A speech by John Price, Commissioner, Australian Securities and Investments Commission at the Monash Centre For Commercial Law and Regulatory Studies Symposium, (Melbourne, Australia) 12 November 2018

Introduction

Good afternoon everyone – thanks to Monash for inviting me to speak today. Central to this event, is exploring regulatory challenges for the fintech era and I’m looking forward to sharing aspects of ASIC’s approach to innovation with you.

Today, I will examine the topic of innovation through a few different lenses:

1. Firstly, I’ll share with you some aspects of our approach to innovation at ASIC and the work being done through our Innovation Hub to demonstrate our overall approach;
2. Secondly, I’ll will update you on what we are seeing, in the ICO and crypto-asset space as an example of our engagement with new innovations;
3. Thirdly, I will discuss a set of trials we have underway in the regtech and suptech space to show how we are utilising technological innovation ourselves; and
4. Finally, I will explain our approach to cyber security – which is a topic that I know is high on everyone’s priority lists.

ASIC’s approach to financial innovation and Innovation Hub

As technology changes over time and new developments emerge, it is natural to experience disruptions that challenge the prevailing regulatory framework. ASIC has always had a focus on not standing in the way of technological change that may improve outcomes across the financial system.

Whilst it is very important that we do not stand in the way of such change, we also need to continue to target our strategic objectives to ensure good governance in the financial sector.

Our Innovation Hub is at the heart of ASIC’s response to, and engagement with, the opportunities presented by innovation.

We engage directly with fintech and regtech start-ups through our Innovation Hub. This allows them to navigate the regulatory framework and understand our regulatory approach. It also enables us to monitor market developments.

The Innovation Hub is made up of five components:

1. engagement with fintech and regulatory technology (regtech) entities, as well as the physical hubs and co-working spaces for start-ups;
2. informal assistance from us through our website for eligible fintech and regtech entities – this guidance is intended to help new businesses consider important issues early on in their development, and since 2015 we have worked with over 350 fintech businesses;
3. tailored guidance for innovative businesses to access information and services relevant to them via our website – topics include DLT, ICOs and crypto and crowd funding;
4. a senior internal committee to assist in analysis of new business models – the taskforce draws together knowledge and skills from across ASIC, and is complemented by internal working groups on digital financial advice, marketplace lending, equity crowdfunding, blockchain and crypto-assets;
5. Our Digital Finance Advisory Panel, which provides ASIC with advice in this area. This panel includes members from the fintech community, academia and consumer advocates as well as other financial regulators.

We also have a regulatory sandbox framework that includes a world first fintech licensing exemption that eligible fintechs can make use of as they prepare to go to market.

And on that note, I should add that there is a lot of flexibility within the existing regulatory framework that can help too.

ICOs and crypto-assets

Moving on now to an example of an area of fintech where there has been considerable hype and innovation - ICOs and crypto-assets.

ASIC is addressing interest from consumers, investors, entities, advisors, service providers and intermediaries – and have engaged with hundreds of people on ICOs or crypto-assets, and related business proposals.

We are also working and sharing information with other domestic and international regulators as they clarify how crypto-assets are regulated across taxation, AML, payment systems and financial services to ensure shared learning across these areas.

As I mentioned earlier, ASIC is very supportive of innovation, including in the crypto-asset space.

But I have to say in this example, we have had some mixed experience during 2018 with initial coin offerings and token generation events, and have sent out clear messages that ASIC will not tolerate misleading or deceptive conduct.

This is a complex regulatory topic and there are a few moving parts, and ASIC has developed an Information Sheet for those entering this area.

The information sheet explains that where a token offered through an ICO is a financial product, additional laws may apply above and beyond the prohibitions on misleading conduct.

The Information Sheet also explains that the legal status of an ICO is dependent on the circumstances of the ICO, such as how it is structured and operated as well as the rights attached to the token.

Importantly, I’d like to highlight that, regardless of the structure, there is one law that will always apply – you can’t make misleading or deceptive statements about the product. This is a key focus for us and Australian law prohibiting misleading or deceptive conduct will apply in this space, regardless of whether there is a financial product involved.

I also want to point out that Australian corporate and consumer law might apply even if the ICO is created and offered from overseas. This is an important point given the international nature of this sector.

In several cases where we have seen ICOs operating in breach of the Australian legal requirements, we have contacted the relevant entities and taken further action resulting in many operators stopping their ICO or proposing alterative structures.

It’s a complex area and we are encouraging those with an interest, to talk to us about their plans.

ASIC’s role and approach to encouraging innovation for ourselves and industry - regtech

Turning now to the sibling of fintech, I’ll explain some of ASIC’s work in relation to regtech and suptech, and what we view our role to be.

These technologies are already a core element of risk and compliance frameworks for some parts of the Australian financial system, such as the monitoring of financial markets activity.

Although it is not something that we at ASIC regulate directly, regtech is something we are keenly interested in, both as a consumer of products and a facilitator of engagement more generally to ensure innovation in this area is utlised.

The innovation in the regtech sector has enormous potential to help organisations build a culture of compliance, identify learning opportunities and save time and money relating to regulatory matters while improving compliance and most importantly outcomes for consumers.

It also has potential to support ASIC and our regulatory peers in the way we undertake our own work, including engaging with industry.

Facilitating collaboration and information sharing are areas where ASIC feels we can continue play a positive role in supporting innovation in regtech in Australia and overseas.

We want to do our best so that the community can get the benefit from these new technologies while minimising any risks they might pose.

There are complex questions of policy surrounding our role in the area of regtech, and we must consider how best to balance our roles as a regulator and as a technology user.

Our approach to regtech at ASIC, is guided by a set of basic principles:

1. To work towards regtech outcomes that align with our strategic objectives;
2. To undertake a focused number of initiatives that have near term deliverables; and
3. To have regard for industry input, good international case studies and our own learnings in forming our plans.

We also believe it is important for regulators to keep an open mind and try to harvest the benefits of regtech by adopting a technology-neutral approach.

Our Innovation Hub drives a lot of ASIC’s practical support for regtech.

This work has included hosting and attending regtech events, including our Regtech Roundtable and Showcase events last year, as well as ASIC’s Liaison Forum, which next meets on 13 December.

Since announcing our interest in regtech, the Hub has had over 70 meetings with regtech stakeholders and service providers to discuss their developments.

In terms of services, through the Innovation Hub we provide informal assistance to regtech entities on their regulatory obligations, the overarching regulatory framework and as appropriate, options relating to ASIC’s relief powers.

With regards to regtech solutions, we have expressed our interest in engaging in observer roles in trials and we are also conducting our own trials of regtech technologies which I’ll talk about now.

ASIC’s NLP Trials

In February this year we released a set of problem statements to understand and encourage the application of Natural Language Processing in resolving regulatory problems.

The trials are to explore potential innovation in supervision, including through automation and prediction, and present a genuine learning opportunity for ASIC.

An important part of conducting these trials has been playing back our experience and learnings to the industry.

I think information sharing is very important, as challenges relating to practical issues such data availability and data annotation, and more broadly to skill and capability and development are encountered within most organisations – not just ASIC.

One important point on NLP and machine learning, is that whilst it is great for simple, clearly defined tasks, it really cannot replace human judgement and finding the right tasks to apply these solutions to is not without its challenges.

New regtech funding

Still on our utilising regtech innovation, this August it was announced by Government that ASIC will receive just over six million dollars to further our work in the regtech space.

The funding will be used to promote the development and use of regtech solutions by financial services firms and accelerate ASIC’s use of regtech to deliver better regulatory compliance and outcomes for consumers, making Australia a world-leader in the development and use of regtech.

It is very early days, but we can share some detail on what we are doing.

The initiatives include trials working with industry on:

1. Financial advice and machine learning/natural language processing analytics;
2. Financial promotions (of credit) and machine learning/natural language processing analytics;
3. Phone communications about life insurance and voice analytics; and
4. ASIC also proposes a trial on Q&A wizard/chatbot technology on ASIC’s guidance about licensing.

We are extremely excited to move forward on this work and will share our experience through our Regtech Liaison Forum and other channels.

Cyber security – a common challenge

In engaging with innovation one of the common challenges that affects everyone here is undoubtedly cyber security or cyber resilience as we call it.

ASIC has long recognised and identified that cyber resilience of the regulated entities in our financial markets is a critical long-term challenge.

In fact, it was reported earlier this year, that our big banks in Australia might come under attack as many as three times in a 24-hour period.

ASIC’s response to date has been focused on raising awareness, assessing and reviewing the cyber resilience of our regulated entities, and sharing good practices and standards in our efforts to raise standards in this area.

Underpinning this practical activity is an approach founded on three principles:

Firstly, cyber resilience practices must be embedded into whole of business enterprise risk management framework - which is a licensing obligation;

Secondly, that we will work in collaboration with both industry and other regulators (both foreign and domestic) on an ongoing basis to learn from them as well as share our own insights and learning's, and share intelligence on cyber risks and mechanisms to mitigate new and emerging threats;

Finally, recognising the cyber landscape is rapidly changing, ASIC follows an evolutionary approach that reviews and raises the bar on a periodic basis. This includes adapting our surveillance processes in response to key events, such as the emergence of new regulation or new types of cyber threats not previously accounted for.

A lot of this is set out in our report published late last year which includes a number of observations from our work with 100+ entities across the Australian financial market. We can share this with you if you are interested (REP 555 Cyber Resilience of firms in Australia’s financial market).

Getting into some of the detail of our work in this area, over the past three years ASIC has performed cyber security surveillance and assessments of our regulated firms across the financial markets sector.

To date these assessments have been conducted across market operators, post-trade infrastructure providers, credit rating agencies, investment banks and stockbrokers.

The assessments were conducted using standards-based surveillance tools and self-assessments adapted from the United States NIST Framework, as well as follow up interviews with firms and the collection of additional supporting documentation for review.

This work has resulted in the publication of several reports to date, which can all be accessed on the ASIC website.

We continue to review, assess and refine our approach based on our findings to ensure that we are driving continuous improvements and therefore uplift in the levels of resilience across the financial sector.

We also continue to re-enforce the message that Boards need to have a thorough understanding of their risks, and how to mitigate against, and recover from cyber incidents – this is now fundamental to business risk management and potential survival. This is why we refer to cyber resilience and not just cyber security.

It is imperative that Boards treat these issues with the same level of importance as they would ‘traditional’ risk, such as financial, competitor or reputational risks.

This may seem challenging at the onset, but it can be done in a way that delivers significant benefit to the organisation, and even be a competitive advantage. Taking a structured and incremental approach can take the organisation on a journey to achieving cyber security resilience, ensuring they have full awareness of the organisation’s cyber risks, threats, plans and continual improvement measures.

We are very interested in hearing about other strategies and approaches as well – be they based on real-time surveillance using people or automation or other concepts.

On that note, I’ll wrap things up.

Thank you very much for the opportunity to run through some aspects of ASIC’s approach to, and engagement with, innovation - I’m happy to take some questions.