Financial Services and Credit Monthly Update - November 2023
Our latest free update for November 2023 is now available here.
Plenty of news over the last month on scams and cyber security.
We hope you are enjoying the new monthly format!
Kathleen Harris and Patrick Dwyer
Legal Directors
CONSUMER PROTECTION
New suspicious investment opportunities alert list released by ASIC
The Australian Securities and Investments Commission (ASIC) has published a new Investor Alert List to help consumers protect themselves against investment scams, fraudulent conduct or unlicensed operators. The Investor Alert List replaces the previous “Companies you should not deal with” list and contains 52 unlicensed entities and 25 websites impersonating legitimate entities. ASIC has also updated its Investor Checklist.
ASIC scam website takedown capability
On 2 November 2023, the Federal Assistant Treasurer Stephen Jones announced a new scam website takedown capability implemented by ASIC that removes or limits access to fraudulent and malicious websites on the internet. ASIC has initiated takedowns of more than 2,500 investment scam and phishing websites since July 2023.
Scam-Safe Accord
A new agreement between Australian banks to combat scams and protect customers was announced on 24 November 2023 by the Australian Banking Association (ABA) and the Customer Owned Banking Association (COBA). The Scam-Safe Accord includes a set of anti-scam measures across the entire industry, such as confirmation of payee, biometric checks, payment warnings and delays, intelligence sharing, and limiting payments to high-risk channels.
Confirmation of payee is a name checking technology that will help customers verify they are transferring money to the intended recipient. It will be rolled out across all Australian banks over 2024 and 2025, with a $100 million investment by the industry. All banks will adopt further technology and controls to prevent identity fraud, such as using biometric checks for new customers opening accounts online. Major banks will use at least one biometric check, such as face or fingerprint recognition, by the end of 2024.
Banks will introduce warnings and payment delays to protect customers if a customer is transferring money to a new payee or raising payment limits.
All ABA and COBA member banks will join the Australian Financial Crimes Exchange (AFCX) and the Fraud Reporting Exchange to share scams intelligence and help customers recover money faster.
The member banks have also committed to limiting payments to high-risk channels to protect customers, and to implementing an anti-scams strategy.
Mandatory scams codes consultation
The Federal Government released a consultation paper on 30 November 2023 on its plans to introduce new mandatory industry codes to combat scam activity. The proposed codes will outline the responsibilities of banks, digital communications platforms and telecommunication providers in preventing and responding to scams. A short survey is also available for those who have experienced scams.
The consultation paper envisages industry-wide, principles-based obligations that would apply to all sectors, as well as specific codes and standards for different sectors. The industry-wide obligations would include obligations with respect to prevention, detection and disruption, response and reporting of scams.
ASIC is the proposed regulator of the code that will apply to banks. The consultation paper includes some possible obligations that would be included in the industry code for banks. These include:
implementation of confirmation of payee;
processes to verify a transaction is legitimate where it is deemed to be high risk;
processes and methods to detect high risk transactions and to take appropriate action to warn the consumer or block or suspend the transaction;
methods or processes to identify and share information about scams;
processes to act quickly on information that identifies a potential scam;
user friendly and accessible methods for consumers to take action if they think they have been scammed; and
assisting customers to trace and recover transferred funds, to the extent they are recoverable.
Submissions are due by 29 January 2024.
In an address to the Customer Owned Banking Association on 15 November 2023, Assistant Treasurer Stephen Jones said that in relation to scams, customer owned banks needed to focus on the consultation on the new mandatory codes, and on mule accounts.
Scam Awareness Week
The National Anti-Scam Centre (NASC) ran a campaign from 27 November to 1 December 2023 to raise awareness about impersonation scams, which made up more than 70% of the 234,672 reports to Scamwatch in the first nine months of 2023. The campaign urged consumers to slow down and verify the identity of the person they are communicating with, whether online or by phone, text or email. Impersonation scams have cost Australians $92 million this year, according to the NASC.
ASIC consults on changes to Banking Code of Practice
ASIC has released a Consultation Paper (CP 273) on proposed amendments to the Banking Code of Practice put forward by the ABA in response to an independent review in 2021. Comments close on 15 January 2024.
CORPORATE
Continuous disclosure new consultation
Treasury is seeking views to assist in a review of the amendments made to the continuous disclosure regime by the Treasury Laws Amendment (2021 Measures No.1) Act 2021 (Cth). The amendments introduced a requirement for plaintiffs to prove that companies and their officers acted with knowledge, recklessness or negligence to be successful in a civil penalty proceeding for breaches of continuous disclosure laws.
The review will be based on terms of reference released in September 2023. The report by the reviewer is due by 14 February 2024. Public submissions closed on Friday 1 December 2023.
Financial reporting bodies reform
The Treasurer announced on 21 November 2023 that the Australian Accounting Standards Board, the Auditing and Assurance Standards Board and the Financial Reporting Council will be combined into a single entity. These three bodies currently oversee financial reporting and set reporting standards. It is intended that the body will be operational on or after 1 July 2026. The Government believes that the new integrated body will better support the ongoing implementation of climate‑related financial disclosure standards in Australia. It will release draft legislation for public consultation and appropriate transitional arrangements.
Statutory declarations amendments
The Statutory Declarations Amendment Act 2023 (Cth) received assent on 17 November 2023 and will commence on 1 January 2024. The Act enables a statutory declaration to be validly made in one of three ways:
traditional paper-based, requiring wet-ink signatures and in person witnessing;
electronically, through the application of an electronic signature and witnessing via an audio-visual communication link; and
digitally verified, through the use of a prescribed online platform that verifies the identity of the declarant through a prescribed digital identity service provider.
ESG
Sustainable Finance Strategy
The Federal Government has released a paper on Australia’s Sustainable Finance Strategy to support Australia’s pathway to net zero. It seeks to provide a framework for reducing barriers to investment into sustainable activities. The strategy has 3 key pillars:
Improve transparency on climate and sustainability.
Financial system capabilities.
Australian Government leadership and engagement.
Each pillar contains a range of proposed tools and policies to support sustainable finance in Australia.
The Government is seeking feedback on this strategy, the proposed tools and policies, and the specific questions raised in the paper.
FINANCIAL ADVICE
Consultation on financial advice reforms
The Treasury has released draft legislation for public comment on the first tranche of the Delivering Better Financial Outcomes package of reforms. The package aims to provide legal certainty for the payment of adviser fees from a member’s superannuation fund account and remove red tape that adds to the cost of advice. The draft legislation implements several recommendations of the Quality of Advice Review, such as:
clarifying the legal basis and tax consequences for superannuation trustees reimbursing a member’s financial advice fees from their superannuation account;
streamlining ongoing fee renewal and consent requirements and removing the requirement to provide a fee disclosure statement;
providing more flexibility on how Financial Services Guide requirements can be met;
clarifying that benefits given by a client are not conflicted remuneration and removing some exceptions to the conflicted remuneration rules; and
introducing new standardised consent requirements for life risk insurance, general insurance and consumer credit insurance commissions.
The consultation closes on 6 December 2023.
New ASIC guidance on registration of financial advisers
Information Sheets 276 and 277 have been issued by ASIC to provide guidance to financial advisers and financial services licensees about the new requirement for financial advisers to be registered. The guidance follows the enactment of the Treasury Laws Amendment (2023 Measures No. 1) Act 2023 (Cth) on 27 November 2023. From 1 February 2024, financial advisers (including time-share advisers), excluding provisional relevant providers, who provide personal advice to retail clients on relevant financial products must be registered with ASIC.
INSURANCE
Consultation on using genetic testing results in life insurance underwriting
Treasury has released a consultation paper seeking feedback on how life insurers' use of genetic test results in underwriting affects genetic testing and research, as well as on a range of potential policy responses.
Australia’s life insurance industry introduced a partial moratorium on the requirement to disclose genetic test results in 2019. This was due to concerns that individuals would not undertake genetic testing because they might think it would negatively impact their ability to obtain affordable life insurance.
Concerns have been raised that the industry-led partial moratorium continues to discourage consumers from participating in both established clinical genetic testing and medical research involving genetic testing.
Addressing these concerns has prompted a review of the regulatory framework on the use of genetic testing in life insurance underwriting.
Senate inquiry into insurance
The Senate Economics References Committee has announced a new inquiry into insurance. It will examine how to better align insurance with the outcomes Australians expect throughout their life cycle, including the merits of an aged care insurance product to futureproof the aged care system. It will also examine how to improve customer experiences and choice in insurance. The inquiry is scheduled to report by 30 June 2024.
Commission disclosure obligations for insurance brokers commence
The remuneration disclosure obligations in section 6.1 of the Insurance Brokers Code of Practice came into effect on 1 November 2023. The provisions were subject to a 20-month implementation period. Section 6.1 of the Code requires that if the client is a retail client and the broker is acting on their behalf, the broker must provide them with information about any remuneration or other benefits they will or expect to receive as a result of providing covered services.
PRIVACY AND DATA
New Privacy Commissioner
On 27 November 2023 the Attorney-General announced the appointment of Ms Carly Kind as Privacy Commissioner. Ms Kind will commence in her role in February 2024. This is the first time since 2015 that Australia will have a standalone Privacy Commissioner.
Cyber Strategy
On 22 November 2023, the Federal Government released its 2023-2030 Australian Cyber Security Strategy. It also announced that a Consultation Paper will be released soon to work directly with industry to address gaps in existing laws and make amendments to the Security of Critical Infrastructure Act 2018 (Cth) to strengthen protections for critical infrastructure.
ASD Cyber Threat Report 2022-2023
The Australian Signals Directorate (ASD) has published its cyber threat report for the financial year ending 30 June 2023. The report found that malicious cyber activity continued to pose a risk to Australia’s security and prosperity. The ASD said that a range of malicious cyber actors showed the intent and capability needed to compromise vital systems, and Australian networks were being regularly targeted by both opportunistic and more deliberate malicious cyber activity. Some of the key findings include:
ASD responded to over 1,100 cyber security incidents from Australian entities. Nearly 94,000 reports were made to law enforcement through ReportCyber.
State actors focused on critical infrastructure – data theft and disruption of business.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Cybercriminals continued to adapt tactics to extract maximum payment from victims. ASD responded to 127 extortion-related incidents. 118 of these involved ransomware or other forms of restriction to systems, files or accounts.
Business email compromise remained a key vector to conduct cybercrime.
Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence.
ASIC cyber pulse survey 2023
ASIC published its latest cyber pulse survey on 13 November 2023. The report summarises the results of a voluntary self-assessment survey conducted by ASIC to measure the cyber resilience of corporate Australia.
The survey revealed that many organisations are reactive rather than proactive in managing their cyber security, and have deficiencies in critical cyber capabilities such as third-party risk management, data security, and consequence management.
ASIC says that cyber security and cyber resilience must be a top priority for all organisations, and that they should have effective cyber security strategies, governance and risk frameworks, and regular testing and reassessment of cyber risks.
AUSTRAC guidance on data breaches
The Australian Transaction Reports and Analysis Centre (AUSTRAC) has released guidance for regulated entities on data breaches to help them:
understand their anti-money laundering and counter-terrorism financing (AML/CTF) obligations when it comes to data breaches;
protect their businesses and customers from the heightened money laundering and terrorism financing (ML/TF) risks that can arise from data breaches; and
identify potential indicators of identity crime, fraud and cyber-enabled crime.
The guidance applies to businesses which have been directly subject to a data breach or impacted by an external data breach that affects the entity’s customers or services.
Key points in the guidance include that affected entities should:
regularly review their risk assessments to make sure they reflect the ML/TF risks arising from a data breach;
proactively identify data breaches that may affect them;
review systems and controls in light of revised risk assessments to respond to ML/TF risk, including risk of identity crime, fraud and cyber-related crimes;
identify, mitigate and manage ongoing customer risks, paying particular attention to potential indicators for identity crime, fraud and cyber-enabled crime;
not provide designated services to a customer until reasonably satisfied the customer is who they claim to be; and
train their staff on how to identify and respond to data breaches and the potential ML/TF risks they pose.
PRUDENTIAL
APRA finalises some technical changes to prudential framework
The Australian Prudential Regulation Authority (APRA) has finalised some technical clarifications to the prudential framework. They include changes to prudential standards and guidance on capital, liquidity, credit risk, operational risk, and governance. These are not major policy changes. APRA consulted on these updates in June 2023.
APRA consults on changes to liquidity and capital requirements
On 15 November 2023 APRA announced that it was consulting on targeted changes to liquidity and capital requirements aimed at strengthening the banking sector’s resilience to future stress. Submissions are due by 16 February 2024.
Minor changes to LPS 310
APRA has identified a minor error in Prudential Standard LPS 310 Audit and Related Matters (LPS 310). The error relates to the level of assurance required for two reporting standards listed in Attachment A of LPS 310. APRA has amended LPS 310 to correct the error.
APRA applies extra $20m capital requirement to RAC Insurance
APRA has applied an additional $20 million capital requirement to RAC Insurance Pty Ltd (RAC), following a governance prudential review conducted by APRA. The review found significant weaknesses in areas of outsourcing controls, conflict management and board decision making. RAC is currently implementing an action plan to address these issues. The additional capital requirements will remain in place until RAC's action plan is completed, substantially embedded and its effectiveness verified.
SUPERANNUATION
Legislating an objective for superannuation
The Federal Government has introduced a Bill that aims to define and legislate the objective of superannuation. The Superannuation (Objective) Bill 2023 (Cth) tabled on 16 November 2023 proposes that the objective of superannuation is ‘to preserve savings to deliver income for a dignified retirement, alongside government support, in an equitable and sustainable way.’ The objective is intended to serve as a guide for future policy making and regulation of the super system. The Bill will require any proposed changes to super legislation to be assessed against the objective.
AML/CTF
New guidance page
AUSTRAC now has a "latest guidance updates" page that highlights its recently released and updated guidance. The page includes links to guidance resources, whether the guidance is new or updated, and a description of the guidance or updates made.
DISPUTES AND ENFORCEMENT
ASIC enforcement priorities
On 21 November 2023 ASIC announced its enforcement priorities for 2024. These are:
Enforcement action targeting poor distribution of financial products.
Misleading conduct in relation to sustainable finance including greenwashing.
High-cost credit and predatory lending practices to consumers and small business.
Member services failures in the superannuation sector.
Misconduct resulting in the systematic erosion of superannuation balances.
Insurance claims handling.
Compliance with the reportable situation regime.
Conduct impacting small business including small business creditors.
Enforcement action targeting gatekeepers facilitating misconduct.
Misconduct relating to used car financing to vulnerable consumers including brokers, car dealers and finance companies.
Compliance with financial hardship obligations.
Technology and operational resilience for market operators and market participants.
ASIC welcomes new Commissioners
ASIC Commissioners Simone Constant and Alan Kirkland began their five-year terms on 20 November 2023. They join new Commissioner Kate O’Rourke, who commenced her term in September 2023. The new Commissioners will serve alongside ASIC Chair Joe Longo, Deputy Chair Sarah Court and Deputy Chair Karen Chester. Ms Chester’s term ends in January 2024. The initial regulatory focus of Ms Constant will be on markets and superannuation; Mr Kirkland on insurance, credit and financial advisers and investment management; and Ms O’Rourke on banking and payments, audit, insolvency and registers.
ASIC sues Telstra Super for breach of internal dispute resolution rules
ASIC has launched civil penalty proceedings against Telstra Super for failing to comply with internal dispute resolution (IDR) requirements that became enforceable on 5 October 2021. This is the first proceeding taken by ASIC for alleged breach of the mandatory IDR requirements. ASIC alleges that Telstra Super did not respond to most superannuation complaints within 45 days, as required by ASIC's Regulatory Guide 271 (RG 271). It also alleges that Telstra Super did not inform some complainants about the reasons for delay, their right to escalate their complaint to AFCA, or its own dispute resolution procedures. ASIC also claims that Telstra Super failed to operate efficiently, honestly and fairly, in breach of its general obligations as a financial services licensee. ASIC is seeking declarations, pecuniary penalties and other orders against Telstra Super.
Information Commissioner sues Australian Clinical Labs over data breach
On 3 November 2023, the Australian Information Commissioner commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) in relation to a cyberattack in February 2022 that resulted in personal information (including sensitive health and credit card information) of over 100,000 people being accessed and exfiltrated. ACL’s business involves centrally collecting and holding millions of individual patients’ health information. On 10 July 2022, ACL notified the Office of the Australian Information Commissioner (OAIC) of the breach and that personal and sensitive information was being published on the dark web. The OAIC commenced an investigation which led to the commencement of proceedings.
RACQ fined $10 million for misleading discounts
The Federal Court has imposed a $10 million penalty on RACQ Insurance Limited (RACQ) for potentially misleading customers about the pricing discounts available for its Motor, Home, Caravan & Trailer and Unique Vehicle insurance policies. The Court found that RACQ sent out product disclosure statements on at least 5 million occasions between March 2017 and March 2022 that stated certain discounts would be applied to customers’ insurance premiums. However, these discounts were only applied to the base insurance premium, not to additional premiums paid for certain optional extras. ASIC brought the case in February 2023 and RACQ admitted to the contraventions. The Court also ordered RACQ to pay ASIC’s costs of the proceedings.
OnePath fined $5 million for fees for no service
The Federal Court has imposed a $5 million penalty on OnePath Custodians Pty Ltd (OnePath), a superannuation trustee, for misleading conduct and breaching its trustee duties. OnePath charged $3.8 million in fees to members of the Integra Super product for advice services they did not receive. OnePath also falsely represented to members that they had to pay a fee for a Plan Adviser, even after they were transferred to a division where they were not entitled to advice services. OnePath has repaid the fees (plus interest) to affected members and admitted to the conduct.
Mercer fined $12 million for fee disclosure failures
The Federal Court has imposed a $12 million penalty on Mercer Financial Advice (Australia) Pty Ltd (Mercer) for breaching its fee disclosure obligations and charging fees for no service. The Court found that Mercer:
failed to invite, provide or issue fee disclosure statements to more than 1300 clients who were entitled to annual review meetings;
did not give fee disclosure statements to more than 500 clients;
issued over 3000 fee disclosure statements that were non-compliant or misleading to more than 2000 clients; and
charged 761 clients more than $4.7 million in fees for services they did not receive.
The Court attributed Mercer's misconduct to its inadequate systems and processes, and held that it failed to provide financial services efficiently, honestly and fairly. The Court described the contraventions as 'extremely serious' and said that the community expected robust systems and processes in the financial services market.
Mercer admitted to the misconduct.
iExtend enforceable undertaking
ASIC has investigated iExtend Holdings Company Pty Ltd and iExi Pty Ltd (iExtend). iExtend offers to pay people's life insurance premiums in exchange for a share of the benefit. iExtend acquired interests in life insurance policies by co-owning them with policy holders. ASIC found that iExtend was operating a financial services business without a licence. ASIC has accepted a court enforceable undertaking from iExtend, which requires iExtend to apply for an Australian financial services licence to issue financial products, provide general advice and handle claims.
ASIC fines HESTA for misleading advertising
ASIC has issued three infringement notices to HESTA, the trustee of HESTA superannuation fund, for making false or misleading statements about its Balanced Growth investment option in its marketing material. HESTA paid $48,600 to comply with the notices. The statements advertised 10-year performance figures of the Balanced Growth option without disclosing the date range used to calculate them. ASIC alleges that consumers may have been misled into thinking that the figures were current, when they were actually between five and 14 months old. These figures were higher than the more recent performance figures available during the period of publication. In addition, HESTA published a webinar on its website that claimed a hypothetical consumer would have realised a net return of approximately $67,000 on a $50,000 investment by staying in the Balanced Growth option for 10 years ‘right up to today’, which was incorrect.