to avoid either causing or compounding these difficult circumstances through poor conduct.
  • ASIC has taken enforcement action in the credit sector and will continue to do so. We are particularly concerned where it appears to us that business models have been designed to avoid consumer credit protections.
  • Our focus on protecting vulnerable consumers and those in financial hardship will continue to guide our oversight of the design and distribution of credit and credit-like products.

Check against delivery

Good afternoon to you all. It’s a pleasure to be here with you today – and I want to thank ARCA for inviting me to be a part of their 2023 Credit Summit.

I am very much of the view that ASIC should engage actively, openly and often with those it regulates. Communication is one of our most powerful regulatory tools – and events such as this are an important opportunity to explain our priorities and expectations – and, in doing so, promote compliance.

It is with this outcome in mind that I join you today – and, in the spirit of active and open engagement, I am looking forward to taking your questions later.

Before I begin, I would like to acknowledge the traditional owners and custodians of the land on which we meet today, and to pay my respects to their elders past, present and emerging. I extend that respect to Aboriginal and Torres Strait Islander people present today.

ASIC is Australia’s corporate, markets, financial services and consumer credit regulator. Naturally, given the interests of this audience, my main focus today will be on the latter. There are three main areas I want to discuss with you today.

  • First, I will outline ASIC’s priorities for the consumer credit sector, and in particular, our current focus on financial hardship.
  • Second, I will cover our work on the product design and distribution obligations (or DDO), and their regulatory importance on the provision of credit.
  • Third, I will provide some observations on the reportable situations regime, where ASIC has growing compliance concerns.
  • Finally, I will touch briefly on some cross-sector work, in relation to digitally enabled misconduct – which is of relevance to all our regulated entities.

ASIC’s priorities for the consumer credit sector

First to our priorities for the consumer credit sector.

ASIC takes a strategic, risk-based approach to regulation. In setting our priorities, we carry out in-depth assessments of our operating environment and the sectors we regulate to identify emerging threats.

Based on this, we target our regulatory interventions at conduct which has the greatest potential for harm. In doing so, we seek to direct our finite resources to where we are able to have the most impactful outcomes.

In the current economic climate, there are clear threats to retail credit consumers. In particular, we are seeing evidence that increasing numbers of consumers are experiencing financial distress and difficulty due to cost-of-living pressures. These pressures have been well documented.

Indeed, in a round table with consumer advocates earlier this week, ASIC Commissioners heard first-hand of the growing demand for financial counselling services, and the poor approach of some lenders to engagement with consumer representatives who are seeking to assist clients in financial distress.

ASIC’s overarching concern in this area is that lenders take all necessary steps to avoid either causing or compounding such distress through poor conduct. Whether it be through predatory lending practices, non-compliance with consumer protections, the provision of high-cost credit and/or poor product design or distribution.

As I have already observed, communication is one of our most powerful regulatory tools. To this end, as some of you will know, in August we published an open letter calling on lenders to ensure they are appropriately supporting customers in hardship. This followed earlier risk-based supervision of a number of banks, which raised concerns for us about their hardship practices and their capacity to meet increased volumes of applications for assistance.

In our letter, ASIC set out its expectations of lenders – and the steps they should take to meet their obligations.

These include:

  • Proactively communicating how and when customers can seek assistance – and making it easy to do so;
  • Ensuring customer-facing staff are trained and have procedures in place to help them identify when a customer might be experiencing hardship;
  • Genuinely considering a customer’s individual circumstances to develop sustainable solutions, where possible; and
  • Communicating regularly with customers throughout the assistance period.

The letter was also sent to the CEOs of 30 large lenders – from whom we are collecting data relating to financial hardship applications. For 10 of these lenders, who are large home loan lenders, we are also reviewing their practices to understand their approach to customer hardship.

Communication is though but one part of our approach. In some circumstances, where we have stronger concerns, we have taken court action to enforce important consumer protection obligations.

For instance, in September we commenced civil penalty proceedings against Westpac, alleging that the bank had failed to respond to customer hardship notices within the required 21-day timeframe.

The case alleges that 229 Westpac customers were impacted, all of whom had advised Westpac they were experiencing hardship. Many of them had also told Westpac about their difficult circumstances and vulnerabilities, including their inability to work, the impacts of serious medical conditions or their carer responsibilities.

In some cases, we were concerned that these customers endured debt collection activities by Westpac while waiting for the bank to respond to their hardship notices.

We took on this case because of the circumstances of those individuals, and because submitting a hardship notice can be a lifeline for people experiencing challenging financial circumstances, but this can only be the case if those notices are responded to promptly.

The matter remains before the court.

We have taken a range of other enforcement actions in the credit area, and will continue to do so. We are particularly concerned where it appears to us that business models have been designed to avoid consumer credit protections.

To that end you may be familiar with our long-running litigation against Cigno Pty Ltd and BHF Solutions Pty Ltd, where the Federal Court finally found earlier this year that the objective purpose of the particular lending model established by those companies was to avoid the provisions of the National Credit Act and National Credit Code, which of course provide for the protection of consumers from disproportionate fees and charges.

Despite this finding, ASIC was required to act again last month to take further proceedings, this time against Cigno Australia Pty Ltd and BSF Solutions Pty Ltd together with a director of each company, alleging again that the companies were providing short-term credit. The case alleges that more than 100,000 consumers between July and December 2022 were charged substantial fees without either entity holding an Australian credit licence.

To give a size of the scale of the issue, ASIC alleges that BSF Solutions Pty Ltd provided over $34 million in loans while the companies together charged over $70 million in fees, without either entity holding an Australian credit licence.

These cases are just a small part of our enforcement work in this area – earlier this year, ClearLoans was penalised $6 million for financial hardship misconduct and other breaches of the Credit Act during the COVID pandemic; Ferratum Australia Pty Ltd was found to have charged prohibited fees and overcharged customers on small amount credit contracts; and ASIC currently has cases in court against Rent4Keeps, Layaway Depot and Sunshine Loans Pty Ltd amongst others, all alleging various breaches of the credit legislation protections.

We think this work is critical to the protection of financially vulnerable consumers, and we will continue to prioritise this work.

Product design and distribution

Turning now to product design and distribution.

No doubt most of you are familiar with the design and distribution obligations (or DDOs). But, in brief, this legislation is designed to protect consumers from being sold products that do not meet their objectives, needs and financial circumstances.

This legislation has provided ASIC with a range of additional powers, including the ability to issue interim stop orders, where we form the view that a financial product is being issued or distributed to consumers or investors for whom it is not suitable.

These new tools are becoming increasingly critical in our work in credit regulation.

The DDO approach marks a significant departure from earlier consumer protection frameworks, which relied heavily on disclosure as a harm mitigation. As such, DDO has dramatically changed the rules of the game – and, it’s fair to say, created a distinctly more level playing field.

To describe ASIC as the red card waving referee might be to labour the metaphor. So, to put it in plainer terms, we are actively using our DDO powers – including interim stop orders.

Here again we take a risk-based approach – and our focus on protecting vulnerable consumers and those in financial hardship will continue to guide our oversight of the design and distribution of credit and credit-like products.

In the last financial year, we issued close to 80 interim stop orders. Included among them was a credit-for-rent product and a buy now, pay later product. In both cases, we considered consumers of these products to be at increased risk of financial stress. In both cases, too, the issuer addressed ASIC’s concerns and the orders were revoked.

In December, we commenced our first civil penalty proceedings alleging breaches of the DDOs. The case concerns two credit cards issued by American Express that were co-branded with retailer David Jones, and distributed in part through David Jones retail stores. Under the design and distribution obligations, Amex was required to consider and document – in a target market determination – which consumers these credit cards were appropriate for, and how the cards were to be appropriately distributed.

ASIC’s case has two components. First, we allege that the target market determination issued by Amex did not have appropriate distribution limits. Second, we allege that for some time Amex was aware both that cancellation rates for consumers who applied for the credit cards instore were significantly higher than those who applied online; and that some consumers were confused about whether they had applied for a credit card (rather than a loyalty card) at all – and that this circumstance should have indicated to Amex that the TMDs were not appropriate, thus requiring Amex to review them and stop issuing the credit cards.

It is important to recognise that this case remains before the court and is being defended.

Speaking more broadly, we consider that the DDO obligations require product providers to monitor and review – on an ongoing basis – whether consumers are receiving products consistent with their needs, objectives and financial situation. This means product issuers cannot apply a set-and-forget mindset to product governance. Once a provider is on notice that consumers are experiencing poor outcomes from their products, active consideration needs to be given as to whether changes to the target market or distribution of the product needs to be made.

So where to next with DDO?

In addition to our increased scrutiny of TMDs, where we note there is a need for improvement in a number of areas, we are now turning our focus toward what can be described as the ‘reasonable steps’ obligations. These are the actions taken by product issuers to ensure products are distributed in line with the TMDs.

In the coming months, ASIC will begin to review:

  • How product issuers distribute their products, including interacting with any product distributors, to ensure they are not straying beyond their target market;
  • How they monitor product governance arrangements; and
  • How they review data to ensure customers are receiving suitable products on a continuing basis.

The reportable situations regime

As I mentioned earlier, ASIC has a number of concerns relating to compliance with the reportable situations regime. This legislation, which has now been in effect for two years and replaced the formerly known breach reporting regime, requires financial services and credit licensees to notify ASIC in writing of all reportable situations.

These include:

  • Significant breaches or likely significant breaches of core obligations;
  • Investigations related to these, that last more than 30 days;
  • Conduct that constitutes gross negligence or serious fraud;
  • Other situations deemed significant and therefore reportable, such as a contravention of a civil penalty provision; and
  • Reportable situations about other financial adviser and mortgage broker licensees.

We are concerned that the proportion of licensees reporting remains very low. Indeed, since the regime commenced, only 11% of the licensee population has submitted a report. This suggests to us that many licensees may not be in compliance.

Additionally, we are concerned that licensees are taking too long to identify and investigate some breaches – and that a significant number of remediation activities are taking too long to complete. In 17% of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.

Reports lodged by licensees are a critical source of regulatory intelligence for ASIC – and we are now considering taking stronger action to improve compliance rates, including enforcement action where appropriate.

Digitally enabled misconduct

Before I conclude, I want to spend a few minutes on digitally enabled misconduct – as something of relevance to all our regulated entities.

As one of the first lines of defence against digitally enabled misconduct, ASIC is increasingly setting its sights on the cyber and operational resilience of our regulated entities – and we continue to supervise and engage with stakeholders to encourage ongoing improvement.

As part of this, we conducted a cyber pulse survey earlier in the year, inviting companies to share their views on their cyber security and controls, governance arrangements and incident preparedness. We published insights from this work earlier this week.

ASIC is one of a number of agencies that regulate cyber risk. While we are not seeking to prescribe technical standards nor to provide expert guidance, where we consider that an entity has not met its cyber risk management obligations, we may consider enforcement action to drive changes in behaviour.

As would be expected with a challenge of this nature and complexity, tackling digitally enabled misconduct very much demands a multi-agency, multi-sector response.

One excellent example of this kind of collaboration is the National Anti-Scam Centre, which was established in July and brings together expertise from across the public and private sectors.

As a key partner, ASIC is co-leading the centre’s first investment scam fusion cell with the ACCC – alongside representatives from the banks, telecommunications industry and digital platforms. Together we will undertake a range of actions to disrupt investment scams and minimise losses – which currently cost Australians over $1.5 billion annually.

These actions include:

  • Removing investment scam websites from the internet;
  • Providing information to the public so they can avoid investment scams;
  • Sharing information about investment scam activity to assist the private sector to take disruption action; and
  • Identifying intelligence to refer to law enforcement in Australia and overseas.

ASIC has already made strong progress on the first two of these. Since July this year, we have initiated the take-down of more than 2,500 investment scam and phishing websites. And, just over a week ago, we launched our new investor alert list – which identifies fraudulent, scam or unlicensed entities, both domestic and international.


That brings me to the end of my prepared remarks. Before I take your questions, I want to thank you for your time today.

I hope I leave you with greater clarity about our priorities and expectations – and the important role your sector has to play in supporting its customers through, what regrettably for some of them, will be a challenging period ahead.

Thank you.
