In Short: On 26 August 2021, the Australian Securities and Investments Commission ("ASIC") released its Corporate Plan for 2021-25, the first under its new chair and deputy chair. The Corporate Plan outlines ASIC's regulatory priorities and actions over the next four years and represents a significant change in direction for Australia's corporate regulator.
The Result: ASIC's Corporate Plan reflects its new mandate to contribute to the government's economic goals, including to support Australia's post-pandemic economic recovery. The Corporate Plan sets out initiatives to overhaul ASIC's internal governance framework as well as ASIC's new targeted regulatory enforcement strategy, which is focused on poor product design and governance, failure to implement new standards set by law reform initiatives, and failure to adequately manage cyber risks that harm consumers.
Looking Ahead: Whilst ASIC is no longer pursuing a 'why not litigate?' strategy, it is clear that ASIC will remain a formidable regulator-and litigant-in the areas of greatest harm to consumers and markets. ASIC will be conducting speedier investigations and using the full suite of its enforcement tools, including enforceable undertakings, product intervention orders, and infringement notices. As a result, all regulated entities, as well as their directors and officers, should continue to be mindful of, and seek advice on, their new and existing obligations.
Overhaul of ASIC's Internal Governance Framework
ASIC's Corporate Plan for 2021-25 is the first of its kind released under new Chair Joseph Longo and new Deputy Chair and Head of Enforcement Sarah Court, who each started in their new roles on 1 June 2021 following a series of high-profile internal governance and enforcement failures.
The Corporate Plan sets out ASIC's intention to:
- Actively and transparently communicate and engage with its stakeholders and other regulatory agencies and take their feedback into account when making regulatory decisions;
- Improve its infrastructure and systems to strengthen its key internal operations, processes, and governance frameworks to effectively support its regulatory work;
- Enhance and utilise effectively its data and cyber resilience capabilities in fulfilling its regulatory mandate and organisational priorities; and
- Nurture a workplace environment that promotes a culture of speaking up, challenging, accountability, and a multidisciplinary approach to mitigating harms.
ASIC also has established a dedicated unit solely for the purposes of identifying ways to change how it administers the law so as to minimise the costs and burden of regulatory requirements for its regulated entities and consumers. ASIC has already indicated that one of the key areas of focus will be Chapter 7 of the Corporations Act 2001 (Cth) that deals with the provision of financial services, which Mr Longo has flagged as being in need of reform. Through ASIC's new dedicated unit, the government also expects ASIC to ensure that its regulatory guidance is not unduly prescriptive, and does not limit businesses' discretion and flexibility to operate in the manner they see fit whilst still complying with the law.
ASIC's New Mandate to Support Australia's Economic Recovery
ASIC's Corporate Plan for 2021-15 reflects its new mandate, as set out in the government's latest Statement of Expectations and ASIC's Statement of Intent released in response, to identify and pursue opportunities to contribute to the government's economic goals, including to support Australia's economic recovery in the wake of the COVID-19 pandemic by promoting innovation, considering the impact of its work on competition and enhancing cyber resilience. This sits in contrast to ASIC's previous 'why not litigate?' strategy introduced following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
As part of its new mandate, ASIC has adopted a regulatory and enforcement strategy focused on the following four pillars:
- Promoting economic recovery, including through better and more efficient regulation, facilitating innovation, and targeting regulatory and enforcement action to the greatest areas of harm;
- Reducing risk of harm to consumers exposed to poor product governance and design and increased investment scam activity in a low-yield environment;
- Supporting enhanced cyber resilience and cyber security amongst regulated entities, in line with the whole-of-government commitment to mitigating cyber security risks, as set out in the government's Cyber Security Strategy; and
- Driving industry readiness and compliance with standards set by law reform initiatives, including the proposed Financial Accountability Regime ("FAR") which will apply to all entities regulated by the Australian Prudential Regulation Authority ("APRA") (which we have written about previously); the Your Future, Your Super reforms (which we also have written about previously); and the new breach reporting obligations and design and distribution obligations which commence in October 2021.
ASIC's renewed regulatory and enforcement strategy is aligned with APRA's Corporate Plan for 2021-25 (also released on 26 August 2021). APRA's Corporate Plan is focused on the two pillars of 'protected today' and 'prepare for tomorrow'. APRA have acknowledged that COVID-19 continues to be the dominant influence on the economic and financial environment and that financial system stability, competitiveness, and efficiency remain the key priorities. APRA acknowledges there are a number of other challenges to which it needs to address, including enhancing cyber resilience across the financial system, helping regulated entities manage the financial risks associated with climate change, promoting high-quality superannuation products, and improving governance and accountability through the FAR. APRA intends to address these challenges through a supervision-led approach (leaving formal enforcement action to ASIC).
ASIC's Targeted Approach to Enforcement Action
ASIC is no longer pursuing its 'why not litigate?' strategy and instead intends to adopt a targeted approach to regulatory and enforcement action focusing on the areas of greatest harm to consumers and markets. These areas include poor product design and governance, failure to implement new standards set by law reform initiatives, and failure to adequately manage cyber risks that harm consumers. Given this last area of focus, all ASIC-regulated entities should continue to watch closely the proceedings commenced by ASIC against RI Advice Group Pty Ltd in August 2020, which was the first action against an AFS licensee for deficient cyber security systems and which may set benchmarks in this area going forward.
Despite the change in approach, ASIC has been quick to dispel suggestions that it would be winding back litigation as 'nonsense'. In recent public comments, Mr Longo and Ms Court emphasised that ASIC would be prioritising speedier investigations, particularly in response to unacceptable delays in resolving systemic compliance issues in the financial services sector, and using its full suite of enforcement tools, including enforceable undertakings (which had fallen out of favour under the previous leadership of ASIC), product intervention orders, and infringement notices.
ASIC has also confirmed that when it takes enforcement action against misconduct, it will seek to maximise the deterrence impact to discourage poor behaviour amongst regulated entities. Further, it remains the case that a significant proportion of ASIC resources will be allocated to its enforcement, supervision, and surveillance activities (an estimated 80% of ASIC's funded activities in 2021-22, according to the Corporate Plan).
ASIC's Strategic Initiatives Over the Next Four Years
To fulfil its new mandate, ASIC intends to undertake a number of strategic initiatives over the next four years, which notably include:
- Undertaking a strategic approach to the supervision and enforcement of the design and distribution obligations, including undertaking risk-based surveillance on a range of products such as superannuation and BNPL products and, where appropriate, taking enforcement action;
- Reviewing the mandatory underperformance notifications and other communications by trustees of superannuation products that fail to pass the annual performance test, and taking regulatory action in relation to noncompliance where appropriate;
- Reviewing continuing credit models and other models purporting to be exempt from the National Credit Act;
- Investigating and taking enforcement action against egregious instances of failure to adequately manage cyber risks;
- Conducting targeted surveillance of financial products to identify misleading statements relating to ESG claims, particularly across social media, and seeking opportunities to improve consumer outcomes by changing industry practices to mitigate the risk of greenwashing;
- Developing and utilising market-wide scanning and analytics tools to identify patterns of serious market misconduct, including insider trading and market manipulation; and
- Implementing the FAR in conjunction with APRA.
Three Key Takeaways:
- Under ASIC's new mandate to support the government's economic goals, ASIC will strive to promote innovation, consider the impact of its work on competition, and enhance cyber resilience amongst regulated entities.
- Whilst ASIC is no longer pursuing its 'why not litigate?' strategy, it is clear that ASIC will remain an active and formidable regulator and litigant in the areas of greatest harm to consumers and markets, and will continue to adopt an assertive approach to enforcement and investigations where necessary.
- All regulated entities, and in particular trustees of superannuation funds, as well as their directors and officers, should continue to be mindful of, and seek advice on, their new and existing obligations, especially in relation to product design, governance and disclosure, cyber security risk, and their obligations under FAR once the new regime comes into force.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.