Regulation for recovery: when pilots become enduring practice

A speech by Deputy Chair Karen Chester, to the AFR Business Summit 2021, Wednesday 10 March 2021.


Let me begin by acknowledging the Traditional Owners of the land upon which we meet today – the Gadigal people of the Eora nation – and pay my respects to their Elders past, present and emerging.

My thanks to the AFR for inviting me to speak today. And congratulations to the AFR journalists for their 2020 awards – due recognition of your tenacious investigative reporting. Topped off no less by a Walkley for young Mr Roddan last week.

2021 is also the AFR’s 70th anniversary. An awesome vintage for a newspaper that remains instrumental to ASIC’s regulatory effectiveness – delivering our messages of mass deterrence, targeted nudges and precision disruption.

Last November I spoke at the AFR Banking & Wealth Summit with a speech simply titled, ‘Getting on with it’.

Because that’s exactly what we were doing. Responding as a regulator to a pandemic-induced trifecta of shocks to our economy, health and social wellbeing. Along with our own governance speedbump.

In doing so, we sought to do things differently. To leave a lighter but more impactful regulatory footprint. Our aim – less regulatory weight on business and markets; and more regulatory impact on our targets.

Today, four months later, is the Year of Deployment: our resolve to do things differently, with our pilots becoming our ‘regulation as usual’.

This reflects our confidence today in ASIC’s capabilities, and in the tools and powers we now have, thanks to the Government and the Parliament. Importantly, it also aligns with our imperative today to regulate in a way to support recovery.

In doing so, we are mindful of two contextual dynamics at play.

First, consistently low interest rates and the ongoing hunt for yield have accelerated change and inflated risk appetite. They have created entirely new lockdown-era demographics among consumers and investors.

I’m sure we all watched US markets last month with both trepidation and fascination.

And while the risk in Australia of a ‘GameStop moment’ is remote, it is symptomatic of a shift in risk mindset that is happening globally among consumers becoming investors. And this we are not immune to.

Second, and this puts me firmly in Paul Krugman’s ‘glass half full’ camp, is that running in tandem with elevated risk and risky behaviour is accelerated change.

Because 2020 proved to be the year when we all got on with doing things differently: the year Australian firms implemented as much new technology and software as they had in the past 10 years.[1]

Our 2020 pilots were designed out of immediate necessity – to address uncertainty, the need to do things differently and recovery. But they were also driven by our desire to regulate with a lighter but more impactful regulatory footprint.

Our approach to pilots is consistent with the findings of MIT Research Fellow Michael Schrage, who said, “The key common denominator to success isn’t careful planning and comprehensive analysis, but taking fast, cheap, and simple pilots seriously.”[2]

Going forward, ASIC will seek to maintain a regulatory spirit-level between incentives for good conduct and compliance; and targeted, swift action when we see misconduct and harm.

For the firms we regulate (both big and small), it means that more often than not, we will work with you, not against you.

We want to reward good performers with nudges, not grudges. We want to train ASIC’s radar on harmful misconduct, not on harm-free process breaches.

And we think that over time, this will deliver better outcomes for the economy, markets, business, shareholders and ultimately – consumers and investors.

This approach aligns with the Business Council of Australia’s 2020 Mission Statement, which called out a universal truth that doing the right thing by consumers creates shareholder value.[3]

I did a ‘Toyota Jump’ when I read it.

But rest assured – if all else fails, ASIC’s data and intel will alert us to when there are harms that matter to us. And we will act.

Calling out harms

By now you may be asking: “What harms are in ASIC’s crosshairs today?”

I’d like to call out two.

Consumer harm

The first: harm to consumers seeking fairly priced credit. Along with investors (both retail and less-sophisticated wholesale) on the hunt for yield in today’s flatline rate market.

I’ll speak more about the latter later in the context of enforcement.

Cyber risk

The second is cyber risk – not ‘the new black’ by any means.

Cyber risk has been a ‘known known’ for well over 20 years. But in today’s world of ubiquitous software usage, it’s now a vulnerability and an exposure that has exponentially escalated.

And it’s arguably the new frontier of both national defence and market integrity.

The impact of cyber risk is insidious. It can have a multiplier effect on individual businesses, markets and ultimately – consumers.

I have personal history (and professional scars) in the cyber space. Indeed, it’s a story where the AFR proved a white knight (in the form of Brian Toohey, and a then freshly minted recruit Matt Drummond, who reported on the story for over 18 months).

About 20 years ago when I was the CEO of what is now Deloitte Access Economics, we were the first corporate to report being a cyber-crime victim. It was the first case under the brand new Cybercrime Act 2001. We were successful, but the matter consumed 18 months of my CEO focus and caused much distraction to our Board.

Which is why cyber risk matters so much to business.

There are three reasons why cyber risk matters even more to business today.

First, systems under-investment has increased exposures. We know this from seeing it first-hand in our onsite supervisory work on internal dispute resolution processes[4] and in breach reporting.

Here, metrics tell a powerful story. ‘System deficiency’ was the second most common root cause of breaches recently reported to us by the major banks.[5]

Second, the risk landscape has morphed. Between 2016 and 2020 there was a threefold increase in the number of common vulnerabilities and exposures reported in the US.[6]

The third reason is a simple one. Much of this increase in vulnerabilities is occurring in systems that are ubiquitous; indeed, many are household names.[7]

And it all coincides with the exponential growth in online activity and spending by consumers.[8]

Perversely, while these changes promise greater efficiency and productivity, they’re also expanding the attack surface for cyber criminals. This shift in surface exposure and the number of threat agents is here to stay.

ASIC’s cyber strategy

This is why ASIC has recalibrated and elevated its own cyber strategy.

Last year, we consulted extensively with other domestic and international regulators and Government; and on the Australian Government’s Cyber Security Strategy.

For we need to work together like synchronised swimmers, which we are doing with Home Affairs, Treasury and our regulatory brethren – particularly APRA. From these consultations we advanced our current cyber supervisory endeavours:

  1. raising awareness of cyber resilience for our entities;
  2. helping our regulated entities get prepared with their self‑assessment; and
  3. taking decisive, deterrence-based enforcement action.

In doing so, ASIC will ensure regulatory incentives for cyber resilience are in open play, as evidenced by ASIC’s August 2020 case against RI Advice Group. It should be front-of-mind. It was the first action taken by ASIC against a licensee in respect of cyber security and cyber resilience.

It won’t be the last.

That said, we also see much potential for collaboration among large firms to develop a standard of resilience (a pilot path) for their many, smaller service provider firms. Lifting the cyber resilience tide for all. And we’re initiating a dialogue to that end.

Putting pilots into practice

Before I join Jenny for a carbon-free fireside chat, I’d like to finish with a quick navigation of our three pilot groups we’re now embedding.

1. Enforcement

Turning to our first – the enforcement pilot stream.

On harms relating to consumers and investors I’ll call out our recent action against the Mayfair 101 Group of companies.[9]

The Mayfair action is one of several we have taken (and will continue to take) under our ‘True-to-Label’ pilot. Through this pilot we analysed websites, advertising, and social media to quickly identify funds that marketed themselves as safer, lower risk, or more liquid than they really were.

And in doing so, we identified that their (sometimes Google-enabled) marketing was targeting unsophisticated and, at times, vulnerable cohorts of wholesale investors. I don’t think they were AFR readers.

Notably as part of our disruption endeavour, we sought and secured the help of said search engines.

Most firms responded quickly when ASIC flagged their product. The few that didn’t are now subject to our spotlight.

Altogether, ASIC dealt with 30 funds from about 20 responsible entities, protecting consumers investing over $10 billion across these funds.

The ‘True-to-Label’ pilot showed ASIC’s rapid results from well-targeted identification of problematic marketing and quick regulatory disruption. In the past, ASIC’s regulatory endeavour here may have extended over several years, not six months.

Express Investigation

Turning now to the ‘how’ of ASIC’s new approach to enforcement. It’s called Express Investigation (EI). And here we’re aiming to leave a lighter (lower cost) footprint.

Our EI pilot began in 2019 after the Financial Services Royal Commission. Now, all pilots ought to be assessed. We did so last year and found that we didn’t get the traction we’d hoped for.

So late last year we reviewed, refined and re-engaged with five of our largest financial institutions. We’ve since met with their Chairs, CEOs and general counsel.

We explained how ASIC’s new cost-reduced EIs would ultimately be in the best interest of all – the company itself, their shareholders, ASIC and ultimately – consumers. And traction has emerged.

EI is simple. At the earliest possible time, ASIC sets out our concerns to the entity. We then seek cooperation in the investigation through regular and consistent engagement. By cooperating, we reduce the time and expense of the investigation.

We improve compliance rates on notices to produce documents and information; and on the voluntary provision of information to assist our understanding of the conduct at issue.

In some instances, the EI pilot led to agreement on facts and admissions on liability, which saved time and the expense of a contested trial.

If cooperation from the entity wanes, ASIC’s investigation forges on. But slowly and with greater cost. And the Chairs and CEOs also understand our new ‘one strike and you’re out’ policy.

The benefits of the EI approach are readily evident. Let me share a case study, with thanks to one of our ‘EI Five’ (you know who you are).

An Express Investigation came at a cost of $1.9 million and was resolved in six months. A comparable matter involving the same entity (a year earlier) cost $7.2 million and took 16 months to finalise.

That’s around a 70% cost saving and 60% time saving; not including the cost of time and distraction to the Board and executives.

Going forward, we will work with these firms and the ABA to share respective methodology on how to measure the benefits of EI. We will also start rolling out EI across a broader cohort of firms we investigate.

The opportunity cost of lost time in protracted litigation is at the expense of consumers, shareholders and the economy. My experience at Access Economics remains a constant reminder.

2. Product design and distribution

Turning now to our second pilot project for 2021 – our much awaited, much coveted Design and Distribution Obligations (DDOs). And not just coveted by regulators – they ought to be coveted by firms and their shareholders. And we are hearing and seeing that from the switched-on CEOs and Chairs.

DDOs commence on 5 October. They represent a true step-change in financial services regulation – the frontier of outcomes-based regulation.

Our pilot here – a firm pre-emptive nudge – is about to get underway.

ASIC will soon commence meetings with the Chairs, CEOs and Boards of regulated cohorts, where DDOs could prevent current and future harm. This should reduce legacy trails of litigation, loss of shareholder value, and consumer harm.

The first near-term cab off the rank will be Buy Now Pay Later firms. As flagged in our BNPL report late last year, we see DDO as our regulatory lever to address the harms of BNPL in a precise and targeted way.

3. Superannuation

Last but not least, ASIC’s new form of super endeavour.

The super reforms that took effect from 1 January 2021 expanded ASIC’s role as the conduct regulator.

ASIC’s enforcement will tilt strongly towards harm-targeted deterrence, especially in the all-important window of the next 12 to 18 months.

Our approach is premised on the simple equation that harming members harms the future prosperity of Australian workers, and our most important pool of savings.

Enforcement will always be a cornerstone of our super regulation.

Think of ASIC’s action against NAB’s Wealth Management division, which led to a $57.5 million penalty in 2020.

And the recent High Court decision on Westpac’s superannuation sales campaign. ASIC’s win set an important standard for super trustees when they recommend rollovers from other funds.

Last week, ASIC issued proceedings against REST. We are alleging that REST made misleading and deceptive representations to members (over eight years) regarding whether they could transfer out of the REST Fund.[10]

We also brought civil penalty proceedings last week against Statewide Superannuation for misleading or deceptive correspondence (over three years).[11]

This is the beginning of our now-mature pipeline of non-Royal Commission–related superannuation litigation. It follows 12 months of behind-the-scenes strategy, surveillance and investigation. Our superannuation pipeline today comprises:

  • eight matters in litigation;
  • two briefs of evidence in support of criminal charges with the CDPP;
  • more than 20 enforcement investigations; and
  • multiple surveillances about potential super trustee misconduct.

The broad misconduct themes are trustee competence and oversight, complaints handling processes and mischarging fees. And the metrics of harm are known to us all.

Through all of this, ASIC is working side-by-side with APRA. Indeed, the REST case was thanks to a referral from our APRA brethren.

Enforcement is by no means the only way ASIC will seek to address risks or issues relating to misconduct in superannuation. Nudges like DDO will apply to parts of the super system.[12] As will the new complaints handling requirements, which come into effect on 5 October 2021 alongside DDO.


On a final note, let me share a few words inspired by the great literary feminist Jane Austen, albeit terribly bastardised by a 21st-century feminist and fan.

It is a truth universally acknowledged that a firm seeking to benefit from good consumer outcomes is not in want of enduring shareholder value.

Best to end on a glass half-full.

Thank you.

[1] Report by AlphaBeta (part of Accenture) and Microsoft, How technology strengthened Australian business during COVID and beyond, 24 September 2020. Excerpt: “Firms in all sectors embraced new technologies to help them navigate the crisis: florists and cafes started selling online; fitness instructors and music teachers offered online lessons; professional and admin workers leveraged online collaboration tools; and, retailers used online technologies to allow touchless service.”

[2] Michael Schrage (MIT Research Fellow), The Right Way for an Established Firm to Do an Innovation Pilot with a Startup, Harvard Business Review, 30 May 2018.

[4] Under-investment in systems evident from IDR reviews: Under-recording of complaints was identified as a common problem in ASIC’s IDR reviews. Systems under-investment has been identified as one of the key contributing factors – e.g. relying on multiple or legacy systems or, in some cases, limited access to complaint recording systems.

[5] Under-investment in systems evident from breach report statistics: In the six months between July-December 2020:

  • Almost one-third (28.9%) of breach reports submitted by the major banks identified ‘system deficiency’ as a root cause of a reported breach.
  • ‘System deficiency’ was the second most frequent root cause of all root causes submitted by major banks during that period (behind ‘deficiencies in processes or policies’).
  • In one case, an entity reported that a ‘system deficiency’ was the main root cause of over half (53%) of the breach reports it lodged in this period.

[6] US Government’s Cybersecurity and Infrastructure Security Agency; 6,447 common vulnerabilities and exposures (CVEs) were reported in 2016, compared to 18,358 CVEs reported in 2020. See: Tenable, 2020 Threat Landscape Retrospective report. Global companies that report CVEs are listed on

[7] See: US National Institute of Standards and Technology National Vulnerability Database.

[8] NAB identified approximately 44% growth in online spending in the last year (2020) by Australian consumers, compared to the 12 months to December 2019. See: Matt Wade, SMH, ‘More sophisticated’: The pandemic has changed how Australians are spending money, 17 February 2021.

[10] From at least February 2009 to 2 May 2018 (just over 8 years). Tuesday 2 March 2021: 21-034MR ASIC commences civil penalty proceedings against REST for misleading and deceptive representations to members.

[11] Between around May 2017 and June 2020 (just over 3 years). Thursday 4 March 2021: 21-037MR ASIC commences civil penalty proceedings against Statewide Superannuation for misleading or deceptive correspondence.

[12] See section 994B(1) of the Corporations Act; section 994B(3) carves out MySuper products.