Conversation with ASIC: AFIA Risk Summit


A speech by ASIC Commissioner, Sean Hughes, to the Australian Finance Industry Association (AFIA) Risk Summit, Tuesday 16 February 2021.

Check against delivery


Thank you to Dianne for the introduction and to AFIA for the invitation to speak to you all today.

Let me begin by acknowledging the Traditional Owners of the many lands upon which we gather today, and pay my respects to Elders past, present and emerging.

It’s great to be joining you as part of the conversation at the AFIA risk summit.

There are many uncertainties facing the industry at this time. The potential for financial instability and disruption last year was the greatest we have seen in recent times.

2020 will be a marker in the history books as one of the most memorable in our lives. A pandemic, border closures, lockdowns, economic uncertainty and contraction, followed by large government stimulus… all of which was entirely unpredicted.

To set the scene for our discussion of ASIC’s priorities in 2021, I need to reflect on what we gained from 2020.

Our national response and ability to pull together as a community mean Australia is currently better positioned than most around the world. I emphasise ‘currently’ because none of us can be certain about what will happen tomorrow, or next week.

2020 has resulted in all of us getting better at living with uncertainty, whether we wanted to or not:

  • We learned how to work from home, together, amid disruptions from family and pets.
  • We are learning to tolerate home schooling, sudden lockdowns and COVID hairstyles.
  • We are learning to accept that living with uncertainty is not always easy, and it’s okay to reach out to others when we are struggling.

The best thing we have gained from 2020 and its trials is resilience – as individuals and collectively as organisations.

Resilience is ASIC’s byword for 2021. We are here to ensure confidence in a financial system that – even under stress – can remain fair, strong and efficient.

With that in mind there are three issues I’d like to discuss before I take questions:

  • First, ASIC’s work in the Buy Now Pay Later sector and the outcomes we are looking for from the industry’s Code of Practice.
  • Second, I’ll discuss the role of design and distribution obligations and ASIC’s product intervention powers.
  • And third, I’ll outline other topics on ASIC’s agenda for 2021. This includes responsible lending; Royal Commission reforms; consumer remediation; cyber security and technology infrastructure.

1. Buy Now Pay Later

The BNPL industry continues to grow and evolve. While these arrangements are working for most consumers, some are incurring missed payment fees and report being financially stressed.

The new Design and Distribution Obligations and industry code of practice, both of which I’ll discuss later, should help address the harms that we continue to see for consumers.

ASIC examined the findings of the Financial Conduct Authority’s Woolard Review in the UK, and it’s interesting to note that some of its findings and observations were similar to ASIC’s BNPL report from November last year.

Before I give you an overview of ASIC’s BNPL report, I will reiterate that how BNPL arrangements are regulated in Australia is solely a matter for Government.

As will come as no surprise to the people in this room, the data in the ASIC BNPL report revealed significant growth and evolution in the BNPL sector. There were substantial increases in the number of open accounts; total transaction values; users; and transactions.

What I need to highlight today are the worrying statistics on consumers’ experience of BNPL arrangements.

  • 1 in 5 (21%) users had missed a payment in the last 12 months.
  • Some consumers were struggling to meet other financial commitments: 1 in 5 (20%) said in the last 12 months they cut back on or went without essentials to make their BNPL repayments on time.
  • 1 in 6 (15%) said they took out an additional loan to make their BNPL repayments on time.
  • Consumers with multiple BNPL arrangements are more likely to experience financial stress.

Data collected from the Big Four banks revealed that consumers who use BNPL and make their repayments on a credit card were more likely to incur interest on their credit card, compared to non-BNPL users. They are also more likely to have higher credit card utilisation compared to non-BNPL users.

ASIC’s expectations of the BNPL Code

This leads me to AFIA’s important work on developing a BNPL Code of Practice, as self-regulation is an integral part of the regulatory framework.

I understand ASIC was provided with the latest draft last week which our team is reviewing.

What I would like to state are ASIC’s expectations of the Code’s outcomes. Because ultimately, it’s the outcomes that will prove whether or not self-regulation is meaningful.

In a nutshell, we encourage you to develop a robust Code that focuses on fair outcomes for consumers. To achieve this goal, it has to accommodate different BNPL business models – including emerging models where possible.

The Code will also need to incorporate strong review and compliance mechanisms to help promote fair consumer outcomes, in line with community expectations, and have the force of sanctions for those that fail to comply.

I encourage the BNPL industry and AFIA to include in the Code of Practice a suite of targeted and specific responses to each type of consumer harm ASIC identified in our 2020 BNPL report.

We would encourage further consideration of how the Code can address concerns around multiple late fees.

To effectively manage the risk of consumer harm, the Code not only has to be targeted and specific. It also has to be regularly reviewed with speed and agility to maintain its relevance.

For example, the Code might set different thresholds for certain standards and obligations. Products with higher credit limits or longer terms would be one instance where different thresholds apply than to products with lower credit limits or shorter terms.

ASIC encourages you to review these different thresholds periodically, especially as new features and products emerge.

And even more importantly, we advocate for the different thresholds to be supported by data and evidence that indicates why that particular threshold is suitable.

We welcome further engagement with you on the details of the Code. I’m sure it is a priority for you in 2021 and that a lot of work is being done to move it in the right direction. And on behalf of my colleagues at ASIC, we look forward to engaging with you collaboratively on it.

2. DDO and PIP

Next, I’ll cover ASIC’s other key priorities for 2021 – the design and distribution obligations and ASIC’s product intervention powers.

Design and distribution obligations (DDOs)

DDOs are commencing on 5 October 2021 and represent a real step-change in financial services regulation.

You should be well underway in considering how best to approach implementing DDOs for your products and distribution. Everyone has had a two-and-a-half-year transition period to get ready and ASIC considers this has been ample time for businesses to build their compliance capability for day 1 delivery.

The DDOs should reduce harms suffered by consumers, caused by past instances of mis-selling conduct and poor product value.

They embed a consumer-centric approach to the product lifecycle and should assist industry to deliver better outcomes for consumers while managing non-financial risks and avoiding costly remediation.

To comply with DDOs, firms must introduce and maintain effective product governance arrangements focused on consumer outcomes.

ASIC has engaged extensively with industry in developing guidance and will continue to support the implementation of the obligations.

We encourage you to openly discuss DDOs with your peers and utilise forums like this summit to do so. Your products are likely to have similar attributes and your peers may have the same questions as you.

You should be underway in discussing your approach to DDOs with your distributors. This is critically important – I urge you to engage with distributors early and meaningfully on your approach to ensure they also complete their preparations.

As I said earlier, from 5 October onwards ASIC will be expecting you to be ready to meet your obligations.

Another vital aspect of DDOs to consider is the information flow between issuers and distributors. You must get these information settings right so your organisation has the information you require for compliance.

ASIC has published guidance on DDOs (RG 274), to assist you to understand those obligations. We encourage you to think of it as a starting point in understanding our view of what the obligations require. We will also continue providing support to industry as you prepare for commencement. However, the law is the law and we will not be shy in enforcing it.

Product intervention power

Alongside the DDOs sits ASIC’s new regulatory tool, our product intervention power (PIP).

By giving us PIP, Government has enabled ASIC to take a targeted, calibrated and less prescriptive approach to regulation.

As industry steps up to manage both financial and non-financial risks, ASIC will only need to intervene when early-warning signs of harm and misconduct require us to do so.

I regard PIP as an extremely important addition to ASIC’s regulatory toolkit. It allows us to intervene where we are satisfied that a product (or class of products) is likely to result in significant consumer detriment.

PIP enables ASIC to confront, and respond to, harms in the financial sector in a targeted and timely way. But there are important checks and balances – it is a temporary intervention power and we must consult before each and every use. Affected entities can seek to review our decisions.

Over time, the targeted solving of problems through product intervention may result in less regulation of industry overall. In recommending PIP, the Financial System Inquiry identified the objective of limiting or avoiding the future need for more prescriptive regulation.

3. Looking forward

I’ll now wrap up my update with a round-up of what else is on ASIC’s radar for 2021, namely responsible lending; Royal Commission reforms; consumer remediation; cyber security and technology infrastructure.

Responsible lending

On the topic of responsible lending, this is very much an ongoing process and entirely a matter for Government to give effect to its policy. We’re working closely and collaboratively with Treasury and APRA to progress the credit reforms.

ASIC will appear before the Senate inquiry soon to explain the role we have played to date in regulating consumer credit, and our approach to supporting the economy and the community in relation to loan deferrals and other credit issues during the pandemic. We will also be answering questions on how we propose to implement the reforms (including alongside APRA) once they are enacted.

Royal Commission reforms

We are continuing our Financial Services Royal Commission legacy work.

The Royal Commission made 13 referrals to ASIC, four of which are currently in litigation, one of which concluded with $57.5 million in civil penalties (NAB NULIS), one in which the Court declared Youi had breached its duty of utmost good faith, and the others remain under investigation.

In addition to the 13 referrals, ASIC to date has either commenced or finalised action in 12 Royal Commission case studies.

The Government has passed a number of reforms implementing the Royal Commission recommendations, and ASIC is working to deliver guidance to industry, where needed, ahead of commencement of various new obligations.

This year we are implementing a range of reforms including:

  • unfair contract terms
  • breach reporting
  • insurance claims handling
  • reference checking requirements for brokers and advisers
  • a deferred sales model for add-on insurance
  • anti-hawking
  • mortgage broker best interests duty
  • a raft of superannuation reforms
  • and the DDOs, which I mentioned earlier.


Of course, when individuals or companies break the law, it’s important that customers are put right, and not left out of pocket.

So, we will maintain our focus on consumer remediation. This has proved a resource-intensive and at times challenging endeavor for ASIC.

We do not oversee all remediations and nor should we. Responsibility for consumer remediation lies with each firm and ultimately, its Board.

That being said, we are currently monitoring over 100 remediations that could see a return of at least $4.6 billion to consumers.

Cyber security

Cyber threats and cyber security will be an area of focus for ASIC in 2021.

ASIC’s goal is to improve the cyber resilience of all entities operating in Australia’s financial markets. We do this through close collaboration with regulated firms, regulators and Government.

We are assisting our regulated population in their efforts to improve cyber resilience.

And we’ve shown that we will litigate when necessary.

In August 2020, ASIC commenced proceedings against RI Advice Group, an Australian financial services licensee, for failing to have adequate cyber security systems. This is the first action taken by ASIC against a licensee in respect of cyber security and cyber resilience.

The inter-connectivity between the financial system – which includes market participants, infrastructure, and financial services and wealth management firms – means the impact of a cyber-attack can spread quickly.

We’ve seen cyber-attacks affect the integrity and efficiency of global markets, and trust and confidence in financial systems.

Most recently, the COVID pandemic has resulted in the escalation of cyber-attacks that threaten your businesses and all firms regulated by ASIC.

The accelerated rollout and adoption of digital service offerings during COVID (including remote working) rapidly broadened the range of targets and vulnerabilities across the financial service sector.

There’s been a significant uplift in the adoption of digital platforms for sales and services across Australia’s consumer sector since the pandemic began. This means there is a dramatically ‘richer’ environment for cyber-criminals to exploit than there was even 12 months ago.

In June 2020, the Prime Minister spoke about persistent and sophisticated state-based cyber-attacks on federal government and institutions (including critical infrastructure). Following this announcement, the Government announced new funding to target cyber crime and launched the Cyber Security Strategy.

The many reports of cyber-attacks, data privacy breaches, and weak cyber security risk management at major companies have pushed cyber security to the top of boards’ agendas.

Directors need to understand management’s view of cyber risks; the potential likelihood and impacts of risk events; and the steps taken to address the risks. It is neither practical nor possible to protect all digital assets equally.

In addition to foundational cyber security capability across the institution, ‘crown jewels’ should be identified and further protected. We expect management to be vigilant in identifying emerging threats and implementing effective mechanisms for mitigating them.

Wider issues around technology also dovetail into ASIC’s focus on cyber security.

We don’t expect business leaders to become IT experts to maintain regulatory compliance. But we do expect you to understand the IT landscape well enough to oversee and challenge management when necessary.

This also applies to risks associated with legacy technology.

We are aware that some financial institutions are struggling to decommission and replace legacy technologies and infrastructure including critical platforms and services.

This increases the complexity and costs of operational management and heightens the risk of operational failure and cyber incidents.


Before I invite your questions, I’ll leave you with these three requests for 2021.

  1. Please prioritise your business resilience. Against cyber-attacks; against technology disruption and outages; and against upcoming regulatory changes led by DDO and PIP.
  2. To the BNPL industry, please seize the opportunity to make the Code of Practice robust enough to do its job properly. It’s a timely initiative and one which we want to see working for the benefit of your customers to promote healthy competition in the market.
  3. While your focus in the current macro-economic environment is to ensure credit flows quickly and efficiently to borrowers, please remember that consumers will always expect to be treated fairly, and for their interests to be placed first.

Thank you.
